guys guys guys. File level encryption and full disc encryption are two different beasts. Full Disc Encryption products are complicated solutions, and require thorough analysis before selecting a product.

When choosing the encryption product, you need to make sure that it provides means for secure key recovery and backup. Full Disc Encryption provides many benefits, some of which are as follows:

1) Everything, including the swap space and the temporary files, is encrypted in Full Disc Encryption. Encrypting these files is important, as they can reveal important confidential data.
2) With Full Disc Encryption, the decision of which files to encrypt and which to leave decrypted is not left up to the users. Everything is encrypted by default. Thus it is user proof.
3) Data destruction and HDD repurposing are easier. Data destruction merely requires removal of the encryption key, and all the information stored on the HDD is rendered useless. This saves tens of thousands of dollars in physical HDD destruction.
4) Support for pre-boot authentication using biometrics, secure tokens or smart cards.
5) Hardware based Full Disc Encryption is fast and creates minimum overhead. The employees have NO excuse to NOT encrypt data.

However, Full Disc Encryption does NOT replace file / directory level encryption. This is because once the FDE drive boots up, all the data is available in decrypted form. So if a hacker is able to connect to the laptop over the network while it is turned on, Full Disc Encryption will not help. However, if the individual files are encrypted, the attempt by the hacker to steal data over the network may be averted. Microsoft EFS and TrueCrypt are file/directory level encryption. In some cases both file level encryption and full disc encryption are needed. So first you need to get the requirements from the customer.

MS Vista will include a crude form of Full Disc Encryption by the name of BitLocker. It can utilize TPM. However, key recovery capabilities are limited. Business class laptops include a Trusted Platform Module chip. TPM can be used to seal + wrap the encryption key used for encryption. This ties the encrypted data to a particular platform, since each computer has a unique TPM chip. A hardware token (USB key or RSA token) can be used to unlock the TPM, to improve the security of the system.

For full disc encryption, I would recommend that we look at full-featured / enterprise grade products like WaveSys' Embassy Suite or Secude. For file/directory encryption we should look at HP's Protect Tools or Dell's Security Center. Both of these products come "Free" with their business class laptops, and fully support TPM. You don't need to purchase TrueCrypt or similar products. Please let me know if you have any specific questions.

I would recommend performing a KT analysis of the available Full Disc Encryption products to select one for your use. This will save you from increased support costs later on. I have compiled a list of full disc encryption products which is available at: http://www.xml-dev.com/Full_Disc_Encryption.html

Also take a look at Seagate's FDE drives, which perform encryption using an ASIC on the drive, thus relieving the CPU from encryption overhead: http://www.seagate.com/docs/pdf/marketing/po_momentus_5400_fde.pdf

On 8/24/06, Dietrich Heusel <[EMAIL PROTECTED]> wrote:
> Hi Sarah, hi group,
>
> as a security auditor and consultant I normally suggest (1) to implement as much security as available, but no more security than really needed. The need should follow an individual risk classification of all IT assets / data of a company. It doesn't make sense to encrypt a folder/partition with non-critical data on it. But it really makes sense to encrypt folders/partitions of sensitive data (e.g. internal strategies/business plans, internal financial statements, company secrets, ...).
>
> Every time you encrypt / decrypt a file, folder or partition you will have
> - file access to the hard disk,
> - processor load,
> - memory access,
> - ...
>
> This influences the performance of each system, on some systems more significantly than on others.
>
> So on company wide file servers, an encrypted partition should exist, where people have to store their classified files aligned to their given rights and according to the company security policy / risk classification. On mobile devices people should have an encrypted directory or partition, which is access-protected by password or comparable methods and can be mounted (dismounted) when needed (not needed), and there they have to store their classified files according to the company security policy / risk classification. This strategy follows the given suggestion (1).
>
> Ok. When influenced by really great paranoia, a company can also create a policy that all HDDs need to be encrypted. But this is in the same category as prohibiting the connection of any hardware to any network. ;-)
>
> Cheers, Dietrich
>
>> Sarah wrote:
>>
>> What is the consensus of the group on the use of whole disk encryption in an enterprise environment?
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
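Two of the points in the message above (key recovery and backup as a selection criterion, and "data destruction merely requires removal of the encryption key") come down to the same key-management pattern: the disk is encrypted under one data encryption key (DEK), and the DEK is only ever stored wrapped under a key encryption key (KEK). The following is an added example written for this thread, not code from any of the products named or from the message's author. It is plain Go standard library AES-256-GCM; the `Volume`, `NewVolume`, `Unlock` and `CryptoErase` names and the `"tpm"` / `"recovery"` slot names are constructed for the example, and a random 32-byte key stands in for the key a real TPM would unseal at pre-boot authentication. A second, escrowed recovery KEK wraps the same DEK so the helpdesk can unlock the volume if the TPM or token is lost, and crypto-erase consists of destroying every wrapped copy of the DEK while the ciphertext stays on the disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext with a fresh random nonce; output is nonce || ciphertext || tag.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aeadOpen reverses aeadSeal; it fails on a wrong key or any tampering.
func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// Volume models an FDE disk (constructed for this example): the data is
// encrypted under one random DEK, and the DEK exists on disk only wrapped,
// one copy per key slot ("tpm" = KEK the TPM unseals, "recovery" = escrowed KEK).
type Volume struct {
	Ciphertext []byte
	WrappedDEK map[string][]byte // slot name -> DEK sealed under that slot's KEK
}

// NewVolume encrypts plaintext under a fresh DEK and wraps the DEK under every KEK given.
func NewVolume(plaintext []byte, slots map[string][]byte) (*Volume, error) {
	dek := randomKey()
	defer zero(dek) // the clear DEK lives only for the duration of this call
	ct, err := aeadSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	v := &Volume{Ciphertext: ct, WrappedDEK: make(map[string][]byte)}
	for name, kek := range slots {
		w, err := aeadSeal(kek, dek)
		if err != nil {
			return nil, err
		}
		v.WrappedDEK[name] = w
	}
	return v, nil
}

// Unlock unwraps the DEK with one slot's KEK and decrypts the volume; the
// primary and the recovery slot both yield the same plaintext.
func (v *Volume) Unlock(slot string, kek []byte) ([]byte, error) {
	w, ok := v.WrappedDEK[slot]
	if !ok {
		return nil, fmt.Errorf("no key slot %q", slot)
	}
	dek, err := aeadOpen(kek, w)
	if err != nil {
		return nil, fmt.Errorf("slot %q: wrong key or damaged wrap: %w", slot, err)
	}
	defer zero(dek)
	return aeadOpen(dek, v.Ciphertext)
}

// CryptoErase is the "remove the key" sanitisation: every wrapped copy of the
// DEK is overwritten and dropped. The ciphertext remains, but no KEK can
// reproduce the DEK any more, so the drive can be repurposed.
func (v *Volume) CryptoErase() {
	for name, w := range v.WrappedDEK {
		zero(w)
		delete(v.WrappedDEK, name)
	}
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	tpmKEK := randomKey()      // stands in for the key a TPM would unseal at boot
	recoveryKEK := randomKey() // escrowed copy held for key recovery
	secret := []byte("Q3 business plan - constructed sample data")
	vol, err := NewVolume(secret, map[string][]byte{"tpm": tpmKEK, "recovery": recoveryKEK})
	if err != nil {
		panic(err)
	}
	pt, _ := vol.Unlock("recovery", recoveryKEK)
	fmt.Printf("recovery unlock: %s\n", pt)
	vol.CryptoErase()
	_, err = vol.Unlock("tpm", tpmKEK)
	fmt.Println("after crypto-erase:", err)
}
```

The design point is that the recovery path is a second wrap of the same DEK, not a copy of the data or a weaker cipher, so adding key escrow costs one small blob per slot; and because the data key is never stored in the clear, sanitising the whole drive is the cost of zeroing those blobs rather than a physical destruction process.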