Hi all, I have recently researched some solutions for our company and was also completely sold on the whole-disk encryption idea, until I started looking at the Mobile Guardian products from Credant Technologies. They claim their product: "uses intelligent encryption to focus data protection on sensitive information, without unnecessarily encrypting operating system or application files." Their software doesn't touch the MBR, so they claim you benefit from no worry of BIOS in-compatibility, 3rd party software MBR corruption, etc. So it supposedly only encrypts your sensitive data, temp files, page file(s), etc., while leaving the system files and application files alone. The company also claims a feature called "User level encryption" for user-specific data, so local admins can't access sensitive data on HR stations, Accountant pc's, CxO laptops, etc. We are still in the eval phase, but if the software is everything that it claims, it would pose a respectable argument against full disk encryption.
Shane -----Original Message----- From: Paul Giddens [mailto:[EMAIL PROTECTED] Sent: Thursday, August 31, 2006 11:29 AM To: focus-ms@securityfocus.com Subject: RE: Whole disk encryption Hey all, This post has been circulating for a while and I have a quick question. GIVEN that, if you are concerned about security and want to use encryption, WHY would you choose to NOT do full disk? Any solution where you try to encrypt some, but not all of the disk has weakness in the plan. So why put yourself (& especially end users) through the hoops of rolling out a half-done solution? IF you want security, do full disk. IF you don't want security, don't do any. IF you want to be annoyed with partial solutions that are not entirely secure, spend a lot of time figuring out how to do a semi-encrypted. Just a thought. Great posts from all views! Love reading this forum! :) Cheers all! Go leafs go! paul g | mcse ccna vcp ccsp ccea rsacse security+ A+ -----Original Message----- From: Galin, Matt (THIP, Corp) [mailto:[EMAIL PROTECTED] Sent: Thursday, August 31, 2006 5:37 AM To: matthew patton Cc: focus-ms@securityfocus.com Subject: RE: Whole disk encryption Forensically speaking, full disk encryption is the only way to address all aspects of data remnants. Stuff sits in the page file, this isn't encrypted. Temp files usually are all over the place, unless directory structure ACL's are very strict.. One can use the workstation security templates for high security and lock down the directories, but there are still writable locations on the disk that users can save stuff to. Unless all you do is use MS office, folder redirection isn't going to do you much good. These strict ACL's break many applications, especially all the home grown ones, and the older junk that's in all of our corporate environments. Volume encryption, such as EFS, TrueCrypt is MORE secure than nothing, but do you really trust your users, and would you be willing to put your job on the line when your CIO walks in and says, we had a laptop stolen, do we have to disclose this to the public? Full disk encryption has it's problems, most of the larger company's products like PointSec, Safeboot and Utimaco have methods for administrative/support logins and key escrow/recovery. They all have methods to deal with supporting software deployments, i.e. scripting a number of automatic logins without requiring pre-boot authentication. All of them have support for SSO, and tokens etc. Only large problems relate to multi-boot configurations, lilo, hidden partition backup solutions etc, as these solutions shim the Master Boot Record or Partition Boot record.. -----Original Message----- From: matthew patton [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 29, 2006 11:23 AM To: focus-ms@securityfocus.com Subject: Re: Whole disk encryption I am not arguing against whole-disk, but why would you hand a user a computer/laptop that allows them to write ANYWHERE but in one directory, their homedir? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ************************************************************************ * This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies. ************************************************************************ * ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------