On Sun, Dec 22, 2013 at 6:54 PM, Andrew S. Baker <[email protected]> wrote:
>
> >>OTOH, if we did use colo - and I'm pushing it for backups/DR/BC -
> it'll be on machines that have encrypted file systems, using encrypted
> links, and it'll be monitored at least as well as the internal
> infrastructure.
>
> What do you believe that monitoring will do for you as it relates to this
> discussion?
>
> So, you're going to encrypt *all* traffic of every type from the machines?
> More power to you if you manage to pull it off, but most orgs don't make that
> trade-off until forced.
>
> I'm not implying that it is undesirable to provide full encryption. I'm
> suggesting that there are often business objectives/decisions that preclude
> it except in the Utopian realm of online discussion.
>
> Are you encrypting all of your traffic today?!?
> Are you using any Data Leak Prevention technologies today?
> Have you forbidden all wireless access to your network today?
>
> Just asking/saying...
What I'm proposing isn't that difficult, as far as I know. A firewall with an IPSec tunnel back to HQ, and sitting behind that a DPM instance with BitLocker enabled, plus likely a DC with same. If needed, we can do IPSec connections between the local and colo DCs and DPM instances as well - that would require a bit more horsepower for the server CPUs, of course.
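As an added illustration (not part of the thread), this PowerShell check verifies the posture described above on a colo DPM or DC host: every BitLocker volume fully encrypted with protection on, and an enabled connection security rule that *requires* (not merely requests) IPsec for traffic to the HQ range. The HQ subnet 10.10.0.0/16 is a placeholder; the script assumes a Windows Server with the BitLocker and NetSecurity modules and must run elevated.

```powershell
# Added example, not from the original thread. Posture check for a colo server
# built as proposed: BitLocker on the data/OS volumes, IPsec required back to HQ.
param(
    [string]$HqSubnet = '10.10.0.0/16'   # placeholder: HQ range carried by the tunnel
)

$findings = @()

# 1. Each volume must be fully encrypted with protection on; an OS volume should
#    hold a TPM-backed protector so the key is not recoverable from the disk alone.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker: $($vol.MountPoint) status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus)"
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and
        -not ($vol.KeyProtector.KeyProtectorType -match 'Tpm')) {
        $findings += "BitLocker: OS volume $($vol.MountPoint) has no TPM-based key protector"
    }
}

# 2. Find enabled connection security rules whose remote address is the HQ range.
#    'Request' falls back to cleartext if the peer declines; only 'Require' enforces it.
$hqRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains $HqSubnet }

if (-not $hqRules) {
    $findings += "IPsec: no enabled connection security rule covers $HqSubnet"
}
elseif (-not ($hqRules | Where-Object {
            $_.OutboundSecurity -eq 'Require' -and $_.InboundSecurity -eq 'Require' })) {
    $findings += "IPsec: rule(s) for $HqSubnet only request protection instead of requiring it"
}

# 3. A configured rule is not a working tunnel; live quick-mode SAs show traffic is
#    actually being protected right now.
if (-not (Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)) {
    $findings += "IPsec: no quick-mode SAs established (tunnel idle or failing)"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: volumes encrypted and traffic to $HqSubnet requires IPsec"
```

The address match is exact, so a rule written against a different prefix length for the same range is reported as missing; widen the filter to your own rule naming or address conventions before scheduling it.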

