>> What I'm proposing isn't that difficult, as far as I know. A firewall
>> with an IPSec tunnel back to HQ, and sitting behind that a DPM instance
>> with BitLocker enabled, plus likely a DC with same. If needed, we can do
>> IPSec connections between the local and colo DCs and DPM instances as
>> well - that would require a bit more horsepower for the server CPUs, of
>> course.

I'd love to see your business justification for proposing the additional hardware to accomplish this in a reasonable window.

Also, why would you terminate the IPsec tunnel at the firewall, if you're so keen on *end-to-end* encryption? Every gap is an attack vector. You need to configure the IPsec connectivity at the host, my friend...

I notice that you failed to answer the 3 non-rhetorical questions that I asked...

Regards,

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Sun, Dec 22, 2013 at 10:12 PM, Kurt Buff <[email protected]> wrote:
> On Sun, Dec 22, 2013 at 6:54 PM, Andrew S. Baker <[email protected]> wrote:
> >
> > >> OTOH, if we did use colo - and I'm pushing it for backups/DR/BC - it'll be on machines that have encrypted file systems, using encrypted links, and it'll be monitored at least as well as the internal infrastructure.
> >
> > What do you believe that monitoring will do for you as it relates to this discussion?
> >
> > So, you're going to encrypt *all* traffic of every type from the machines? More power to you if you manage to pull it off, but most orgs don't make that trade-off until forced.
> >
> > I'm not implying that it is undesirable to provide full encryption. I'm suggesting that there are often business objectives/decisions that preclude it except in the Utopian realm of online discussion.
> >
> > Are you encrypting all of your traffic today?!?
> > Are you using any Data Leak Prevention technologies today?
> > Have you forbidden all wireless access to your network today?
> >
> > Just asking/saying...
>
> What I'm proposing isn't that difficult, as far as I know. A firewall with an IPSec tunnel back to HQ, and sitting behind that a DPM instance with BitLocker enabled, plus likely a DC with same. If needed, we can do IPSec connections between the local and colo DCs and DPM instances as well - that would require a bit more horsepower for the server CPUs, of course.
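The point raised above about terminating IPsec at the host rather than at the firewall (so the DPM server and DC encrypt to each other end to end, instead of only across the tunnel) can be expressed as a Windows Filtering Platform rule set. The following is an added example written for this thread, not configuration posted by either participant. It assumes a certificate-based machine authentication against a hypothetical enterprise root CA, and the host names and addresses (dpm01 at 10.10.1.20, the colo DC at 10.20.1.10) are placeholders chosen for illustration.

```powershell
# Added example: require host-to-host IPsec (transport mode) between a DPM
# server and a domain controller, so traffic is protected on the host itself
# rather than only across a firewall-to-firewall tunnel.
# Run on each host in an elevated PowerShell session (Windows Server 2012+).

# Placeholder values (assumptions for this example, not from the thread).
$LocalHostAddress  = '10.10.1.20'   # this host, e.g. dpm01
$PeerAddress       = '10.20.1.10'   # the colo DC
$RootCaSubject     = 'CN=Example Enterprise Root CA'   # hypothetical issuing CA

# Phase 1 (main mode) authentication: machine certificate chained to the root CA.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority $RootCaSubject -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DPM-DC MachineCert Auth' `
    -Proposal $authProposal

# Quick mode crypto: ESP with AES-256 and SHA-256 integrity.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'DPM-DC ESP AES256' `
    -Proposal $qmProposal

# The rule: every packet between the two hosts must be authenticated and
# encrypted in both directions. "Require" (not "Request") means cleartext
# fallback is refused, which is the failure mode a defender wants here.
New-NetIPsecRule -DisplayName 'Require IPsec: DPM <-> colo DC' `
    -Mode Transport `
    -LocalAddress $LocalHostAddress -RemoteAddress $PeerAddress `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name

# Verification after traffic has flowed: an established SA for the peer
# proves the hosts, not the firewalls, negotiated the protection.
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $PeerAddress }
```

Apply the mirror-image rule on the peer (swap the local and remote addresses) and confirm both hosts can validate each other's machine certificate before setting the policy to Require; if the CA chain is not trusted on one side, main mode fails and, by design, the hosts stop talking rather than falling back to cleartext.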

