What is the disk configuration on the server? If it's striped then they'd have a difficult (but not completely impossible) time getting data off multiple stolen drives without the raid configuration or the actual controller. If the chassis is securely bolted to something then it deters opportunistic thieves and if they're specifically targeting the business it's far more likely they'll do it via a web based attack.
John W. Cook Network Operations Manager Partnership For Strong Families 5950 NW 1st Place Gainesville, Fl 32607 Office (352) 244-1610 Cell (352) 215-6944 MCSE, MCP+I, MCTS, CompTIA A+, N+, Security+ VSP4, VTSP4 From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran Sent: Thursday, January 16, 2014 12:35 PM To: [email protected] Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk It's a new office build out so cameras are in discussion now. There will be 8 cameras but they are not hidden. With that said, do you have an suggestions on the encryption? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Ziots, Edward Sent: Thursday, January 16, 2014 9:20 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk I agree the physical security concerns definitely would push you in the direction of getting the drives encrypted. And I would also worry about cleaning staff, because they usually have the keys to the offices (thus physical access to perpetrate said scenario). Also is there any hidden camera's that records the office that is sent to an offsite for review or at least building security? (Another detective control you look into) Z Edward E. Ziots, CISSP, CISA, Security +, Network + Security Engineer Lifespan Organization [email protected]<mailto:[email protected]> Work:401-255-2497 This electronic message and any attachments may be privileged and confidential and protected from disclosure. If you are reading this message, but are not the intended recipient, nor an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that you are strictly prohibited from copying, printing, forwarding or otherwise disseminating this communication. If you have received this communication in error, please immediately notify the sender by replying to the message. Then, delete the message from your computer. Thank you. [Description: Description: Lifespan] From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jimmy Tran Sent: Thursday, January 16, 2014 11:16 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk This is for an small Optometrist office that will just have a server rack in the back office, no secured datacenter involved. If someone kicks down the door, breaks open the rack enclosure, then break off the security cover server, they can then un-rack or remove the drives. I think the real concern here is theft is actually possible and if it does happen, we need to be certain the data cannot be retrieved. Jimmy From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Ziots, Edward Sent: Thursday, January 16, 2014 7:53 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk Here is my question on the encryption part, which HIPAA doesn't really give a lot of leeway on. 1) If you are in a Virtual environment which you are claiming, then how is someone going to steal the VMDK without having access to the LUN ( San or Local) on the datastore in which it resides? (pretty hard to walk into a datacenter with ESX box, and go steal the disk with the data on it) (Encryption by the specification is "addressable" and the real areas of risk is mobile devices (phones, tablets, Laptops) where the cost and justification of the control is higher. ( This is the risk management port of HIPAA 164.308(a) that a lot of people don't look into when looking at what needs to be done) I know this isn't a full answer to your question but wanted to get you context to what is being asked and where the real risk resides. Z From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jimmy Tran Sent: Thursday, January 16, 2014 9:48 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] encrypting Server 2008 R2 virtual disk I have a client who needs to comply to HIPPA requirements and encrypt their data. The windows server 2008 r2 is a guest on ESXi 5.5. I looked at bit locker and although vmware doesn't support it, it can still be done. The data is currently planned to reside on the local datastore. Encrypting the entire data store would be ideal but I'm not aware of any tools to do this. Does anyone have any recommendations? Thanks, Jimmy ________________________________ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to.
<<inline: image001.jpg>>
