Educause Security Discussion mailing list archives

Re: Laptop encryption


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Fri, 5 Oct 2007 10:34:35 -0600

Answers inline...

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
  

-----Original Message-----
From: Dennis Tracz [mailto:dntracz () UCALGARY CA] 
Sent: Thursday, October 04, 2007 2:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Laptop encryption

Hello all,
 
I am new to this list so please forgive me if this topic has already 
been covered.
I am interested in knowing, what is the common practice for Laptop 
encryption, specifically:
 
1.  What is your current practice:
    a.  Do you use encryption on laptops (for laptops you administer)

<JD - 3 campuses are using Utimaco's Safeguard Easy under a state
contract.  It is essentially being required for notebooks at all three,
and is required definitely if you deal in sensitive information.  Our
fourth campus is looking into PGP based solutions because so much of
their user base is Mac based and Utimaco does not have a Mac solution. -
JD>

    b.  Do you encrypt the entire hard drive or selected folders i.e.( 
My Documents)

<JD - The whole burrito - partials don't work in my opinion, too many
caches and other leak points. I too like the Seagate encrypted hard
drives as a better option, but that is too expensive and not scalable
yet... - JD>

    c.  Do you use a commercial product or EFS

<JD - Utimaco Safeguard Easy - JD>

    e.  If encryption is used is it automatically configured (for 
laptops you administer) or do users have a choice

<JD - At present I can only speak to System Administration -
Administration has packaged an installer that is hands off and robust,
works in the background.  They also back up the system kernel for
recovery purposes and use a global key, not the best practice but
supportive of "dumb" end users.  End users authenticate using their
normal logon procedure and don't know anything has happened to their box
essentially - nice for support purposes, weaker on the security side,
but it sufficiently lowers the greatest risks.  Only about 3 people have
access to the shared key, or so I'm told.  I've been told the overhead
is about 5 to 7 percent of system resources based on observation.  - JD>

<JD - Solutions for PDAs and Memory sticks/etc. are coming from the same
provider under the same state license.  Cost per box under this license
is quite reasonable.  Available to all state agencies. - JD>
   
2.  What is your desired practice if you do not use encryption on
laptops
 
a.  Is this something you are wanting, attempting or not wishing to do?
b.  Would you encrypt the entire hard drive or selected folders i.e.( My
Documents)
c.  Would you use a commercial product or EFS?
d.  Would you automatically encrypt (for laptops you administer) or 
would you let your users have a choice?

Any insight is greatly appreciated.  Thanks in advance

-- 
Dennis N. Tracz CISSP-ISSMP, CISM
Information Security Officer
University of Calgary
(403) 220-4010
