Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Sherry Callahan <scallahan () KUMC EDU>
Date: Wed, 17 Nov 2010 14:28:34 -0600

We started with the 2006 Gartner Magic Quadrant for mobile encryption and reviewed every vendor offering that was in 
the Leader quadrant.  At the time, it was Safeboot, PointSec, WinMagic and Utimaco.  We also took a look at some 
outside of the Leader quadrant such as Mobile Armor, Credant and Trust Digital.  I no longer have the matrix to share 
with you, but I do remember the main points that we were looking for (in addition to the usual annual costs, support 
offerings, installation volume, how long the company has been in existence, ability to deliver, etc.).  That list 
included:
 
- support for multiple operating systems - Windows 32/64-bit, Macintosh, Linux, and even dual-boot capabilities
- extended encryption for removable media inserted into the device
- secure storage of keys
- had to encrypt the entire drive with minimum AES-128 encryption (encryption sits at pre-OS level)
- easy mechanism for a centralized admin group to recover lost keys or recover a drive in case of problems with the 
software (emergency decrypt)
- ease of installation and, preferably, a mechanism to "push" the software over the network
- centralized management; particularly, the ability to say with 100% certainty that a device was encrypted on that day 
if it were lost or stolen.  If we didn't have this requirement because of HIPAA, we would have seriously considered 
Bitlocker or another free option
- seamless to the user (single sign-on) with adherence to University password policies
- we had an interest in two-factor authentication support, but it wasn't a requirement
- protection for hibernation/suspend
- ability to encrypt multiple drives in the same device
- must not be circumventable by the user
- good reporting capabilities
 
I hope you find this list useful!  Most of the players that we looked at in 2006 have now been bought out by some of 
the larger players in the security market, so a comparison today would look much different than ours from 2006.  I can 
tell you, however, that we have been very pleased with our experiences with Safeboot/McAfee Endpoint, and the purchase 
by McAfee has only made the product that much better.  We can now use ePO to find devices that are not encrypted and 
can even push encryption to them via the McAfee client.  Our laptops are configured to check into our ePO server no 
matter where they are in the world, so we always have up-to-date information on where they are and whether or not they 
are encrypted.  In the case of a lost or stolen device with sensitive information on it, that can be a lifesaver.
 
Sherry
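The requirement above of being able to say, for a given date, whether a specific device was encrypted is essentially a question against the check-in history a central console collects. The following is an added example, not code from the thread and not McAfee/ePO code: it evaluates constructed check-in records (device id, last-seen time, reported encryption state) and treats a device whose last report is older than an assumed staleness window as "stale" rather than encrypted, since an old report cannot support the "100% certainty" claim for a device that is lost today. The record fields, the seven-day window and the sample data are all assumptions of the example.

```python
"""Answer "was device X encrypted as of date D?" from endpoint check-in records.

Added example (not from the original thread, not McAfee/ePO code). The record
layout, the staleness window and the sample check-ins are constructed here.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class CheckIn:
    device: str        # inventory identifier of the laptop
    seen: datetime     # when the endpoint agent last reported to the console
    encrypted: bool    # whether the agent reported full-disk encryption complete


# Constructed sample check-ins (not real data).
CHECKINS = [
    CheckIn("LT-0001", datetime(2010, 11, 10, 8, 5), True),
    CheckIn("LT-0001", datetime(2010, 11, 16, 9, 12), True),
    CheckIn("LT-0002", datetime(2010, 11, 1, 13, 40), False),   # encrypted later
    CheckIn("LT-0002", datetime(2010, 11, 14, 7, 0), True),
    CheckIn("LT-0003", datetime(2010, 10, 20, 17, 30), True),   # has gone quiet
    CheckIn("LT-0004", datetime(2010, 11, 16, 10, 0), False),   # reporting, unencrypted
]

# Assumed policy: a report older than this cannot vouch for the device's state.
MAX_AGE = timedelta(days=7)


def status_on(device, as_of, checkins=CHECKINS, max_age=MAX_AGE):
    """Classify a device as of the end of the given date.

    Returns one of:
      "encrypted"   - latest report within max_age says encryption is complete
      "unencrypted" - latest report within max_age says it is not
      "stale"       - there is a report, but it is older than max_age
      "unknown"     - no report at all on or before that date
    Only reports up to and including `as_of` are considered, so the answer is
    what the console could have asserted on that day, not with hindsight.
    """
    cutoff = datetime.combine(as_of, datetime.max.time())
    history = [c for c in checkins if c.device == device and c.seen <= cutoff]
    if not history:
        return "unknown"
    latest = max(history, key=lambda c: c.seen)
    if cutoff - latest.seen > max_age:
        return "stale"
    return "encrypted" if latest.encrypted else "unencrypted"


def noncompliant(as_of, checkins=CHECKINS, max_age=MAX_AGE):
    """Every known device that could not be asserted encrypted on that date.

    Stale and unknown devices are included deliberately: a device you cannot
    prove encrypted is the one to chase, not the one to assume is fine.
    """
    devices = sorted({c.device for c in checkins})
    report = {}
    for d in devices:
        s = status_on(d, as_of, checkins, max_age)
        if s != "encrypted":
            report[d] = s
    return report


if __name__ == "__main__":
    for dev, state in noncompliant(date(2010, 11, 17)).items():
        print(f"{dev}: {state}")
```

The useful property here is that the answer is computed only from reports dated on or before the day in question, which is the shape of question an incident review actually asks ("what did we know on the day it went missing?"). Lowering the staleness window tightens the guarantee at the cost of more devices showing up as stale for the support team to follow up.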

Shahra Meshkaty <meshkaty () SANDIEGO EDU> 11/15/2010 12:10 PM >>>
We are very much interested in an FDE project but have a lot of push back due to complexities and concerns of our 
technical team. We have Computrace on all of our recent (as of 2 years) laptops. 
The suggestion for a manual process is great.  My question is which encryption products you reviewed and which passed the 
test of your comparison?   Can you share the matrix used in your pilot process? Is your solution cross platform? What 
about data integrity, and restore experience with encrypted data?  


From: Sherry Callahan <scallahan () KUMC EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Mon, 15 Nov 2010 09:07:34 -0800
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Laptop encryption experiences


We've been encrypting all of our laptops for four years and currently have approximately 2000 encrypted devices, 
including our medical students' tablets.  One of the things that we grappled with initially was the same litmus test 
that you mentioned.  Ultimately, we felt that we couldn't ensure that patient data or other sensitive information 
wouldn't end up on an unencrypted device, whether through user error or otherwise.   The trade-off for the up-front 
effort to encrypt pays off on the back end in peace of mind and knowing that any data on the drive is protected.  
 
When we began the encryption process, communication was an extremely important component because of the general unease 
that both technical and non-technical folks had with the new software.  We also felt it was necessary to address the 
unease with a manual process at first:  user signs up for an encryption appointment, brings in their laptop, it is 
backed up first, and then encrypted.  At the same time, we also installed CompuTrace (theft-tracking software) and, due 
to a couple of hiccups caused by these two software packages trying to reside side by side in the BIOS, there were a 
handful of times very early on when we were happy that we had the backups of the drive.  But a handful is a small 
percentage of the total number of laptops that we touched, and we haven't had these problems for several years.  We are 
now pretty much hands off, since we can push upgrades to the encryption software from a central server (we're using 
Safeboot, dba McAfee Endpoint Encryption) and our folks are no longer scared of the technology.
 
Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966


Alan Bowen <abowenml () GMAIL COM> 11/15/2010 10:32 AM >>>
At TCNJ, we've been in the alpha/pilot phase of a laptop full disk encryption 
project for a very long time.  We are grappling with the complexities and 
resource requirements for encrypting our entire laptop inventory.  I'd like to 
know what types of parameters schools use for a "litmus test" to determine if a 
given laptop needs to be encrypted.  Also, data on the number of laptops that 
have been encrypted over a time period, e.g. month or semester, would be very 
useful.  Any extenuating circumstances or qualifiers outside of these questions 
would be much appreciated as well.  Thanks.

-Alan
--
Alan Bowen
Manager of IT Security
The College of New Jersey
