IT Staff Convention 2008:Encryption


Encryption

Moderator: Janet Lind, School of Medicine

Notes: Deb Stagg, Wharton


Presentation from Encryption Team

  • Charge to Encryption Team
    • Bill and Ben (please someone, provide the last names) from the Encryption Team spoke about the team's work.
    • The charge was very specifically to identify a product for laptop whole disk encryption, with the additional concern that any recommended product not interfere with file and folder encryption.

The encryption team included representatives from 6-7 schools. Using Gartner's Magic Quadrant [apparently this reference: http://www.checkpoint.com/products/downloads/Gartner_MQ_for_Mobile_Data_Protection_1H06.pdf], the team looked at 10 vendors.

  • Products Reviewed: the following were identified by name:
    • BitLocker: not ready for prime time.
    • Utimaco
    • PGP
    • Checkpoint Pointsec: ruled out since its architecture is based on file share - a bad idea
  • Additional criteria:
    • Ability to send policy down
    • Granular control by school
  • Final Selection (Subject to IT Roundtable acceptance of team's recommendation)
    • Product: PGP
      • Why: PGP was final choice; both PGP and Utimaco were pretty close, but PGP's file and folder encryption played better with full disk encryption than the Utimaco product.
      • Additional info about PGP:
        • Whole disk encryption works like this: on boot, the user first sees the BIOS screen, then the PGP screen for login, then the Windows screen for login. Protection is in force if the machine is powered down or in hibernate mode, NOT in sleep mode. (Some discussion of RAM vulnerability for the first 5 minutes after shutdown for powered desktops - longer for laptops with battery power.)
        • A laptop user doesn't need to be a domain member, but if on a domain, policies can be pushed down.
        • As currently envisioned: larger schools at Penn will run their own universal servers; the university will provide that function for smaller schools.
        • Why use PGP rather than free products?
          • ability to share keys
          • adherence to standards
          • danger of losing data with a forgotten password
          • laws require that the university can prove its data was encrypted
      • pricing/site licensing information
        • yet to be negotiated: est. from $20 - $100; probably less than $50 per machine.


Submitted Questions

  • Key escrow and support implications:
    • What is key escrow: A data security measure in which a cryptographic key is entrusted to a third party (i.e., kept in escrow). Under normal circumstances, the key is not released to someone other than the sender or receiver without proper authorization.
    • Key escrow supported by PGP via creation of recovery tokens on central server (Key server concept). Encryption methods configurable at the central server level.

    • Universal decryption keys available for file and folder. Recovery requires access to the machine, coupled with central server activity. For file/folder: can use public key infrastructure. Each school can have key server and exchange public keys.

  • directory/file encryption option or only whole-drive: both.
  • Benefits over built-in OS encryption: key escrow; central management
  • Remote desktop access: if the remote machine is left on, the disk encryption will be bypassed since the decryption happens at initial startup. File/folder encryption will solve this problem.
  • Balance between effectiveness/efficiency (rapid access/decryption): very low additional processing penalty (about 3%, generally unnoticed) for encryption/decryption in terms of individual file/folder access. Initial encryption of disk can take a long time depending on disk size (perhaps 8 hours).

  • Concern for unencryption 7-10 years hence: No assurances...
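
The key escrow answer above (recovery tokens held on a central server, recovery needing both the machine and the server) can be modelled in a few lines. This is an added sketch, not PGP's implementation and not code from the session: `EscrowServer`, `enroll`, `wrap` and `unwrap` are hypothetical names, and the HMAC-based wrap is a stand-in for a real key-wrap algorithm.

```python
import hashlib, hmac, secrets

def _kek(secret: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from a passphrase or a recovery token.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def wrap(disk_key: bytes, secret: bytes) -> dict:
    # Assumption: stand-in for a real key wrap (e.g. AES Key Wrap). Each KEK
    # protects exactly one 32-byte key, so a one-time HMAC pad is sufficient.
    salt = secrets.token_bytes(16)
    kek = _kek(secret, salt)
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(blob: dict, secret: bytes) -> bytes:
    kek = _kek(secret, blob["salt"])
    tag = hmac.new(kek, b"tag" + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong passphrase or recovery token")
    pad = hmac.new(kek, b"pad", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

class EscrowServer:
    """Hypothetical central server: holds recovery tokens, never the wrapped keys."""
    def __init__(self, admins):
        self.admins, self.tokens, self.audit = set(admins), {}, []

    def deposit(self, machine_id: str, token: bytes) -> None:
        self.tokens[machine_id] = token

    def release(self, machine_id: str, requester: str) -> bytes:
        ok = requester in self.admins
        self.audit.append((machine_id, requester, ok))  # every request is logged
        if not ok:
            raise PermissionError("not authorized for key recovery")
        return self.tokens[machine_id]

def enroll(machine_id: str, passphrase: bytes, server: EscrowServer):
    disk_key = secrets.token_bytes(32)   # key that actually encrypts the disk
    token = secrets.token_bytes(20)      # recovery token, escrowed centrally
    server.deposit(machine_id, token)
    # The laptop keeps only two wrapped copies of the disk key.
    header = {"user": wrap(disk_key, passphrase),
              "recovery": wrap(disk_key, token)}
    return disk_key, header
```

The server alone holds a token with no wrapped key to apply it to, and the laptop alone holds a wrapped key with no token, so a forgotten passphrase is recoverable only when an authorized release is combined with access to the machine.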

Esoteric topics

  • Encryption on Unix/Linux: PGP open standard - GPG file/folder encryption; PGP Universal Server - share keys with Linux and other machines
  • Encryption on Macs: PGP client on Mac worked well.
    • Mac FileVault - problems - getting keys from memory problem - difficult to centrally manage
  • Encryption of hard drives as built: Seagate; Fujitsu; hardware optimized to minimize lag time; consensus seemed to recommend 'pass' for now.
  • Encryption of email traffic: no central solution
  • After the fact encryption options for archive tapes/backups
  • Encryption of data in transit (exchanging sensitive files)
  • Encryption on handhelds, is there much going on?
  • Encryption for passwords: Password Safe program - SourceForge - good for encrypting passwords
  • Any particular requirements for HIPAA or other regulations?
    • Penn Policies
      • All mobile devices have to have encryption
      • IT Priv/Security group- further policies
      • Critical host - require encrypt of sensitive data
      • handhelds - encrypt at rest
      • SSN policy requires encryption
    • Enforcement:
      • Penn Policies
      • Lauren Steinfeld, Chief Privacy Officer
      • Audit and Compliance



