SANS 2.2 Desktop Encryption

This is a report from five companies on their lessons learned and experience.
Rhonda Maluia from the Naval Special Warfare Development Group spoke on their use of hardware-based encryption. They use Flagstone, a British company (opening U.S. offices shortly).
I took fewer notes on this talk due to the dark background of the slides. Encryption on the hardware device is a very interesting concept that takes encryption out of the hands of the user completely. They don’t even need to know it’s going on.
They were seeking a secure solution with ease of use and the ability to fail securely.
They defined a secure solution as FIPS-compliant AES 128-bit full disk encryption with pre-boot authentication and tamper evidence, and it works.
The more the user has to do, such as putting data in a “secure” folder, the less a solution works. They wanted minimal user intervention and moving parts, a low learning curve, and good performance.
The device locks after 5 failed logon attempts. After 5 recovery attempts, the data is gone.
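An added example (not from the talk and not Flagstone’s code) modelling the fail-secure lockout just described: the data key is held only wrapped under credential-derived keys, five wrong PINs lock the device so only the recovery credential is accepted, and five wrong recovery attempts zeroize the wrapped keys so the data is gone. The `Device` class, the PBKDF2 key derivation and the XOR wrap are assumptions chosen to illustrate the behaviour.

```python
import hashlib
import hmac
import secrets

MAX_LOGON = 5     # failed PIN attempts before lockout (from the talk)
MAX_RECOVERY = 5  # failed recovery attempts before the data key is destroyed

def _kek(secret: str, salt: bytes) -> bytes:
    # Credential-derived key-encryption key (PBKDF2 is an assumption here).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000, dklen=16)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Device:
    def __init__(self, pin: str, recovery: str) -> None:
        self.salt = secrets.token_bytes(16)
        data_key = secrets.token_bytes(16)  # AES-128 data key, never stored in clear
        # One wrapped copy per credential plus a MAC to recognise the right key. The
        # counters only help because blobs and counters sit inside the tamper-evident device.
        self.wrapped = {"pin": _xor(data_key, _kek(pin, self.salt)),
                        "recovery": _xor(data_key, _kek(recovery, self.salt))}
        self.check = hmac.new(data_key, b"check", "sha256").digest()
        self.failed = {"pin": 0, "recovery": 0}
        self.zeroized = False

    def _unwrap(self, slot: str, secret: str):
        cand = _xor(self.wrapped[slot], _kek(secret, self.salt))
        if hmac.compare_digest(hmac.new(cand, b"check", "sha256").digest(), self.check):
            self.failed[slot] = 0
            return cand
        self.failed[slot] += 1
        return None

    def logon(self, pin: str):
        if self.zeroized or self.failed["pin"] >= MAX_LOGON:
            return None  # locked: only recover() is accepted from here on
        return self._unwrap("pin", pin)

    def recover(self, recovery: str):
        if self.zeroized:
            return None
        key = self._unwrap("recovery", recovery)
        if key is not None:
            self.failed["pin"] = 0  # successful recovery clears the lockout
        elif self.failed["recovery"] >= MAX_RECOVERY:
            # Fail securely: destroy the wrapped keys and the check value; the data is gone.
            self.wrapped = {slot: bytes(16) for slot in self.wrapped}
            self.check, self.zeroized = bytes(32), True
        return key
```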
Obviously you still need antivirus, a personal firewall, anti-spyware, etc.
Monty McDougal is speaking on behalf of TrueCrypt. This is a free, open-source solution for Linux and Windows.
I didn’t take a lot of notes because I’m not interested in this product. One thing that I think would be true across the board is that unexpected power outages can be devastating to the file system. This is harder to recover from with full disk encryption. Backups are key.
Matt Norris
Matt uses NetApp Decru to address the problem of tape backup encryption.
Most people are not addressing the issue of tape backup encryption. This is a real issue.
Q: Do you encrypt all backups?
A: Yes.
Tape backup encryption is tough. We’ve all heard stories of needing to recover from 10-year-old backups and trying to install the backup software and find the license key. Now imagine that with encryption.
Regarding performance issues, he says that tapes don’t run at wire speed anyway.
The NetApp appliance connects to the Fibre Channel switch and is passed the data.
I don’t have any notes on the other two speakers.