SANS Section 1.2 Promising Practices in Selecting Laptop Encryption

In this session at the SANS Secure Storage and Encryption Summit, three companies report on the process they used to deploy mobile data encryption enterprise-wide.
ACS implemented PGP
Q – Why didn’t ACS use EFS?
A – Diversity of environment with customers and types of devices supported.
Q – ACS lost a laptop with 1 million customer records earlier this year…
A – Let’s just say you need to look at server data at remote sites. Particularly sites that are easily broken into.
Q – Why whole disk encryption?
A – Take the choice out of the users’ hands. Folder-level encryption lets the users decide what to encrypt. Further, you still have problems with the page file and hibernation.
Q – Have you had problems where you try to send someone a file but it’s still encrypted?
A – They maintained they haven’t.
Metavante Corp deployed Utimaco Safeguard
Has problems with Visual Studio installed. If VS is installed on a computer, then Utimaco would not install. If I understood him right, on those computers they removed VS, installed Utimaco and then put VS back.
Q – What were your three finalists?
A – Pointsec, PGP, Utimaco.
Q – Why did you avoid the TPM?
A – Don’t want to wait for computer refresh. Not all systems have TPM now.
Q – Isn’t whole disk encryption going to bog down older computers?
A – Not in his experience.
Q – How does full disk encryption impact AV and patching?
A – It doesn’t. (Actually, later on we find out from another person that the user needs to be logged in. Unattended installs will no longer work if the user is not logged in.)
Q – How do you send files securely to external users?
A – Secure email (undefined; does he mean S/MIME?) and they have an external site with HTTPS for file sharing with their customers/partners.
Alan on file/folder-level encryption – you don’t know what you’ve encrypted and what you haven’t. This is very important when the laptop is lost and you don’t know if you’re protected or not.
Q – Has there been a higher rate of drive failures when using whole disk encryption?
A – No. (We learn in a later seminar that hard drives with problems will die during the rollout and initial encryption. So you should do a full defrag prior to deployment to try and uncover any problems first.)
Determine the business need
Determine the scope and avoid scope creep.
Why they picked Utimaco Safeguard:
1. Configurable single sign-on. Could be integrated with SecurID, AD, biometrics, etc.
2. Able to leverage their current software deployment method.
3. Able to manage without Active Directory (they don’t have it at all sites).
4. Ability to limit system resource consumption and also leverage checkpoint capability during the initial encryption process. The initial encryption process could take hours. By throttling this back, users can still work and even shut down their computer while initial setup is taking place.
5. Full disk encryption
6. No TPM requirement
7. Pricing.
Helpdesk calls related to this deployment were <6% of total calls. Most didn’t read the instructions. They did run into a problem where users with a camera or iPod attached had those drives encrypted. Some called because the software was so seamless they didn’t realize it was installed.
VESTA
This demonstration was on using the nCipher netHSM to encrypt databases. nCipher is an appliance.