SANS Section 1.3 Top Mistakes in Deploying Mobile Data Encryption

Again, these are my notes from the SANS Secure Storage and Encryption Conference. In Session 1.3, four companies discussed their experiences deploying encryption.
JP Morgan Chase – Guardian Edge EPHD
48k laptops deployed.
They found problems due to standardization issues and multiple support teams.
Key Challenges
– If your goal is to encrypt data on laptops specifically, you need to be able to find the laptops and know how many you have.
– Multiple support organizations
– New login for users
I didn’t quite understand the login issue. Are their users now faced with a dual login where they authenticate to the encryption software and then again to Active Directory?
Reports! Produce reports showing install rates. Highlight the departments doing well.
Your biggest problem will be the guy who likes to screw around with hacker tools even though it's not part of his job.
You need to be able to validate that encryption has occurred and continues to occur.
Backups are crucial.
They found that if you boot to Safe Mode and run defrag, you will kill your master boot record. I wonder what that says about booting to Safe Mode to fix spyware issues. HMMMM.
People think this will slow down their PC. They won't do it on their own. (I would say that the users who have customers demanding it will do it.)
Q – How do you deal with the engineer/hacker wannabe who thinks they know better?
A – Log agent with central aggregator.
Northrop Grumman – also using Guardian Edge
High level buy-in is key
They had lots of pushback initially, but the installs turned out to be not that big of an issue.
You don't want your customer coming back to you and saying your encryption isn't good enough. That is why they did full-disk AES-256.
They spent a lot of time with legal on export control issues. We all know about the "axis of evil" countries where you can't export software. But what about lesser-known laws where bringing an encrypted laptop in can cause problems? They have a list of 20 countries that they can't go to with their computers. Corporate Security and the Travel office coordinate so that people going to these countries don't carry sensitive info and use a vanilla PC without encryption.
Communication is key in the deployment. The initial encryption time can be an issue.
Northwest Mutual – Safeboot, Credent Mobile Guardian
Q – How did you verify that the solution is installed?
A – They used Altiris to look for specific EXEs.
Q – How did you handle multi-user PCs?
A – I didn't quite get this. It sounded like you have to assign each user the rights to log on.
Use full-disk encryption – you don't want to leave the decision in the user's hands.
Users would reboot on their way out for the day. As a result, unattended SMS installs did not work. They had to change user behavior.
FDIC – Credant Mobile Guardian
Credant does GINA chaining.
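As an added example (not from the notes, the speakers or any of the vendors mentioned), this is the kind of install-rate report the JP Morgan Chase and Northwestern Mutual speakers describe: check an inventory export for the agent's EXEs, treat a host whose agent has stopped reporting as a problem too (the "continues to occur" check), and rank departments by install rate. The export format, column names, EXE names and hosts are all constructed assumptions, not an Altiris format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Executables that must be present for a host to count as installed.
# Constructed placeholder names, not any real agent's file names.
REQUIRED_EXES = {"encagent.exe", "encdriver.exe"}

# Constructed inventory export (not real data): hostname, department,
# semicolon-separated list of EXEs found, date of the agent's last check-in.
INVENTORY_CSV = """hostname,department,exes,last_checkin
LT-0001,Finance,encagent.exe;encdriver.exe,2007-05-10
LT-0002,Finance,encagent.exe;encdriver.exe,2007-04-01
LT-0003,Finance,encagent.exe,2007-05-09
LT-0004,Legal,encagent.exe;encdriver.exe,2007-05-11
LT-0005,Legal,,2007-05-11
"""
AS_OF = datetime(2007, 5, 12)  # the date the report is run (constructed)

def classify(row, as_of, max_age_days=14):
    """'installed' if every required EXE is present and the agent reported
    recently, 'stale' if the EXEs are there but the agent has gone quiet,
    'missing' if any required EXE is absent."""
    exes = {e.strip().lower() for e in row["exes"].split(";") if e.strip()}
    if not REQUIRED_EXES <= exes:
        return "missing"
    last = datetime.strptime(row["last_checkin"], "%Y-%m-%d")
    return "stale" if as_of - last > timedelta(days=max_age_days) else "installed"

def install_report(csv_text, as_of):
    """Per-department counts and install rate, plus the hosts to chase."""
    summary = defaultdict(lambda: {"installed": 0, "stale": 0, "missing": 0})
    chase = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        state = classify(row, as_of)
        summary[row["department"]][state] += 1
        if state != "installed":
            chase.append((row["hostname"], row["department"], state))
    for counts in summary.values():
        total = sum(counts.values())
        counts["rate"] = counts["installed"] / total if total else 0.0
    return dict(summary), chase

def ranked(summary):
    """Departments ordered by install rate, best first, for the report."""
    return sorted(((d, c["rate"]) for d, c in summary.items()),
                  key=lambda x: x[1], reverse=True)

if __name__ == "__main__":
    summary, chase = install_report(INVENTORY_CSV, AS_OF)
    for dept, rate in ranked(summary):
        print(f"{dept}: {rate:.0%} installed")
    for host, dept, state in chase:
        print(f"  chase {host} ({dept}): {state}")
```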
In your project you need to give users the confidence that you aren’t going to disrupt them.
Don’t go for the big bang. Test in small groups and deploy.
Lessons Learned –
– Confirm the product's ability to encrypt data regardless of location type and structure. Fill in the gaps where necessary. (My comment: it can be a real issue when the project scope is defined one way and people start asking about other features.)
– Don't deploy too many things at once. Everything will get blamed on the encryption.