The encryption of mobile devices has been recommended to management for a while now. After it came up again in a recent HIPAA audit, money became available in FY11.
As an administrator of GuardianEdge Hard Disk Encryption (GEHD), it was natural to consider the same vendor for encrypting USB devices.
GuardianEdge Removable Storage Encryption requires the GuardianEdge Framework, so existing GEHD installs will need to be upgraded. Just as the Framework and Hard Disk Encryption versions must match, the Removable Storage Encryption version must be one supported by the installed Framework.
The software MSI is created in the GuardianEdge Manager with an initial configuration. As with GEHD, later configuration changes are made through Group Policy. Removable Storage Encryption has the following configuration options:
– Do not allow access to files on removable storage devices
– Allow read-only access to files on removable storage devices
– Allow read-write access to files on removable storage devices
– Encrypt all files written to or accessed on removable storage devices
– Encrypt new files written to removable storage devices
– Encrypt to CD/DVD only
– Do not encrypt files on removable storage devices
Exemptions are allowed for multimedia files so you don’t automatically encrypt your mp3s.
In our case we had been looking to initially make the encryption an available tool for users rather than mandatory. Yes, it is a lot less secure. It’s also easier to implement. This product doesn’t have any way to do that.
When files are encrypted to a USB drive, users can protect them with a password or a certificate, depending on which options the administrator has enabled. Passwords are subject to the password policy configured in the GuardianEdge Framework. A recipient of that USB drive who does not have the GuardianEdge software uses the Access utility, which is saved to the drive automatically; they can modify the files and save them back to the device in encrypted form. The Access utility is available for Windows and Mac only.
The administrator can create groups so that users within a group do not need a password or certificate to access the files. This appears to require a new Group Policy object for each access group, so in practice groups look useful only when you don’t care about insider attacks and prefer to preserve usability internally.
The administrator can also create a recovery certificate so that all files encrypted to removable storage remain recoverable if credentials are lost or forgotten. This is similar to the EFS recovery certificate. GuardianEdge provides some weak instructions for those with a Microsoft CA; for everyone else the only advice is to “create a certificate with the ‘Key Encipherment’ usage.” If you created all users in the same group, then this recovery “master” certificate is redundant.
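Since shops without a Microsoft CA are left with only “create a certificate with the Key Encipherment usage”, here is one way to produce such a recovery certificate, verify the usage before trusting it, and keep the private key off the admin workstation. This is an added example, not GuardianEdge’s own procedure; it assumes Windows PowerShell with the PKI module (New-SelfSignedCertificate, Export-PfxCertificate, Export-Certificate), and the subject name, file paths and validity period are placeholders to adjust.

```powershell
# Added example (not GuardianEdge documentation): create a self-signed recovery
# certificate whose Key Usage extension carries Key Encipherment, export the private
# key once to offline media, publish the public half, and purge the key from the PC.
# Assumes Windows PowerShell 5.1 with the PKI module; names/paths are placeholders.

$subject = 'CN=Removable Storage Recovery'        # placeholder subject
$pfxPath = 'D:\offline\rse-recovery.pfx'          # placeholder: removable/offline media, not a share
$cerPath = 'C:\Temp\rse-recovery-public.cer'      # placeholder: public half for the policy

# KeySpec KeyExchange yields an RSA key usable for wrapping keys (not signature-only);
# KeyUsage KeyEncipherment is the usage the vendor asks for.
$cert = New-SelfSignedCertificate `
    -Subject           $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -KeySpec           KeyExchange `
    -KeyUsage          KeyEncipherment `
    -KeyExportPolicy   Exportable `
    -NotAfter          (Get-Date).AddYears(5)

# Check the extension before the certificate goes into any policy: a recovery
# certificate that lacks Key Encipherment leaves encrypted media unrecoverable.
$ku = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $ku -or -not ($ku.KeyUsages -band $needed)) {
    throw "Recovery certificate is missing the Key Encipherment usage"
}

# Private key: one export to a passphrase-protected PFX destined for offline storage,
# handled under the same controls as any other recovery secret.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX passphrase'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Public half (no private key): this is all the encryption policy needs.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Remove certificate and private key from the workstation store so the recovery
# key does not linger on an administrator's PC.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Whether the product accepts a self-signed certificate, or insists on one issued by a CA, is not stated on this page; treat that as an assumption to confirm against the vendor documentation before relying on the PFX for recovery. The verification step is the part worth keeping regardless of how the certificate is issued.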
For times when you want to mail encrypted files and don’t need changes returned securely, you can create a self-extracting executable. This is also protected by a password or certificate.
When you have both Hard Disk Encryption and Removable Storage Encryption installed, a systray icon is visible. This icon gives access to the User Console and the encrypted CD/DVD burner; both items are also available on the Start menu. I fail to see why this systray icon is required and cannot be removed.
I’m at an early stage of this deployment. Any time you make it harder for users to do something, they aren’t going to be happy. Unfortunately there are times when systems need to be locked down and access removed. When regulations dictate the protection of data, we need to protect it both in transit and as it is stored on disk.