I was asked recently via email how to pragmatically uninstall GuardianEdge. I’d been thinking about something similar, that is, how do you migrate endpoint security vendors, including Full Disk Encryption?
To a certain extent this problem doesn’t affect very many people. Is Full Disk Encryption installed at many companies outside the Federal Government and Government Contractors? I imagine it’s starting to make more inroads via the encryption safe harbor and regulatory requirements.
I’ve had Full Disk Encryption deployed for over 3 years. With many security products that is an eternity. Features change. Companies get bought and sold. What if I decide to switch from yellow (Symantec) to red (McAfee)? Does Sophos have a color?
As far as uninstalling GuardianEdge specifically, I’m pretty sure the manual says you need to decrypt before you uninstall. Therefore, I would need to deploy a decrypt policy via Group Policy, then after sufficient time has occurred for decryption, uninstall GuardianEdge and replace it with my new favorite Full Disk Encryption. The problem with this scenario is 1) the computer is left unencrypted for a period of time, 2) this period of time is unspecified, and 3) the end-user will experience the joyful performance hit of decrypting and encrypting the hard drive. Not Good!
Another possibility is to introduce the new encryption products as computers are replaced. This has the benefit of not interrupting the user. The downside is the helpdesk would have to keep track of two different one-time password programs to allow users to access computers with a forgotten password. Management is twice as hard. I’d have to maintain two different systems. With a three-year lease cycle on computers it would be quite a while before all computers are on the new system.
We’re about to do a rip and replace migration to Windows 7. This would be an ideal time when you’re already doing a system refresh. You don’t have to worry about the decrypt/uninstall. You just back up data, drop the Win7 Ghost load, restore data, encrypt. It is a rare opportunity.
I don’t like these options. Readers, have any of you migrated Full Disk Encryption products? Do you see any alternatives I’m missing? Comments welcomed below. First-time commenters will be held in the moderation queue. All comments must clear the spam filter.