UW Desktop Encryption Project

1
UW Desktop Encryption Project

• UWs approach to data encryption

2
Introductions

• Allen Monette - Security Coordinator
• Linda Pruss Security Engineer

3
AGENDA

• Overview of technology
• Endpoint Encryption Project
• Challenges/Issues
• Whats next

4
Effective Practices for Restricted Data
HandlingRisk Reduction Strategy
Risk Reduction Strategies

Risk Assessment

OR
THEN
OR
5
Why Encryption?
6
Its 3am

• Do you know where your laptops are?

Full Disk Encryption protects against lost devices
7
Would you trust

• this guy with your files?

File and Folder Encryption protects specific data
8
How does it work?
9
File encryption

• Think of file encryption as a secret code

A simple code A0 B1 C2 D3 Etc
A message 7 4 11 11 14 22 14 17 11 3
10
Folder encryption

• Think of folder encryption as a safe deposit box

11
Full Disk Encryption

• Think of Full Disk Encryption like a bank vault

12
How does it really work?
13
File and folder Encryption

• Encrypts individual files or entire folders
• Requires authentication to decrypt and access the
  files

14
Full Disk Encryption

• Replaces the master boot record with a special
  pre-boot environment
• Encrypts the entire hard drive
• Preboot Authentication plus OS authentication
• Decrypts as files are used

15
How to choose between Full Disk and File/Folder?
16
When to use Full Disk Encryption
Full Disk Encryption protects against lost devices
17
When to use file/folder

• Need an additional layer of security
• Need portability
• Need to support removable media

18
Endpoint Encryption Project
19
Charter

• To research tools and methods for encrypting data
  on desktops and laptops so that risk is reduced
  if a computer storing restricted data is lost,
  stolen, compromised or disposed of improperly.
• Deliverables are
• recommend a product for pilot
• pilot the product
• recommend final product to sponsors

20
Scope

• Common desktops operating systems
• Macintosh and Windows
• Full disk and file/directory level encryption
• Removable media devices
• USB drives, CDRW
• Managed (IT administered) and unmanaged
  (self-administered) systems

21
Out of scope

• Encryption of Linux OS, handhelds or smart phones
• Hardware encryption
• Database encryption
• Encryption of server-based solutions
• Secure transmission
• Secure printing

22
Out of scope

• End user education
• Best practices
• Support infrastructure
• Policy work

23
Approach

• Define the project
• Get Smart!
• Product and Market Analysis
• Requirements Gathering

24
Get Smart!

• Team knowledge and research
• NIST document (800-111) Nov, 2007
• Guide to Storage Encryption Technologies for end
  user devices
• http//csrc.nist.gov/publications/nistpubs/800-111
  /SP800-111.pdf
• Campus forum
• Leverage others work

25
Market Analysis
Source Gartner Group Full report at
http//mediaproducts.gartner.com/reprints/credant/
151075.html
26
Requirements

• Device support
• Windows all flavors
• Macintosh
• Linux
• Smart Phone/Handheld
• Industry Standard Encryption
• AES 256
• FIPS certified

27
Requirements

• Key Management
• Key backup/escrow mechanisms
• Key recovery mechanisms
• Key generation mechanisms
• Removable Media support
• USB disks, etc
• CD R/W

28
Requirements

• Management Capabilities
• Centrally managed
• Provide service to campus departments
• Cooperatively managed
• Delegated management
• Delegated management
• IT managed
• UW campus or IT department
• Unmanaged
• Self-managed

29
Requirements

• Directory Integration
• Diversity on our campuses
• The more varieties the better
• File and Folder encryption
• Dont want to support multiple product
• Leverage our Public Key Infrastructure
• Strong AuthN

30
Approach

• Define the project
• Get Smart!
• Product and Market Analysis
• Requirements Gathering
• Mapped Solutions to Requirements
• Reduce possible solutions to 9

31
Approach

• Define the project
• Get Smart!
• Product and Market Analysis
• Requirements Gathering
• Mapped Solutions to Requirements
• Reduce possible solutions to 9
• Team Test of top 2 products

32
Product Selected

• SafeBoot
• http//www.safeboot.com/
• Acquired by McAfee in Q4 2007

33
Product Selected

• Key Differentiators
• Macintosh on Roadmap
• File/Folder smartphone encryption too
• Allows for centralized, collaborative and
  delegated models
• Management not tied to specific product
• Lots of connectors (or not)
• Small desktop footprint
• Ease of use understandable

34
Challenges/Issues
35
Technical Challenges

• Market Turbulence/Definition
• Acquisitions/partnerships
• Many new features being introduced
• Assumes client/server model
• Periodic check in to server
• Delegated/collaborative management

36
Technical Challenges

• Laptop states
• Power off protection
• Screen saver
• Logoff
• Hibernate, Suspend
• Not a panacea
• Still need host hardening
• Power on protection

37
Technical Challenges

• Authentication
• Strong passwords
• 2 factor authentication
• Integrated Windows AuthN
• Synchronization issues
• Recovery
• User or machine password recovery
• Identity proofing
• Hardware Failure
• Forensics

38
Non-Technical Challenges
39
Non-Technical Challenges

• Policy
• Where and when to use Full Disk Encryption?
• Where and when to use File/Folder?
• What encryption solutions are acceptable?
• Log in once or twice?

40
Non-Technical Challenges

• Centralized service decentralized campus
• Who pays?
• Maintenance
• Running the server
• Administering the application
• Managing the service
• Support
• Help Desk calls
• 2nd level technical expertise
• Licenses

41
Non-Technical Challenges

• User Acceptance
• Department IT Staff
• Willingness to collaborate
• End Users
• Strong passwords necessary
• Double authentication with Pre-Boot
• Initial setup cost - takes time to encrypt

42
What Next?
43
What next?

• Two new project teams
• Policy
• Support Best Practices
• Pilot runs through the end of June
• Evaluating our ability to collaborate as well as
  the software
• Initial rollouts of 10-20 laptops
• Report to sponsors with recommendations
• Gradually open up pilot starting in July

44
UW Desktop Encryption Project

• Allen Monette, amonette_at_wisc.edu
• Linda Pruss, lmpruss_at_wisc.edu