Laptop/Desktop Encryption with PGP Whole Disk Encryption - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
Laptop/Desktop Encryption with PGP Whole Disk Encryption
Harvard Townsend, Chief Info Security Officer, Kansas State University
harv_at_ksu.edu
December 12, 2008
2
Agenda
  • Why is encryption important?
  • Why now at K-State?
  • Encryption terminology
  • Why PGP rather than freeware?
  • Which computers should be encrypted?
  • Overview of PGP deployment plan
  • Overview of PGP Whole Disk Encryption product
  • Product demo

3
(No Transcript)
4
Why Now at K-State?
  • Thefts are happening at K-State
  • 16,000 laptops lost or stolen per week in U.S.
    and European airports!
  • State law requiring notification if Personal
    Identity Information (PII) breached
  • Three notification incidents, several scares
  • Don't have to notify if encrypted
  • New data classification policy mandates it for
    confidential data
  • Encryption products mature, affordable

5
Terminology
  • Encryption - process of transforming information
    (referred to as plaintext) using an algorithm
    (called cipher) to make it unreadable to anyone
    except those possessing special knowledge,
    usually referred to as a key.
  • Decryption - transforming the information back
    into a readable format

6
Terminology
  • Encryption key - the secret code used to encrypt
    and/or decrypt information; you're in big trouble
    if you lose/forget this unless you have a key
    recovery system
  • Whole disk encryption (WDE) - all data on the
    drive is encrypted, including the operating
    system; master boot record often unencrypted; aka
    full disk encryption; there are hardware WDE solutions

7
Terminology
  • Volume or file/folder encryption - information in
    a specific file, folder, or volume is encrypted,
    not the entire disk. Usually the operating system
    volume is not encrypted. Leaves you vulnerable to
    temporary files, cache files, forgotten files
  • AES 256 - Advanced Encryption Standard w/ 256-bit
    keys; descriptive of the algorithm used to
    encrypt the data; the longer the key, the harder
    it is to crack

8
Why PGP Whole Disk Encryption?
  • SIRT evaluation process selected PGP
  • Met requirements
  • Supports Macs now
  • Attractive price
  • Superior management environment
  • Need a managed product to ensure data can be
    recovered
  • TrueCrypt, which is free, can do whole disk
    encryption now but does not support centralized
    management of keys

9
What should be encrypted?
  • Data classification security standards for
    confidential data
  • Should not store on an individual's workstation
    or mobile device (e.g., a laptop computer); if
    stored on a workstation or mobile device, must
    use whole-disk encryption
  • So this isn't just about laptops; encrypting
    desktops important too
  • Vulnerable to compromise
  • Can be stolen too

10
What should be encrypted?
  • Recommended for internal data too, like student
    grades
  • Confidential or internal data not always obvious:
    old files, temp files, browser cache, deleted
    file remnants
  • Considered best practice to encrypt all laptops
  • Those who travel a lot, especially out of the
    country, should use WDE (remember 16,000
    laptops per week lost or stolen in U.S. and
    European airports!)

11
PGP WDE deployment plan
  • Purchase in process
  • 32 instead of 38; invoice in January
  • Will accept more commitments until 5pm Dec. 19
  • After that, normal higher ed price
  • Developing web site with instructions, info
  • SIRT will develop a default recommended
    configuration
  • Distributed deployment, like Trend Micro
  • Licenses distributed by Josh McCune

12
PGP WDE deployment plan
  • Central managed environment (PGP Universal
    Server) available
  • Managed by Josh McCune
  • Free installation of laptop client by Tech
    Service Center in East Stadium (only for those
    using central service)
  • iTAC Help Desk for key/data recovery
  • Will announce it when available
  • Departments, colleges can set up their own
    management environment

13
PGP WDE deployment plan
  • Purchase includes two years basic support
  • All product updates, patches
  • Mac version that supports Boot Camp on their
    product roadmap for summer 09
  • Two phone contacts for University
  • Josh McCune
  • iTAC Help Desk manager
  • 8-5 M-F phone support

14
PGP WDE Overview
  • Whole Disk Encryption for Windows and Macs
  • File/Folder encryption (works with USB flash
    drives)
  • Must have PGP license wherever USB drive used
  • File Shredder tool
  • PGP Zip archive tool
  • PGP Self-Decrypting archive tool
  • PGP Universal Server included
  • Runs on Linux
  • Works well in a virtual server environment

15
PGP for Macs
  • Minimum requirements
  • Intel-based Mac OS X 10.4.10 and later, system
    volumes only
  • PowerPC-based Mac OS X 10.4.X and Mac OS X
    10.5.X, non-system volumes only
  • In other words, no whole disk encryption for
    PowerPC-based Macs; will do file/folder-based
  • Does not support Boot Camp now; expected summer
    2009
  • Does support running Windows in a virtual machine
    with VMware Fusion or Parallels

16
PGP WDE Demo
  • Windows client
  • Mac client
  • Management environment

17
What's on your mind?
18
Requirements
  • Full-disk encryption
  • Pre-boot/Pre-OS encryption
  • File/folder encryption optional
  • Strong encryption (AES 256)
  • Windows, Mac OS X support
  • Support centralized management (configuration,
    keys, data recovery)
  • Easy installation/uninstallation
  • Ease of use
  • Minimal performance impact
  • USB device support desirable