Laptop/Desktop Encryption with PGP Whole Disk Encryption

Harvard Townsend
Chief Info Security Officer
Kansas State University
[email protected]
December 12, 2008


Agenda

- Why is encryption important?
- Why now at K-State?
- Encryption terminology
- Why PGP rather than freeware?
- Which computers should be encrypted?
- Overview of PGP deployment plan
- Overview of PGP Whole Disk Encryption product
- Product demo


Why Now at K-State?

- Thefts are happening at K-State
- 16,000 laptops lost or stolen per week in U.S. and European airports!
- State law requiring notification if Personal Identity Information (PII) breached
- Three notification incidents, several scares
- Don’t have to notify if encrypted
- New data classification policy mandates it for confidential data
- Encryption products mature, affordable


Terminology

Encryption – the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Decryption – transforming the information back into a readable format


Terminology

Encryption key – the secret code used to encrypt and/or decrypt information; you’re in big trouble if you lose/forget this… unless you have a key recovery system

Whole disk encryption (WDE) – all data on the drive is encrypted, including the operating system; the master boot record is often unencrypted; aka “full disk encryption”; there are hardware WDE solutions


Terminology

Volume or file/folder encryption – information in a specific file, folder, or volume is encrypted, not the entire disk. Usually the operating system volume is not encrypted. Leaves you vulnerable to temporary files, cache files, forgotten files

AES 256 – Advanced Encryption Standard with 256-bit keys; describes the algorithm used to encrypt the data; the longer the key, the harder it is to crack


Why PGP Whole Disk Encryption?

- SIRT evaluation process selected PGP
  - Met requirements
  - Supports Macs now
  - Attractive price
  - Superior management environment
- Need a managed product to ensure data can be recovered
- TrueCrypt, which is free, can do whole disk encryption now but does not support centralized management of keys


What should be encrypted?

- Data classification security standards for confidential data: “Should not store on an individual’s workstation or mobile device (e.g., a laptop computer); if stored on a workstation or mobile device, must use whole-disk encryption”
- So this isn’t just about laptops – encrypting desktops important too
  - Vulnerable to compromise
  - Can be stolen too


What should be encrypted?

- Recommended for internal data too, like student grades
- Confidential or internal data not always obvious – old files, temp files, browser cache, deleted file remnants
- Considered best practice to encrypt all laptops
- Those who travel a lot, especially out of the country, should use WDE (remember – 16,000 laptops per week lost or stolen in U.S. and European airports!)


PGP WDE deployment plan

- Purchase in process
  - $32 instead of $38; invoice in January
  - Will accept more commitments until 5pm Dec. 19
  - After that, normal higher ed price
- Developing web site with instructions, info
- SIRT will develop a default recommended configuration
- Distributed deployment, like Trend Micro
- Licenses distributed by Josh McCune


PGP WDE deployment plan

- Central managed environment (“PGP Universal Server”) available
- Managed by Josh McCune
- Free installation of laptop client by Tech Service Center in East Stadium (only for those using central service)
- iTAC Help Desk for key/data recovery
- Will announce it when available
- Departments, colleges can set up their own management environment


PGP WDE deployment plan

- Purchase includes two years basic support
- All product updates, patches
- Mac version that supports Boot Camp on their product roadmap for summer 09
- Two phone contacts for University
  - Josh McCune
  - iTAC Help Desk manager
- 8-5 M-F phone support


PGP WDE Overview

- Whole Disk Encryption for Windows and Macs
- File/Folder encryption (works with USB flash drives)
  - Must have PGP license wherever USB drive used
- File Shredder tool
- PGP Zip archive tool
- PGP Self-Decrypting archive tool
- PGP Universal Server included
  - Runs on Linux
  - Works well in a virtual server environment


PGP for Macs

- Minimum requirements:
  - Intel-based: Mac OS X 10.4.10 and later, system volumes only
  - PowerPC-based: Mac OS X 10.4.X and Mac OS X 10.5.X, non-system volumes only
- In other words, no whole disk encryption for PowerPC-based Macs; will do file/folder-based
- Does not support Boot Camp now; expected summer 2009
- Does support running Windows in a virtual machine with VMware Fusion or Parallels


PGP WDE Demo

- Windows client
- Mac client
- Management environment


What’s on your mind?


Requirements

- Full-disk encryption
- Pre-boot/Pre-OS encryption
- File/folder encryption optional
- Strong encryption (AES 256)
- Windows, Mac OS X support
- Support centralized management (configuration, keys, data recovery)
- Easy installation/uninstallation
- Ease of use
- Minimal performance impact
- USB device support desirable
