Post on 14-Dec-2014
IMPLEMENTING DEVICE ENCRYPTION IN THE ENTERPRISE
George Mason's rollout of Utimaco's SafeGuard Easy Enterprise
Some History
Whole disk encryption seen as the only solution
Product evaluation in 2005 led to the selection of Utimaco Safeguard Easy
The Safeguard Easy stand-alone solution was deployed in 2006 to a limited number of laptops
The Environment
MESA – Mason Enterprise Services Architecture: the newly deployed Active Directory
Open Source SMS for deployment and support
Only XP or Vista clients: at-risk systems are exclusively Windows XP or Vista with BitLocker
Project Goals
Leverage existing deployment and management systems
Allow for some delegated control
Provide audit trail
Minimize impact on end clients
Ensure a simple, robust & redundant support structure
Project Scope
At first, it was the laptops.
Policies changed, requiring encryption at rest for all workstations with sensitive data stores.
The targets for encryption changed to workstations in all business units that routinely work with sensitive data.
The Technology
SafeGuard Easy Enterprise (SGN) v5.2
The Management Server: VMware ESX hosted Windows 2003 server, MS SQL 2005, IIS for client-server communication
The Deployment Vehicle: a scripted install for unmanaged XP clients, MSI install packages for managed clients
Administrative Interface: heavy client connects over MS SQL ports to the server
The Support Roles
Master Security Officer: manage roles, create Security Officers
Security Officer: everything but MSO functions
Help Desk Officer: challenge/response process; view policies, directories and event logs
Client Recovery Methods
Challenge/Response
PE or BartPE recovery boot media for in-the-field recovery
Slaving the hard drive for OS recovery (Security Office supported)
Configuration Choices
Policy-driven configuration
Encryption protocol: AES256
Which key to use for system encryption: the default computer key
Whether to synchronize pre-boot authentication with OS authentication
Whether to allow additional device encryption
Whether to allow external boot media for recovery
Communication
Communication pieces for: departmental business and technical leads, end clients, the Support Center, recovery technicians
Training for support staff: technical overview, challenge/response process, device recovery process
Deployment Process
Ringed deployment
Security Office: debug and verify the install
ITU internal group: support testing and client feedback
Pilot external group: an easy sell to groups who had experienced exposure
All identified external groups
Lessons Learned
Password resets can be confusing
Watch the Utimaco knowledge base for known issues
The SafeGuard Easy client lags major patch releases; this creates complexity that needs to be managed and communicated clearly
Clearly written support documentation is critical
System Overview