Jon Allen Information Security Officer Baylor University Adam Sealey Information Security Analyst...

Post on 22-Dec-2015


Jon Allen, Information Security Officer, Baylor University

Adam Sealey, Information Security Analyst, Baylor University

Bob Hartland, Director of Security, IT Servers, and Networks, Baylor University

Copyright Baylor University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

• Chartered in 1845
• Largest Baptist university in the world
• 14,000 students
• 2,225 full-time employees
• 6,500 Baylor-owned computers, including labs, checkouts, etc.
• Approx. 800 faculty/staff assigned laptops


• Background on Encryption
• Types of Encryption
• Selection Process
• Implementation
• Retrospective
• The Future
• Q & A


• Offices have now become mobile
• Increasing move to laptops
• Large percentage of data losses involve laptop theft/loss
• 34 states have enacted privacy legislation requiring notification if breached data is not encrypted
• Migration from using SSN did not eliminate old stores of information


Spring semester breach reports (source: www.privacyrights.org)
• On average, 50% of reported breaches involved laptop theft
• Numerous examples exist in higher education


Company              Type of Loss                   Records affected
LifeBlood            SSNs of donors                 321,000
Horizon Blue Cross   SSNs of customers              300,000
CollegeInvest        PII of customers               200,000
Harley Davidson      CC#s, driver's licenses         60,000
Agilent              SSNs of customers               51,000

Texas privacy legislation covers:
• Social Security Number
• Driver's license number
• Credit card number
• Bank account number

Also in scope: FERPA records, PCI (Payment Card Industry) data


Manual
• Tools that allow users to manually encrypt and decrypt files and folders
• Ex: GnuPG, TrueCrypt, AxCrypt

Automatic (Folder Level)
• Tools that allow users to define folders or virtual drives that are automatically encrypted (anything written outside the designated folder or drive, such as temporary files or the page file, is not protected)
• Ex: Windows EFS, PGP

Whole Disk
• Boot-time software that provides real-time encryption/decryption below the OS level; encrypts the entire volume or disk
• Ex: PGP, PointSec, SafeBoot, BitLocker, TrueCrypt


Comparison matrix (ratings not reproduced in the transcript)
Columns: Manual | Automatic (Folder Level) | Whole Disk
Rows: Cost, Performance, User Education, User Interaction, Temporary Files, Multi-Platform, Disaster Recovery, Central Management
Legend: Meets requirement / Partially meets requirement / Does not meet requirement

Selection process performed Fall 2005

These weights are for our situation. They need to be re-evaluated for each University’s unique requirements.

Weight   Criteria
5        Whole disk
5        Limited system performance impact
4        Centralized management
4        Passphrase recovery
3        Ease of deployment
3        Cost
1        OS platform (support for multiple OS; Windows assumed)


PointSec (www.checkpoint.com)
• Recently acquired by Check Point. Was independent at the time of the evaluation.

Vista BitLocker (www.microsoft.com)
• Available only on Vista Ultimate and Enterprise, which was not in production at time of product selection.
• Requires a TPM in its default configuration (a USB startup key without a TPM needs a Group Policy change).

PGP (www.pgp.com)
• Good centralized management, solid reputation, and low system impact led to us choosing PGP as our solution.

SafeBoot (www.safeboot.com)
• Added to product space after vendor selection.


Installation
• Manual vs. automatic

Setting up central server
• Work through DR scenarios as well
• Migrated to VM September 2007

Internal QA procedure
• Working PGP into our system workflow
• Only disk encryption, not mail, for most users


Workstation configuration
• Backups
• Screensavers
• Hibernation vs. standby (with whole-disk encryption, resuming from hibernation goes back through pre-boot authentication, while standby keeps the volume key in RAM)

Authentication method
• Single sign-on
• Unified authentication
• Separate credentials

Administrative tasks
• Handling forgotten passphrases
• Identifying which workstations require encryption
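The "passphrase recovery" criterion in the selection weights and the "handling forgotten passphrases" task above rest on one mechanism: the disk is encrypted under a random volume key, and that key is wrapped separately under the user's passphrase and under a recovery key escrowed on the central server, so a forgotten passphrase is fixed by re-wrapping one slot rather than re-encrypting the disk. The following is an added illustration of that mechanism, not PGP's code or on-disk format; the slot layout, parameter names and the use of HMAC-SHA256 counter mode plus an HMAC tag as a standard-library stand-in for AES key wrap are all assumptions.

```python
"""Passphrase slots with administrative key escrow (added example, not a vendor format)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to the hardware
KEY_LEN = 32                  # 256-bit keys throughout


def _prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (stdlib stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(kek: bytes):
    """Derive independent encryption and MAC keys from one key-encryption key."""
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap(kek: bytes, volume_key: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC the volume key under kek with a fresh nonce per wrap."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    stream = _prf_stream(enc_key, nonce, len(volume_key))
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(kek: bytes, slot: Dict[str, bytes]) -> Optional[bytes]:
    """Return the volume key, or None if kek is wrong or the slot was tampered with."""
    enc_key, mac_key = _subkeys(kek)
    expected = hmac.new(mac_key, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    stream = _prf_stream(enc_key, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))


def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen header resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, KEY_LEN)


def create_header(passphrase: str, recovery_key: bytes) -> dict:
    """Generate a volume key and wrap it for both the user slot and the recovery slot."""
    volume_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    return {
        "user_salt": salt,
        "user_slot": wrap(passphrase_kek(passphrase, salt), volume_key),
        "recovery_slot": wrap(recovery_key, volume_key),   # recovery_key lives on the server
    }


def unlock(header: dict, passphrase: str) -> Optional[bytes]:
    """Pre-boot authentication path: passphrase -> KEK -> volume key."""
    return unwrap(passphrase_kek(passphrase, header["user_salt"]), header["user_slot"])


def recover(header: dict, recovery_key: bytes) -> Optional[bytes]:
    """Help-desk path: the escrowed recovery key opens the disk without the passphrase."""
    return unwrap(recovery_key, header["recovery_slot"])


def reset_passphrase(header: dict, recovery_key: bytes, new_passphrase: str) -> bool:
    """Forgotten passphrase: re-wrap the user slot; the disk itself is not touched."""
    volume_key = recover(header, recovery_key)
    if volume_key is None:
        return False
    salt = secrets.token_bytes(16)
    header["user_salt"] = salt
    header["user_slot"] = wrap(passphrase_kek(new_passphrase, salt), volume_key)
    return True


if __name__ == "__main__":
    rk = secrets.token_bytes(KEY_LEN)
    hdr = create_header("correct horse battery", rk)
    vk = unlock(hdr, "correct horse battery")
    assert unlock(hdr, "wrong") is None and recover(hdr, rk) == vk
    assert reset_passphrase(hdr, rk, "new passphrase") and unlock(hdr, "new passphrase") == vk
    print("user unlock, recovery and passphrase reset all yield the same volume key")
```

The design consequence for central management is visible in the code: the recovery key must be generated and stored on the server before the client is deployed, and whoever holds that key can open every enrolled disk, so the server (and its backups, which the DR scenarios above cover) becomes the most sensitive asset in the rollout.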


• Administration buy-in
• Thorough testing up front
• Respond quickly to concerns
• Exhaustively test new versions; do not feel compelled to upgrade until testing is complete


Over 540 clients deployed
• Of those, over 90% are laptops

Requirements have evolved
• Require all faculty/staff laptops to be encrypted: over 800 laptops
• Goal: include both Mac and Linux installations

Full-time employee dedicated to PGP rollout and maintenance


Do we think we made the right choice?
• Whole disk
• PGP

What would we have done differently?
• Better process for identifying who needs encryption: data inventory
• More resources: QA resources, deployment resources
• More realistic timelines: deployment timeline
• Leverage asset management tools to identify target computers sooner
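The two retrospective points about identifying target computers sooner and the earlier administrative task of identifying which workstations require encryption come down to one recurring report: join the asset inventory against the encryption server's enrolment export and list every in-scope laptop that is not demonstrably encrypted. The following is an added example of that reconciliation; the CSV columns, the sample rows and the 30-day staleness threshold are constructed for illustration and are not Baylor's inventory or PGP's export format.

```python
"""Encryption coverage gap report (added example; data and column names are constructed)."""
import csv
import io
from datetime import date, timedelta
from typing import List, Tuple

# Constructed asset-management export.
INVENTORY_CSV = """asset_tag,hostname,form_factor,assigned_to,role
A1001,LT-SMITH,laptop,jsmith,faculty
A1002,lt-jones,laptop,ajones,staff
A1003,DT-LAB-01,desktop,,lab
A1004,LT-LOANER-7,laptop,,checkout
A1005,LT-LEE,laptop,blee,faculty
A1006,LT-ADMIN-2,laptop,mwong,staff
"""

# Constructed encryption-management-server export: one row per enrolled client.
ENROLLMENT_CSV = """hostname,disk_encrypted,last_checkin
LT-SMITH,true,2008-03-01
LT-JONES,true,2007-11-15
LT-LEE,false,2008-03-02
"""

# Policy from the slides: every faculty/staff laptop must be encrypted.
IN_SCOPE_ROLES = {"faculty", "staff"}


def find_gaps(inventory_csv: str, enrollment_csv: str, as_of: str,
              stale_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (asset_tag, hostname, reason) for each in-scope laptop not demonstrably encrypted."""
    as_of_date = date.fromisoformat(as_of)
    # The two systems spell hostnames differently; normalise before joining.
    enrolled = {r["hostname"].strip().upper(): r
                for r in csv.DictReader(io.StringIO(enrollment_csv))}
    gaps = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["form_factor"] != "laptop" or row["role"] not in IN_SCOPE_ROLES:
            continue   # desktops, lab and checkout machines are outside this policy
        host = row["hostname"].strip().upper()
        rec = enrolled.get(host)
        if rec is None:
            reason = "not enrolled"
        elif rec["disk_encrypted"].strip().lower() != "true":
            reason = "enrolled, encryption not complete"
        elif as_of_date - date.fromisoformat(rec["last_checkin"]) > timedelta(days=stale_days):
            # A client that stopped reporting may have been rebuilt or had the agent removed.
            reason = "stale check-in, state unknown"
        else:
            continue   # enrolled, encrypted, and recently seen
        gaps.append((row["asset_tag"], host, reason))
    return sorted(gaps)


def demo() -> List[Tuple[str, str, str]]:
    """Run the report over the constructed data as of a fixed date."""
    return find_gaps(INVENTORY_CSV, ENROLLMENT_CSV, as_of="2008-03-05")


if __name__ == "__main__":
    for tag, host, reason in demo():
        print(f"{tag} {host}: {reason}")
```

The staleness rule is the part most often left out: an enrolment record alone says a client once existed, not that the disk is encrypted today, so a machine that has not checked in within the window is reported as a gap rather than counted as covered.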


Encryption included with software
• OS
• Databases

Further legislation mandating encrypted storage
• PCI
• HIPAA
• Federal legislation

Data classification and inventory
• Let the policy drive the security effort


Jon Allen, Information Security Officer, Jon_Allen@baylor.edu

Bob Hartland, Director of Security, IT Servers, and Networks, Bob_Hartland@baylor.edu

Adam Sealey, Information Security Analyst, Adam_Sealey@baylor.edu

Derek Tonkin, Information Security Analyst, Derek_Tonkin@baylor.edu