Jon AllenInformation Security Officer

Baylor University

Adam SealeyInformation Security Analyst

Baylor University

Bob HartlandDirector of Security, IT Servers,

and NetworksBaylor University

Copyright Baylor University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the

copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Chartered in 1845 Largest Baptist University in

the world 14,000 Students 2,225 Full Time Employees 6,500 Baylor owned

computers• Including labs, checkouts, etc.

Approx. 800 Faculty/Staff assigned laptops

2

3

Background on Encryption Types of Encryption Selection Process Implementation Retrospective The Future Q & A

4

5

Offices have now become mobile• Increasing move to laptops• Large percentage of data losses involve

laptop theft/loss 34 states have enacted privacy

legislation requiring notification if breached data is not encrypted

Migration from using SSN did not eliminate old stores of information

6

Spring Semester (www.privacyrights.org)

• Average 50% of reported breaches involved laptop theft

Numerous examples exist in higher education

7

Company Type of Loss Amount of Loss

LifeBlood SSN’s of Donors 321,000

Horizon Blue Cross SSN’s of Customers 300,000

CollegeInvest PII of Customers 200,000

Harley Davidson CC#’s, Drivers Licenses

60,000

Agilent SSN’s of Customers 51,000

Texas Privacy Legislation • Social Security Number• Driver’s License number• Credit card number• Bank account number

FERPA records PCI (Payment Card Industry)

8

9

Manual• Tools that allow users to manually encrypt and

decrypt files and folders Ex: GnuPGP, TrueCrypt, AXCrypt

Automatic (Folder Level)• Tools that allow users to define folders or virtual

drives that are automatically encrypted Ex: Windows EFS, PGP

Whole Disk• Boot time software that provides real-time

encryption/decryption below the OS level. Encrypts the entire volume or disk Ex: PGP, PointSec, SafeBoot, BitLocker, TrueCrypt

10

ManualAutomatic

(Folder Level)

Whole Disk

Cost

Performance

User Education

User Interaction

Temporary Files

Multi-Platform

Disaster Recovery

Central Management

11

Meets requirement Partially meets requirement Does not meet requirement

Performed Fall 2005

16

These weights are for our situation. They need to be re-evaluated for each University’s unique requirements.

Weight Criteria

5 Whole Disk

5 Limited system performance impact

4 Centralized management

4 Passphrase recovery

3 Ease of deployment

3 Cost

1 OS Platform ( Support for multiple OS, Windows assumed)

17

PointSec (www.checkpoint.com)• Recently acquired by Checkpoint. Was independent

at the time of the evaluation. Vista BitLocker (www.microsoft.com)

• Available only on Vista Ultimate and Enterprise, which was not in production at time of product selection.

• Requires TPM PGP (www.pgp.com)

• Good centralized management, solid reputation, and low system impact led to us choosing PGP as our solution.

SafeBoot (www.safeboot.com)• Added to product space after vendor selection.

18

19

Installation• Manual vs. Automatic

Setting up central server• Work through DR scenarios as well• Migrated to VM September 2007

Internal Q/A procedure• Working PGP into our system workflow• Only disk encryption, not mail for most

users

20

Workstation Configuration• Backups• Screensavers• Hibernation vs. Standby

Authentication Method• Single Sign-on• Unified authentication• Separate Credentials

Administrative Tasks• Handling forgotten passphrases• Identifying which workstations require

encryption

21

Administration Buy-in Thorough testing to up front Respond quickly to concerns Exhaustively test new versions

• do not feel compelled to upgrade until testing is complete

22

23

Over 540 clients deployed• Of those over 90% are laptops

Requirements have evolved• Require all faculty/staff laptops be

encrypted Over 800 laptops

• Goal: Include both Mac and Linux installations

Full time employee dedicated to PGP rollout and maintenance

24

Do we think we made the right choice?• Whole disk• PGP

What would we have done differently• Better process for identifying who needs

encryption Data Inventory

• More resources QA resources Deployment resources

• More realistic timelines Deployment timeline

• Leverage Asset Management tools to identify target computers sooner

25

Encryption included with software• OS• Databases

Further legislation mandating encrypted storage• PCI• HIPAA• Federal Legislation

Data Classification and Inventory• Let the policy drive the security effort

26

27

Jon AllenInformation Security

OfficerJon_Allen@baylor.edu

Bob HartlandDirector of Security, IT Servers, and

NetworksBob_Hartland@baylor.edu

Adam SealeyInformation Security

AnalystAdam_Sealey@baylor.edu

28

Derek TonkinInformation Security

AnalystDerek_Tonkin@baylor.edu