130 likes | 292 Vues
Encryption. Jack Roberts, PPD, RAL, STFC. Why?. Government reaction to high profile data losses. STFC General Notices 30 th January, 1 st February 2008.
E N D
Encryption Jack Roberts, PPD, RAL, STFC
Why? • Government reaction to high profile data losses. • STFC General Notices 30th January, 1st February 2008. “staff are hereby instructed that no unencrypted laptops or drives containing personal data should be taken off STFC sites” (30th January)
What is “Personal Data”? “A. Any information that links one or more identifiable living person with private information about them.” “B. Any source of information about 1,000 identifiable individuals or more, other that information sourced from the public domain.” “Consequently, all laptops and PDAs need to be encrypted before they can be taken off site.” (1st February)
What Product? • CRITERIA • CESG approved • FIPS-140 • Full Disk encryption • Need to be able to manage centrally • Transparent to the user • BUT • No Mac solution • Only limited Linux support • No dual boot solution • Products used in STFC • BeCrypt • Pointsec for PC • Pointsec Mobile Red Hat SuSE 9.x RHEL 4 NLD
BeCrypt Pointsec Mobile • Quick fix • ~5 installations in PPD/~100 in STFC • No installation problems • No central management console. • Slightly more expensive than Pointsec for PC • For PDAs • Not yet used in PPD • Tested on a few PDAs in STFC, only 1 successful install. • Newer version being tested.
Pointsec for PC(now renamed as Check Point Full Disk Encryption?)
Installation • Method • Initial preparation. • Installed like a normal application. • Typically takes around 4 hours. • Problems • Has refused to install on one or two laptops. • Not compatible with 64-bit Vista.
How Does It Work? BIOS Pointsec Authentication Screen OS Loads Log in to OS User Account User works as normal Single Sign On (SSO) Enters user’s OS account details automatically.
Recovery • Management Console • Central store of recovery files. • Unlocking user accounts/changing passwords remotely • Decryption
License Key bug • Temporary license key expired 21st March (Good Friday......). • Mad rush on Tuesday 25th to distribute new license key to make sure laptops don’t decrypt. • Some laptops with the new key start decrypting – eek! • Why? License key checks at logon that it can contact an IP address, i.e. No Network Connection = Invalid license = Laptop Decrypts.
Current Status • In PPD: • ~95% Windows Laptops encrypted • ~75% of all Laptops encrypted. • 0 laptops corrupted. • In STFC: • 724 laptops encrypted (6th June). • Maybe one or two laptops corrupted.
For the future... • Hope to be able to perform a risk assessment within the organisation. • Hopeful that a Mac solution will soon be available. • Start encrypting PDAs.