
Mobile Device Encryption

Mobile Device Encryption. Chris Edwards, IT Services. Mobile Device Encryption Policy: “All confidential data must be encrypted where stored on a mobile device”. What do we mean by “encrypted”? Password protected: trivially bypassed. Encrypted: protects data if lost / stolen.


Presentation Transcript


  1. Mobile Device Encryption. Chris Edwards, IT Services

  2. Mobile Device Encryption Policy: “All confidential data must be encrypted where stored on a mobile device”

  3. What do we mean by “encrypted”?

  4. Password Protected
     • Trivially bypassed
     Encrypted
     • Protects data if lost / stolen

  5. Can we avoid encrypting?
     Could maybe:
     • avoid storing confidential data on the laptop
     • work completely “across the network”
     But:
     • often convenient to store locally anyway
     Also:
     • data cached on device
     • temporary folders
     In practice, virtually all laptops contain confidential data.

  6. What type of encryption tool?
     Folder encryption – save confidential data in a special encrypted folder
     • need to remember to do this
     • one day will forget
     • and this still doesn’t encrypt:
       • data cached on device
       • temporary folders
     Full disk encryption (FDE)
     • encrypts everything
     • hence much safer!

  7. Full Disk Encryption
     • Encrypts everything
     • Fast
     • Transparent
     • Native on common OS platforms
     • Can be enabled without reinstall

  8. Full Disk Encryption
     • Windows: BitLocker
     • macOS: FileVault
     • Linux: LUKS

  9. Standard Staff Desktop (SSD)
     • BitLocker default-on in SSD
     • (enabled at build time)

  10. Other Laptops
     • Needs to be organised in your:
       • College
       • School
       • Research Institute
       • University Service

  11. Other Laptops
     • Users should be asked to bring University-owned laptops to their Local IT Support
       • so that Full Disk Encryption can be configured

  12. Recovery Keys
     • Data stored on laptops should exist elsewhere
     • Hard drive could suffer physical failure!
     • Might forget the encryption password
     • Prudent to keep a recovery key - somewhere safe
     • BitLocker also requires key for certain hardware changes
     • For SSD, ITS holds recovery keys in campus AD
     • For non-SSD, local IT teams will want to organise their own repository
     • Keep recovery keys as part of School IT asset register
     • AD
     • Create a school “recovery agent” certificate

  13. How to…
     Detailed guides with pictures at: www.gla.ac.uk/confidentialdata
     Click on:
     • “Laptops”
     • “Memory sticks”

  14. How to…
     Guides accessible enough for most reasonably tech-savvy users. However, where possible we recommend that IT support staff do the encrypting. Precise arrangements need to be determined in your School or College. IT Services are happy to advise.

  15. Consumer Grade Laptops
     • May not have TPM chip
     • Workaround to enable BitLocker
       • boot time password
       • memory stick (unsafe??)
     • May come with a “Home” edition of Windows
       • no BitLocker!
       • may be unsuitable for storing confidential data

  16. Personal Laptops
     • University cannot mandate FDE for personally-owned laptops
     • However, requirement to encrypt confidential data stored on a mobile device still applies!!
     • Must encrypt it by some means
     • FDE might be the easiest (MS “Device Encryption”?)
     • Excellent Plan - use a terminal server (or equivalent) to completely avoid storing the data on the laptop in the first place:
       • SSDremote
       • Remote Desktop Session (e.g. RDP)

  17. Smartphones / Tablets
     • Essential to set a PIN, or equivalent protection
     • Fingerprint check
     • Swipe pattern
     • Many devices come with encryption
       • in some cases this is default-on
       • and the PIN is used to unlock the encryption

  18. Memory Sticks
     • Must be encrypted if confidential data is stored
       • guides with pictures at: www.gla.ac.uk/confidentialdata
     • In many cases easier to not store confidential data on sticks
       • use the network instead
