260 likes | 391 Views
0. Stay out of the News Encrypt your Files. Educause National Conference October 10, 2006. Tim Foley. Gale Fritsche. Lehigh University. Library and Technology Services. Lehigh Overview. 0. Founded in 1865. Private research university located 90 miles west of NYC
E N D
0 Stay out of the News Encrypt your Files Educause National Conference October 10, 2006 Tim Foley Gale Fritsche Lehigh University Library and Technology Services
Lehigh Overview 0 • Founded in 1865. Private research university located 90 miles west of NYC • Ranks 33rd out of 248 national universities in US News and World Report’s annual survey • Approx 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff • Approx 90% Windows PCs, 5% Mac and 5% other (Linux etc.)
0 Library & Technology ServicesOrganizational Structure Vice Provost Library & Technology Client Services Administration & Advancement Library Systems & Collections Enterprise Systems Technology Management Distance Education & Faculty Development
Why we need to encrypt Lehigh’s Committee Structure Process & Recommendation Issues and Concerns Other Data Security Initiatives 0 Presentation Agenda
0 Why do you need encrypted information? • Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP March 29, 2005) • A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 05) • VA laptop stolen exposing sensitive data of over 26 million veterans (GCN, May 22, 2006) • Stolen GE laptop contains social security numbers of 50,000 current and former employees (Reuters, Sept 26, 2006)
31 states with security breach laws Consumers Union report as of 6/27/06 Reported breaches - 93,998,906people affected since 2/15/05 see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
0 Committee Structure Advisory Council for Information Services Advisory Council for Information Services – sets university wide information services policies Account Opening Sub Committee – revises account opening procedures to comply with FERPA and remove SSNs Data Encryption Sub Committee – Address the best way to encrypt PCs, Macs, PDAs and other portable devices, and backups Data Advisory Council Identity Management Sub Committee – redesigns Lehigh’s current authentication system Data Advisory Council – ensures data standards are maintained and enforced Firewall Sub Committee – Develops plans on the best use of Lehigh’s firewalls Data Standards Committee E-Security Committee E-Security Committee – examines and recommends implementation of security related practices and policies Data Standards Committee – standards for shared data elements in Banner Account Opening Sub Committee Firewall Sub Committee Data Encryption Sub Committee Identity Mgmt Sub Committee
0 Committee Charge • Systems Analysts • Security and Policy Officer • Computing Consultants • Database Manager • Enterprise Information Consultant • Client Services Team Leaders Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS backups to comply with the Lehigh University security plan Members Data Encryption Sub Committee
Subgroups Formed 0 • Basic file access to LTS shares • Removable media • PDAs (Palms and Pocket PCs) • Desktop PC encryption (Windows and Macs) • Backups (Windows and Enterprise) • Encryption of Unix, and Oracle • Microsoft SQL Server Security • Management of Encryption keys • End user training
0 Evaluation Process • Off campus visit • Web/periodical research • Various meetings with clients • Encryption software testing and evaluation • Whole disk encryption • File/folder/virtual disk encryption • Encryption webpage development • Data security seminar development • Finalized Recommendations • Develop data security policy to maintain compliance with FERPA, GLBA and HIPAA
No Encryption Boot Process Boot Process Data Data Operating System Operating System File Encryption Encryption Whole Disk Encryption Boot Process Encryption Software Authentication Data Operating System How Whole Disk Encryption Works
Encryption Needs A Key • A 256 bit key has 2256 possible different number of combinations • There are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits Source http://www.UNIX.org
Whole Disk Encryption Evaluation • WinMagic (Securedoc 4.2) • http://www.winmagic.com/ • PGP Desktop Pro 9.0 • http://www.pgp.com/ • Pointsec 6.0 • http://www.pointsec.com/ • Securstar (DriveCrypt 3.5) • http://www.drivecrypt.com/ • Ultimaco (Safeguard 4.2) • http://americas.utimaco.com/safeguard_easy/
Gartner’s Magic Quadrant (Mobile Data Protection)
Whole Disk Encryption Evaluation Process • Step 1: Refreshed a computer with Windows XP SP2 • Step 2: Benchmark tests on CPU, Memory and Hard Disk to create a baseline • Step 3: Installed a whole disk encryption product and ran the benchmark test again. • Step 4: Compared the results to the baseline • Step 5: Repeat Steps 1-4 for each product
Whole Disk Encryption Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk
Whole Disk Encryption Windows XP Benchmarks Performance Test 6.0: http://www.passmark.com/ • CPU Tests (Examples) • Integer and floating point Math (MOps/Sec) • Image Rotation (# Rotations /Sec) • String Sorting (Thousands strings per second) • Memory Tests • Memory write (Mbytes transferred/sec) • Read cached, Read uncached (Mbytes transferred/sec) • Disk Tests • Sequential read, Sequential write (Mbytes transferred/sec) • Random Seek (Mbytes transferred/sec)
Encryption Software Benchmark Results Benchmark software used: Performance Test 6.0 Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk
File/Virtual Disk Encryption Evaluation • Windows XP (EFS Encryption) • http://www.microsoft.com/ • Truecrypt 4.2a • http://www.truecrypt.org/ • SecureStar (Drivecrypt 3.5) • http://www.securstar.com/ • CyberAngel • http://www.thecyberangel.com/
Encryption Software Evaluation Virtual Disk/File/Folder Encryption
0 Committee Recommendations • Whole disk encryption for PCs • Virtual Disk and folder/file encryption • Encrypted disk images for Macintosh • Folder encryption using Windows EFS encryption • Truecrypt for Pocket PCs and removable media • Password protect Palm devices or Pocket PCs • Backup encryption (EFS Encryption and MS Backup) • Restricting local logins (XP local security policies) for users with Banner reporting roles • Enterprise backups are secure in machine room and transit. Still examining options for enterprise backup • Terminal Servers for FERPA, GLBA and HIPAA applications
Lehigh Data Security Policy Classification of Data • Confidential Data (Highest level of security) • Protected due to legal requirements (HIPAA, GLBA, FERPA) • All data must be in Encrypted form • Whole disk encryption of PCs is mandatory • Institutional/Proprietary Data (Moderate level of security) • All data must be in encrypted form (including backups) • Whole disk encryption is an option • Public Departmental Data (Lowest level of security) • Protected at the discretion of the department/owner • Recommended that data be stored on secured LAN drives
Addressing Security Requirements Small subset of actual sensitive data evaluated
Methods being Evaluated • SDRAM cards in Pocket PCs and Palm Devices • Enterprise tape backup Encryption • Windows VISTA and Bit Blocker Encryption (Need TPM – Trusted Platform Module) • Winzip as a method of Encrypting backups
Issues and Concerns 0 • Cost of software • Recovering data on drives using whole disk encryption • Management of encryption keys • Privileges to download banner/access reports to PCs • Leaking Data • The recycle bin, temporary internet files • Laptop sleep mode (writes desktop to temporary files) • Management of shared encrypted resources
Contact Information Tim Foley – tim.foley@lehigh.edu Gale Fritsche – gale.fritsche@lehigh.edu Presentation is available at: http://www.educause.edu/E06/9164