Safeguarding the Wild West of laptops
Ben Faire, Michael McLannahan
encryption@cardiff.ac.uk

Topics
• How we started encryption at Cardiff University
• How the original service was set up
• Improvements that were made
• Moving the project forward and improving uptake

What's your progress?
Where are you with encryption for workstations/laptops?
Educating our staff
• ISF (Information Security Framework) annual training for all staff
• Data Protection applies to ALL staff within the organisation
• Cardiff University is registered as a data controller with the Information Commissioner's Office (ICO)
• A serious breach of one or more of the DPA (Data Protection Act) principles can result in a fine of up to £500,000
• EU General Data Protection Regulation (GDPR) enforced from May 2018 (replacing the DPA): fines can be up to €20 million or 4% of annual turnover, whichever is higher
• Individuals can also face criminal charges under certain conditions
• Cardiff has experienced potential losses of unencrypted devices

Why Sophos SafeGuard?
• One interface/system for BitLocker and FileVault 2
• Cost:
  • Symantec (5,000 users, 5 years): £1,200,000
  • Gradian (hosted) (5,000 users, 5 years): £1,900,000
  • Sophos (site licence, 5 years): £170,000*
• FDE (full-disk encryption) as well as FE (file encryption)
• Auditing of clients
• Compliance with the FIPS 140-2 standard
* Retrospective support contract added for Sophos products (£42k for 3.25 years)
Sophos SafeGuard v1 (architecture diagram)
• Off site: SafeGuard Client
• On site: SafeGuard Server 1

Sophos SafeGuard v2 (architecture diagram)
• Off site: ZENworks Agent + SafeGuard Client
• On site: ZENworks Agent + SafeGuard Client; OES Appliance 1 (Linux); OES Appliance 2 (Win); SafeGuard Server 1; SafeGuard Server 2
• DMZ: SafeGuard WebHelpDesk
How do we support the service?
Support:
• Yammer private group
• Service desk
• Telephone
• IM (Skype for Business)
• Extended teams have recovery key access via the web portal
• PDFs, PowerPoint and Panopto guidance produced
Service:
• DMZ server(s)
• Accurate inventory
• Labelled assets
• Dedicated staffing
• Continued one-to-one sessions with technical support staff
• Local admin rights (AD groups)

Decisions: PC
• Scripted/automated method of installation
• Active Directory bound
• Windows 10 64-bit
• Release 1607 Education
• Clean install of OS (no bloatware/conflicting software)
• PC naming convention
• ZENworks (Inventory Agent)

Decisions: Mac
• Scripted/automated method of installation
• Active Directory bound for the machine only
• OS X 10.11 or later
• In-place install
• Mac naming convention
• ZENworks Inventory Agent (pending)
• Password policy enforced on all accounts
Challenges and Pitfalls
• Atom CPU / slow 5400 rpm HDD
• Surfaces/tablets
• BIOS mode: UEFI/Legacy/CSM
• School procedures/images
• Ownership of devices
• OS installs of the wrong edition/version
• Users not following guidance or not contacting us for help
• Devices not labelled
• Firmware changes triggering BitLocker recovery

Challenges and Pitfalls (continued)
• TPM compliance
• Shared devices/PIN usage
• Inbuilt security products (WinMagic)
• BYOD encryption issues
• "Workgroup" management (no AD)
• No single supplier/procurement process
• Inventory: location, hardware and specification
• CIFS/OES compliance with Windows 10
• OS X 10.8 FileVault 2 bug (clear PRAM)
• Windows 10 printers (iPrint)
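The PC decisions above (AD-bound, Windows 10 1607 Education, scripted install) and the pitfalls just listed (UEFI vs. legacy BIOS, TPM compliance, shared-device PIN usage, firmware changes kicking a laptop into BitLocker recovery) map onto a handful of native BitLocker checks. The following PowerShell script is an added example written for this page; it is not Cardiff's deployment script and it does not use Sophos SafeGuard, which is what actually managed the keys in the service described. It assumes, as a stand-in for SafeGuard escrow, that recovery passwords are backed up to AD DS with `Backup-BitLockerKeyProtector`, which only works on a domain-joined machine where the "Store BitLocker recovery information in AD DS" policy and schema extension are in place; the `-RequirePin` switch likewise assumes a startup-authentication policy that permits TPM+PIN. The function names `Test-BitLockerPrerequisites` and `Suspend-BitLockerForFirmwareUpdate` are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's or Sophos SafeGuard's own code): pre-flight
# checks and BitLocker enablement for an AD-bound Windows 10 laptop.
# Assumption: recovery passwords are escrowed to AD DS (policy + schema
# extension in place); the SafeGuard escrow used in the real service is not modelled.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MountPoint = 'C:',
    [switch]$RequirePin,       # shared devices: TPM+PIN instead of TPM-only
    [SecureString]$Pin,
    [switch]$FirmwareUpdate    # suspend protection for one reboot before a BIOS flash
)

function Test-BitLockerPrerequisites {
    # Returns a list of problems; empty means the machine is ready to encrypt.
    $problems = @()

    # Firmware mode: Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    # Legacy/CSM boot was one of the pitfalls, so refuse it up front.
    if ($env:firmware_type -ne 'UEFI') {
        $problems += "Firmware boot mode is '$($env:firmware_type)', expected UEFI"
    }

    # TPM compliance: present, and initialised so a TPM protector can be created.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $problems += 'No TPM detected'
    } elseif (-not $tpm.TpmReady) {
        $problems += 'TPM present but not ready (enable/clear it in firmware)'
    }

    # Wrong edition/version was a recurring pitfall: Home has no BitLocker.
    $os = Get-CimInstance Win32_OperatingSystem
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    if ($os.Caption -notmatch 'Education|Pro|Enterprise') {
        $problems += "OS edition '$($os.Caption)' does not support BitLocker"
    }
    if ([int]$release -lt 1607) {
        $problems += "Windows 10 release $release is older than the 1607 baseline"
    }

    # AD-bound is required for the assumed AD DS recovery-key escrow.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        $problems += 'Machine is not AD-bound; recovery password cannot be escrowed to AD DS'
    }
    return $problems
}

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$Volume)
    # A BIOS/UEFI update changes the PCR measurements the TPM protector is sealed
    # against; suspending for exactly one reboot avoids the recovery-screen prompt.
    Suspend-BitLocker -MountPoint $Volume -RebootCount 1 | Out-Null
    Write-Host "BitLocker on $Volume suspended for one reboot; flash firmware now."
}

if ($FirmwareUpdate) {
    Suspend-BitLockerForFirmwareUpdate -Volume $MountPoint
    return
}

$problems = Test-BitLockerPrerequisites
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight checks failed; not enabling BitLocker.'
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -eq 'On') {
    Write-Host "$MountPoint is already protected; nothing to do."
    return
}

if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker')) {
    $common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'; UsedSpaceOnly = $true; SkipHardwareTest = $true }
    if ($RequirePin) {
        if (-not $Pin) { $Pin = Read-Host -AsSecureString 'Enter BitLocker startup PIN' }
        Enable-BitLocker @common -TpmAndPinProtector -Pin $Pin | Out-Null
    } else {
        Enable-BitLocker @common -TpmProtector | Out-Null
    }

    # Add a recovery password and escrow it before the user can lose the laptop.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($protector in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId | Out-Null
    }
    Write-Host "BitLocker enabled on $MountPoint; $($recovery.Count) recovery password(s) escrowed to AD DS."
}
```

Run it once from an elevated prompt after the machine is domain-joined (`.\Enable-LaptopBitLocker.ps1`, or with `-RequirePin` on a shared device, or with `-WhatIf` to see what it would change); before a BIOS upgrade, run it again with `-FirmwareUpdate` so the flash does not land the user on the recovery screen.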
Moving forwards/enhancements
• C1 data holders a priority
• Rolling programme
• Rebuilt/wiped/new machines only
• Case-by-case approach to existing devices
• Better procurement (NDNA)
• AD or AAD
• Migration of the old service to the new
• Potential self-recovery for keys
• Embedded procedures within schools/departments
• Imaging service for laptops

Going the extra mile!
• 2016 CTR
• Sophos AV
• VPN client
• Mapped network drives
• Local BitLocker management
• Label power pack
• Mac OS upgrade
• iPrint install
• BIOS upgrade