Lessons learned during Sandia’s encryption implementation

1. Lessons learned during Sandia’s encryption implementation NLIT 2009 May 2008 Sam Jones Matt Snitchler Desktop Technology Development Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company,for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

2. Objective • Protect sensitive data on all mobile devices • Meet NAP 14-2-C Cyber Security Requirement

3. Windows Solution • Credant Mobile Guardian • FIPS 140-2 Certified • Enterprise key management • Reporting capability • Supports removable media • Not a silver bullet

4. Mac Solution • FileVault • Credant Mac Client (Beta) • Managed by console • Does not support Windows Credant EMS • WinMagic • Removable media support not integrated

5. Linux Solutions • GnuPG • RHEL 5.3 • Linux Unified Key Setup (LUKS) • Does not support Windows Credant EMS • Dual Boot problems • Removable media support not integrated • Hardware based FDE software support immature

6. Encryption hurts • Long encryption times • I/O intensive applications affected • Flash drives cumbersome • Large USB drives experience initial long encryption time • System recovery more complex

7. Hardware FDE • Works well with I/O intensive applications • No initial encryption hit • Does not work with all hardware vendors • Dell, HP, Lenovo • Enterprise management solutions immature • Key management • Reporting • Wave, Secude, WinMagic • Technically not FIPS 140-2 • Hardware FDE option on Preferred System List

8. Hardware encrypted flash • IronKey • Multi platform • Windows, Linux, Mac (Beta) • FIPS 140 certified • Expensive • Enterprise management solutions immature • Key management • Reporting • Does not work well with Credant EMS

9. Questions • ? • sejones@sandia.gov • 505 845-8643 • mdsnitc@sandia.gov • 505 844-7790