[FDE] FDE Digest, Vol 2, Issue 6
Ryan Booton
rbooton at yahoo.com
Sun Nov 12 00:04:20 MST 2006
I don't have all the answers but here are a few.
> 1. What features should be important?
Certifications: FIPS, Common Criteria. This would help you look good in court if you were being sued because of a stolen laptop.
AES-256 or other encryption ciphers just as strong.
Encryption of external media, working the way you need it to. Utimaco SafeGuard Easy encrypts external media by encrypting the entire drive. People who do not have SafeGuard Easy and the key cannot access the files. Pointsec allows you to only encrypt specific files or folders on a drive, and optionally allows passwords to be created so that people without Pointsec can open the files as long as they know the right password. Both allow policies to be created to require encryption of external media. One downfall to Utimaco's approach is that it can take a long time to encrypt your external media, since it encrypts the entire drive.
Support for two-factor authentication during the preboot authentication process.
Flexibility in the way it can be configured. Find a company that's been doing it a while. A lot of the products I've seen don't offer much flexibility, and seem to be written very poorly with bad documentation.
Don't worry too much about the price. If you buy some cheap product that fails at some point, and your CIO can't access his laptop, you will regret it.
> 2. If a single vendor is not used, will the system play well with others?
Again, Pointsec Media Encryption (PME) works well in sharing information with others, since it doesn't require others to have it installed. I don't think many others have this ability.
> 4. Will it work with Windows XP/Linux/Apple/Unix (could be separate packages)
Check into Entrust. They have partnerships with Pointsec and other companies and are selling something called Entelligence Disk Security. According to a Gartner report they support Linux, Mac OS 9, Palm OS, Windows Mobile, RIM, Symbian and Windows.
> 5. Does it support removable media?
Some do, most don't. Some are add-ons, some aren't. I think it's good to find something that allows you to set up a policy to require that all removable media is encrypted. Then if a USB drive is lost, it won't be a big deal.
> 6. Does it support Tape storage systems?
I don't know of any that will keep data encrypted on tape. You might need to buy something extra for that.
> 7. Does it support smartphone/blackberry/PDAs? (the seeming bane of my existence!)
A lot of them do. Look for a Gartner report called "Magic Quadrant for Mobile Data Protection, 1H06." You can get it from Gartner for $500 or you can download it, I believe, from Utimaco's web site for free, as long as you fill out a questionnaire and give them your contact info.
> 8. Does it split the administrative (master key) into multiple segments so that it requires 2 or more admins to decrypt media?
Nothing that I have looked at works this way. If you want to make it so that an administrator cannot have access to the data contained on everyone's laptop, you might want to check out Credant, but it's not FDE.
> 9. Does it support a master key/corporate key so if an employee suddenly leaves (or is being investigated) we can unlock what has been enciphered?
I think they all do this. There can be multiple administrative accounts set up. Usually you create an install package, which has this information contained in it. Then you push the install out to the clients. They all would then use the same administrative accounts.
> 10. Does it play well with Windows networking AND Novell (at the same time!)?
It depends on what you mean. If you mean does it cause any problems in this scenario, the answer is no. The encryption works beneath the operating system. So as far as Windows and Novell are concerned, they don't even realize that the disk is encrypted.
The types of software that you may run into problems with are things that access the hard drive at a level beneath the OS, such as some antivirus programs. Also, if you want to single sign-on to Windows, you may have problems if you are using other software that replaces the normal Windows GINA authentication.
Ryan Booton
CISSP, GSEC
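Question 8 above asks for an administrative master key split into segments so that two or more admins are needed to decrypt. As an added illustration of that control (not code from the list, Ryan's reply, or any vendor product), here is a 2-of-3 Shamir split of a master key over a prime field; the field prime, function names and the 32-byte constructed key are my own choices.

```python
import secrets

# Field prime: the Mersenne prime 2^521 - 1 (my choice), wide enough for a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_master_key(key: bytes, threshold: int, holders: int):
    """Shamir split: each admin gets one point (x, y) on a random polynomial
    whose constant term is the master key. Any `threshold` points recover it."""
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_int(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares this
    returns a value unrelated to the key, so a lone admin learns nothing."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_master_key(shares, key_len: int) -> bytes:
    return recover_int(shares).to_bytes(key_len, "big")


def two_admin_demo() -> bool:
    """Constructed 32-byte master key split 2-of-3: every pair of admins recovers it."""
    key = secrets.token_bytes(32)
    shares = split_master_key(key, threshold=2, holders=3)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    return all(recover_master_key(p, 32) == key for p in pairs)
```

In a real deployment the recovered value would be the key that wraps each laptop's disk key (the corporate key of question 9), and the shares themselves would live on separate admin tokens or smart cards.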
--- fde-request at www.xml-dev.com wrote:
> Today's Topics:
>
> 1. Re: FDE - Can we manage it? (Laundrup, Jens)
> 2. Product evaluations (Sam Henry)
> 3. Re: Can you keep a secret? This encrypted
> drive can...
> (Thomas Brewster)
> 4. Re: Intro and EFS as a viable FDE solution?
> (Saqib Ali)
> 5. Re: Can you keep a secret? This encrypted
> drive can... (Saqib Ali)
> 6. Re: Product evaluations (Saqib Ali)
> 7. Re: hardware accelerated full disk encryption
> (Saqib Ali)
> 8. Re: hardware accelerated full disk encryption
> (coderman)
> 9. Re: hardware accelerated full disk encryption
> (Adrian Skerratt)
>
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 8 Nov 2006 12:06:16 -0800
> From: "Laundrup, Jens" <Jens.Laundrup at METROKC.GOV>
> Subject: Re: [FDE] FDE - Can we manage it?
> To: "Mike Johnson" <mike at enoch.org>
> Cc: fde at www.xml-dev.com
> Message-ID: <416FE21C43CED045BD57B8D600AF90AFE042B3 at mkey02.kc.kingcounty.lcl>
> Content-Type: text/plain; charset="us-ascii"
>
> I too have looked at PGP but like many others, they do not play well with other brands.
>
> Where I have gone so far: (this is all very preliminary!!)
>
> http://www.pointsec.com/products/managementtools/ but they do not seem to support Servers and mass storage, e-mail, DSS etc.
>
> http://www.sun.com/encryption/index.jsp but they do not seem to address PCs, laptops or e-mail
>
> http://www.pgp.com/products/index.html Addresses most things but they do not play well with the mainframe systems or DSS for other than e-mail.
>
> http://www.ncipher.com/key_management/ But they do not seem to address e-mail platforms or DSS (though they have an interesting management system)
>
> http://www.ce-infosys.com/CeiProducts_GlobalAdmin.asp Looks interesting but I am not sure they work with mainframe systems, though it looks like they are fairly flexible.
>
> I am certain there are others that I have yet to find!
>
> The big questions are: (add to the list! Maybe Saqib would create a spreadsheet for us so we can look at the different features and compare products <please>).
>
> 1. What features should be important?
>
> 2. If a single vendor is not used, will the system play well with others?
>
> 3. Is it capable of supporting multiple AD sub-forests?
>
> 4. Will it work with Windows XP/Linux/Apple/Unix (could be separate packages)
>
> 5. Does it support removable media?
>
> 6. Does it support Tape storage systems?
>
> 7. Does it support smartphone/blackberry/PDAs? (the seeming bane of my existence!)
>
> 8. Does it split the administrative (master key) into multiple segments so that it requires 2 or more admins to decrypt media?
>
> 9. Does it support a master key/corporate key so if an employee suddenly leaves (or is being investigated) we can unlock what has been enciphered?
>
> 10. Does it play well with Windows networking AND Novell (at the same time!)?
>
> And a million other questions.
>
> Jens
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 8 Nov 2006 16:07:24 -0500 (EST)
> From: "Sam Henry" <samhenry at excite.com>
> Subject: [FDE] Product evaluations
> To: fde at www.xml-dev.com
> Message-ID:
> <20061108210724.1F17591FF7 at xprdmxin.myway.com>
> Content-Type: text/plain; charset="us-ascii"
>
>
> Hello List, I noticed the great work done by Saqib Ali on benchmarking and was wondering if WinMagic's product SecureDoc happened to be in the mix. Actually it's obviously not in the list and I am wondering if there was a reason why it is missing? I am also wondering if it could be added?
>
> I have looked at many of these products and it seems like they all get the job done: PGP, Utimaco, SafeBoot, Authenex, WinMagic -- the list goes on and on. But there are many many nuances to selecting a product for enterprise level use (ease of use, cost, ease of administration, logging, ability to encrypt removable media).
>
> One of my pet peeves is that if I am going to spend so much on this technology, I don't think it is too much of a stretch to expect being able to encrypt data put on a USB drive or something. Two that allow you to encrypt removable media included SafeBoot and Authenex. They require you to have an additional product license or hardware (= added cost) in order to encrypt data on removable media. Apparently WinMagic's product (enterprise product) will allow for encrypting removable media as part of their product. They also have a retail box version called MySecureDoc Personal Plus which allows encryption of removable media and hard disk.
>
> Has anyone used the WinMagic enterprise SecureDoc product? Thanks, secsam
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 8 Nov 2006 17:41:52 -0500
> From: "Thomas Brewster" <thomas_brewster at hotmail.com>
> Subject: Re: [FDE] Can you keep a secret? This encrypted drive can...
> To: "Saqib Ali" <docbook.xml at gmail.com>
> Cc: fde at www.xml-dev.com
> Message-ID:
> <BAY103-DAV59CCFCAA876BC8A4F302F8EF10 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
=== message truncated ===