
Gale Fritsche

Stay out of the News: Encrypt your Files. Educause National Conference, October 10, 2006. Tim Foley, Gale Fritsche. Lehigh University, Library and Technology Services.


Presentation Transcript


  1. Stay out of the News: Encrypt your Files
  Educause National Conference, October 10, 2006
  Tim Foley, Gale Fritsche
  Lehigh University, Library and Technology Services

  2. Lehigh Overview
  • Founded in 1865. Private research university located 90 miles west of NYC
  • Ranks 33rd out of 248 national universities in US News and World Report's annual survey
  • Approx. 4,700 undergraduates, 1,200 graduate students, 450 faculty and 1,200 staff
  • Approx. 90% Windows PCs, 5% Mac and 5% other (Linux etc.)

  3. Library & Technology Services Organizational Structure (org chart)
  Vice Provost, Library & Technology, with the units: Client Services; Administration & Advancement; Library Systems & Collections; Enterprise Systems; Technology Management; Distance Education & Faculty Development

  4. Presentation Agenda
  • Why we need to encrypt
  • Lehigh's Committee Structure
  • Process & Recommendation
  • Issues and Concerns
  • Other Data Security Initiatives

  5. Why do you need encrypted information?
  • Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP, March 29, 2005)
  • A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 2005)
  • VA laptop stolen, exposing sensitive data of over 26 million veterans (GCN, May 22, 2006)
  • Stolen GE laptop contains social security numbers of 50,000 current and former employees (Reuters, Sept 26, 2006)

  6. 31 states with security breach laws (Consumers Union report as of 6/27/06)
  Reported breaches: 93,998,906 people affected since 2/15/05
  See: http://www.privacyrights.org/ar/ChronDataBreaches.htm

  7. Committee Structure (org chart)
  • Advisory Council for Information Services – sets university-wide information services policies
  • Data Advisory Council – ensures data standards are maintained and enforced
  • Data Standards Committee – standards for shared data elements in Banner
  • E-Security Committee – examines and recommends implementation of security related practices and policies
  • Account Opening Sub Committee – revises account opening procedures to comply with FERPA and remove SSNs
  • Data Encryption Sub Committee – addresses the best way to encrypt PCs, Macs, PDAs and other portable devices, and backups
  • Identity Management Sub Committee – redesigns Lehigh's current authentication system
  • Firewall Sub Committee – develops plans on the best use of Lehigh's firewalls

  8. Committee Charge – Data Encryption Sub Committee
  Charge: Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS backups to comply with the Lehigh University security plan
  Members:
  • Systems Analysts
  • Security and Policy Officer
  • Computing Consultants
  • Database Manager
  • Enterprise Information Consultant
  • Client Services Team Leaders

  9. Subgroups Formed
  • Basic file access to LTS shares
  • Removable media
  • PDAs (Palms and Pocket PCs)
  • Desktop PC encryption (Windows and Macs)
  • Backups (Windows and Enterprise)
  • Encryption of Unix and Oracle
  • Microsoft SQL Server security
  • Management of encryption keys
  • End user training

  10. Evaluation Process
  • Off campus visit
  • Web/periodical research
  • Various meetings with clients
  • Encryption software testing and evaluation
    • Whole disk encryption
    • File/folder/virtual disk encryption
  • Encryption webpage development
  • Data security seminar development
  • Finalized recommendations
  • Develop data security policy to maintain compliance with FERPA, GLBA and HIPAA

  11. How Whole Disk Encryption Works (diagram)
  • No Encryption: Boot Process → Operating System → Data
  • File Encryption: Boot Process → Operating System → Encryption → Data
  • Whole Disk Encryption: Boot Process → Encryption Software Authentication → Operating System → Data

  12. Encryption Needs A Key
  • A 256-bit key has 2^256 possible values
  • There are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits (2^56 ≈ 7.2 × 10^16)
  Source: http://www.UNIX.org

  13. Whole Disk Encryption Evaluation
  • WinMagic (SecureDoc 4.2) – http://www.winmagic.com/
  • PGP Desktop Pro 9.0 – http://www.pgp.com/
  • Pointsec 6.0 – http://www.pointsec.com/
  • SecurStar (DriveCrypt 3.5) – http://www.drivecrypt.com/
  • Utimaco (SafeGuard Easy 4.2) – http://americas.utimaco.com/safeguard_easy/

  14. Gartner's Magic Quadrant (Mobile Data Protection) (figure)

  15. Whole Disk Encryption Evaluation Process
  • Step 1: Refreshed a computer with Windows XP SP2
  • Step 2: Benchmark tests on CPU, memory and hard disk to create a baseline
  • Step 3: Installed a whole disk encryption product and ran the benchmark test again
  • Step 4: Compared the results to the baseline
  • Step 5: Repeated Steps 1-4 for each product

  16. Whole Disk Encryption (benchmark chart)
  Test machine: Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB hard disk

  17. Whole Disk Encryption Windows XP Benchmarks
  Performance Test 6.0: http://www.passmark.com/
  • CPU tests (examples)
    • Integer and floating point math (MOps/sec)
    • Image rotation (rotations/sec)
    • String sorting (thousands of strings/sec)
  • Memory tests
    • Memory write (MB transferred/sec)
    • Read cached, read uncached (MB transferred/sec)
  • Disk tests
    • Sequential read, sequential write (MB transferred/sec)
    • Random seek (MB transferred/sec)

  18. Encryption Software Benchmark Results (chart)
  Benchmark software used: Performance Test 6.0
  Test machine: Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB hard disk

  19. File/Virtual Disk Encryption Evaluation
  • Windows XP (EFS encryption) – http://www.microsoft.com/
  • TrueCrypt 4.2a – http://www.truecrypt.org/
  • SecurStar (DriveCrypt 3.5) – http://www.securstar.com/
  • CyberAngel – http://www.thecyberangel.com/

  20. Encryption Software Evaluation: Virtual Disk/File/Folder Encryption (comparison table)

  21. Committee Recommendations
  • Whole disk encryption for PCs
  • Virtual disk and folder/file encryption
  • Encrypted disk images for Macintosh
  • Folder encryption using Windows EFS encryption
  • TrueCrypt for Pocket PCs and removable media
  • Password protect Palm devices or Pocket PCs
  • Backup encryption (EFS encryption and MS Backup)
  • Restricting local logins (XP local security policies) for users with Banner reporting roles
  • Enterprise backups are secure in the machine room and in transit; still examining options for enterprise backup encryption
  • Terminal Servers for FERPA, GLBA and HIPAA applications

  22. Lehigh Data Security Policy: Classification of Data
  • Confidential Data (highest level of security)
    • Protected due to legal requirements (HIPAA, GLBA, FERPA)
    • All data must be in encrypted form
    • Whole disk encryption of PCs is mandatory
  • Institutional/Proprietary Data (moderate level of security)
    • All data must be in encrypted form (including backups)
    • Whole disk encryption is an option
  • Public Departmental Data (lowest level of security)
    • Protected at the discretion of the department/owner
    • Recommended that data be stored on secured LAN drives

  23. Addressing Security Requirements (table)
  Small subset of actual sensitive data evaluated

  24. Methods Being Evaluated
  • SD cards in Pocket PCs and Palm devices
  • Enterprise tape backup encryption
  • Windows Vista and BitLocker encryption (needs a TPM – Trusted Platform Module)
  • WinZip as a method of encrypting backups

  25. Issues and Concerns
  • Cost of software
  • Recovering data on drives using whole disk encryption
  • Management of encryption keys
  • Privileges to download Banner/Access reports to PCs
  • Leaking data
    • The recycle bin, temporary internet files
    • Laptop sleep/hibernate mode (writes the contents of memory, including decrypted data, to a file on disk)
  • Management of shared encrypted resources
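The following is an added example, not code from the Lehigh slides or from any product they evaluated. It applies the slide 21 recommendation of folder encryption with Windows EFS to one folder, creates a recovery agent key for the key-management concern, and then closes the plaintext leaks listed on slide 25 (hibernation file, page file, temp and browser cache files, recycle bin, free space) that EFS alone does not cover. The folder path and key-file prefix are assumptions; everything else is the stock cipher.exe, powercfg.exe and reg.exe that ship with Windows XP SP2 and later, run from an elevated PowerShell prompt.

```powershell
# Added example (not from the Lehigh slides). Assumed paths:
$Folder  = 'C:\Confidential'     # assumed home for FERPA/GLBA/HIPAA files
$KeyFile = 'C:\EFS-Recovery'     # assumed prefix for the recovery agent .cer/.pfx

# --- Slide 21: EFS folder encryption -------------------------------------
if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}
# /E encrypt, /S: recurse into subdirectories, /A include files already present.
# Files written into the folder later inherit the encrypted attribute.
cipher.exe /E "/S:$Folder" /A

# Verify: a file is protected only if the Encrypted attribute is actually set.
function Test-EfsEncrypted([string]$Path) {
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
}
Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not (Test-EfsEncrypted $_.FullName) } |
    ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }

# Key management (slide 25): generate a Data Recovery Agent certificate and key
# so a lost or rebuilt user profile does not mean lost data. cipher prompts for
# a password and writes $KeyFile.cer and $KeyFile.pfx; move the .pfx off this PC.
cipher.exe "/R:$KeyFile"

# --- Slide 25: close the plaintext side channels --------------------------
# Hibernation writes all of RAM, decrypted file contents included, to
# hiberfil.sys, which EFS never touches. Turn it off on EFS-only machines.
powercfg.exe /HIBERNATE OFF

# The page file can also hold decrypted data; have Windows zero it at shutdown.
reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
    /v ClearPageFileAtShutdown /t REG_DWORD /d 1 /f

# Temp files and the browser cache (Temporary Internet Files) are unencrypted
# copies of whatever was opened from the encrypted folder.
$Cache = [Environment]::GetFolderPath('InternetCache')
foreach ($dir in @($env:TEMP, $Cache)) {
    Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# Recycle bin contents live outside the encrypted folder (RECYCLER on XP,
# $Recycle.Bin on Vista and later); empty it before wiping free space.
foreach ($bin in @('C:\RECYCLER', 'C:\$Recycle.Bin')) {
    if (Test-Path -LiteralPath $bin) {
        Get-ChildItem -LiteralPath $bin -Recurse -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Finally overwrite free space on the volume so deleted plaintext, including the
# pre-encryption copies of the files above, cannot be carved back off the disk.
# This takes a long time on a 40 GB disk; run it once after the rollout.
cipher.exe /W:C:\
```

The side-channel steps matter only where EFS or another file-level product is the sole protection, which is the case the committee leaves open for Institutional/Proprietary data on slide 22. Under whole disk encryption, hiberfil.sys, the page file, temp directories and the recycle bin all sit inside the encrypted volume behind pre-boot authentication, so the same leaks are covered without any per-machine cleanup.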

  26. Contact Information
  Tim Foley – tim.foley@lehigh.edu
  Gale Fritsche – gale.fritsche@lehigh.edu
  Presentation is available at: http://www.educause.edu/E06/9164
