Gale Fritsche
Lehigh University Library and Technology Services
Stay out of the News: Encrypt your Files
Educause National Conference October 10, 2006
Tim Foley
• Founded in 1865. Private research university located 90 miles west of NYC
• Ranks 33rd out of 248 national universities in US News and World Report’s annual survey
• Approx 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff
• Approx 90% Windows PCs, 5% Mac and 5% other (Linux etc.)
Lehigh Overview
Library & Technology Services Organizational Structure
Vice Provost, Library & Technology
Client Services
Library Systems & Collections
Technology Management
Administration & Advancement
Distance Education & Faculty Development
Enterprise Systems
Presentation Agenda
• Why we need to encrypt
• Lehigh’s Committee Structure
• Process & Recommendation
• Issues and Concerns
• Other Data Security Initiatives
Why do you need encrypted information?
• Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP March 29, 2005)
• A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 05)
• VA laptop stolen exposing sensitive data of over 26 million veterans (GCN, May 22, 2006)
• Stolen GE laptop contains social security numbers of 50,000 current and former employees (Reuters, Sept 26, 2006)
31 states with security breach laws
Reported breaches - 93,998,906 people affected since 2/15/05 see: http://www.privacyrights.org/ar/ChronDataBreaches.htm
Consumers Union report as of 6/27/06
Committee Structure
• Advisory Council for Information Services – sets university wide information services policies
• Data Advisory Council – ensures data standards are maintained and enforced
• Data Standards Committee – standards for shared data elements in Banner
• E-Security Committee – examines and recommends implementation of security related practices and policies
• Account Opening Sub Committee – revises account opening procedures to comply with FERPA and remove SSNs
• Data Encryption Sub Committee – Address the best way to encrypt PCs, Macs, PDAs and other portable devices, and backups
• Firewall Sub Committee – Develops plans on the best use of Lehigh’s firewalls
• Identity Management Sub Committee – redesigns Lehigh’s current authentication system
Data Encryption Sub Committee
Members
• Systems Analysts
• Security and Policy Officer
• Computing Consultants
• Database Manager
• Enterprise Information Consultant
• Client Services Team Leaders
Committee Charge
Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS backups to comply with the Lehigh University security plan
• Basic file access to LTS shares
• Removable media
• PDAs (Palms and Pocket PCs)
• Desktop PC encryption (Windows and Macs)
• Backups (Windows and Enterprise)
• Encryption of Unix, and Oracle
• Microsoft SQL Server Security
• Management of Encryption keys
• End user training
Subgroups Formed
Evaluation Process
• Off campus visit
• Web/periodical research
• Various meetings with clients
• Encryption software testing and evaluation
– Whole disk encryption
– File/folder/virtual disk encryption
• Encryption webpage development
• Data security seminar development
• Finalized Recommendations
• Develop data security policy to maintain compliance with FERPA, GLBA and HIPAA
How Whole Disk Encryption Works
[Diagram: three disk layouts labeled No Encryption, Whole Disk Encryption and File Encryption, each divided into Boot Process, Operating System and Data; additional labels: Encryption Software, Authentication, Encryption]
Encryption Needs A Key
Source http://www.UNIX.org
• A 256 bit key has 2^256 possible combinations
• There are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits
Whole Disk Encryption Evaluation
• WinMagic (Securedoc 4.2) – http://www.winmagic.com/
• PGP Desktop Pro 9.0 – http://www.pgp.com/
• Pointsec 6.0 – http://www.pointsec.com/
• Securstar (DriveCrypt 3.5) – http://www.drivecrypt.com/
• Utimaco (Safeguard 4.2) – http://americas.utimaco.com/safeguard_easy/
Whole Disk Encryption
• Step 1: Refreshed a computer with Windows XP SP2
• Step 2: Benchmark tests on CPU, Memory and Hard Disk to create a baseline
• Step 3: Installed a whole disk encryption product and ran the benchmark test again.
• Step 4: Compared the results to the baseline
• Step 5: Repeat Steps 1-4 for each product
Evaluation Process
Software | Platforms Supported | Encryption Algorithm | Installation incl. encryption (Windows XP SP2) | Retail $ (Single User) | Supported Storage Devices
Winmagic Securedoc 4.2 | Windows XP | AES (256) | 72 Min | $129 | Hard Disks (I,E), USB Flash Dr.
PGP Desktop 9.0 | Windows XP, Mac OSX | AES (256) | 82 Min | $149 (Disk), $199 (Desktop) | Hard Disks (I,E), USB Flash Dr.
Pointsec 6.0 | Windows XP, Linux | AES (256) | 135 Min | $149 | Hard Disks (I,E), USB Flash Dr.
Drivecrypt 3.5 | Windows XP/NT/2000 | AES (256) | 78 Min | $161 | Hard Disks (I,E), USB Flash Dr.
Utimaco Safeguard 4.2 | Windows XP/2000/Server 2003 | AES (256) | 73 Min | $240 | Hard Disks (I,E), USB Flash Dr., SD Cards
Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk
Whole Disk Encryption
Windows XP Benchmarks
• CPU Tests (Examples)
– Integer and floating point Math (MOps/Sec)
– Image Rotation (# Rotations /Sec)
– String Sorting (Thousands strings per second)
• Memory Tests
– Memory write (Mbytes transferred/sec)
– Read cached, Read uncached (Mbytes transferred/sec)
• Disk Tests
– Sequential read, Sequential write (Mbytes transferred/sec)
– Random Seek (Mbytes transferred/sec)
Performance Test 6.0: http://www.passmark.com/
Whole Disk Encryption
Encryption Software Benchmark Results
Software | Memory | CPU | Hard Disk | Overall
Winmagic Securedoc 4.2 | -.3% | -1.1% | -49.8% | -17.5%
PGP Desktop 9.0 | 0% | -1% | -70% | -25%
Pointsec 6.0 | 0% | -1% | -62% | -21%
Drivecrypt 3.5 | -1% | -3% | -52% | -19%
Utimaco Safeguard 4.2 | 0% | -1% | -25% | -9%
Benchmark software used: Performance Test 6.0 Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk
File/Virtual Disk Encryption Evaluation
• Windows XP (EFS Encryption) – http://www.microsoft.com/
• Truecrypt 4.2a – http://www.truecrypt.org/
• SecurStar (Drivecrypt 3.5) – http://www.securstar.com/
• CyberAngel – http://www.thecyberangel.com/
Encryption Software Evaluation
Software | Platforms Supported | Encryption Algorithms | Cost | Notes
Windows EFS | Windows 2000, XP | Data Encryption Standard (DESX), Triple DESX | Comes with Windows XP/2000 | NTFS Volumes only, no system files
Truecrypt 4.2a | Windows, Linux | AES 256, Blowfish 448, Cast5, Serpent 256, Triple DES | Free | FAT16, FAT32 and NTFS and Linux.
Drivecrypt 3.5 | Windows 95, 98, ME, NT, 2000, XP | AES 256, Triple AES (768), Blowfish 256, 448, Triple Blowfish (1344) | $77.34 | FAT16, FAT32, NTFS. Up to 4 passwords for unlocking container
Cyberangel | Windows 95, 98, ME, NT/2000 and XP | AES 128, 256, Blowfish 128, 256, Twofish 128, 256, Triple DES and Standard DES | $25 (Software), $60/yr (Monitoring) | Encrypted partition automatically expands
Virtual Disk/File/Folder Encryption
Committee Recommendations
• Whole disk encryption for PCs
• Virtual Disk and folder/file encryption
– Encrypted disk images for Macintosh
– Folder encryption using Windows EFS encryption
– Truecrypt for Pocket PCs and removable media
• Password protect Palm devices or Pocket PCs
• Backup encryption (EFS Encryption and MS Backup)
• Restricting local logins (XP local security policies) for users with Banner reporting roles
• Enterprise backups are secure in machine room and transit. Still examining options for enterprise backup
• Terminal Servers for FERPA, GLBA and HIPAA applications
• Confidential Data (Highest level of security)
– Protected due to legal requirements (HIPAA, GLBA, FERPA)
– All data must be in encrypted form
– Whole disk encryption of PCs is mandatory
• Institutional/Proprietary Data (Moderate level of security)
– All data must be in encrypted form (including backups)
– Whole disk encryption is an option
• Public Departmental Data (Lowest level of security)
– Protected at the discretion of the department/owner
– Recommended that data be stored on secured LAN drives
Lehigh Data Security Policy
Classification of Data
Addressing Security Requirements
Security | Department | Type of data | Solution | Notes
HIPAA | Counseling/Health Center | Student counseling records | Installed Terminal Server with SQL server database | Limited access to CS staff
FERPA | Student Affairs/Judicial System Database | Student disciplinary issues | Upgrade to SQL Server pending | Currently using MS Access
FERPA | Athletics | Student GPA, SSN and other data | Upgrade to SQL Server | Currently using MS Access
HIPAA | Human Resources | Healthcare Enrollment | Currently being determined | Currently Excel SS
Small subset of actual sensitive data evaluated
Methods being Evaluated
• SDRAM cards in Pocket PCs and Palm Devices
• Enterprise tape backup Encryption
• Windows Vista and BitLocker Encryption (Need TPM – Trusted Platform Module)
• Winzip as a method of Encrypting backups
Issues and Concerns
• Cost of software
• Recovering data on drives using whole disk encryption
• Management of encryption keys
• Privileges to download banner/access reports to PCs
• Leaking Data
– The recycle bin, temporary internet files
– Laptop sleep mode (writes desktop to temporary files)
• Management of shared encrypted resources
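As an added example (not part of the original presentation), this Python script audits the "Leaking Data" concern for file/folder encryption: it scans directories outside an encrypted folder for files that still contain SSN-like strings in plaintext. The directory names, the SSN pattern and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# SSN-like AAA-GG-SSSS, skipping never-issued ranges (assumed pattern, not from the slides).
SSN_RE = re.compile(rb"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

def _inside(path, root):
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False

def find_plaintext_leaks(scan_roots, protected_root, max_bytes=1_000_000):
    """Return sorted (path, hits) for files outside protected_root with SSN-like strings."""
    protected = os.path.realpath(protected_root)
    leaks = []
    for root in scan_roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.realpath(os.path.join(dirpath, name))
                if _inside(path, protected):
                    continue  # copy lives in the encrypted folder
                try:
                    with open(path, "rb") as fh:
                        hits = len(SSN_RE.findall(fh.read(max_bytes)))
                except OSError:
                    continue  # locked or unreadable file
                if hits:
                    leaks.append((path, hits))
    return sorted(leaks)

def demo():
    """Scan a constructed tree; returns {relative_path: hits}."""
    roster = b"Doe,123-45-6789\nRoe,234-56-7890\n"  # constructed values
    files = {
        "Encrypted/roster.txt": roster,  # protected original
        "Temp/~roster.tmp": roster,  # editor temp copy
        "Recycled/old.csv": b"id,ssn\n7,123-45-6789\n",
        "Temp/notes.txt": b"call 610-555-0100; id 000-12-3456\n",  # no valid SSN
    }
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        for rel, data in files.items():
            full = os.path.join(base, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        leaks = find_plaintext_leaks([base], os.path.join(base, "Encrypted"))
        return {os.path.relpath(p, base).replace(os.sep, "/"): n for p, n in leaks}
```

On a real machine, point `scan_roots` at the temp, browser cache and recycle bin directories and `protected_root` at the encrypted folder.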
Contact Information
Tim Foley – [email protected]
Gale Fritsche – [email protected]
Presentation is available at: http://www.educause.edu/E06/9164