Gale Fritsche

Lehigh UniversityLibrary and Technology Services

Stay out of the NewsEncrypt your Files

Educause National Conference October 10, 2006

Tim Foley

• Founded in 1865. Private research university located 90 miles west of NYC

• Ranks 33rd out of 248 national universities in US News and World Report’s annual survey

• Approx 4700 undergraduates, 1200 graduate students, 450 faculty and 1200 staff

• Approx 90% Windows PCs, 5% Mac and 5% other (Linux etc.)

Lehigh Overview

Library & Technology ServicesOrganizational Structure

Vice ProvostLibrary & Technology

Client Services

Library Systems & Collections

Technology Management

Administration &Advancement

Distance Education &Faculty Development

Enterprise Systems

Presentation Agenda

• Why we need to encrypt

• Lehigh’s Committee Structure

• Process & Recommendation

• Issues and Concerns

• Other Data Security Initiatives

Why do you need encrypted information?

• Stolen Cal Berkeley laptop exposes personal data of nearly 100,000 (AP March 29, 2005)

• A laptop with personal information of students and applicants was stolen from the Cleveland State University admissions office (WKYC-TV, June 3, 05)

• VA laptop stolen exposing sensitive data of over 26 million veterans (GCN, May 22, 2006)

• Stolen GE laptop contains social security numbers of 50,000 current and former employees (Reuters, Sept 26, 2006)

31 states with security breach laws

Reported breaches - 93,998,906 people affected since 2/15/05 see: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Consumers Union report as of 6/27/06

Identity Mgmt Sub Committee

Firewall Sub Committee

Account Opening Sub Committee

Data Encryption Sub Committee

Data Standards Committee

E-Security Committee

Data Advisory Council

Advisory Council for Information Services – sets university wide information services policies

Data Advisory Council – ensures data standards are maintained and enforced

Data Standards Committee – standards for shared data elements in Banner

E-Security Committee – examines and recommends implementation of security related practices and policies

Account Opening Sub Committee – revises account opening procedures to comply with FERPA and remove SSNs

Data Encryption Sub Committee – Address the best way to encrypt PCs, Macs, PDAs and other portable devices, and backups

Firewall Sub Committee – Develops plans on the best use of Lehigh’s firewalls

Identity Management Sub Committee – redesigns Lehigh’s current authentication system

Advisory Council for Information Services

Committee Structure

• Systems Analysts

• Security and Policy Officer

• Computing Consultants

• Database Manager

• Enterprise Information Consultant

• Client Services Team Leaders

Data Encryption Sub Committee

Examine current encryption technologies to address the best way to encrypt PCs, Macs, PDAs and other portable devices, and LTS

backups to comply with the Lehigh University security plan

Members

Committee Charge

• Basic file access to LTS shares

• Removable media

• PDAs (Palms and Pocket PCs)

• Desktop PC encryption (Windows and Macs)

• Backups (Windows and Enterprise)

• Encryption of Unix, and Oracle

• Microsoft SQL Server Security

• Management of Encryption keys

• End user training

Subgroups Formed

Evaluation Process

• Off campus visit

• Web/periodical research

• Various meetings with clients

• Encryption software testing and evaluation– Whole disk encryption – File/folder/virtual disk encryption

• Encryption webpage development• Data security seminar development• Finalized Recommendations• Develop data security policy to maintain

compliance with FERPA, GLBA and HIPAA

How Whole Disk Encryption Works

Boot Process Operating

System Data

No Encryption

Encryption Software

Authentication

Boot Process Operating

System Data

Whole Disk Encryption

File Encryption

Boot Process Operating

System Data

Encryption

Encryption Needs A Key

Source http://www.UNIX.org

• A 256 bit key has 2256 possible different number of combinations

• There are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits

Whole Disk Encryption Evaluation

• WinMagic (Securedoc 4.2)– http://www.winmagic.com/

• PGP Desktop Pro 9.0– http://www.pgp.com/

• Pointsec 6.0– http://www.pointsec.com/

• Securstar (DriveCrypt 3.5)– http://www.drivecrypt.com/

• Ultimaco (Safeguard 4.2)– http://americas.utimaco.com/safeguard_easy/

Gartner’s Magic Quadrant(Mobile Data Protection)

Whole Disk Encryption

• Step 1: Refreshed a computer with Windows XP SP2

• Step 2: Benchmark tests on CPU, Memory and Hard Disk to create a baseline

• Step 3: Installed a whole disk encryption product and ran the benchmark test again.

• Step 4: Compared the results to the baseline• Step 5: Repeat Steps 1-4 for each product

Evaluation Process

Software Platforms Supported

Encryption Algorithm

Installation (incl. encryption)(Windows XP SP2)

Retail $(Single User)

Supported Storage Devices

Winmagic Securedoc 4.2

Windows XP AES (256) 72 Min $129 Hard Disks (I,E) USB Flash Dr.

PGP Desktop 9.0

Windows XP, Mac OSX

AES (256) 82 Min $149 (Disk)

$199 (Desktop)

Hard Disks (I,E) USB Flash Dr.

Pointsec 6.0 Windows XP

Linux

AES (256) 135 Min $149 Hard Disks (I,E) USB Flash Dr.

Drivecrypt 3.5 Windows XP/NT/2000

AES (256) 78 Min $161 Hard Disks (I,E) USB Flash Dr.

Ultimaco Safeguard 4.2

Windows XP/2000/Server 2003

AES (256) 73 Min $240 Hard Disks (I,E) USB Flash Dr.

SD Cards

Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk

Whole Disk Encryption

Windows XP Benchmarks

• CPU Tests (Examples)

– Integer and floating point Math (MOps/Sec)

– Image Rotation (# Rotations /Sec)

– String Sorting (Thousands strings per second)

• Memory Tests– Memory write (Mbytes transferred/sec)

– Read cached, Read uncached (Mbytes transferred/sec)

• Disk Tests– Sequential read, Sequential write (Mbytes transferred/sec)

– Random Seek (Mbytes transferred/sec)

Performance Test 6.0: http://www.passmark.com/

Whole Disk Encryption

Encryption Software Benchmark Results

Software Memory CPU Hard Disk Overall

Winmagic Securedoc 4.2

-.3% -1.1% -49.8% -17.5%

PGP Desktop 9.0 0% -1% -70% -25%

Pointsec 6.0 0% -1% -62% -21%

Drivecrypt 3.5 -1% -3% -52% -19%

Ultimaco Safeguard 4.2

0% -1% -25% -9%

Benchmark software used: Performance Test 6.0 Gateway E series, Windows XP SP2, Pentium 4, 2.4 GHz, 512 MB RAM, 40 GB Hard Disk

File/Virtual Disk Encryption Evaluation

• Windows XP (EFS Encryption)– http://www.microsoft.com/

• Truecrypt 4.2a– http://www.truecrypt.org/

• SecureStar (Drivecrypt 3.5)– http://www.securstar.com/

• CyberAngel– http://www.thecyberangel.com/

Encryption Software Evaluation

Software Platforms Supported

Encryption Algorithms

Cost Notes

Windows EFS

Windows 2000, XP

Data Encryption Standard (DESX), Triple DESX

Comes with Windows XP/2000

NTFS Volumes only, no system files

Truecrypt 4.2a

Windows Linux

AES 256, Blowfish 448, Cast5, Serpent 256, Triple DES

Free FAT16, FAT32 and NTFS and Linux.

Drivecrypt 3.5

Windows 95, 98, ME, NT,2000,XP

AES 256, Triple AES (768) Blowfish 256, 448, Triple Blowfish (1344)

$77.34 Fat16, FAT32, NTFS. Up to 4 passwords for unlocking container

Cyberangel Windows 95, 98, ME, NT/2000 and XP

AES 128, 256, Blowfish 128, 256, Twofish 128, 256, Triple DES and Standard DES

$25 (Software)

$60/yr (Monitoring)

Encrypted partition automatically expands

Virtual Disk/File/Folder Encryption

Committee Recommendations

• Whole disk encryption for PCs • Virtual Disk and folder/file encryption

– Encrypted disk images for Macintosh– Folder encryption using Windows EFS encryption – Truecrypt for Pocket PCs and removable media

• Password protect Palm devices or Pocket PCs • Backup encryption (EFS Encryption and MS Backup)• Restricting local logins (XP local security policies) for

users with Banner reporting roles• Enterprise backups are secure in machine room and

transit. Still examining options for enterprise backup• Terminal Servers for FERPA, GLBA and HIPAA

applications

• Confidential Data (Highest level of security)

– Protected due to legal requirements (HIPAA, GLBA, FERPA)

– All data must be in Encrypted form– Whole disk encryption of PCs is mandatory

• Institutional/Proprietary Data (Moderate level of security)

– All data must be in encrypted form (including backups)– Whole disk encryption is an option

• Public Departmental Data (Lowest level of security)

– Protected at the discretion of the department/owner– Recommended that data be stored on secured LAN drives

Lehigh Data Security Policy

Classification of Data

Addressing Security Requirements

Security Department Type of data Solution Notes

HIPAA Counseling/Health Center

Student counseling records

Installed Terminal Server with SQL server database

Limited access to CS staff

FERPA Student Affairs/Judicial System Database

Student disciplinary issues

Upgrade to SQL Server pending

Currently using MS Access

FERPA Athletics Student GPA, SSN and other data

Upgrade to SQL Server

Currently using MS Access

HIPAA Human Resources

Healthcare Enrollment

Currently being determined

Currently Excel SS

Small subset of actual sensitive data evaluated

• SDRAM cards in Pocket PCs and Palm Devices

• Enterprise tape backup Encryption

Methods being Evaluated

• Windows VISTA and Bit Blocker Encryption (Need TPM – Trusted Platform Module)

• Winzip as a method of Encrypting backups

Issues and Concerns

• Cost of software• Recovering data on drives using whole disk

encryption• Management of encryption keys • Privileges to download banner/access reports to

PCs• Leaking Data

– The recycle bin, temporary internet files– Laptop sleep mode (writes desktop to

temporary files)• Management of shared encrypted resources

Contact Information

Tim Foley – tim.foley@lehigh.edu

Gale Fritsche – gale.fritsche@lehigh.edu

Presentation is available at: http://www.educause.edu/E06/9164