
INFORMATION TECHNOLOGY SECURITY SERVICES
http://safecomputing.umich.edu

Mobile Device Security FAQs for IT Pros

Protecting Data at Rest: Guidance for the Encryption of Sensitive Data on Laptops & USB Flash Drives


Contents

General Topics
  I don’t have time to read all this. Just tell me what to do.
  What is a mobile device?
  What is mobile device security?
  Why should I care about mobile device security?
  What are some best practices using mobile devices?

Encryption
  How do I provide mobile device security?
  What is encryption?
  Why can’t I just password protect my laptop?
  Why is encryption so important?
  Do I need to encrypt my data?
  What data is considered “sensitive”?
  What should I look for in an encryption solution?
  Explain file/folder-level encryption versus full-drive encryption
  How do I decide between file/folder-level encryption and full-drive encryption?
  What encryption solutions are out there?
  What is meant by virtual disk encryption?
  Your encryption solution matrix only references four parameters. What other variables should I consider when evaluating an encryption solution?
  Why should I pay for a third-party solution when encryption is built into Windows/Mac?

Encryption for Windows
  What encryption solutions are built into Windows?
  What’s the difference between EFS and BitLocker?
  Can EFS and BitLocker be used together?
  Why would I use both EFS and BitLocker?
  I’m purchasing new laptops. What should I get to run BitLocker?
  How do I use BitLocker?
  How do I use EFS?

Encryption for Macs
  What encryption solution is built into the Macintosh?
  What’s the difference between FileVault and Disk Utility?
  Can FileVault and Disk Utility be used together?
  Why would I use both FileVault and Disk Utility?
  How do I use the Macintosh Disk Utility to encrypt data?

USB Flash Drive Encryption
  What about USB flash drive encryption? What are the decision factors?
  Which USB flash drives have encryption software built in?
  What are some concerns with purchasing a secure flash drive?

Physical Protection
  What about “LoJack” type (device recovery) solutions?
  What about remote erasure solutions?
  How do I securely dispose of or recycle a mobile device?


General Topics

I don’t have time to read all this. Just tell me what to do.
First, avoid storing sensitive data on mobile devices. If you must store sensitive data on mobile devices (particularly laptops and USB flash drives), use the encryption software that is already built into those devices:

• If your laptops are running Windows XP SP2, use EFS (Encrypting File System), as explained here: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_docs_windows.pdf

• If your laptops are running Windows Vista Enterprise or Ultimate Edition, use BitLocker, as explained here: http://www.safecomputing.umich.edu/tools/security_shorts.html

• If your laptops are running a version of Windows Vista other than Enterprise or Ultimate, upgrade to Enterprise or Ultimate.

• If you’re using a Macintosh, use FileVault, which can be found in System Preferences under Security.

• If you will be purchasing a PC-based laptop, we recommend any Dell Latitude, which will meet the following requirements:

  o They meet the minimum hardware requirements for Windows Vista (http://go.microsoft.com/fwlink/?LinkId=83233)

  o They have a TPM 1.2 chip (TPM stands for Trusted Platform Module)

  o They have a TCG-compliant BIOS (TCG stands for Trusted Computing Group)

• If you need to store data on a USB flash drive, we recommend the Lexar JumpDrive with Secure II Software v2.0 encryption software. This USB flash drive can be used with both Windows and Macs (Windows 2000 SP4, Windows XP SP2, Vista, and Mac OS X v10.4+). Instructions for setting up the encryption can be found here: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_thumbdrive.pdf

What is a mobile device?
Mobile devices include portable computers (such as laptops, notebooks, tablet PCs); handheld devices (such as Personal Digital Assistants (PDAs), SmartPhones, BlackBerries); and portable storage devices such as USB flash drives (aka thumb drives) or USB hard drives. For the purposes of this document, we have limited the scope of our recommendations to laptops and USB flash drives.


What is mobile device security?
Mobile device security refers to those tools and techniques that are particularly useful for mitigating the types of threats mobile devices are commonly exposed to, specifically theft, loss, and communication over insecure public networks such as the Internet or wireless hotspots.

Why should I care about mobile device security?
Liability and privacy are the primary drivers for mobile device security. As of Fall 2007, at least 35 states (including Michigan) require businesses and state agencies (including public universities) to publicly disclose security breaches involving personal information. This notification process is costly not only in terms of the process itself, but also in negative publicity.

Additionally, if you are a …, here are reasons you should care about mobile device security (and this FAQ):

Researcher
• You don’t want to lose your research data.
• You don’t want your research data to fall into the wrong hands.
• You don’t want to put your research subjects in jeopardy.
• You don’t want lack of proper security controls to be a factor in getting a research grant.
• You don’t want lack of proper security controls to stall the IRB approval process.
• You don’t want yourself or the University to be liable with respect to regulations that cover certain types of research data. For example, the Health Insurance Portability and Accountability Act (HIPAA) may apply to certain types of human subject research.

Faculty or Staff Member
• If you store any “institutional” data on a mobile (or any other) device, then you have an obligation and a job responsibility to protect that resource appropriately and in accordance with applicable laws and regulations. See SPG 601.12 for further information, including a definition of “institutional” data.

IT Professional
• There are no University-wide mandates or required products for the protection of sensitive data on mobile (or any other) devices. Thus, you should become familiar with the risks that are present in your environment as well as the options for mitigating those risks.

What are some best practices using mobile devices?
Follow these best practices for physically securing your mobile device:

• Don’t store sensitive data on your mobile device in the first place!
• Do not leave your laptop unattended.
• Lock your office or lab when you leave.
• Use a laptop lock at your work station, or lock it out of sight if you are traveling with it.
• Be particularly cautious about keeping your laptop safe in airports and other public places.


• Use a strong password: more than eight characters, with a combination of upper- and lower-case letters, symbols and numerals.
• Keep software up to date. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf
• Use a host-based firewall. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf
• Install anti-virus software. For more information, see: http://www.safecomputing.umich.edu/tools/download/securityshorts_essentials_homepc.pdf

Encryption

How do I provide mobile device security?
The short answer is encryption. Encrypt data at rest and encrypt data in motion.[1] Encryption mitigates the most prevalent threats associated with mobile devices. Encrypting data at rest mitigates the disclosure of data when a mobile device is lost or stolen. Encrypting data in motion mitigates the threats (e.g. eavesdropping) associated with the transmission of sensitive data over the insecure public networks that mobile devices often connect to.

Encryption, of course, does not address every mobile device concern. For example, encryption does nothing to prevent a mobile device from being lost or stolen in the first place. This FAQ talks about other safeguards that can be used in conjunction with encryption to address a range of mobile device concerns.

What is encryption?
Encryption scrambles data in a way that it can only be read by someone who possesses the corresponding decryption key. If an unauthorized individual obtains access to a device with encrypted data, but does not have the decryption key, they see only random gibberish instead of sensitive data.

Why can’t I just password protect my laptop?
Using a “boot” (BIOS) password and/or account password along with a password-protected screensaver is a recommended best practice for keeping honest people honest. These boot or logon passwords, however, do nothing to prevent an individual from accessing the hard drive if they want to: to bypass a boot password, all someone has to do is put the hard drive in another machine. To bypass an account password, someone can simply boot from a different disk. In short, passwords provide no protection when physical security is breached, as in the case of a stolen, lost, or confiscated device.

[1] Data at rest is data that is stored on some physical storage media like a hard disk, flash drive, or DVD. Data in motion refers to data that is traveling as packets through a network, e.g. as an email makes its way across the Internet. Note that data on a thumb drive is considered data at rest even though the thumb drive itself may be mobile.

Why is encryption so important?
Besides actually protecting confidential data from unauthorized disclosure, encryption has the added benefit of saving you the cost and embarrassment of having to notify potentially affected individuals when your mobile device is lost, stolen, confiscated, etc. Because a properly implemented encryption solution (a standard algorithm, a key that is not stored in the clear alongside the data, and a passphrase or token a thief cannot guess) is recognized as adequate protection against an attacker who holds the device but not the key, most notification laws provide an exemption if the sensitive data on a lost or stolen device is encrypted. Due to the high costs and negative publicity of notification, along with the potential fines and legal ramifications associated with a sensitive data breach, encryption of sensitive data is often cost-justified.

Do I need to encrypt my data?
If it’s sensitive and mobile, you should encrypt it. Of course, there are other scenarios that also warrant encryption, but this FAQ is focused on protecting sensitive data on mobile devices.

What data is considered “sensitive”?
Sensitive data is defined as data whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services, or individuals. The following link has further information: https://www.itss.umich.edu/umonly/documents/Data%20Classifications.pdf

What should I look for in an encryption solution?
Deciding on an encryption solution can depend on a lot of factors. Some decision points, such as usability, cost, and platform support, are easy to understand. Other decision factors, such as algorithm support, are complicated but less interesting because, in the end, most solutions support the same standard algorithms.

One influential parameter that is worth understanding further is the approach used to secure the files on disk. The two competing philosophies are File/Folder-level encryption and Full-Drive encryption. These two approaches are explained in further detail below.

Explain file/folder-level encryption versus full-drive encryption
File/folder-level encryption is selective. It allows specific files to be encrypted, or it allows a container (i.e. a folder or directory) to be created such that files saved in the container are encrypted. Full-drive encryption, on the other hand, encrypts all the sectors on a disk or disk volume. Thus, a full-drive encryption solution will often encrypt operating system files, applications, system settings, and cache files in addition to specific sensitive data files.

The benefit most often cited for full-drive encryption over file/folder-level encryption is that full-drive encryption leaves less doubt about whether all instances of sensitive data were actually encrypted. This is because operating systems and applications write data in caches, temp directories, page files, hibernation files and other areas that are difficult to identify let alone selectively encrypt. Furthermore, humans make mistakes. Users may simply forget to store sensitive data in the right (encrypted) folder. Techniques and solutions exist to mitigate all of these file/folder-level shortcomings, but such solutions are typically only viable in “managed” environments where the mobile devices are managed by an IT department and end-users do not log in with administrative privileges.
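Where the spillover described above actually lands on a Windows laptop, and how to check for it, as an added example that is not part of the ITSS FAQ: a PowerShell audit for Windows Vista or later, run from an elevated prompt. The registry values, file names and the cipher/powercfg switches are the real ones; the function name and the particular directories it inspects are this example's own choices. Each finding is a location a file/folder-level deployment must handle explicitly, and that full-drive encryption covers by construction.

```powershell
# Added example (not from the ITSS FAQ): find places where Windows writes plaintext copies
# of data outside the folders a user chose to encrypt. Windows Vista or later, elevated.

function Test-PlaintextSpillover {
    $findings = @()
    $sys = $env:SystemDrive

    # 1. Page file: anything in memory, including documents decrypted by EFS, can be swapped here.
    #    Vista can EFS-encrypt it (NtfsEncryptPagingFile = 1) or wipe it at shutdown (ClearPageFileAtShutdown = 1).
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -ErrorAction SilentlyContinue
    if (($fs.NtfsEncryptPagingFile -ne 1) -and ($mm.ClearPageFileAtShutdown -ne 1)) {
        $findings += "pagefile.sys is neither EFS-encrypted nor cleared at shutdown"
    }

    # 2. Hibernation file: a raw image of RAM, written with no regard to which files were encrypted.
    if (Test-Path "$sys\hiberfil.sys") {
        $findings += "hiberfil.sys present (disable with 'powercfg -h off' or rely on full-drive encryption)"
    }

    # 3. Temp, browser cache and print spool directories: autosaves, cached downloads and spooled
    #    print jobs are written here regardless of where the original document lives.
    $dirs = @(
        $env:TEMP,
        "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files",
        "$env:SystemRoot\System32\spool\PRINTERS"
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        $attrs = (Get-Item $dir -Force).Attributes
        if (($attrs -band [IO.FileAttributes]::Encrypted) -eq 0) {
            $findings += "$dir is not EFS-encrypted (fix: cipher.exe /e /s:`"$dir`")"
        }
    }
    return $findings
}

$report = @(Test-PlaintextSpillover)
if ($report.Count -eq 0) { "No plaintext spillover locations found" } else { $report }
```

The per-user directories (TEMP, Temporary Internet Files) can be fixed by the user with cipher.exe; the page file and hibernation settings are machine-wide and need administrative rights, which is the practical reason the FAQ ties a trustworthy file/folder-level deployment to a managed environment.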

How do I decide between file/folder-level encryption and full-drive encryption?[2]
First, make sure you have a choice. Your unit, or authoritative compliance office, may already mandate a specific encryption approach. If the file/folder versus full-drive approach has not already been decided, we offer the following guidance:

• If both approaches are available for effectively the same cost[3], then use the full-drive encryption approach.

• However, if the cost of full-drive encryption significantly outweighs the cost of file/folder-level encryption, then that cost needs to be weighed against the likelihood and incremental impact of a lost or stolen laptop. When considering this trade-off, we offer these baseline recommendations:

  o If the data being encrypted is subject to legal or regulatory requirements and that data is newsworthy in terms of quantity, then strive to use the full-drive encryption approach.

  o Even if the data is not regulated, if its unauthorized access would have a significant impact on people’s lives or on the reputation or mission of the University, then strive to use the full-drive encryption approach.

Full-drive encryption is recommended for regulated environments because, as explained in the answer to the previous question, full-drive encryption reduces the doubts that people (users, administrators, auditors, investigators, customers, research subjects, etc.) have regarding the possible exposure of sensitive data when the device is lost or stolen. In fact, in Japan, only the full-drive encryption approach is recognized as sufficient for avoiding notification when a device containing private personal information is lost or stolen.[4]

[2] File/folder and full-drive encryption are not necessarily mutually exclusive. However, this FAQ does not discuss using both approaches simultaneously, because this FAQ is concerned primarily with the threat of information disclosure due to a lost, stolen, or confiscated laptop, and either approach may be used, by itself, to mitigate this threat.
[3] Cost includes administrative, operational and performance costs in addition to outright hardware and software costs.

That being said, highly “managed” environments, which are run by an IT department supporting end users that do not have administrative rights, may be able to successfully deploy a policy-based file/folder-level encryption solution even for regulated or other highly sensitive data. For these environments, a good centrally managed, policy-based file/folder encryption solution may be as transparent and demonstrably comprehensive as the full-drive encryption approach, but the IT department should convince themselves of that (for example, by verifying that temp directories, page files and hibernation files are covered) before relying on it.

What encryption solutions are out there?
The following table provides information regarding encryption solutions offered by various vendors in the Fall of 2007. Use the table to narrow down your options based on the following parameters:

• File/Folder versus Full-Drive Encryption – As noted earlier, rely on a full-drive encryption solution unless you are in a highly managed environment where centralized policies and reporting capabilities increase the likelihood that sensitive data is actually being encrypted.

• Platform (Windows, Macintosh, Linux) – Obviously, the chosen solution needs to run on the hardware and operating system that you have. When available, we’ve tried to include more detailed information in the Notes column regarding specific versions supported within a given platform. Always check with the vendor, however, to get the most up-to-date, definitive version information. In general, you can assume that Windows includes (or will soon include) Windows Vista.

• Consider for Managed/Unmanaged Environments – These two columns distinguish products based on their target markets. “Consider for Managed Environments” means you should consider the product only if you have an IT department that provides an infrastructure for, and centrally manages, end-user desktops. “Consider for Unmanaged Environments” means the product is more likely to be successfully used by end users who manage their own desktops. When a single product is listed in the table as meeting both criteria, it is likely part of a “product line” that, for example, includes a personal edition along with an enterprise edition.

• Notes – The Notes column includes additional information readily gleaned from the vendor’s web site regarding additional or limited functionality not covered by the other columns. Absence of a note does not mean there is nothing noteworthy (either positive or negative) about the product. It most likely means the web site is less forthcoming with information.

• License Cost – In this version of the FAQ, the License Cost column is used to distinguish “free” products from products that require an additional capital expenditure.

[4] http://www.busmanagement.com/pastissue/article.asp?art=269724&issue=222


Vendor | Product or Product Line | Notes | License Cost
Apple | FileVault | Encrypts the user’s home directory. | Free (built-in)
Apple | Disk Utility | File/folder-level encryption is provided via virtual disk encryption. | Free (built-in)
Authenex | HDLock | Uses two-factor authentication to encrypt/decrypt. | $$$
Authenex | ASafe | Uses two-factor authentication to encrypt/decrypt. | $$$
Beachhead | Lost Data Destruction | Also supports the concept of “data destruction” for lost or stolen devices. However, if you only plan on using the encryption feature, compare with the Microsoft Data Encryption Toolkit: the Beachhead solution simply uses policies to manage EFS, which is the same approach taken by the Data Encryption Toolkit, which is free. The Beachhead solution is also resold by Iron Mountain under the “Data Defense” brand. | $$$
BeCrypt | DISK Protect | Solutions also for PDAs (Personal Digital Assistants) and USB flash drives. | $$$
CE Infosys | Compusec Free | Linux: Red Hat and SuSE. | Free
CE Infosys | Compusec Mobile | Adds support for hardware-based encryption. Linux: 2.4 and 2.6 kernels. | $$$
Checkpoint | Pointsec PC | Linux: 2.6.4 or higher kernel; Red Hat, SuSE 9.x, RHEL4, NLD. Checkpoint also has separate products for PDA and USB encryption: “Pointsec Mobile” for encryption on PDAs and SmartPhones, “Pointsec Protector” for encryption of USB flash drives. | $$$
CREDANT Technologies | CMG | Policy-based file/folder encryption. Also supports encryption for PDAs and USB flash drives. | $$$
Entrust | Entelligence Disk Security | Based on Pointsec for PC technology. | $$$
Entrust | Entelligence Media Security | Based on Pointsec Media technology. | $$$
GNU Privacy Guard | GPG | Expert-only encryption solution designed to be compliant with the OpenPGP standard and thus compatible with PGP. | Free (open source)
Guardian Edge | Data Protection Platform | Also has a Removable Storage Encryption solution under the same Data Protection Platform. | $$$
Iron Mountain | Data Defense | Data Defense also supports the concept of “data destruction” for lost or stolen devices. However, if you plan on using only the encryption feature, compare with the Microsoft Data Encryption Toolkit: Iron Mountain simply uses policies to manage EFS, which is the same approach taken by the Data Encryption Toolkit, which is free. Secondly, the Iron Mountain solution is a repackaging of the Beachhead solution, so consider sourcing it from the original vendor instead. | $$$
Information Security Corporation | SecretAgent | Also supports Unix flavors and Pocket PCs. | $$$
Information Security Corporation | SpyProof! | Allows mounting of an encrypted virtual disk. | $$$
Microsoft | EFS | EFS is not supported on the Home Edition of XP or the Basic Edition of Vista. | Free (built-in)
Microsoft | Data Encryption Toolkit | Centrally manage EFS encryption via Group Policy. | Free
Microsoft | BitLocker | Windows: Vista Ultimate and Enterprise Editions only. | Free (built-in)
Mobile Armor | Data Armor | Linux: Red Hat 3.0. Also supports Windows Mobile, Palm OS and RIM BlackBerry. | $$$
Mobile Armor | File Armor | Also supports USB flash drives. | $$$
PGP | Whole Disk Encryption | Full-drive encryption on Mac is for non-boot disks only. File/folder-level encryption is provided via virtual disk encryption, which can be used to encrypt USB flash drives. Includes support for Secure Delete. Managed environments may want to combine with PGP Universal Server. | $$$
PGP | PGP Desktop Professional | Same as PGP Whole Disk Encryption, but adds support for encrypting email. | $$$
SafeBoot | Device Encryption for PC | Device encryption for Palm OS, Pocket PC, Symbian, Tablet PC, and Windows Mobile also available. | $$$
SafeBoot | Content Encryption | “…the solution is powered by SafeBoot® Persistent Encryption Technology™ (PET), so files and folders remain encrypted regardless of where they are copied or saved, even if they are attached to an e-mail, are used in terminal services environments, or are stored on removable media such as USB memory sticks, CDs, or DVDs.” | $$$
SafeNet | ProtectDrive | Supports encryption of data on USB flash drives. | $$$
SafeNet | ProtectFile | Supports encryption of data on file servers and USB flash drives. | $$$
TrueCrypt | TrueCrypt | Full-drive encryption only applies to non-OS partitions. File/folder encryption is via virtual disk. | Free (open source)
Utimaco Safeware | SafeGuard Easy | | $$$
Utimaco Safeware | SafeGuard PrivateDisk | Virtual disk solution, available in an Enterprise and a “Personal” edition. | $$$
WinMagic | SecureDoc | Corporate and Personal editions available. | $$$


What is meant by virtual disk encryption?
Virtual disk encryption is a technique for providing file/folder-level encryption. Virtual disk encryption works by creating a single encrypted file and making that one file appear to be an entirely new disk volume (or, in Windows, a drive letter). Files that are then copied to that disk volume (drive letter) are automatically encrypted. When evaluating a file/folder-level encryption solution that uses the virtual disk approach, be cognizant of the following:

• Can’t encrypt “home directories” – Virtual disk solutions require you to create a single file which is then “mounted” to appear as a separate disk. This approach precludes the ability to encrypt the user’s “home directory” or “user profile”, which is where sensitive data in the form of documents and temporary files is saved by default.

• Dynamic versus static virtual disks – Is the size of the virtual disk file static or dynamic? In other words, can the size of the virtual disk change over time, or must you anticipate and reserve the size you think you are going to need?

Your encryption solution matrix only references four parameters. What other variables should I consider when evaluating an encryption solution?

• Scope (range of devices)
• Key management
  o Generation, storage, caching, recovery, backup
  o Key recovery vs. data recovery
• Algorithm support
• Ease of use
• Manageability
• Company viability
• Technical nuances
  o Hibernation versus standby, etc.
  o Virtual disk space utilization
  o Two-factor authentication (2FA)

Why should I pay for a third-party solution when encryption is built into Windows/Mac?
In order to survive, third-party (add-on) solutions must provide value significantly beyond what is already built into the operating system. Therefore, you should thoroughly understand your security requirements, and you should thoroughly understand the capabilities of the solutions that are already built into your operating system. If your requirements are not already met by the operating system AND the cost associated with a third-party solution is worth the incremental[5] benefit, then you may want to consider investing in the third-party solution.

Over time, purchasing a third-party solution will become harder to justify as the built-in solutions become better, more comprehensive, and ubiquitous. Here are some scenarios, however, that may justify a third-party solution in the near term:

• I need full-drive encryption for XP since I can’t upgrade to Vista – Since Windows XP only supports file/folder-level encryption natively, if you can’t upgrade to Vista, then you would need to purchase a third-party solution to provide full-drive encryption instead.

• I need full-drive encryption for Macintosh – Like Windows XP, the Macintosh only has file/folder-level encryption built in. Thus, you would need to purchase a third-party solution to provide full-drive encryption for the Macintosh. As noted in the table above, however, we are unaware of any third-party solution that will provide full-drive encryption for the Macintosh OS volume. Thus, if full-drive encryption is mandated or otherwise required, you would need to leverage a different platform.

• Too many different built-in solutions – If you need to support an extremely heterogeneous environment of platforms, platform versions, and mobile devices, you may want to standardize on a third-party solution to provide consistency for end users, administrators, or both.

• Value add – Third-party encryption solutions may provide some additional related capabilities that you either need or want. For example: laptop recovery, remote disk wiping, secure delete, email integration, port control, ease of use, better management, etc.

Encryption for Windows

What encryption solutions are built into Windows?
There are two encryption options to consider in Windows environments: EFS and BitLocker.

EFS (Encrypting File System) is available in Windows 2000 and up, including Windows Vista.[6] EFS provides file/folder-level encryption on a per-user basis.

BitLocker is available in the Ultimate and Enterprise editions of Windows Vista and provides full-drive encryption for all users.

What’s the difference between EFS and BitLocker?
EFS provides file/folder-level encryption. BitLocker provides full-drive encryption. The difference between file/folder encryption and full-drive encryption is explained earlier in this FAQ (see “Explain file/folder-level encryption versus full-drive encryption”). Additionally, EFS encrypts files on a per-user basis, so that each user of a given machine can encrypt files independently of other users. In contrast, BitLocker encrypts all system, application and data files for all users of the system, and any user who can log on to the running machine sees them decrypted.

[5] i.e. the third-party solution is “cost effective”. Mathematically, “cost effective” means the incremental benefit exceeds the cost: (Benefit of third-party solution – Benefit of built-in solution) / Cost of third-party solution > 1.
[6] EFS is not available in Windows XP Home Edition or Windows Vista Basic Edition.

Can EFS and BitLocker be used together?

Yes.

Why would I use both EFS and BitLocker?

Add EFS to BitLocker if you are also concerned about the “insider threat.” Specifically, if multiple users need to share the laptop, or there are IT administrators who are capable of logging on to the laptop, and you want to ensure that these other users or administrators can’t access the sensitive data, then you can encrypt it with EFS.

I’m purchasing new laptops. What should I get to run BitLocker?

Besides meeting the minimum hardware requirements for Windows Vista (http://go.microsoft.com/fwlink/?LinkId=83233), make sure your laptop has a:

TPM 1.2 chip – TPM (Trusted Platform Module) is a special hardware chip used to protect the BitLocker decryption keys.

TCG compliant BIOS – TCG stands for Trusted Computing Group. Confirm with the vendor that the BIOS is TCG-compliant, Windows Vista-ready, and that it passes the Windows Vista logo tests.

If possible, it is also helpful to have the laptop hard disk pre-configured with two partitions. BitLocker requires a small (minimum 1.5GB) partition to hold the core boot files that remain unencrypted.

Note: This recommendation should not be interpreted to mean that BitLocker requires a TPM 1.2 chip – it doesn’t. Having the TPM 1.2 chip is just the preferred way to implement BitLocker. If you have a laptop without TPM support, you can deploy BitLocker using a USB flash drive instead.

How do I use BitLocker?

See the ITSS Security Short Windows Vista Drive Encryption (http://www.safecomputing.umich.edu/tools/security_shorts.html).

How do I use EFS?

See the ITSS Security Short How to Encrypt Documents on your Windows Computer (http://www.safecomputing.umich.edu/tools/security_shorts.html).

Encryption for Macs

What encryption solution is built-in to the Macintosh?


Macs have built-in file/folder level encryption that can be leveraged in two different ways. FileVault allows a user to encrypt their home directory. Disk Utility allows a user to create arbitrary encrypted virtual disks that can store encrypted data. See the question “What is meant by virtual disk encryption?” elsewhere in this FAQ.

What’s the difference between FileVault and Disk Utility?

Scope. FileVault encrypts a user’s home directory only. Disk Utility can be used to create virtual disks for encrypting data outside of a user’s home directory. Under the covers, both applications use the same technology. Specifically, FileVault simply creates an encrypted virtual disk that is then used to hold the user’s home directory.

Can FileVault and Disk Utility be used together?

Yes.

Why would I use both FileVault and Disk Utility?

If you need to share sensitive data between users, you would need to use Disk Utility to store that encrypted data outside of a given user’s home directory. Simultaneously, you may want to continue using FileVault to secure remnants of this sensitive data that persist in the form of temp files, intermediate versions, etc.

How do I use the Macintosh Disk Utility to encrypt data?

See the LSA document on this topic: http://www.lsa.umich.edu/lsait/admin/mac/EncryptingSensitiveData.pdf

USB Flash Drive Encryption

What about USB flash drive encryption? What are the decision factors?

There are two approaches to consider when purchasing USB flash drives (a.k.a. thumb drives) that need to store encrypted data:

1. Purchase blank flash drives and use your own encryption software, OR
2. Purchase flash drives that come with encryption software pre-installed.

This decision should be related to your laptop encryption decision as follows:

If your laptop encryption solution can also encrypt USB flash drives, choose the first option. In fact, you may have chosen your laptop encryption solution precisely because it was also capable of encrypting your USB flash drives and, possibly, other mobile devices.

On the other hand, if your preferred laptop encryption solution does not also encrypt your USB flash drives, then purchase a secure flash drive that has encryption software pre-installed.

Note: Regardless of the approach taken, keep in mind that the solution used to encrypt/decrypt data on the flash drive must be able to run under the operating systems where you want the flash drive to be inserted. For example, if you want to be able to read or write encrypted data on a flash drive that is inserted into a Macintosh computer, then a Macintosh version of the encryption/decryption software must be available.

Which USB flash drives have encryption software built-in?

As of Fall 2007, the following vendors claim [7] to offer USB flash drives with encryption support either built-in to the hardware or available via software that is pre-installed on the flash drive:

Vendor          | Flash Drive Product                                   | Supported Platforms (for Encryption Software)
----------------|-------------------------------------------------------|---------------------------------------------------------------------
Advanced Media  | RIDATA EZ Drive lineup (see http://www.ritekusa.com)  | Windows 2000/XP/Vista; Linux Kernel 2.4+; MacOS 8.6+
Kanguru         | MicroDrive AES                                        | Windows 98/98SE/ME/2000/XP/Vista (32-bit only); Windows Server 2003
Lexar           | JumpDrive with Secure II Software v2.0                | Windows 2000/SP4; Windows XP/SP2; Vista; Mac OSX v10.4+
Imation         | Pivot Flash Drive                                     | Windows 2000/XP/Vista
IronKey         | IronKey                                               | Windows XP/Vista
Kingston        | Data Traveler Elite                                   | Windows 98SE/2000/XP
PNY             | Secure Attache                                        | Windows 2000/XP
SanDisk         | Cruzer Professional; Cruzer Enterprise                | Windows 2000 SP4\XP SP1\2003\Vista

What are some concerns with purchasing a secure flash drive?

The primary concerns with purchasing a secure flash drive (i.e. a flash drive with pre-installed encryption software) are:

1. Driver Installation
2. Platform Support
3. Algorithm Implementation
4. Maintenance

1. Driver Installation

The primary benefit often cited for purchasing a secure flash drive (i.e. a flash drive with pre-installed encryption software) is that the software moves with the flash drive. Theoretically, this makes it easier to access the encrypted portion of the flash drive as it moves from machine to machine, because you can simply launch the encryption software directly from the flash drive itself.

The unadvertised problem with this claim is that, in many cases, the pre-installed encryption software needs to install a file system driver on the host PC. This one-time driver installation step requires root or administrator privileges. Thus, in order to use the encrypted portion of the USB flash drive on a given PC, the end-user has to be an administrator on that PC, or some other administrator would have had to pre-install the file system driver.

[7] ITSS has not evaluated these products and cannot confirm the vendors’ claims regarding encryption capabilities or platform support. The information conveyed by this table comes from posted product reviews and vendor web sites. If you have first-hand experience with the encryption capabilities of these or thumb drives not listed, please send feedback to [email protected].

In short, don’t assume that you’ll be able to purchase any secure flash drive, hand it out and have end-users be able to start reading and writing encrypted data as they move from machine to machine. In managed environments (where users do not have administrative access to their machines) you may need to identify and pre-install driver software on each machine where you expect the flash drives to be used. In unmanaged environments (where end-users manage their own machines) the driver installation will usually happen “under the covers” when the user logs in as an administrator and launches the encryption program from the flash drive.

2. Platform Support

The unencrypted portion of a secure USB flash drive can typically be accessed on any platform. However, the encryption capabilities are often limited to specific platforms. PNY is one of the few vendors that are forthcoming with this distinction: “Security and Encryption features only accessible on Windows(R) 2000/XP systems with administrative rights. Will function as a standard USB storage device on other operating systems.”

3. Vendor’s Cryptographic Implementation

While a particular encryption algorithm (such as AES) may be well vetted, that algorithm still needs to be interpreted and implemented by developers in software. If there are weaknesses in the developers’ implementation of a given encryption algorithm, those weaknesses will be exploited. While there is no evidence whatsoever to suggest the existence of weaknesses in the encryption implementations of various secure flash drive vendors, these vendors are better known for their hardware solutions than for their software and security prowess.

4. Maintenance

Users need to consider how the required platform drivers and the applications that are resident on the flash drive will be updated over time.

Physical Protection

What about “LoJack” type (device recovery) solutions?

Tracking and recovering a stolen laptop is different from, and insufficient for, protecting the data on that laptop from unauthorized disclosure. The “LoJack” type of tracking and recovery solutions may be worth investigating if you have unusually expensive equipment that can cost-justify the service, or if you cannot adequately back up your data and want to gamble on a recovery service as a last-ditch effort for recovering data that is not otherwise backed up. However, if your primary goal is to prevent the unauthorized disclosure of sensitive data, then it must be encrypted whether you use a tracking and recovery solution or not.


What about remote erasure solutions?

As with the “LoJack” type of solutions, you can’t count on remote data wiping solutions alone to protect the confidentiality of sensitive data. Remote erasure implies the ability to contact a machine remotely, or the machine needs to have its own time bomb that initiates a self-destruct sequence if contact is not made after a given period of time. It sounds cool, but due to the implicit communication and/or time delay requirements, encryption is the better confidentiality solution.

How do I securely dispose of or recycle a mobile device?

The University of Michigan Property Disposition recommends that the most efficient and economical means of sanitizing computers and media storage devices such as PDAs or thumb drives is to overwrite the entire device with zeroes. Other sanitizing methods include:

1. Commercial software, such as ShredIt for Windows and Macs.
2. Free software like Eraser; its source code is released under the GNU General Public License.
3. Built-in capability: For Windows, use the Secure Delete command (see www.microsoft.com/technet/sysinternals/Utilities/SDelete.mspx). For later versions of Mac OS X, use the Secure Erase Trash command that overwrites files in the trash (see www.apple.com/macosx/features/security/ for "Permanent Deletion.").
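The zero-overwrite that Property Disposition recommends, followed by the read-back check a practitioner would want before releasing the device, as an added example (this is not the FAQ's or Property Disposition's own procedure). The device path, the helper names and the constructed 1 MiB image that stands in for a thumb drive are assumptions; on a real device the path would be a block device such as /dev/sdX, which requires root and destroys everything on it.

```shell
#!/bin/sh
# Added example: zero-fill sanitization with verification.
# "$1" is a path standing in for the device (assumption: a block device
# such as /dev/sdX in practice, a constructed image file here).

# Size in bytes of the object at $1 (regular file or block device).
device_size() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite every byte of $1 with zeroes. conv=notrunc keeps a regular
# file's length, so the zeroes cover exactly the original extent; sync
# pushes the writes out of the page cache before anything is verified.
zero_fill() {
    size=$(device_size "$1")
    head -c "$size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Verification pass: succeed only if no non-zero byte remains anywhere.
is_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Sanitize and verify in one step; returns 0 on success, 1 if any
# non-zero data survived (the device must then not be released).
sanitize_device() {
    zero_fill "$1"
    if is_zeroed "$1"; then
        echo "$1: sanitized, $(device_size "$1") bytes verified zero"
        return 0
    fi
    echo "$1: WARNING, non-zero data remains; do not release this device" >&2
    return 1
}

# Constructed stand-in for a thumb drive: a sample record followed by
# 1 MiB of random filler, so the pre-wipe state is clearly non-zero.
make_sample_image() {
    printf 'SSN 000-00-0000 (constructed sample record)\n' > "$1"
    head -c 1048576 /dev/urandom >> "$1"
}
```

Run `make_sample_image /tmp/usb.img && sanitize_device /tmp/usb.img` to see the flow on the constructed image; a zero-length `is_zeroed` failure after the wipe would indicate the write did not reach the media.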

In some circumstances it is best to physically destroy hard drives, CD-ROMs or tapes. When physical destruction is implemented, departments are still responsible for sending the remains to Property Disposition for proper disposal.

For more information, visit: http://propertydisposition.umich.edu/html/computerprep.html
