| TOPIC REVIEW |
| jadgate |
Posted - 05/08/2007 : 8:43:13 PM Ultan-
Thanks for getting the ball rolling on this. I'll start this forum with a new topic: laptop (or mobile device) theft policies (or more properly, procedures for dealing with them). For the uninitiated, large companies are now formally creating policies and procedures for dealing with security.
Last year, I took a stab at trying to draft a laptop (or mobile device, such as a Blackberry) policy for the organization I worked for at the time. I quickly came to the conclusion this was a multi-headed beast of a task, due to the multiple state data breach notice laws (at last count there were 34), not even considering Federal mandates. For a company that is located in many, if not all states, this is unmanageable. Many of the state laws are modeled on the CA law, which provides a disk encryption "safe harbor" if a laptop with sensitive data is lost/stolen, so that may be a way to reduce the risk on this...
Anyone come up with a workable policy/procedure that helps this risk/exposure? It's too early to see if BitLocker will be a get out of jail free card on this, but it's a step in the right direction.
My research turned up a few companies who have implemented this, albeit after they had been whacked over the head (e.g. sensitive data on a mobile device was lost), but no good language.
Jim
|
| 12 LATEST REPLIES (Newest First) |
| jadgate |
Posted - 05/11/2007 : 5:14:42 PM Agreed, I had a few nervous moments with PointSec when my PS encrypted laptop wouldn't boot while my Dell was in its docking station. Removal from the DS fixed that, but I was nervous about restarting the system after that. It's moments like that when you pray for backups. This is the whole issue for me, if the system isn't backed up at least every couple of days, then you are really screwed when something bad happens, then conventional recovery tricks won't work.
Jim
|
| joe_elway |
Posted - 05/11/2007 : 12:00:33 PM PointSec ... was trying to remember that name. I had multiple different builds of that (including pre-release) before making a purchasing decision. I was using base XP SP1 on HP NC610's. Installing the agent (before an encrypt policy was applied) would cause the machine to fail to boot up. Support from PointSec was awful (they just blamed a plain RIS installation) so it made the decision _very_ easy for me. |
| jadgate |
Posted - 05/11/2007 : 11:30:54 AM Guys-
I'd say the jury is still out on BitLocker. I'm not bashing MS, but in the security world, something is not considered effective until it's been battle-tested over time, so to speak. It's better than not having encrypted drives at all, but we'll see how it works out vs. third-party products like PointSec (no endorsement, just what I've used). And most of the systems out there are not running Vista yet, so there is a big exposure.
Jim |
| ukinahan |
Posted - 05/11/2007 : 08:38:58 AM cool thanks Tim... |
| mitachu |
Posted - 05/10/2007 : 3:38:10 PM http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
You're right.
|
| ukinahan |
Posted - 05/10/2007 : 1:08:10 PM Hi Tim
It would work for me, I would think; however, Microsoft did not have the good foresight to think about including this on Vista Business. BitLocker is only available on Ultimate & Enterprise unless I am mistaken... (please let me know if that's incorrect)
|
| mitachu |
Posted - 05/10/2007 : 06:49:58 AM What about Vista's BitLocker?
|
| joe_elway |
Posted - 05/09/2007 : 4:43:57 PM If you use Windows-powered PDAs then SafeBoot can manage/encrypt those too ... same console.
Oh .... if this stuff is _really_ serious for you then have a look at the MS solution ... Rights Management Services. You can encrypt documents at the document level so only authorised readers can access them ... prevents those nasty salesmen/directors trying to smuggle data out of the company via web mail, etc .... don't think your web mail policies at the firewall work 100% ... they are not foolproof. |
| ukinahan |
Posted - 05/09/2007 : 09:58:44 AM Hi Jim,
I would have to agree with Aidan. SafeBoot may be the best fit for the scenario. I do use that on all laptops that leave my office, but as far as the Blackberries go, all we do is ask that the user report to us if it is lost/stolen etc. & then we send a wipe signal to the unit from the management console so that the next time the unit is powered on (if at all) all data is wiped from the unit. |
| joe_elway |
Posted - 05/09/2007 : 09:28:09 AM I really liked SafeBoot for full disk encryption on laptops. It uses 256 AES to encrypt the HD. An agent is installed that downloads policy from a management server. Thus you can control encryption, who can log on etc. Everyone has different logons to the disk. It also features challenge/response for remote/disconnected password resets. Think it was pretty cheap. They dominate the Irish market... financials and government. Same crowd as SafeGuard, I believe. |
| Playwell |
Posted - 05/09/2007 : 04:15:58 AM I've designed a laptop configuration at a bank a while ago. They have used a program called SafeGuard Easy. |
| netmarcos |
Posted - 05/08/2007 : 11:20:08 PM The only company that I have worked with that has dealt with this did go the route of total drive encryption for all laptops - thousands of them. At the time that was Encryption Plus Hard Disk 7.0 |