Exported from Confluence, Fri, 29 Mar 2024
Introduction to Full Disk Encryption (FDE)
Full disk encryption (FDE) is a security safeguard that protects all data stored on a hard drive from unauthorized access by encrypting at the disk (volume) level rather than file by file. With FDE, all data is encrypted by default, taking the security decision out of the hands of the user. The most common reason for implementing FDE is to protect against data exposure from lost or stolen laptops, which is often sufficient to avoid costly data breach notification requirements.
The purpose of this guide is to provide worthwhile strategies for implementing full disk encryption throughout your organization, and to identify common pitfalls to avoid. The following topics are covered on this page: defining the scope, developing policies and procedures, choosing software, hardware and configuration, implementation and support, understanding the limitations, and dos and don'ts.
Define the Scope
- Determine what your goals are for the FDE project. Are you simply trying to protect personally identifiable information and avoid data breach notification requirements? Are you trying to protect other data?
- Are you only concerned about lost laptops and opportunistic thefts? Are you also concerned about attackers deliberately targeting your institution's data?
- Are you interested in protecting all managed laptops? Only faculty and staff laptops? Only certain employees or divisions? Only those who have access to the data you are trying to protect?
- Consider protecting Windows, Mac, and mobile devices alike; a policy that covers only one platform leaves the same data exposed on the others.
- Are you interested in protecting only laptops? What about desktops or servers?
  - Consider enabling FDE on desktops or servers that house confidential data in areas where theft is possible or more likely.
- Are you interested in protecting only the primary device, or are you also concerned about removable media such as USB drives and backup drives?
Develop Policies and Procedures
- Create a standard of which systems to protect with FDE. Will you require that all laptops are encrypted, or only those belonging to faculty and staff? Do you have desktops or servers that are at risk of theft and should also be protected?
- Determine incident response policies and procedures for lost equipment that is protected by FDE. Consider federal, state, and local regulations applicable to your institution. Are you exempt from data breach notification requirements if FDE is in place? Do you need to provide some level of assurance, such as a logged encryption status report, that FDE was active on the device at the time it was lost?
- Determine who has access to encryption recovery tokens and how that access will be audited.
Choosing Software, Hardware, and Configuration
- Select the appropriate software for your goals, environment, and culture. Common solutions include:
  - BitLocker – Windows Vista/7 (Enterprise or Ultimate editions only in those versions; Pro and Enterprise editions from Windows 8 onward)
    - Included with the operating system at no extra cost
    - Use with Microsoft Active Directory to centrally store recovery keys and to manage BitLocker settings via Group Policy
    - Use with Microsoft System Center Configuration Manager to validate that BitLocker remains enabled
  - PGP Whole Disk Encryption – Windows, Mac OS, Linux
    - Best if used with PGP Universal Server
  - TrueCrypt – full disk encryption on Windows only
    - Note: TrueCrypt runs on Windows, Mac OS, and Linux, but it only encrypts the system (boot) drive on Windows; on the other platforms it offers container and non-system volume encryption. TrueCrypt development ended in 2014 and it is no longer maintained.
  - FileVault 2 – Mac (OS X Lion 10.7 and later)
  - A more complete list of solutions can be found on the following Wikipedia page: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software#Features
- Consider purchasing laptops that include a Trusted Platform Module (TPM). A TPM is an integrated security processor that holds the key protector for the disk encryption key and releases it only when the boot measurements it records match the expected state, so the key is never stored in software on the disk itself. It also gives you more flexibility when deciding on the user login experience. TPMs are available from most modern, mainstream laptop vendors, including Acer, Dell, HP, Lenovo, Sony, and Toshiba.
- Select the required login method when booting the computer. For BitLocker, options include a passphrase or PIN, a USB startup key, the TPM (if present), or a combination of these.
  - Consider the threats you are looking to protect against. If you are only concerned with lost laptops and thefts of opportunity, TPM only may be sufficient, and it gives the most convenient user experience because the user enters no PIN, passphrase, or USB token at boot. Note that TPM only releases the key automatically whenever the boot chain measures as expected, so once a thief powers the machine on, the protection rests on the Windows logon screen and the integrity of the boot process rather than on a secret the thief does not have.
  - If you have a particularly high-risk asset, or if you are concerned that a user or system may be specifically targeted, consider requiring a PIN, passphrase, or USB token at boot for an additional layer of protection.
  - If a TPM is not an option, a PIN, passphrase, or USB startup key is required at boot.
- Determine if enterprise management capabilities are needed for the scope of your implementation. Central management greatly eases software updates, key recovery, and proving the encryption status of each device.
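As an added example that is not part of the original guide, the following PowerShell script enrolls a Windows OS drive in BitLocker the way the BitLocker bullets above describe: TPM+PIN as the pre-boot authenticator and a recovery password escrowed to Active Directory. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 and later; the Vista/7 systems the guide names perform the same steps with manage-bde.exe), a domain-joined machine, and Group Policy that permits a TPM+PIN protector and AD DS backup of recovery information.

```powershell
#Requires -RunAsAdministrator
# Added example: enroll the OS drive in BitLocker with TPM+PIN and escrow the
# recovery password to AD DS. Assumes the BitLocker and TrustedPlatformModule
# modules (Windows 8 / Server 2012 and later) and Group Policy that allows a
# TPM+PIN protector and AD DS recovery backup. Not code from the original guide.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$OsDrive = $env:SystemDrive          # normally "C:"

# 1. Confirm the TPM is present and ready. Without one, the guide's fallback
#    applies: a password or USB startup-key protector is required at boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready on $env:COMPUTERNAME; use a password or startup-key protector instead."
}

# 2. Leave drives that are already encrypted alone so the script is safe to re-run.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Warning "$OsDrive is already $($vol.VolumeStatus); nothing to do."
    return
}

# 3. Take the PIN interactively as a SecureString. Never hard-code it in an
#    imaging task sequence, where every device would end up with the same PIN.
$pin = Read-Host -Prompt 'Startup PIN (digits only unless policy allows enhanced PINs)' -AsSecureString

# 4. Start encryption with TPM+PIN as the pre-boot authenticator.
#    XtsAes256 needs Windows 10 1511 or later; use Aes256 on older builds.
#    -SkipHardwareTest starts encrypting now instead of after a test reboot.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# 5. Add a 48-digit recovery password so the help desk has a recovery path
#    that does not depend on the user remembering the PIN...
$null = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
      Select-Object -First 1

# 6. ...and escrow it to the computer object in AD DS (msFVE-RecoveryInformation),
#    which is what lets you answer "who can recover this drive, and is it audited?"
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId

# 7. Show which protectors exist, but never write the recovery password itself to a log.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The recovery password is added and escrowed immediately after encryption starts, before the machine is handed back to the user, so a forgotten PIN never becomes a data-loss event. Step 7 deliberately prints only protector types and IDs: the 48-digit password belongs in AD (or your escrow system), not in deployment logs.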
Implementation and Support
- Carefully plan, test, and pilot your infrastructure and systems before deploying an FDE solution.
- Ensure you have a system in place for key management and recovery key escrow.
- Create procedures for how to enable encryption, recover from lockouts and failures, and service encrypted laptops.
- Educate Help Desk and User Support staff on how to address the FDE issues users may face.
- Integrate your deployment plan with planned service events, such as laptop upgrades.
- Prevent users from disabling encryption, and put in place a way to verify and prove, from a central record, that full disk encryption has not been disabled or suspended on each device.
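To make "verify and prove that FDE has not been disabled" concrete, here is an added example (not from the original guide) of a check that a scheduled task or a Configuration Manager compliance baseline script could run on each Windows host: it grades the OS volume against a simple FDE standard, emits a JSON record that can be collected as evidence, and exits non-zero when the standard is not met. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later). The standard it encodes, a TPM-bound pre-boot protector plus an escrowable recovery password, is an illustrative assumption, not the guide's policy.

```powershell
# Added example (not from the original guide): evaluate a host's OS volume against
# an FDE standard and return a result a management agent can log. Assumes the
# BitLocker module (Windows 8 / Server 2012 and later). The accepted protector
# types below are an illustrative assumption; adjust them to your own standard.
Import-Module BitLocker

function Test-FdeCompliance {
    param(
        # One object as returned by Get-BitLockerVolume
        [Parameter(Mandatory)] $Volume,
        # Pre-boot authenticators the standard accepts. Plain 'Tpm' is excluded
        # here because the volume would unlock with no user input at all.
        [string[]] $AllowedProtectors = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $types = @($Volume.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # FullyEncrypted alone is not enough: a suspended volume keeps a clear key on
    # disk and reports ProtectionStatus Off, so both fields must be checked.
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("volume status is '$($Volume.VolumeStatus)', not FullyEncrypted")
    }
    if ($Volume.ProtectionStatus -ne 'On') {
        $findings.Add("protection is '$($Volume.ProtectionStatus)' (suspended or never enabled)")
    }
    if (-not ($types | Where-Object { $_ -in $AllowedProtectors })) {
        $found = if ($types) { $types -join ', ' } else { 'none' }
        $findings.Add("no accepted pre-boot protector; found: $found")
    }
    if ('RecoveryPassword' -notin $types) {
        $findings.Add('no recovery password protector, so nothing can be escrowed or audited')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MountPoint   = $Volume.MountPoint
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
        CheckedUtc   = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Check the OS drive, emit the verdict as one JSON line for collection, and
# surface it as the exit code so a compliance baseline or scheduled task
# treats non-compliance as a failure rather than as a silent log entry.
$result = Get-BitLockerVolume -MountPoint $env:SystemDrive |
          ForEach-Object { Test-FdeCompliance -Volume $_ }
$result | ConvertTo-Json -Compress
if (-not $result.Compliant) { exit 1 }
```

Run across a fleet by invoking the same script through Invoke-Command or your management agent and collecting the JSON lines centrally; the timestamped records are the "assurance that FDE was active" the policy section asks for when a device goes missing. Treat a volume whose protection is suspended as non-compliant even though it is still encrypted, because the clear key on disk makes the encryption moot.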
Understand the Limitations
- FDE protects data at rest only. Once the operating system has booted and the volume is unlocked, FDE offers no protection against malware, a logged-in user, or an attacker with physical access to the running or sleeping machine, whose key material is then held in memory.
- FDE is only effective when coupled with other security controls, such as screensaver passwords, disabling auto-logon, strong account passwords, and shutting down or hibernating (rather than sleeping) devices that leave the building.
Dos and Don'ts
- Do choose an FDE technology that is as ubiquitous across your OS platforms as possible.
- Do decide early on whether you will be escrowing keys for FDE recovery, and if so, how the escrow will be managed and audited.
- Do verify the policies that will govern encryption and decryption of drives (all, some, none).
- Do use a hardware key protector such as a TPM rather than relying solely on USB startup keys, which can fail, get lost, or be stolen.
- Don't wait for a "holy grail" technology to appear that will solve all your FDE issues.
- Don't constantly change vendors' implementations of FDE.
- Don't leave the decision to escrow keys up to the end user.
- Don't treat FDE as an "ad hoc" security measure without policy or procedures backed by IT.
- Don't allow recovery keys to be stored with the laptop or desktop they protect.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).