
Jon Allen

Information Security Officer Baylor University

Bob Hartland
Director of Security, IT Servers, and Networks Baylor University

Adam Sealey
Information Security Analyst Baylor University

Copyright Baylor University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Chartered in 1845
Largest Baptist University in the world
14,000 Students
2,225 Full Time Employees
#,500 Baylor owned computers
- Including labs, checkouts, etc.
Approx. 800 Faculty/Staff assigned laptops

Background on Encryption
Types of Encryption
Selection Process
Implementation
Retrospective
The Future
Q&A

Offices have now become mobile
- Increasing move to laptops
- Large percentage of data losses involve laptop theft/loss
34 states have enacted privacy legislation requiring notification if breached data is not encrypted
Migration from using SSN did not eliminate old stores of information

Spring Semester (www.privacyrights.org)

| Company | Type of Loss | Amount of Loss |
|---|---|---|
| LifeBlood | SSN's of Donors | 321,000 |
| Horizon Blue Cross | SSN's of Customers | 300,000 |
| CollegeInvest | PII of Customers | 200,000 |
| Harley Davidson | CC#'s, Drivers Licenses | #0,000 |
| Agilent | SSN's of Customers | 51,000 |

- Average 50% of reported breaches involved laptop theft
Numerous examples exist in higher education

Texas Privacy Legislation
- Social Security Number
- Driver's License number
- Credit card number
- Bank account number
FERPA records
PCI (Payment Card Industry)

Manual
- Tools that allow users to manually encrypt and decrypt files and folders
- Ex: GnuPG, TrueCrypt, AxCrypt
Automatic (Folder Level)
- Tools that allow users to define folders or virtual drives that are automatically encrypted
- Ex: Windows EFS, PGP
Whole Disk
- Boot time software that provides real-time encryption/decryption below the OS level. Encrypts the entire volume or disk
- Ex: PGP, PointSec, SafeBoot, BitLocker, TrueCrypt

[Comparison matrix; the ratings in the cells are not preserved]
Columns: Manual, Automatic (Folder Level), Whole Disk
Rows: Cost, Performance, User Education, User Interaction, Temporary Files, Multi-Platform, Disaster Recovery, Central Management
Legend: Meets requirement, Partially meets requirement, Does not meet requirement

Performed Fall 2005

| Weight | Criteria |
|---|---|
| 5 | Whole Disk |
| 5 | Limited system performance impact |
| 4 | Centralized management |
| 4 | Passphrase recovery |
| 3 | Ease of deployment |
| 3 | Cost |
| 1 | OS Platform (Support for multiple OS, Windows assumed) |

These weights are for our situation. They need to be re-evaluated for each University's unique requirements.

PointSec (www.checkpoint.com)
- Recently acquired by Checkpoint. Was independent at the time of the evaluation.
Vista BitLocker (www.microsoft.com)
- Available only on Vista Ultimate and Enterprise, which was not in production at time of product selection.
- Requires TPM
PGP (www.pgp.com)
- Good centralized management, solid reputation, and low system impact led to us choosing PGP as our solution.
SafeBoot (www.safeboot.com)
- Added to product space after vendor selection.

Installation
- Manual vs. Automatic
Setting up central server
- Work through DR scenarios as well
- Migrated to VM September 200E
Internal Q/A procedure
- Working PGP into our system workflow
- Only disk encryption, not mail for most users

Workstation Configuration
- Backups
- Screensavers
- Hibernation vs. Standby
Authentication Method
- Single Sign-on
- Unified authentication
- Separate Credentials
Administrative Tasks
- Handling forgotten passphrases
- Identifying which workstations require encryption

Administration Buy-in
Thorough testing up front
Respond quickly to concerns
Exhaustively test new versions
- do not feel compelled to upgrade until testing is complete

Over 540 clients deployed
- Of those over F0% are laptops
Requirements have evolved
- Require all faculty/staff laptops be encrypted
  - Over 800 laptops
- Goal: Include both Mac and Linux installations
Full time employee dedicated to PGP rollout and maintenance

Do we think we made the right choice?
- Whole disk
- PGP
What would we have done differently
- Better process for identifying who needs encryption
  - Data Inventory
- More resources
  - QA resources
  - Deployment resources
- More realistic timelines
  - Deployment timeline
- Leverage Asset Management tools to identify target computers sooner

Encryption included with software
- OS
- Databases
Further legislation mandating encrypted storage
- PCI
- HIPAA
- Federal Legislation
Data Classification and Inventory
- Let the policy drive the security effort

Bob Hartland, Director of Security, IT Servers, and Networks, Bob_Hartland@baylor.edu
Jon Allen, Information Security Officer, Jon_Allen@baylor.edu
Adam Sealey, Information Security Analyst, Adam_Sealey@baylor.edu
Derek Tonkin, Information Security Analyst, Derek_Tonkin@baylor.edu

