Thanks for the heads up on this product; we are in the same boat looking
for the "best" solution to secure our laptops. Does anyone have
experience with this product and vendor?
Steve
-----Original Message-----
From: Brooks, Shane [mailto:SBrooks@orangelake.com]
Sent: September 1, 2006 11:32 AM
To: Paul Giddens; focus-ms@securityfocus.com
Subject: RE: Whole disk encryption
Hi all,
I have recently researched some solutions for our company and was also
completely sold on the whole-disk encryption idea, until I started
looking at the Mobile Guardian products from Credant Technologies. They
claim their product:
"uses intelligent encryption to focus data protection on sensitive
information, without unnecessarily encrypting operating system or
application files."
Their software doesn't touch the MBR, so they claim you benefit from no
worry of BIOS in-compatibility, 3rd party software MBR corruption, etc.
So it supposedly only encrypts your sensitive data, temp files, page
file(s), etc., while leaving the system files and application files
alone. The company also claims a feature called "User level encryption"
for user-specific data, so local admins can't access sensitive data on
HR stations, Accountant pc's, CxO laptops, etc.
We are still in the eval phase, but if the software is everything that
it claims, it would pose a respectable argument against full disk
encryption.
Shane
-----Original Message-----
From: Paul Giddens [mailto:PaulG@graycon.com]
Sent: Thursday, August 31, 2006 11:29 AM
To: focus-ms@securityfocus.com
Subject: RE: Whole disk encryption
Hey all,
This post has been circulating for a while and I have a quick question.
GIVEN that, if you are concerned about security and want to use
encryption,
WHY would you choose to NOT do full disk?
Any solution where you try to encrypt some, but not all of the disk has
weakness in the plan. So why put yourself (& especially end users)
through the hoops of rolling out a half-done solution?
IF you want security, do full disk.
IF you don't want security, don't do any.
IF you want to be annoyed with partial solutions that are not entirely
secure, spend a lot of time figuring out how to do a semi-encrypted.
Just a thought. Great posts from all views! Love reading this forum! :)
Cheers all!
Go leafs go!
paul g | mcse ccna vcp ccsp ccea rsacse security+ A+
-----Original Message-----
From: Galin, Matt (THIP, Corp) [mailto:matt.galin@thehartford.com]
Sent: Thursday, August 31, 2006 5:37 AM
To: matthew patton
Cc: focus-ms@securityfocus.com
Subject: RE: Whole disk encryption
Forensically speaking, full disk encryption is the only way to address
all aspects of data remnants. Stuff sits in the page file, this isn't
encrypted. Temp files usually are all over the place, unless directory
structure ACL's are very strict.. One can use the workstation security
templates for high security and lock down the directories, but there are
still writable locations on the disk that users can save stuff to.
Unless all you do is use MS office, folder redirection isn't going to do
you much good. These strict ACL's break many applications, especially
all the home grown ones, and the older junk that's in all of our
corporate environments. Volume encryption, such as EFS, TrueCrypt is
MORE secure than nothing, but do you really trust your users, and would
you be willing to put your job on the line when your CIO walks in and
says, we had a laptop stolen, do we have to disclose this to the public?
Full disk encryption has it's problems, most of the larger company's
products like PointSec, Safeboot and Utimaco have methods for
administrative/support logins and key escrow/recovery. They all have
methods to deal with supporting software deployments, i.e. scripting a
number of automatic logins without requiring pre-boot authentication.
All of them have support for SSO, and tokens etc. Only large problems
relate to multi-boot configurations, lilo, hidden partition backup
solutions etc, as these solutions shim the Master Boot Record or
Partition Boot record..
-----Original Message-----
From: matthew patton [mailto:pattonme@yahoo.com]
Sent: Tuesday, August 29, 2006 11:23 AM
To: focus-ms@securityfocus.com
Subject: Re: Whole disk encryption
I am not arguing against whole-disk, but why would you hand a user a
computer/laptop that allows them to write ANYWHERE but in one directory,
their homedir?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
************************************************************************
*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information. If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution
is
strictly prohibited. If you are not the intended recipient, please
notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
************************************************************************
*
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
