Last Updated: June 2008
Whole Disk Encryption Evaluation and Deployment
Baylor University has spent two years working on a large-scale deployment of whole disk encryption (WDE).
Many of the confidential data breaches reported in 2006 resulted from the loss or theft of a technology asset. Baylor University, like many colleges and universities, has made an unprecedented effort to secure its technology infrastructure. Over the same period we have seen a strong shift to portable technology: in 2006 Baylor began deploying more laptops than desktops to faculty and staff. The primary identifier for all faculty, staff and students was changed from the SSN to a random number in 2004. Unfortunately, that did not eliminate the large stores of SSNs across campus, and the breaches caused by lost and stolen equipment brought those stores into the spotlight. It was determined that Baylor would pursue an encryption solution to secure confidential information stored on technology assets.
Encryption technologies cover a broad range of applications. For Baylor the focus was securing data at rest on technology assets, and we reviewed three approaches. File encryption lets a user select a file or group of files and encrypt them; solutions exist to manage this centrally at the enterprise level. Its weakness is that it depends on the user to decide what data needs to be encrypted, and in all likelihood temporary files, print spool files and the hibernation file will not be encrypted and will still expose data. The second option evaluated was folder encryption. Using built-in file system features or additional software, one can designate one or more folders on a drive to be encrypted dynamically, so that any file added to the folder is encrypted. This approach suffers from the same shortcoming: temporary, spool and hibernation files are typically untouched by the folder solution, and a copy of a protected file saved outside the folder loses its protection.
The solution that Baylor University chose to move forward with was whole disk encryption. Previously, whole disk encryption was not realistic without additional hardware because of the performance impact; hardware has now advanced to the point that whole disk encryption has only a minor performance impact on a modest computer. Users are not burdened with selecting which files to encrypt. Instead, the entire hard disk is encrypted, including the operating system and free space (which matters, because deleted files leave recoverable remnants there). Once installed, the solution is transparent to the user apart from an additional login, before the operating system can load, to unlock the encrypted volume.
There are a number of vendors offering whole disk encryption products. We developed a list of criteria to weed through the options and prioritize them. Baylor still maintains a heterogeneous OS environment and wanted a solution that would work on multiple platforms. A key issue when working with encryption is key escrow: since we would be encrypting the entire hard disk, we needed a simple way to recover from a lost password. The performance impact on the user needed to be minimized by the software. Any solution would need to integrate with Active Directory and provide an easy means of deployment; those two criteria in turn dictated a centralized solution, in the form of a management console providing enterprise-level functionality. Last, and in most cases one of the highest priorities, was cost: the solution needed to meet as many of the criteria as possible while remaining economical in a risk-benefit analysis.
Baylor University selected the whole disk encryption solution from PGP Corporation. The real work then began with deployment. Even after selecting the vendor, Baylor University went through additional testing to verify that the solution would not interfere with normal operating procedures, including installing and repairing computers. During this testing a few issues unique to our education environment were discovered and had to be resolved. It was also decided at this time that only two individuals on campus would have access to the recovery tokens that unlock a hard drive. Although this increases the support burden, it allows us to demonstrate that the escrowed keys are tightly controlled.
At this point we believed that the hardest part of the project had been completed. Little did we realize that the most difficult task would be identifying the systems that contained confidential data and therefore required the encryption software. While the software was not cost-prohibitive, we did not want to install it on computers that held no confidential data. The end result was a quasi data inventory project to identify the systems that needed the software, which required surveying many departments on campus and compiling that information into a list of computers to install it on.
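One way to do the discovery described above, as an added example that is not Baylor's tool: a small scanner that walks a directory tree and flags text files containing several plausible Social Security Numbers. The file types it reads, the hit threshold and the sample files it builds are assumptions for illustration.

```python
"""Find files that hold SSN-like values, to build a data inventory.

Added example for this write-up; it is not Baylor's tool. It walks a
directory tree, counts plausible US Social Security Numbers per text
file and flags files above a threshold so they can be prioritised for
encryption. Office and other binary formats would need a text extractor
first, so they are skipped here.
"""
import os
import re
import tempfile
from typing import Dict

# ddd-dd-dddd, ddd dd dddd or ddddddddd with one consistent separator and
# no adjoining digits (so a ten-digit phone number is not carved into an SSN).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([-\s]?)(\d{2})\2(\d{4})(?!\d)")

# Numbers that show up in documentation and sample data, not in real records.
PLACEHOLDERS = {"123456789", "078051120", "219099999"}

# Assumed set of extensions worth reading as text.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".htm", ".html", ".json", ".sql"}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never assigned."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return area + group + serial not in PLACEHOLDERS


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a chunk of text."""
    return sum(
        1 for m in SSN_RE.finditer(text)
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4))
    )


def scan_tree(root: str, threshold: int = 3) -> Dict[str, int]:
    """Map path -> SSN count for text files holding at least `threshold` hits.

    A single hit is usually noise; several in one file is worth a look."""
    hits: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue
            if n >= threshold:
                hits[path] = n
    return hits


def demo() -> Dict[str, int]:
    """Run the scanner over a constructed sample tree; returns basename -> count."""
    samples = {  # constructed sample data, not real records
        "hr_export.csv": "id,name,ssn\n1,A Smith,541-22-7890\n2,B Jones,541 33 1234\n"
                         "3,C Lee,302-44-5678\n4,D Kim,000-11-2222\n5,E Cho,712-01-9999\n",
        "notes.txt": "Call Bob at 254-710-1234 about the 541-22-7890 case.\n",
        "payroll.xlsx": "not really a spreadsheet; skipped by extension\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): n for p, n in scan_tree(root).items()}


if __name__ == "__main__":
    for path, n in demo().items():
        print(f"{n:4d} plausible SSNs  {path}")
```

The sample tree flags only hr_export.csv: notes.txt has one genuine hit (the phone number does not match), which is below the threshold, and the spreadsheet is skipped because it would need a text extractor. Run against a user's profile or a departmental share, the output is the candidate list that a survey would otherwise have to produce by hand.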
Given the impact of encrypting a user's entire hard drive, it was decided to install the software manually on each user's computer. Installation is a relatively quick procedure and provides an opportunity to discuss security issues with the user; finding face time with many of the individuals receiving the software can prove daunting, so we wanted to use the opportunity to its fullest. During installation not only is the whole disk encryption software installed, but the functionality of the backup software is verified, because complete data loss is much more likely when an encrypted hard drive fails: without the key, data recovery tools cannot read anything useful from the drive. When a user has PGP installed, the policy applied to their computer through Active Directory is also changed to force a password-protected screensaver after five minutes of inactivity. Whole disk encryption protects data only while the disk is locked; it provides no protection if the system is left on and unlocked for anyone to access.
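A check for the screensaver policy described above, added here as an example and not part of Baylor's deployment: it evaluates the three registry values Group Policy sets for the screen saver, gives the Policies key precedence over the user's own settings, and reports why a machine is not compliant. The five-minute limit and the dictionary inputs are assumptions for illustration.

```python
"""Audit the screen-saver lock that Group Policy should enforce.

Added example; not Baylor's deployment tooling. Windows keeps the
user-editable settings under HKCU\Control Panel\Desktop and the Group
Policy values under HKCU\Software\Policies\Microsoft\Windows\Control
Panel\Desktop; a value present in the Policies key overrides the user's
own setting. All three values are REG_SZ strings ("1"/"0", seconds).
"""
from typing import Dict, List, Optional, Tuple

POLICY_KEY = r"Software\Policies\Microsoft\Windows\Control Panel\Desktop"
USER_KEY = r"Control Panel\Desktop"
VALUES = ("ScreenSaveActive", "ScreenSaverIsSecure", "ScreenSaveTimeOut")


def effective(name: str, policy: Dict[str, str], user: Dict[str, str]) -> Optional[str]:
    """Policy hive wins; fall back to the user's own setting."""
    return policy.get(name, user.get(name))


def lock_enforced(policy: Dict[str, str], user: Dict[str, str],
                  max_timeout: int = 300) -> Tuple[bool, List[str]]:
    """True only if a password-protected screen saver with a timeout of at most
    `max_timeout` seconds (assumed: five minutes) is in force and the user
    cannot switch it off."""
    problems: List[str] = []
    if effective("ScreenSaveActive", policy, user) != "1":
        problems.append("screen saver is not enabled")
    if effective("ScreenSaverIsSecure", policy, user) != "1":
        problems.append("resume from screen saver does not require a password")
    try:
        seconds = int(effective("ScreenSaveTimeOut", policy, user))
    except (TypeError, ValueError):
        problems.append("no screen saver timeout configured")
    else:
        if seconds <= 0 or seconds > max_timeout:
            problems.append(f"timeout of {seconds}s is outside 1-{max_timeout}s")
    # Settings that come only from the user's hive can be undone in Control Panel.
    for name in VALUES:
        if name not in policy:
            problems.append(f"{name} is not set by policy, so the user can change it")
    return (not problems, problems)


def read_hive(subkey: str) -> Dict[str, str]:
    """Read the three values from HKCU on Windows; {} elsewhere or if absent."""
    try:
        import winreg
    except ImportError:  # not running on Windows
        return {}
    found: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            for name in VALUES:
                try:
                    found[name] = str(winreg.QueryValueEx(key, name)[0])
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass
    return found


if __name__ == "__main__":
    ok, why = lock_enforced(read_hive(POLICY_KEY), read_hive(USER_KEY))
    print("compliant" if ok else "NOT compliant: " + "; ".join(why))
```

The "not set by policy" findings are the ones that matter for a deployment like this: a machine where the user has turned the lock on in Control Panel looks compliant today but will not be after the user turns it off again, which is why the values are pushed from Active Directory rather than configured by hand.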
In retrospect, there are some things we would have changed going into and during the project. First and foremost would have been a separate data inventory project that produced the list of computers requiring the software. We plan to go back and perform a more formal survey to supplement the quick survey done during deployment; doing that first would have accelerated deployment and avoided the waste of deploying unnecessary licenses. Timelines for the entire project needed to be longer: the data inventory, process analysis and general testing took much longer than expected and, as in many technology projects, this forced time slippage throughout.
Whole disk encryption is becoming much more commonplace. The Enterprise and Ultimate editions of Windows Vista include a whole disk encryption client (BitLocker Drive Encryption), which may provide an even cheaper way to give confidential data this increased level of protection. Hard drives are beginning to ship with embedded encryption, which moves the encryption from the software to the hardware level. Ultimately, regulations and compliance requirements will force the use of more encryption technologies; meeting the new criteria without impeding productivity and usability will be the real challenge.
Whole disk encryption mitigates the risk presented by mobile computers containing personally identifiable information.
Implementation depends on the operating system.
Our original attempt to find which systems held information requiring encryption proved trying, and more expensive than simply encrypting all systems would have been.
We are continuing the deployment and are currently at almost 500 systems; in the end we will have over 800 systems encrypted.
Security ROI is difficult to calculate. Given the cost of the software and resources, we believe that avoiding one moderate breach would offset the cost incurred on this project.
5 (on a scale of 1 to 5, where 5 is Highly Replicable)
4 (on a scale of 1 to 5, where 5 is Highly Effective)