Full Disk Encryption Dos and Don'ts


DO look into the vendor's method of key recovery. Vendors offer varying approaches to key recovery, Maiwald says, for users who forget their password. These range from self-service portals for password reset, to help desk support with a challenge-response mechanism or a one-time password or token that a support tech can provide over the phone. "Look for an approach that nicely meshes with your help desk procedures," he says.

DO consider Active Directory integration. Systems that integrate with Active Directory simplify management exponentially, users say. "When a machine is added to the Active Directory domain, we can see it in the console and move encryption keys around," Patterson says. "It's a huge help for key escrow."

Ward says AD integration enabled him to do a one-way pull to populate the McAfee database, saving a great deal of time and providing assurance that the database was structured correctly. "It was important that we not put an additional burden on administrators," he says.


DO look into reporting capability. Ease of reporting is another key selection criterion, Patterson says, to prove laptops are encrypted, especially when one goes missing. Other common reports include whether users had any issues with encryption, whether they called the help desk and whether it was resolved, Gatewood says.

DO check on which platforms are supported. There are far fewer Macintosh-based encryption platforms than Windows ones, Lambert says. Gatewood's choice of PGP was partly due to its cross-platform support of many versions of Windows, as well as Mac OS X.

DON'T overlook key management. Without strong key management, Gatewood says, you're better off not having encryption at all. This is what enables you to restore, revoke and manage keys in any way. Lack of a strong key management system is one reason he bypassed all of the open-source systems he considered. PGP's Universal Server, on the other hand, allows him to manage not only its own keys but also keys from other systems. "Some management consoles can be a little kludgey," he says. You should also be able to back up the key escrow database.

DO consider lock-out. This feature locks the machine if someone hasn't logged on to the network for a certain period of time, typically several weeks. At Connecticut, Ward says network-connected machines ordinarily check in five or six times a day to send logs to the encryption server. If that doesn't happen within the configured lock-out period, the machine won't allow the user to authenticate, and an administrator will need to unlock the machine. "It enforces discipline so that you're getting client logs on a continual basis, and the machines are constantly updated with new software and any changes in policy," Ward says.
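The lock-out policy just described is simple to model, and doing so makes the failure mode clear: a machine that stops reporting to the encryption server for longer than the configured period should be treated as locked until an administrator unlocks it. The following is an added example written for this page, not code from any vendor's product or from the people quoted; the log format, host names, three-week period and the rule that an admin unlock resets the clock are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed policy value: how long a client may go without checking in.
LOCKOUT_PERIOD = timedelta(weeks=3)

# Constructed sample server log. Each line: <ISO timestamp> <event> <host>.
# "checkin" is a client sending its logs; "admin_unlock" is a manual unlock.
SAMPLE_LOG = """\
2009-03-01T08:15:00 checkin laptop-17
2009-03-01T09:10:00 checkin laptop-22
2009-03-20T11:00:00 checkin laptop-17
2009-03-25T14:30:00 admin_unlock laptop-22
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, event, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host = line.split()
        events.append((datetime.fromisoformat(ts), kind, host))
    return events


def evaluate(events, now, lockout=LOCKOUT_PERIOD):
    """Return {host: 'ok' | 'locked'} as the server would see it at `now`.

    Both a client check-in and an administrator unlock count as contact and
    restart the lock-out clock (an assumption of this model).
    """
    last_contact = {}
    for ts, kind, host in events:
        if kind in ("checkin", "admin_unlock"):
            # Keep the latest contact time per host regardless of log order.
            if host not in last_contact or ts > last_contact[host]:
                last_contact[host] = ts
    return {
        host: "locked" if now - ts > lockout else "ok"
        for host, ts in last_contact.items()
    }


def silent_hosts(events, now, lockout=LOCKOUT_PERIOD):
    """Hosts an administrator will have to unlock, sorted for reporting."""
    return sorted(h for h, s in evaluate(events, now, lockout).items() if s == "locked")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, state in sorted(evaluate(evs, datetime(2009, 4, 15)).items()):
        print(f"{host}: {state}")
```

Running the block on the constructed log as of 15 April 2009 reports laptop-17 as locked (last contact 20 March, 26 days earlier) and laptop-22 as ok, because the administrator's unlock on 25 March restarted its clock. The same report run against a real server's check-in log is the quickest way to see which machines have dropped off the network and which still need an unlock.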

This story, "Full Disk Encryption Dos and Don'ts" was originally published by CSO.

Copyright © 2009 IDG Communications, Inc.
