5th March 2014, 12:00 PM #1
Encryption and Auditing - How do you do it?
At the moment the school has no kind of encryption in place. Years ago they did have Sophos encryption but that is long gone. I am investigating different methods and have pretty much settled on BitLocker until today.
We had our account manager from the local council out going through the prices for different services they offer and encryption came up. He was saying that as an encryption product BitLocker was fine but it offered no auditing capability for devices that had been lost/stolen. I.e., we had no way of proving that laptops or memory sticks were encrypted or what files on that device were actually encrypted.
So, does your encryption service offer auditing to this level? If so what do you use?
5th March 2014, 12:33 PM #2
We use bitlocker-to-go on all staff memory sticks, and have it enforced in group policy and tied in to AD.
That way we know that they have encrypted any data they put onto a memory stick, and we can also recover it easily if they forget the password (Although it's not great for auditing, you could prove that their computer had been used to encrypt X amount of devices, and what times they were encrypted).
As far as proving that your devices were encrypted, I'd personally encrypt with Bitlocker before the device is issued out (either manually, or during deployment using MDT or similar), and have the policies in place for removable devices. As long as you prevent them from being able to turn off bitlocker, then you know that your clients are safe.
I can't comment on how effective this will be in practice, as OS encryption seems a bit overkill for us currently, but we've had no problems with Bitlocker-to-go, so it's likely that we'd keep to bitlocker if we ever do go down that path.
I imagine (and really hope) that this has been resolved by now as it was a long time ago, but when I used to work at a local authority they introduced McAfee's full drive encryption. I only had user privileges, but I could see the tray icon, and got a bit curious. I clicked onto it and found it was copying across and listing every username in plain text and a (presumably) encrypted password for everyone on the domain! Hardly seemed to be a secure thing for it to be doing!
9th March 2014, 05:20 PM #3
We use SafeGuard, works fine and you can prove with the console that a laptop is encrypted.
For memory sticks we use Rohos Mini Drive as it's free and has its own file view/editing application. Did not use SafeGuard as our 50 teaching assistants received the memory sticks but did not have laptops, so they couldn't be encrypted with Sophos SG.
One thing I will say for SafeGuard is please replace the HDD with an SSD. On older CPUs such as Gen 1 i3s with no CPU hardware encryption, a spinning rust disc is dreadfully slow. Swapping for an SSD dramatically improves performance (better than unencrypted spinning rust).
9th March 2014, 06:21 PM #4
My instinct is that bitlocker is the "best" encryption solution for windows, but I haven't been able to try it as we have pro edition os and you need enterprise. However, we do use Sophos SG, managed through the Sophos enterprise console. One of the options I noticed in the console is that you can use it to manage Bitlocker deployments - key management and I think audit too.
13th March 2014, 03:11 PM #5
You can get some form of auditing for Bitlocker via MBAM (Microsoft Bitlocker Administration & Monitoring).
It can be used stand-alone, but here we've got it integrated into SCCM. You can generate compliance reports with some basic information straight out the box (computer name, domain name, device type, OS, compliance status, cipher strength, policy: OS drive, policy: data drives, policy: removable drives, device user, last contact, etc) but as it's built on SQL Server Reporting Services you can create your own reports fairly straightforwardly.
It doesn't help too much if a device has been lost/stolen unless you've got a fairly recent report already. Unless you have implemented DirectAccess, in which case you could keep an eye out for when the device connects remotely and run the report then.
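As an added example (not code from any poster in this thread, and not MBAM), here is the kind of per-device compliance check that posts #2 and #5 describe: it lists each BitLocker volume's protection status and cipher, checks that every recovery password has actually been escrowed to AD, and writes a CSV you can collect centrally. It assumes an elevated session on a domain-joined Windows 8/2012 or later machine with the BitLocker and ActiveDirectory (RSAT) modules available; the report path is a constructed placeholder.

```powershell
# Added example: per-device BitLocker compliance report covering OS, fixed and
# removable drives, plus a check that each recovery password is escrowed in AD.
# Assumes: elevated, domain-joined, BitLocker + ActiveDirectory modules present.
# $ReportPath is a constructed sample path, not a real site convention.
param([string]$ReportPath = "C:\Reports\bitlocker-$env:COMPUTERNAME.csv")

Import-Module BitLocker
Import-Module ActiveDirectory

# Recovery passwords backed up to AD are stored as msFVE-RecoveryInformation
# child objects under the computer account; collect the password values.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryPassword' |
    ForEach-Object { $_.'msFVE-RecoveryPassword' }

$rows = foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    # Any local recovery password that AD does not hold means the key
    # cannot be recovered centrally if the user forgets it.
    $missing = $recovery | Where-Object { $escrowed -notcontains $_.RecoveryPassword }
    $inAD    = ($recovery.Count -gt 0) -and (-not $missing)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus  # On / Off
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod = $vol.EncryptionMethod  # cipher strength, e.g. Aes128, XtsAes256
        RecoveryKeyInAD  = $inAD
        # Compliant only if protection is on, encryption has finished,
        # and every recovery password is recoverable from AD.
        Compliant        = ($vol.ProtectionStatus -eq 'On') -and
                           ($vol.VolumeStatus -eq 'FullyEncrypted') -and $inAD
        LastContact      = (Get-Date).ToString('s')
    }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Format-Table -AutoSize
```

Run it as a scheduled task or logon script and gather the CSVs to a share; the collected files give you a dated record of which devices were encrypted, which is the evidence the thread asks about when a laptop goes missing.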
13th March 2014, 03:24 PM #6
We use the version of Sophos Safeguard that's built into the Enterprise Console. As said above it can be used to show what devices have been encrypted.
We use memory sticks with built in encryption.
13th March 2014, 04:10 PM #7
Our security is policy driven - policy to say no saving personal data, accompanied by awareness training and audit trail of process...the ICO say this would be regarded favourably??