+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 33
How do you do....it? Thread, Encrypt the Server??? in Technical; Originally Posted by AngryTechnician I await correction from another member, but I have never encountered a single school that encrypts ...
  1. #16
    InspireICT's Avatar
    Join Date
    Dec 2010
    Location
    North London
    Posts
    108
    Thank Post
    17
    Thanked 5 Times in 5 Posts
    Rep Power
    7
    Quote Originally Posted by AngryTechnician View Post
    I await correction from another member, but I have never encountered a single school that encrypts their onsite servers. There would certainly be a performance hit, and disk maintenance on servers is hard enough due to RAID complexities without throwing encryption in as well. Most encryption systems will require a password to be entered at the server on reboot, with the exception of BitLocker.

    If the governor is concerned about physical theft, the cage and normal building/server room security should be more than sufficient. If it isn't, you need to think about why the building security is so bad. Who do they think is going to go to that much trouble to steal the server? They are harder to fence than projectors, desktops, and laptops, most of which will be far easier to remove by the car-full before they even get near the server room.

    I suspect the governor may think that encrypting the server will prevent against remote intrusion, which of course it won't.

    To be blunt, a governor should not be able to make this sort of operational policy decision without (at the very least) strong evidence to back up the need for it.
    In fairness to the governor, the borough have had a couple of primary school servers nicked in the last year which is a really frightening prospect because, as you mentioned you can't easily sell a server down the pub which means they are after the data (there aren't many types of people who would value data from a primary school server - so the over-reaction regarding encryption is understandable). Still doesn't really make it a viable option IMO.

  2. #17
    InspireICT's Avatar
    Join Date
    Dec 2010
    Location
    North London
    Posts
    108
    Thank Post
    17
    Thanked 5 Times in 5 Posts
    Rep Power
    7
    Quote Originally Posted by pete View Post
    Based on "the server" (singular) and "security cage", I would say the governor has valid security concerns regarding the safety of the data, but his proposed solution will have a hardware and training cost. Is this a "server sat in a classroom / random office" scenario?

    Having the data stored in a secure manner (locked server room with audited and limited access) meets data protection obligations.

    Having the data sat unencrypted in a classroom / office where anyone can walk in and touch the server doesn't. If I can poke it with a finger, I can get your data if it isn't encrypted.

    Talk to the bloke and ask about his concerns.
    Bear in mind that this is a fairly small primary school, a dedicated server room isn't really a possibility. It's kept in an admin office in the centre of the school (ie, as many locked doors between it and the outside world as humanly possible and not too much foot traffic either). We have bolted it to the ground and employ fairly strict password policies.

  3. #18
    InspireICT's Avatar
    Join Date
    Dec 2010
    Location
    North London
    Posts
    108
    Thank Post
    17
    Thanked 5 Times in 5 Posts
    Rep Power
    7
    Quote Originally Posted by jamesfed View Post
    It sounds like you have pretty good physical security in place already - (better than many others in fact).

    Using Bitlocker would require a TPM chip in your server (in an ideal situation at least) and this would prevent the need for a password on boot - all the same you would have a small (few percent) drop in disk performance.
    Backup shouldn't be a problem as your backup system will be backing up the files/folder while the server is running and as such just sees the data a normal.

    Once you run into any kind of issues with your server (say the OS won't boot and you need to use Windows PE to change something) encrypting it will case MASSIVE problems in getting anything fixed.

    So as others have said I would speak to your Governor and find out what he is actually looking to achieve - the way I see it SMTs/ect are there to give you problems to solve/ideas to implement but are not there to decide how you do it.

    One other thing to throw into the mix would be notebook PC encryption - they are a lot more portable than any server and as such present a much greater risk to data loss.
    All of the laptops/notebooks in all of our schools are encrypted as are Flash drives which is where the idea came from I guess but it's a pain in the a**e if anything goes wrong with them, you either have 1 - to decrypt from DOS (approx 16 hours), rebuild/repair and then re-encrypt (between 3 and 6 hours) or 2 - Rebuild from a full disk image (with the chance of losing any local data).

    Encryption is a good idea for clients generally but it does come with some serious headaches.

  4. #19
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,487
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    50
    Quote Originally Posted by InspireICT View Post
    In fairness to the governor, the borough have had a couple of primary school servers nicked in the last year which is a really frightening prospect
    So they should be putting money forward making sure they are all physically secured properly. I'm sorry but a server isn't something that you can pick up with one hand and walk out of a school with...

    If the people were that determined with the data, They could have just accessed it whilst it was on in the school since they apparently had enough time to steal it.

    Quote Originally Posted by InspireICT View Post
    Bear in mind that this is a fairly small primary school, a dedicated server room isn't really a possibility.
    So there isn't a cleaning closet or storeroom anywhere in the school that they could secure to store it? The one at my primary school was a old toilet room in the admin building.
    Last edited by p858snake; 14th November 2011 at 10:58 PM.

  5. #20

    Join Date
    Nov 2006
    Posts
    8
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I'd be gearing up for a fight if any governor tried to stick their oar in with such a suggestion.

    I'd gather as much agreement as possible (such as you are doing here), then submit it to them with the view that it would be bad practice, and nobody else is doing it.

  6. #21

    Join Date
    Jun 2007
    Location
    London
    Posts
    894
    Thank Post
    64
    Thanked 171 Times in 140 Posts
    Rep Power
    54
    Quote Originally Posted by InspireICT View Post
    In fairness to the governor, the borough have had a couple of primary school servers nicked in the last year which is a really frightening prospect because, as you mentioned you can't easily sell a server down the pub which means they are after the data
    I think this is flawed logic. You may not be able to sell it down the pub but there are plenty of other ways you could raise cash from a nicked server, e.g. sell it on ebay, strip it and sell the parts, etc. Apparently, I hasten to add.

  7. #22

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,881
    Thank Post
    1,316
    Thanked 1,738 Times in 1,087 Posts
    Blog Entries
    19
    Rep Power
    563
    Quote Originally Posted by hathor View Post
    I'd be gearing up for a fight if any governor tried to stick their oar in with such a suggestion.

    I'd gather as much agreement as possible (such as you are doing here), then submit it to them with the view that it would be bad practice, and nobody else is doing it.
    Sorry ... encryption of servers where appropriate is not bad practice ... it is just that it is unlikely to be the best practice in this case. As soon as you start saying something is bad practice you are on dodgy grounds when it is not. If that governor happens to have previously been a Data Centre designer for MOD then he is likely to know far more than you, but if they are just someone with a strong personal interest but no specialism then it is simply that they don't understand the impact in this specific case.

    As I've mentioned already ... knocking Governors when you don't know the full background or making generalisations is out of order. I'd love to see you do it to @witch ... that *would* be a sight to see.

  8. #23

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,499
    Thank Post
    1,185
    Thanked 745 Times in 647 Posts
    Rep Power
    228
    Quote Originally Posted by InspireICT View Post
    All of the laptops/notebooks in all of our schools are encrypted as are Flash drives which is where the idea came from I guess but it's a pain in the a**e if anything goes wrong with them
    Things should be rather simpler server-side, though, especially if you are using virtual machines. The host OS would simply boot from a standard, unencrypted disk and mount the encrypted storage volume that contains your VM images. You would only need to enter a key/passcode when you rebooted the physical host server, which should hopefully be very rarely. It should make no difference to any performance gain / reliability of a RAID array and should hopefully just result in higher processor usage and some file I/O latency as the processor has to encrypt/decrpyt data. You just need to make really sure you don't loose the encryption key. Having multiple copies in safe places would probably be a good idea (including physical printouts in a fireproof safe - typing it in after a disaster might be tedious but better than loosing your data), and you could even put a small, single-function server somewhere around the school (a plug PC, maybe) that could provide the encryption key to the server on boot (so your server could boot and mount the encrypted volume automatically as log as it was on your LAN).

  9. #24
    Pottsey's Avatar
    Join Date
    Apr 2006
    Location
    Nottinghamsire
    Posts
    734
    Thank Post
    3
    Thanked 43 Times in 36 Posts
    Rep Power
    28
    I once encrypted one of the storage drives with photos on but never a whole server. One good reason to not use encryption is anything that cause’s a reboot or power loss will stop the server from powering backup till the encryption password is typed in. This also stops you doing updates via remote access that require reboots.

  10. #25

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,881
    Thank Post
    1,316
    Thanked 1,738 Times in 1,087 Posts
    Blog Entries
    19
    Rep Power
    563
    Quote Originally Posted by Pottsey View Post
    I once encrypted one of the storage drives with photos on but never a whole server. One good reason to not use encryption is anything that cause’s a reboot or power loss will stop the server from powering backup till the encryption password is typed in. This also stops you doing updates via remote access that require reboots.
    Or you use a lights out KVM or similar offerings.

  11. #26
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,461
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    You may already have done this, and just not posted it in public for obvious reasons, however I would start by questioning the Governor's motives - how much do they know about IT? What has made them ask about encryption? When you have answers to those, then start to address what alternatives there are which a) don't have the performance hit, and b) allow midnight restarts. Then present the Governors with the options and your advice. There will be some performance hit as a result, but that isn't a reason not to do it, it may be felt that the hit is worth it.

    Don't - as others have suggested - get protective over "your" server, it is well within the role of the Governors to question such things. Yes, it is your job to have an answer/solution and to implement said solution, however it is their job to ask questions. Ultimately, if the server were to get nicked and lots of data go public (or worse), it is the Governors who catch the fall-out, not you; therefore, they have every right to ask.

  12. #27

    dhicks's Avatar
    Join Date
    Aug 2005
    Location
    Knightsbridge
    Posts
    5,499
    Thank Post
    1,185
    Thanked 745 Times in 647 Posts
    Rep Power
    228
    Quote Originally Posted by Pottsey View Post
    One good reason to not use encryption is anything that cause’s a reboot or power loss will stop the server from powering backup till the encryption password is typed in.
    But encryption is no problem if your servers are virtual machines - if the original poster's server isn't already a physical machine running a bunch of virtual servers then maybe the ability to encrypt storage volumes is a good enough reason for the govenors to approve an upgrade?

  13. #28

    Join Date
    Nov 2006
    Posts
    8
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by GrumbleDook View Post
    Sorry ... encryption of servers where appropriate is not bad practice ... it is just that it is unlikely to be the best practice in this case. As soon as you start saying something is bad practice you are on dodgy grounds when it is not. If that governor happens to have previously been a Data Centre designer for MOD then he is likely to know far more than you, but if they are just someone with a strong personal interest but no specialism then it is simply that they don't understand the impact in this specific case.

    As I've mentioned already ... knocking Governors when you don't know the full background or making generalisations is out of order. I'd love to see you do it to @witch ... that *would* be a sight to see.
    Clearly you can take the situation out of context for the purpose of diminishing my point if you like. That's your choice to make. But we're talking about a primary school server, are we not?
    Last edited by hathor; 18th November 2011 at 07:44 AM.

  14. #29

    witch's Avatar
    Join Date
    Nov 2005
    Location
    Dorset
    Posts
    10,421
    Thank Post
    1,109
    Thanked 2,097 Times in 1,477 Posts
    Rep Power
    652
    Quote Originally Posted by enjay View Post
    You may already have done this, and just not posted it in public for obvious reasons, however I would start by questioning the Governor's motives - how much do they know about IT? What has made them ask about encryption? When you have answers to those, then start to address what alternatives there are which a) don't have the performance hit, and b) allow midnight restarts. Then present the Governors with the options and your advice. There will be some performance hit as a result, but that isn't a reason not to do it, it may be felt that the hit is worth it.

    Don't - as others have suggested - get protective over "your" server, it is well within the role of the Governors to question such things. Yes, it is your job to have an answer/solution and to implement said solution, however it is their job to ask questions. Ultimately, if the server were to get nicked and lots of data go public (or worse), it is the Governors who catch the fall-out, not you; therefore, they have every right to ask.
    Thank you - yes, it IS within the remit of governors to question such things. Some of us are IT governors and that is why we do know what we are talking about. Perhaps, as @elsigee40 said, it shouldnt be *one* governor but in my experience governors who know about such things tend to ask the questions or they don't get asked.
    The governors are responsible for security - and asking about encrypting the server is actually a reasonable question given that we are all being hassled to encrypt encrypt encrypt all the time.
    There's no mystery or problem - the question has been asked - answer it with your reasoning and all will be well
    Governors are actually your friends - THEY are the ones who will approve big spends - not SLT, so it is in your interest to keep them informed.
    Personally I would be happy to see a goveror in either of my schools to discuss IT, anytime, but sadly it hasn't happened yet

  15. Thanks to witch from:

    GrumbleDook (18th November 2011)

  16. #30
    enjay's Avatar
    Join Date
    Apr 2007
    Location
    Reading, Berkshire, UK
    Posts
    4,461
    Thank Post
    279
    Thanked 196 Times in 167 Posts
    Rep Power
    75
    Quote Originally Posted by hathor View Post
    But we're talking about a primary school server, are we not?
    Yes, we're talking Primary School servers and Grumbledook mentioned military servers, but what you're overlooking is that Governors are expected to bring their experience and knowledge from their industries into education (this is why governing bodies aren't 100% teachers, and let's not forget are volunteers so need to be working somewhere else), so it is right and proper for a Governor with a working knowledge of one IT system to ask about its practicality and suitability in the school context.

  17. Thanks to enjay from:

    GrumbleDook (18th November 2011)

SHARE:
+ Post New Thread
Page 2 of 3 FirstFirst 123 LastLast

Similar Threads

  1. Replies: 15
    Last Post: 18th June 2013, 11:55 AM
  2. Profile located on the servers system drive?
    By techyphil in forum Windows
    Replies: 3
    Last Post: 27th March 2007, 06:53 PM
  3. Replies: 3
    Last Post: 23rd February 2007, 12:49 PM
  4. Students accessing the Servers through Word
    By ninjabeaver in forum Windows
    Replies: 33
    Last Post: 3rd February 2006, 04:43 PM
  5. Replies: 10
    Last Post: 10th October 2005, 06:46 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •