ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Software HDD Encryption: Poll

    Scheduled Pinned Locked Moved IT Discussion
    symantecmcafeesophos
    112 Posts 8 Posters 48.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • gjacobseG
      gjacobse @scottalanmiller
      last edited by

      @scottalanmiller
      So - Hard drives would be simpler than using a managed console? Where you are able to manage all (x) devices from a central location? Like updating the Admin / User passwords?

      scottalanmillerS 1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @gjacobse
        last edited by

        @g.jacobse said:

        @scottalanmiller
        So - Hard drives would be simpler than using a managed console? Where you are able to manage all (x) devices from a central location? Like updating the Admin / User passwords?

        Under what circumstance would you ever manage them or change anything?

        1 Reply Last reply Reply Quote 1
        • gjacobseG
          gjacobse
          last edited by

          There are a few times;
          HDD password compromised by user (shared with someone that doesn't need it)
          Defined password / security Policy dictates (not set currently)
          IT staff departure

          scottalanmillerS 3 Replies Last reply Reply Quote -1
          • scottalanmillerS
            scottalanmiller @gjacobse
            last edited by

            @g.jacobse said:

            There are a few times;
            HDD password compromised by user (shared with someone that doesn't need it)
            Defined password / security Policy dictates (not set currently)
            IT staff departure

            Why would a user get an HDD encryption password?

            1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller @gjacobse
              last edited by

              @g.jacobse said:

              IT staff departure

              Why would IT have it? There is no need for that. Use a break glass so that this doesn't happen.

              1 Reply Last reply Reply Quote 1
              • MattSpellerM
                MattSpeller
                last edited by

                Are you looking to have a PW on boot?

                gjacobseG 1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @gjacobse
                  last edited by

                  @g.jacobse said:

                  Defined password / security Policy dictates (not set currently)

                  This should be a key so not covered by a password policy.

                  1 Reply Last reply Reply Quote 1
                  • gjacobseG
                    gjacobse @MattSpeller
                    last edited by

                    @MattSpeller said:

                    Are you looking to have a PW on boot?

                    Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.

                    MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
                    • MattSpellerM
                      MattSpeller @gjacobse
                      last edited by

                      @g.jacobse Ahhh ok now we're talking the same language.

                      I'd opt for a BIOS pw - you can set them up with Dells, not sure what you're running. They can also be setup to completely wipe the drive after (10?) failed attempts.

                      1 Reply Last reply Reply Quote 0
                      • MattSpellerM
                        MattSpeller
                        last edited by

                        HDD encryption is separate from the pw - thats where we were all confused.

                        1 Reply Last reply Reply Quote 0
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said:

                          Drive encryption is only to protect against hardware theft - of someone pulling drives and running away with them. It has zero protection against compromise.

                          What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?

                          MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @gjacobse
                            last edited by

                            @g.jacobse said:

                            @MattSpeller said:

                            Are you looking to have a PW on boot?

                            Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.

                            HIPAA does not require that.

                            Are you sure that FIPs requires that? How is it stated?

                            1 Reply Last reply Reply Quote 1
                            • MattSpellerM
                              MattSpeller @Dashrender
                              last edited by

                              @Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                              scottalanmillerS 2 Replies Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @MattSpeller
                                last edited by

                                @MattSpeller said:

                                @Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                                Not really. You only need a post-OS encryption of the data. The OS is like the BIOS here. Just more robust. No need to encrypt that.

                                MattSpellerM 1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller @MattSpeller
                                  last edited by

                                  @MattSpeller said:

                                  You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                                  Other ways to do that.

                                  1 Reply Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?

                                    This is a misconception of value. Likewise to someone "trying to log in", if the entire drive is encrypted what is to prevent someone from "just trying to unencrypt the drive?" All you are doing is exchanging the word used, not the action. You've prevented nothing in this case.

                                    1 Reply Last reply Reply Quote 0
                                    • MattSpellerM
                                      MattSpeller @scottalanmiller
                                      last edited by MattSpeller

                                      @scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller @MattSpeller
                                        last edited by

                                        @MattSpeller said:

                                        @scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.

                                        Gotcha, so we are of one accord then. It's not for protection from a running system, it's for protection against physical separation from the chassis.

                                        1 Reply Last reply Reply Quote 1
                                        • Reid CooperR
                                          Reid Cooper
                                          last edited by

                                          I guess then the question would be.... is there a certification requirement that states what to do or just one that states an end goal.

                                          And what is the end goal?

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            Great Question/request @Reid-Cooper .

                                            I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.

                                            So if FDE does not provide any protections against a whole laptop that is stolen, I'd argue that FDE on a laptop is near useless.

                                            FDE on a memory stick or server drives or copier drives, etc on the other hand are very useful because the chances are you don't have the entire chassis that first encrypted it.

                                            MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 2 / 6
                                            • First post
                                              Last post