Software HDD Encryption: Poll

scottalanmiller

@Dashrender said:

I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.

HIPAA requires encryption of data at rest. That doesn't imply FDE.

MattSpeller

@Dashrender Yup, plus you disable displaying the last logged in user name. Now the attacker is extra boned.

scottalanmiller

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

FDE isn't needed for that, though. Just encrypt the data.

Dashrender

@scottalanmiller said:

@Dashrender said:

I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.

HIPAA requires encryption of data at rest. That doesn't imply FDE.

Unless the law was updated, I don't think even that is required, but considered actionable.

How is data on a laptop that is turned off not considered 'at rest'?

scottalanmiller

@Dashrender said:

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?

Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.

MattSpeller

@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.

scottalanmiller

@MattSpeller said:

@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.

Would you rather trust them with FDE where the password is normally shared!??!

scottalanmiller

Here is a bigger question.... why is HIPAA data being allowed onto laptops at all?

gjacobse

Kentucky House Bill #5

(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

We are also governed by Department of Local Governments -

Dashrender

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

This is not true - not if you don't use a BIOS level password that enables/disables the FDE. Which was my whole point. If you don't require a password to unlock the drive, then the drive is being unlocked automatically when the BIOS/UEFI boots, so using your tools will probably work.

Only removing the drive in this case would offer you any protection.
So again I ask, what's the point in FDE is the whole laptop is stolen and no password is required to unlock the drive.

A Former User

@Dashrender said:

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

This is not true - not if you don't use a BIOS level password that enables/disables the FDE. Which was my whole point. If you don't require a password to unlock the drive, then the drive is being unlocked automatically when the BIOS/UEFI boots, so using your tools will probably work.

Only removing the drive in this case would offer you any protection.
So again I ask, what's the point in FDE is the whole laptop is stolen and no password is required to unlock the drive.

BIOS passwords are trivial to remove.

Dashrender

@scottalanmiller said:

@MattSpeller said:

@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.

Would you rather trust them with FDE where the password is normally shared!??!

This gets back to the OP's original line of thought. The OP does not want to have to manage unique passwords for each machines FDE or shared ones (in what world is that safe or wise?), but instead wants a centralized solution that allows for password resets when the user forgets the password.

A Former User

@scottalanmiller said:

Here is a bigger question.... why is HIPAA data being allowed onto laptops at all?

Indeed! It's asking for trouble!

Dashrender

@scottalanmiller said:

@Dashrender said:

@MattSpeller said:

@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?

Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.

So you're proponent of encrypting the data only. You're right you have little to no risk if the data is encrypted on top of the FDE, but I don't think that most people go that route. They probably choose one or the other, not both.

A Former User

@g.jacobse said:

Kentucky House Bill #5

(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

We are also governed by Department of Local Governments -

That only address mostly the WHO should be able to access it and that it should be protected in some manner. Not the HOW.

scottalanmiller

@Dashrender said:

So you're proponent of encrypting the data only. You're right you have little to no risk if the data is encrypted on top of the FDE, but I don't think that most people go that route. They probably choose one or the other, not both.

Performance would just get worse and worse.

scottalanmiller

@thecreativeone91 said:

@g.jacobse said:

Kentucky House Bill #5

(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards Technology as part of the** Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.

(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.

We are also governed by Department of Local Governments -

That only address mostly the WHO should be able to access it and that it should be protected in some manner. Not the HOW.

I agree, that didn't tell me anything new. It leaves us with "why is FDE" seen as needed. If anything it supports not using FDE.

scottalanmiller

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Dashrender

@thecreativeone91 said:

BIOS passwords are trivial to remove.

Sure, but HDD passwords aren't, which is what my point was. If you reset the HDD password you loose the key and might as well just format the drive and start over.

Dashrender

@scottalanmiller said:

Why is there data on laptops to protect? Why not just keep data from going to them altogether and completely fix the problem?

Do this is expensive and potentially difficult.

If I was to try to do this in my environment I'd have to start by building either RDS servers or VDI.