Endpoint Encryption
-
My first question to people asking about an encryption solution is: Do you need a centrally managed solution or are you good with a version that is managed on a machine-by-machine basis?
Here, we use a centrally managed solution. We use McAfee Endpoint Encryption. Yes, it is a McAfee product. It's pretty straightforward. The only issue we've had with it is we changed one group to a single sign-on after we deployed and it wound up corrupting the token. Big deal? Nope. Still works. Just have to perform a recovery operation with them on the phone that takes about 15 minutes.
Plus, when the person is no longer employed by us and we receive their laptop, we can decrypt the laptop and back up everything we need to for long term storage.
-
@Bud Their encryption is commonly pre-loaded on a lot of new HP ProBooks/EliteBooks. It's okay. Never used the fully managed version though.
-
Windows 7 Pro. Medical office with 20 laptops. HIPAA. Sorry this is so choppy, I'm on my cell.
-
@Hubtech said:
Windows 7 Pro. Medical office with 20 laptops. HIPAA. Sorry this is so choppy, I'm on my cell.
Ok. 7 Ultimate does have BitLocker but again, what is getting corrupted on the HDD when using that? What's the pattern? Is it after a certain amount of time? A certain program? I have seen where encryption programs will conflict, even at different levels. So while the HDD may be encrypted, if there is something else INSIDE Windows with its own encryption that can do it.
Another example I saw once was an HP laptop where encryption kept screwing things up. The machine was one BIOS update behind and it happened to be that that BIOS update had fixed encryption issues. Look there.
-
Laptops will not boot. I assume the file system corrupts. That's why I was Recuva-ing this weekend. Central management would be nice.
-
@Hubtech said:
Laptops will not boot. I assume the file system corrupts. That's why I was Recuva-ing this weekend. Central management would be nice.
Do they POST or not even get to that point? What is the model/are the models?
-
@Hubtech said:
Laptops will not boot. I assume the file system corrupts. That's why I was Recuva-ing this weekend. Central management would be nice.
McAfee, Symantec, Sophos, all have centrally managed solutions. I'm sure that Kaspersky and others do as well.
If the laptops POST, but the login screen does not launch, it sounds as if the partition that has BitLocker may be corrupted. It could also be something within the file that got screwed up.
CAVEAT - I've never used BitLocker, so I'm just trying to make some assumptions based on other things I've used. Is it integrated with AD? If so, did users reset their passwords while off the network and does that affect BitLocker? What mode does BitLocker run (my understanding is that there are various modes)?
-
They are currently running VDI and local computers aren't on a domain. Something I'm changing soon. I'm not really looking for troubleshooting, just products. Thanks.
-
@Hubtech said:
They are currently running VDI and local computers aren't on a domain. Something I'm changing soon. I'm not really looking for troubleshooting, just products. Thanks.
Ok, my bad. Then yeah, several options are out there but I'm far from an expert on the matter of centrally managed encryption.
-
Here's a decent comparison chart: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Depending on which A/V solution you are using, you might want to go with that. Our philosophy here is to not put all our eggs in the same basket, so we use McAfee for encryption and Symantec for A/V. YMMV.
-
I'm using Vipre via GFI Max at this particular client. I've been asking them to add endpoint encryption to their offering. They really listen to their subscribers. Just a waiting game though.
-
@Hubtech said:
I'm using Vipre via GFI Max at this particular client. I've been asking them to add endpoint encryption to their offering. They really listen to their subscribers. Just a waiting game though.
That's pretty cool. Will they be offering centralized management when they do?
-
@scottalanmiller said:
@Hubtech said:
I'm using Vipre via GFI Max at this particular client. I've been asking them to add endpoint encryption to their offering. They really listen to their subscribers. Just a waiting game though.
That's pretty cool. Will they be offering centralized management when they do?
That's the plan. I've been riding them for a little while now asking to be on their beta team :) I'm such a gfiFanboi.
-
@Hubtech Using Symantec PGP since before it was Symantec's.
Backend is not for the faint of heart. Not inexpensive overall. Central management and policy enforcement was a mandatory component for the clinical users/HIPAA. Has a reasonable wrapper for multiple logins to access the encrypted HDD, can do remote revocation, tracks usage/callbacks, and makes our OCR monitor happy. Have an agreement for data recovery & encryption key exchange if/when that needs to occur. Has a CD boot option to decrypt drives. Works for external HDDs. Policy has high number of options, which we have much limited for manageability.
Generally have problems with:
- new laptop models,
- new OSes,
- dual boot machines, and
- firmware/BIOS/UEFI updates.
Some I.T. admins have got it on dual boot machines, but most in the organization make do with VMs for those users. Can take 3-6 months for a PGP update to catch up to the "new" OS or laptops.
-
BeCrypt DiskProtect is worth looking at - used heavily in defence and government (with higher grade approved encryption).
-
@Bud said:
Here's a decent comparison chart: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Depending on which A/V solution you are using, you might want to go with that. Our philosophy here is to not put all our eggs in the same basket, so we use McAfee for encryption and Symantec for A/V. YMMV.
Always a good move. Of course all us vendors want everyone using every product but come on...we know that diversity in applications keeps you safe.
If you need anything w/r/t your SEP, hit me up.
-
Long time follow up here. But for those stumbling on here, VeraCrypt would be an important tool to consider today.