
Quantifying the Support Costs of Encryption

Proposed by Glenn Peacock

Notes

There are various requirements to encrypt computers to comply with policy or the law
Tendency for administrators and security professionals to encrypt everything
- as IT administrators, we see a cost around implementing this that others may not see
There is a cost around encryption

simply having encryption increases the cost of support
how much is this cost?
how do we reduce these costs?
is encryption across the board really the answer?
- alternative is to not store the data on the end user's machine
- currently the solution to dealing with restricted data is encryption
- perhaps the default action could be to store the data on a server instead of workstations

What brought about the question of defining the cost?

bad experiences with PGP, particularly with Apple

Is this an issue with the vendor that we are using?

don't want to invest resources in a vendor that's not reliable
multiple vendor problem - Apple interacting with PGP, Microsoft interacting with PGP, etc.

Tracking time around dealing with encryption issues

not currently officially tracking time
could use Remedy to track time spent on these issues

If you can mandate the type of encryption, why can't you mandate the type of computer?

platform-specific software
user training

Ever since the University rolled out PGP, hard drive failures have increased

ITS is insisting that this is not due to PGP
There are extra failures, and this requires extra investment in hardware
Can't always do things the way they should be done; sometimes it has to be what can be done
no matter what the encryption solution, there is going to be an extra cost involved

Auditability of PGP is a major factor in favour of the service.

You know that a machine is safe
Other solutions may not provide that feature
In the WDE area, there aren't a whole lot of solutions available for encryption
Only other offer that appears viable is McAfee encryption

Until we come up with a permanent solution and/or a replacement to PGP, we should focus on reducing the support costs.

bootable environment to access/decrypt drives
share experiences amongst the IT professionals around addressing issues relating to encryption
- e.g. don't have Connected Backup back up the PGPWDE files that are in the root of the hard drive
have a solution to encrypt hard drives before deploying them to a user

Possibly using Windows and Mac integrated WDE options

when looking into encryption solutions initially, there was no built-in option for Windows
PGP was the best option at the time
both major platforms now do have integrated WDE options
the major issue is key management
if the integrated solutions have key management, then those would be viable solutions
Windows 7 machines would need to be Enterprise in order to support BitLocker

The easiest solution is to encrypt everything, in order to reduce all risk

Do we need to get to some ideal state where everything is encrypted?
Is it better to get to some state that is better than no encryption?
The motivation for encryption is that it is a get-out-of-jail-free card to comply with the language of the law
Encryption needs to be supportable and easy to adopt. This is an important concern for the ISO

Wrap up and next steps

There is a cost and we would like to start being able to track that
We can start tracking this through Remedy and time spent on WDE kinds of tickets
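The tracking proposed above can be made concrete once ticket time is exported. The script below is an added example, not part of the meeting notes or of any Remedy tooling: it takes a constructed CSV-style ticket export (the column names, sample rows, keyword list and hourly rate are all assumptions), flags tickets as encryption-related by keyword, and totals the minutes, the share of all support time, the cost at a given hourly rate, and a per-platform breakdown so the multi-vendor question (Apple vs. Windows) can be answered with numbers.

```python
"""Estimate the support cost of whole-disk encryption from a ticket export.

Added example (not from the notes). Assumes an export with the columns
ticket_id, platform, summary, minutes; the rows, keyword list and hourly
rate below are constructed for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; a real one would be pulled from Remedy.
SAMPLE_EXPORT = """\
ticket_id,platform,summary,minutes
T-1001,Mac,PGP WDE boot loop after OS update,95
T-1002,Windows,Printer driver install,20
T-1003,Windows,BitLocker recovery key prompt after firmware update,40
T-1004,Mac,Decrypt drive before warranty replacement,180
T-1005,Windows,Password reset,10
T-1006,Mac,Connected Backup copying PGPWDE files from root of disk,60
T-1007,Linux,Kernel upgrade failed,35
"""

# Keywords that mark a ticket as encryption-related (constructed list;
# extend it as new failure modes are shared among IT staff).
ENCRYPTION_PATTERN = re.compile(
    r"\b(pgp|wde|pgpwde|bitlocker|filevault|decrypt|encrypt|recovery key)\b",
    re.IGNORECASE,
)


def is_encryption_ticket(summary):
    """True if the ticket summary mentions an encryption-related term."""
    return ENCRYPTION_PATTERN.search(summary) is not None


def summarize_encryption_cost(export_text, hourly_rate):
    """Aggregate encryption-related ticket time from a CSV export.

    Returns a dict with the number of encryption tickets, minutes logged
    on them, their share of all logged minutes, the cost at hourly_rate,
    and minutes broken down by platform.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    total_minutes = 0
    enc_minutes = 0
    enc_tickets = 0
    by_platform = defaultdict(int)

    for row in reader:
        minutes = int(row["minutes"])
        total_minutes += minutes
        if is_encryption_ticket(row["summary"]):
            enc_tickets += 1
            enc_minutes += minutes
            by_platform[row["platform"]] += minutes

    share = enc_minutes / total_minutes if total_minutes else 0.0
    return {
        "tickets": enc_tickets,
        "minutes": enc_minutes,
        "share_of_minutes": share,
        "cost": enc_minutes / 60.0 * hourly_rate,
        "by_platform": dict(by_platform),
    }


if __name__ == "__main__":
    result = summarize_encryption_cost(SAMPLE_EXPORT, hourly_rate=45.0)
    print(f"encryption tickets: {result['tickets']}")
    print(f"minutes: {result['minutes']} "
          f"({result['share_of_minutes']:.0%} of all logged time)")
    print(f"cost at $45/h: ${result['cost']:.2f}")
    for platform, minutes in sorted(result["by_platform"].items()):
        print(f"  {platform}: {minutes} min")
```

Keyword matching on the summary is a deliberate simplification: if the ticket system gains a dedicated WDE category, as the wrap-up proposes, the classifier reduces to a field check and the rest of the aggregation stays the same.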