School of Medicine is in the planning stages of doing a school-wide encryption project.
Overview of project:
All end-user computers and mobile devices of SoM community members that have access to classified data.
A centralized backup solution is being implemented to support the effort using CrashPlan Appliances
~ 6000 systems are targeted between 11/10-12/10
Automation through IT Services and Big Fix for deploying backup and other aspects.
Pulling data through NetDB and IPM to determine the uses of the systems.
Expecting all iOS devices to be enrolled in MDM. The policy currently will be that non-iOS devices will be restricted from using them for classified data.
Survey the entire user community to understand number of systems, type of information being accessed and how are they being used.
Are other groups doing this or have information to share?
FMS previously went through the effort of installing PGP on all the laptops and desktops. Paid the price for "bricking" a lot of systems over time. A lot of support time was invested to deal with technical issues that have surfaced.
There are clear advantages for using native encryption wherever possible with FileVault2 and BitLocker. McAfee is being used for systems that cannot take advantage of native solutions. Only about 5-10 Microsoft systems on campus are native encryption capable. IT Services is working with Schools and Departments to try and get support for a Campus Wide Microsoft License in order to easily upgrade systems to get to native enryption.
If anybody has any current spend information (last 2 months or less) within their departments, please send to Debbi Barley (debbib@stanford.edu) or Stacy Lee (sbl@stanford.edu).
ISO has now released a recommendation with information on the SWDE website.
What are the organizations' responsibilities for key escrow and preventing faculty and staff from "bricking" their system?
The new SWDE installer for BitLocker and FileVault 2 (with Mac 10.8) will provide key escrow (on the Big Fix servers) for users. Next step is to build delegative services.
What is the authentication method for proving my identity to you so I can get my key recovered.?
Existing process - help desk will ask the client their "personal question" tied to them for the SunetID reset.
One of the key parts of the SWDE program is the auditability process. If a system is lost, there is a way to audit whether or not the system was encrypted and have reasonable assurance that nobody had access to the data.
For the SoM, what about the grad student downloading email locally to their system at home?
Yes, we would want it encrypted or use a webclient and do not download attachments.
Goal is to have anything that has Stanford data on it is encrypted.
Do you anticipate users being upset and posing problems with rollout?
Users seem to be very aware of the effort and understand the reasons why we need them to comply. Should compliance not be happening network access and other measures will take place.
Are there any groups that are rolling out MDM aggressively? If not, why not?
It is believed that School of Engineering is aggressively rolling out.
Concern that it is difficult to "force" anybody who uses their personal device to use MDM.
Business Affairs will be mandating, for its organization, that anybody using an iOS device for Stanford business, need to enroll in MDM.
Members of the group were really interested in the effective method of turning off SuNET access when users do not complete their security awareness training. Can we use this for other types of policy?
The service used to provide this can be used in other methods. Jon Pilat can share more information if you are interested.
