Jon Allen Information Security Officer Baylor University Adam Sealey Information Security Analyst Baylor University Bob Hartland Director of Security,

1
Jon Allen, Information Security Officer, Baylor University
Adam Sealey, Information Security Analyst, Baylor University
Bob Hartland, Director of Security, IT Servers, and Networks, Baylor University

Copyright Baylor University 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2
- Chartered in 1845
- Largest Baptist University in the world
- 14,000 Students
- 2,225 Full Time Employees
- 6,500 Baylor owned computers
  - Including labs, checkouts, etc.
- Approx. 800 Faculty/Staff assigned laptops

4
- Background on Encryption
- Types of Encryption
- Selection Process
- Implementation
- Retrospective
- The Future
- Q & A

6
- Offices have now become mobile
  - Increasing move to laptops
  - Large percentage of data losses involve laptop theft/loss
- 34 states have enacted privacy legislation requiring notification if breached data is not encrypted
- Migration from using SSN did not eliminate old stores of information

7
- Spring Semester (www.privacyrights.org)
  - Average 50% of reported breaches involved laptop theft
- Numerous examples exist in higher education

| Company | Type of Loss | Amount of Loss |
| LifeBlood | SSNs of Donors | 321,000 |
| Horizon Blue Cross | SSNs of Customers | 300,000 |
| CollegeInvest | PII of Customers | 200,000 |
| Harley Davidson | CC#s, Driver's Licenses | 60,000 |
| Agilent | SSNs of Customers | 51,000 |

8
- Texas Privacy Legislation
  - Social Security Number
  - Driver's License number
  - Credit card number
  - Bank account number
- FERPA records
- PCI (Payment Card Industry)

10
- Manual
  - Tools that allow users to manually encrypt and decrypt files and folders
  - Ex: GnuPG, TrueCrypt, AxCrypt
- Automatic (Folder Level)
  - Tools that allow users to define folders or virtual drives that are automatically encrypted
  - Ex: Windows EFS, PGP
- Whole Disk
  - Boot-time software that provides real-time encryption/decryption below the OS level. Encrypts the entire volume or disk
  - Ex: PGP, PointSec, SafeBoot, BitLocker, TrueCrypt

11
[Comparison matrix]
Columns: Manual; Automatic (Folder Level); Whole Disk
Rows: Cost; Performance; User Education; User Interaction; Temporary Files; Multi-Platform; Disaster Recovery; Central Management
Legend: Meets requirement; Partially meets requirement; Does not meet requirement

12
- Software-based tools that allow users to manually encrypt and decrypt files and folders
- Advantages
  - Cost
  - Performance (only necessary files are encrypted/decrypted)
- Disadvantages
  - Requires the user to remember to encrypt
  - User must be educated about what information is sensitive
  - User must know the information is there
  - Does not cover virtual memory, spool, or temporary files
  - User must securely delete unencrypted sensitive files
- Examples
  - GnuPG, TrueCrypt, AxCrypt

13
- Software-based tools that allow users to define folders or virtual drives that are automatically encrypted
- Advantages
  - No user interaction required
  - Performance (only necessary files are encrypted/decrypted)
- Disadvantages
  - Does not cover virtual memory, spool, or temporary files
  - User must be educated about what information is sensitive and trained to store it in the secure location
- Examples
  - Windows EFS, PGP

14
- Software that loads at boot time, providing real-time encryption/decryption below the OS level. Encrypts the entire volume or disk
- Advantages
  - Completely transparent to the user; requires no decision to encrypt
  - Covers all files including virtual memory, spool, and temporary files
- Disadvantages
  - Performance impact for all reads and writes to the hard disk
  - Impossible to recover data if hard disk fails
  - Impacts IT servicing the computer
  - Varied support for Macintosh, Linux, and multi-boot computers
- Examples
  - PGP, PointSec, SafeBoot, BitLocker

15
- Whole Disk Encryption

16
Performed Fall 2005

17
- These weights are for our situation. They need to be re-evaluated for each University's unique requirements.

| Weight | Criteria |
| 5 | Whole Disk |
| 5 | Limited system performance impact |
| 4 | Centralized management |
| 4 | Passphrase recovery |
| 3 | Ease of deployment |
| 3 | Cost |
| 1 | OS Platform (Support for multiple OS, Windows assumed) |

18
- PointSec (www.checkpoint.com)
  - Recently acquired by Checkpoint. Was independent at the time of the evaluation.
- Vista BitLocker (www.microsoft.com)
  - Available only on Vista Ultimate and Enterprise, which was not in production at time of product selection. Requires TPM
- PGP (www.pgp.com)
  - Good centralized management, solid reputation, and low system impact led to us choosing PGP as our solution.
- SafeBoot (www.safeboot.com)
  - Added to product space after vendor selection.

20
- Installation
  - Manual vs. Automatic
- Setting up central server
  - Work through DR scenarios as well
  - Migrated to VM September 2007
- Internal Q/A procedure
  - Working PGP into our system workflow
  - Only disk encryption, not mail for most users

21
- Workstation Configuration
  - Backups
  - Screensavers
  - Hibernation vs. Standby
- Authentication Method
  - Single Sign-on
  - Unified authentication
  - Separate Credentials
- Administrative Tasks
  - Handling forgotten passphrases
  - Identifying which workstations require encryption

22
- Administration buy-in
- Thorough testing up front
- Respond quickly to concerns
- Exhaustively test new versions
  - Do not feel compelled to upgrade until testing is complete

24
- Over 540 clients deployed
  - Of those, over 90% are laptops
- Requirements have evolved
  - Require all faculty/staff laptops be encrypted
    - Over 800 laptops
  - Goal: Include both Mac and Linux installations
- Full time employee dedicated to PGP rollout and maintenance

25
- Do we think we made the right choice?
  - Whole disk PGP
- What would we have done differently
  - Better process for identifying who needs encryption
    - Data Inventory
  - More resources
    - QA resources
    - Deployment resources
  - More realistic timelines
    - Deployment timeline
  - Leverage Asset Management tools to identify target computers sooner

26
- Encryption included with software
  - OS
  - Databases
- Further legislation mandating encrypted storage
  - PCI
  - HIPAA
  - Federal Legislation
- Data Classification and Inventory
  - Let the policy drive the security effort

28
Jon Allen, Information Security Officer, Jon_Allen@baylor.edu
Bob Hartland, Director of Security, IT Servers, and Networks, Bob_Hartland@baylor.edu
Adam Sealey, Information Security Analyst, Adam_Sealey@baylor.edu
Derek Tonkin, Information Security Analyst, Derek_Tonkin@baylor.edu
