implementation of device encryption for the enterprise

Upload: techdude

Post on 14-Dec-2014

TRANSCRIPT

Page 1: Implementation of Device encryption for the enterprise

IMPLEMENTING DEVICE ENCRYPTION IN THE ENTERPRISE

George Mason’s roll-out of Utimaco’s SafeGuard Easy Enterprise

Page 2: Some History

Whole disk encryption seen as the only solution

Product evaluation in 2005 led to the selection of Utimaco SafeGuard Easy

The SafeGuard Easy stand-alone solution was deployed in 2006 to a limited number of laptops

Page 3: The Environment

MESA – Mason Enterprise Services Architecture: the newly deployed Active Directory - Open Source

SMS for deployment and support

Only XP or Vista clients: at-risk systems are exclusively Windows XP or Vista with BitLocker

Page 4: Project Goals

Leverage existing deployment and management systems

Allow for some delegated control

Provide an audit trail

Minimize impact on end clients

Ensure a simple, robust & redundant support structure

Page 5: Project Scope

At first, it was the laptops….

Policies changed, requiring encryption at rest for all workstations with sensitive data stores.

The targets for encryption changed to workstations in all business units that routinely work with sensitive data.

Page 6: The Technology

SafeGuard Easy Enterprise (SGN) v5.2

The Management Server: VMware ESX-hosted Windows 2003 server, MS SQL 2005, IIS for client-server communication

The Deployment Vehicle: a scripted install for unmanaged XP clients, MSI install packages for managed clients

Administrative Interface: heavy client connects over MS SQL ports to the server

Page 7: The Support Roles

Master Security Officer: manage roles, create Security Officers

Security Officer: everything but MSO functions

Help Desk Officer: challenge/response process; view policies, directories and event logs

Page 8: Client Recovery Methods

Challenge/Response

PE or BartPE recovery boot media, for in-the-field recovery

Slaving the hard drive for OS recovery, Security Office supported
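The challenge/response recovery path listed above, as an added example that is not code from the presentation or from Utimaco: a generic model in which the help desk officer computes a response from a per-device key escrowed on the management server, the locked pre-boot client verifies it once, and every issued response lands in the audit trail. Device ids, key sizes, the code format and the class names are assumptions.

```python
import base64, hashlib, hmac, secrets

# Constructed illustration of a help-desk challenge/response recovery flow.
# Hypothetical model, not Utimaco's protocol: names and formats are assumptions.
PURPOSE = b"preboot-recovery"

def compute_response(key, device_id, challenge):
    # Response binds the escrowed key, the device and this challenge; 16 base32 chars read over the phone
    mac = hmac.new(key, device_id.encode() + challenge.encode() + PURPOSE, hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode()

class ManagementServer:
    # Escrows one recovery secret per device; every issued response is written to the audit trail
    def __init__(self):
        self.recovery_keys, self.audit_log = {}, []

    def enroll(self, device_id):
        self.recovery_keys[device_id] = secrets.token_bytes(32)
        return self.recovery_keys[device_id]  # provisioned to the client at enrollment

    def help_desk_response(self, officer, device_id, challenge):
        self.audit_log.append((officer, device_id, challenge))
        return compute_response(self.recovery_keys[device_id], device_id, challenge)

class LockedClient:
    # Pre-boot prompt on the encrypted machine; holds only its own provisioned secret
    def __init__(self, device_id, key):
        self.device_id, self.key, self.challenge = device_id, key, None

    def new_challenge(self):
        self.challenge = base64.b32encode(secrets.token_bytes(10)).decode()
        return self.challenge

    def unlock(self, response):
        if self.challenge is None:
            return False
        expected = compute_response(self.key, self.device_id, self.challenge)
        self.challenge = None  # one attempt per challenge: a replay or a retry needs a fresh one
        return hmac.compare_digest(response, expected)

def run_recovery_scenario():
    server = ManagementServer()
    client = LockedClient("LAPTOP-0042", server.enroll("LAPTOP-0042"))
    good = server.help_desk_response("hd-officer-1", client.device_id, client.new_challenge())
    first = client.unlock(good)    # officer's response against the live challenge
    replay = client.unlock(good)   # same response again: challenge already consumed
    client.new_challenge()
    stale = client.unlock(good)    # old response against a fresh challenge
    return {"first": first, "replay": replay, "stale": stale, "audited": len(server.audit_log)}
```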

Page 9: Configuration Choices

Policy-driven configuration

Encryption protocol: AES256

What key to use for system encryption: the default computer key

Whether to synchronize pre-boot authentication with OS authentication or not

Whether to allow for additional device encryption

Whether to allow for external boot media for recovery

Page 10: Communication

Communication pieces for: departmental business and technical leads, end clients, the Support Center, recovery technicians

Training for support staff: technical overview, challenge/response process, device recovery process

Page 11: Deployment Process

Ringed deployment:

Security Office: debug and verify the install

ITU internal group: support testing and client feedback

Pilot external group: an easy sell to groups who had experienced exposure

All identified external groups

Page 12: Lessons Learned

Password resets can be confusing

Watch the Utimaco knowledge base for known issues.

The SafeGuard Easy client lags major patch releases; this creates complexity that needs to be managed and communicated clearly.

Clearly written support documentation is critical

Page 13: System Overview