security-basics September 2007 archive
security-basics: Re: Full Disk Laptop Encryption

From: Rob Thompson <my.security.lists_at_nospam>
Date: Thu Sep 27 2007 - 21:08:15 GMT
To: "Bob Beringer" <bob.beringer@usa.net>


On 9/27/07, Bob Beringer <bob.beringer@usa.net> wrote:
> Rob,
>
> Thanks for the email, a couple of the issues with PointSec, the last time that I checked, are that they didn't offer digital signature support, MAC agents, and don't support encryption for Data-in-Motion. There were other deficiencies that came up during our bake-off, but these are a few to get you started... Don't get me wrong, PointSec has a pretty decent offering and a lot of folks like them, but I try to talk about things on list from a technical perspective first.

Didn't get you wrong. Just was curious as PointSec is a product that I'm content with. So if there is a user that is having issues with it, I would like to find out - as this may be a learning experience for me for the future.

Let's see here... Digital Signatures, I'm looking through the help file for the latest release that I'm getting ready to start testing to upgrade to... I do not see any reference to that, so I am under the assumption that that is still not offered. And I know that it is not currently available with the version that I am using.

MAC agents, I do not know what you are referring to with this. I would make a guess, but I am seeing a few too many possibilities... ;p

Data-in-Motion - are you talking about data after it has physically left your hard drive? I.e., e-mail, thumbdrives, network traffic, etc... If that's the case, that is definitely one of the problems that we are running into with this software, that is a feature that upper management is looking for. Personally, I figure once you have gotten down to this point with data security by utilizing FDE, you're about as protected as you should need to be. I would try to avoid this (if I'm in the right direction) cost by instead training employees on data security and also hiring employees that I do not have to question their loyalties or ethics. Though I know that this is easier said than done...

>
> An older public bake-off document was released via the link below and it might provide value to the group.
>
> http://www.networkcomputing.com/showArticle.jhtml?articleID=193500189
>

Thank you. I'll take a peek at it.

> My team developed a really cool integrated solution with several of the whole-disk encryption solutions for multi-factor authentication and remote access for some of our government clients and really had to dig into the weeds to find out which solutions played better with others, so my thoughts below are tied closely to what works well in an enterprise, what the goals of the organization might be and what type of integration that each environment needs.
>
> Two last notes, PGP now has a universal server and they have a MAC client with enterprise key management for the MAC's. Lastly, TECSEC has a very flexible and powerful solution for encrypting objects and other data in motion as well as protecting Data at Rest. (mind you in this case that flexible also might mean more initial set up time and effort...)

More setup time and effort is a small price to pay when you have a more efficient and properly configured solution deployed. It is well worth the time, IMO.

I will have to check into this TECSEC. My curiosity is piqued. Thank you for the tip.

>
> I hope that this information helps :-)

Very much so. Thank you kindly for your response. Very well written, by the way. :)

>
> v/r
> Bob
> +12404756858
>
>
> -----Original Message-----
> From: Rob Thompson [mailto:my.security.lists@gmail.com]
> Sent: Thursday, September 27, 2007 1:50 PM
> To: Bob Beringer
> Cc: Lafosse, Ricardo; security-basics@securityfocus.com
> Subject: Re: Full Disk Laptop Encryption
>
> On 9/27/07, Bob Beringer <bob@eor.us> wrote:
> > Ricardo,
> >
> > Pointsec has some limitations, other solutions that are worth looking into
> > are:
>
> Which would be? I'm not trying to be confrontational, I am simply curious.
>
> I have personally used WinMagic, PointSec and PGP. I am not familiar
> with the TecSec, though I am curious as to what limitations you would
> be referring to in regards to PointSec.
>
> IMO I would use either PointSec or SecureDoc, by WinMagic. I would
> stay away from PGP's product like the plague.
>
> They are both extremely thorough. Pointsec with its current release
> is much faster, and has quite a few handy features, like disabling
> removable media until authentication, etc... I haven't used
> SecureDoc since it's been Linux compliant, so I can't speak on its
> newer revisions...
>
> <snip>
>
> --
> Rob
>
>
>
-- Rob