Monday, October 20, 2008

Laptop Encryption

In my recent blog about the new Massachusetts Data Protection regulations, I described Section 17.04 subsection (5) which requires "Encryption of all personal information stored on laptops or other portable devices;" by January 1, 2009.

At BIDMC, we've researched several solutions and have chosen McAfee Endpoint Encryption (formerly SafeBoot Encryption) to ensure we comply with these new regulations.

We've done a comprehensive analysis of the application, which I encourage you to download.

In summary, the impact of encryption on disk write and read is so small that users cannot perceive any change in performance.

How will we implement the product?
Today, we have asset control software which lists all laptops received through IS Inventory Control. These records make it easy to contact customers and schedule to have their laptop hard disk encrypted. During that visit, we will teach them on how to use the system with the encryption software on it. On average, we're experiencing a one time 2.5 hour encryption time. This varies depending upon the speed of the processor, amount of RAM and the size of the hard disk. The encryption can also be removed if necessary, but it will take approximately the same amount of time to decrypt the hard disk as it took to encrypt it. Decrypting must be done by IS.

What about support?
From a support perspective McAfee Endpoint utilizes an enterprise control console and if passwords are forgotten, encryption access can be reauthorized by contacting IS. We've found the support effort to be less than other products we've investigated lately such as Seagate Full Disk Encryption that we looked at recently.

What are the challenges?
Currently there is no McAfee Endpoint solution for Apple products. McAfee is currently working on a solution and they are hoping to have it released some time next year. Since McAfee Endpoint encrypts the entire hard disk and the encryption drivers must be loaded to decrypt the hard disk, Windows emulator solutions for Mac OSX such as Fusion or Parallels will not work.

Thus, based on our research, the McAfee encryption solution addresses our requirements for protecting 1000 laptops to ensure compliance with the new Massachusetts Law by January 2009. We'll complement this software solution with education to ensure users avoid storing protected health/identified information on mobile devices whenever possible.


Stu Parker said...

Has BI ever thought about open source solutions to some software that we run? Things such as Linux or even Open Office could be a Welcome Addition to the enterprise?

jk said...

What about using TruCrypt an excellent open source solution for both Macs and Windows computers. It is also a free open source product that's been around for years.

Alan said...

Truecrypt is a good program but it isn't FIPS 140-2 certified which may be a problem on government contracts when there may be FISMA compliance requirement.

I'd be interested in knowing how you came to select Safeboot over some of the other competing FDE products from companies like PGP, Credant, GuardianEdge (also used in Symantec products through OEM agreement), WinMagic, CheckPoint (former PointSec), Utimaco (now part of of Sophos), etc. All these companies with the exception of PGP are on the GSA's SmartBuy DAR FIPS 140-2 approved software list although I think PGP is FIPS 140-2 certified. I think NIH uses PointSec.

sjf said...

"For Internal Distribution Only".... thanks for sharing, but do you want to remove this tag from the doc first?

It looks like BIDMC may need a DLP solution as well *smile*... give me a call when you are ready.

John Halamka said...

Truecrypt is indeed a good program. I have used it on a number of occasions. The main reason that TrueCrypt was not in consideration is the lack of an enterprise management solution. Operational considerations were second only to the quality and scope of the encryption. High on the requirements list, after the encryption, was the ability to provide support for a centralized secure and trusted method of decrypting the disk should the user forget their key. This was not available with the TrueCrypt solution at the time of the evaluation.

As for the consideration of the other products mentioned. We were focused on obtaining a product that provided safe Harbor status, and ease of operations. The ease of operations component has two sides - ease to the user and ease for the help desk. SafeBoot had a major leg up on all of the others since we are a McAfee shop. The near term plan to roll the management of SafeBoot into the Epo Orchestrator management console made the operational model difficult for others to match. That integration, once complete, provides the help desk with one common interface to support all of our layered endstation security components.

As a result we did an accelerated evaluation of Safeboot. It succeeded in meeting all of the stated goals for the solution we wanted.

Regarding the "Internal Use Only" tag in the evaluation document, I elected to share the document as is, with approval from my staff

Yves said...

What about Lojack For Laptops?

Football Matches said...

I'd be interested in knowing how you came to select Safeboot over some of the other competing FDE products from companies like PGP, Credant, GuardianEdge (also used in Symantec products through OEM agreement), WinMagic, CheckPoint (former PointSec), Utimaco (now part of of Sophos), etc.

Recep Deniz MD

Prescott E. Small said...

We are also consumers of McAfee EE (SafeBoot). We are finding it to be a slight learning curve in terms of our support personnel. However, we are finding it to be a great product with great reliability. We had originally gone with PointSec, which turned out to be such a miserable product that we not only abandoned the deployment after 2,000 systems we ended backing it out and re-deploying McAfee Endpoint Encryption. The reason Most other products are not viable is because they do not have an "enterprise" management interface. We found vendors often advertise an "Enterprise Solution" when what they really have is a solution for 20 to 100 computers in a single subnet in a single location.

Also McAfee's Solution is a suite of software that includes Endpoint Encryption, File & Folder Encryption, USB Device Control and Client Data Loss Prevention all managed by a real management console.