Hard disk Encryption

QHalo (2[H]4U, joined Sep 30, 2002, 3,432 messages)
Anyone out there using anything and have any good/sob stories to share or thoughts on the products they find are working well for them? We're looking heavily at Credant Mobile Guardian right now. They have file-based encryption (which personally I like more than full disk), and they also offer full disk.
 
Any centralized administration of that? I only ask because I have 800+ laptops to secure :p
 
You're going to want some sort of enterprise solution then. I'd offer one up if I knew of any.
 
Truecrypt really isn't tailored for that kind of deployment. They did just release 6.1 though which adds token support and custom bootloaders. :)
 
I know I need an enterprise solution. I was mostly looking for anyone that's currently running a solution and their thoughts, trials, tribulations, etc. Thanks.
 
Look no further than "DataArmor" from "Mobile Armor", they offer file level but the real product is Full Disk.
http://www.mobilearmor.com
We rolled it out where I work to 300+ laptops in 2006 and completed the roll-out in 4 total months from starting production. We tested it for 3 months before that. It's all centrally managed and is a piece of cake to administrate.
 

That's pretty slick. How's pricing, if you don't mind saying?
 

Yes, but WE didn't know you did. Next time, be more specific.

:)
 
I'm the SME (Subject Matter Expert), not the number cruncher... but I'll tell you in our case it was in the 5 figure range. Considering the fact that if we lost 1 laptop that wasn't encrypted that had customer data on it and we had to report that, the fine alone is over 6 figures, not to mention the negative press from doing so. It's the right thing to do!

Any questions on it let me know.
 

I thought I was in my OP? :( I was really asking to see what others are using and their experiences with them to get some discussion going, not really a suggestion thread. Yeah, I know I can be rather vague; sorry, just trying to get something else talked about rather than another UAC/Vista thread. :p

We're looking at the Credant solution for the simple fact that it integrates with our current Altiris solution and offers something other than full disk.
 

Why does it sound like you want to avoid a full disk solution?
 
I used to work at a company that used PGP. Other than the initial setup and encryption, it pretty much just ran in the background and we never had too many issues with it.
 
My location at a major defense contractor is using the full disk solution from GuardianEdge.com on laptops. I can't tell you much more about it since I'm only an end user, but I haven't run into any problems with it.
 
I helped WaMu deploy Pointsec laptop encryption to 10,000+ laptops before Pointsec was bought by Checkpoint, and before WaMu was raped by the FDIC.

Pointsec worked very well. It has a great security model, integrates with Windows Authentication so their AD username/password is what they enter to boot the laptop, is centrally managed, and has a great data recovery process.

With any complete hard drive encryption solution, be warned that you will encounter hard drives that fail with bad sectors, so make sure your users backup their data prior to getting encrypted, no matter what solution you go with. This part is critical.

Feel free to ask me anything you want about Pointsec, except financials; I wasn't involved in that part.
 

My boss and I came from essentially the same company (different companies, same parent), and were exposed to full disk encryption with SafeBoot. Quite possibly the worst thing I've ever seen.

The sheer amount of time involved, from a rollout perspective, to ease of administration, to after-hours support, has charged both of us to find a solution for our current employer that gets around these cons. I also do not believe that you could do any drive imaging with that implemented either. And with hard drives being in the hundreds of GBs these days and growing, full disk, which even encrypts free space, is just not a viable solution for us, and SafeBoot showed us how awful that process can be.

Now, I know that's one vendor, and I'm not saying that "Full Disk is the devil and no one should go with it ever!", but file-based encryption, with minimal to no impact on rollout time in both the initial (out of the box, to production) and currently-in-use states, has distinct advantages over full disk. We had examined Check Point, Credant, Utimaco, and Pointsec solutions. In the end we chose Credant for the fact that we had a choice of how we wanted to secure our data. Please, I'm open to being schooled on how full disk has changed and I welcome your thoughts.
 
One of the downsides to Pointsec/Checkpoint is that to recover files from a drive that has been encrypted, you have to decrypt the entire drive. That's about an 8 hour process. I found that out from a buddy of mine that works somewhere they use that tool.

I know with DataArmor I slap in a utility disc with proper authentication and pull off whatever files I need onto an external storage device.

I have discussed issues with a company that uses PGP and they have several apps they have found that conflict with it.
 
Oh yeah, they previously had a product called "PC Guardian". It sucked balls. It was not secure because it had the same recovery password on all laptops (not very secure), and the password reset and decryption process were a pain.

Pointsec is much more secure in how it requires you to reset users' passwords and decrypt drives. For example, in order for someone to reset a Pointsec password, they must contact someone who has an account authorized to reset passwords. Accounts that are authorized to reset passwords must either use a hardware token to authenticate, or they can alternatively authenticate to a website to issue a challenge/response to reset the password.
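As an added illustration of the recovery model these two posts contrast (one recovery secret per machine instead of one recovery password shared by every laptop, and a challenge/response that only an operator who has authenticated with a token can issue), here is a generic sketch in Python. It is example code written for this page, not Pointsec's or PC Guardian's actual protocol; the HMAC-SHA256 key derivation, the 12-digit decimal response encoding, and the `token_verified` operator flag standing in for a hardware-token login are all assumptions of the example.

```python
"""Generic challenge/response recovery for a pre-boot authentication screen.

Example code added for this page; NOT the Pointsec (or PC Guardian) protocol.
Assumptions: HMAC-SHA256 as the per-device KDF and MAC, a 12-digit decimal
response the user reads over the phone, and a 'token_verified' flag standing
in for the helpdesk operator's hardware-token login.
"""
import hashlib
import hmac
import secrets

# Constructed master key for the example; in practice it lives only on the
# management server (ideally in an HSM) and never on any laptop.
MASTER_RECOVERY_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

RESPONSE_DIGITS = 12


def derive_device_key(master: bytes, device_id: str) -> bytes:
    """Per-device recovery key derived from the master key.

    Every laptop gets a different key, so a response issued for one machine
    is useless on any other (unlike a single recovery password shared by all).
    """
    return hmac.new(master, b"recovery-key|" + device_id.encode(), hashlib.sha256).digest()


def compute_response(device_key: bytes, device_id: str, nonce: bytes) -> str:
    """MAC over (device id, fresh nonce), encoded as decimal digits for transcription."""
    msg = b"recovery-response|" + device_id.encode() + b"|" + nonce
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class LockedLaptop:
    """Pre-boot environment of one laptop; it stored its device key at enrollment."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id = device_id
        self._device_key = device_key
        self._nonce = None
        self.unlocked = False

    def issue_challenge(self):
        """Display a fresh challenge; the user reads it to the helpdesk."""
        self._nonce = secrets.token_bytes(8)
        return self.device_id, self._nonce.hex()

    def submit_response(self, response: str) -> bool:
        """Check the transcribed response. Each challenge is usable exactly once."""
        if self._nonce is None:
            return False
        expected = compute_response(self._device_key, self.device_id, self._nonce)
        self._nonce = None  # consumed whether or not it matched: no retries on the same challenge
        if hmac.compare_digest(expected, response):
            self.unlocked = True  # a real product would also force a password reset here
            return True
        return False


class HelpdeskServer:
    """Management side: holds the master key and serves authorized operators only."""

    def __init__(self, master: bytes) -> None:
        self._master = master

    def respond(self, operator: dict, device_id: str, nonce_hex: str) -> str:
        """Compute the response for one challenge; refused unless the operator used a token."""
        if not operator.get("token_verified"):
            raise PermissionError("operator must authenticate with a hardware token")
        key = derive_device_key(self._master, device_id)
        return compute_response(key, device_id, bytes.fromhex(nonce_hex))


def demo() -> bool:
    """Walk one recovery: challenge on the laptop, response from the helpdesk."""
    laptop = LockedLaptop("LT-0042", derive_device_key(MASTER_RECOVERY_KEY, "LT-0042"))
    helpdesk = HelpdeskServer(MASTER_RECOVERY_KEY)
    device_id, nonce_hex = laptop.issue_challenge()
    response = helpdesk.respond({"name": "helpdesk1", "token_verified": True}, device_id, nonce_hex)
    return laptop.submit_response(response)


if __name__ == "__main__":
    print("unlocked:", demo())
```

The two properties worth noticing are that a response computed for `LT-0042` is rejected by `LT-0043` (the per-device key is what the shared-recovery-password design lacked), and that each challenge is consumed on first use, so a response overheard once cannot be replayed.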
 

This is exactly the process we wish to avoid. We had to do it with SafeBoot and it was horrendous.
 

DataArmor's full disk encryption tool took between 2.5 hours for a 40 GB drive and 3.5 hours for a 60 GB drive to full disk encrypt. Of course that's if you're not using the system at all. But you can use it while it encrypts in this case.

I communicated with customers to back their data up to servers before they went home at night, then rolled it out remotely to about 30-40 laptops a night. They would come in the next morning with their laptops sitting at the screen waiting for them to log in and cache their credentials. It would then encrypt them while they used them that first day.

I have heard horror stories of people that use SafeBoot that they pull an image of EVERY laptop before they install it by HAND... I couldn't imagine doing that to 1000's of laptops...
 

Essentially, whenever a new laptop went out it had to be encrypted by hand and took ages. So you had to build that time into the build if you were doing a new deploy. I don't think they ever did rollouts to existing users, but more on the hardware refresh schedules they would get newly encrypted machines.
 
re: Grimmda - It depends on the type of failure that occurred to the drive. I know that if a drive that has been encrypted with Pointsec still physically works (i.e., you can slave it and it shows up), as long as you authenticate to the primary hard drive with an account that is on the slaved drive, you can access the files on the slave without decrypting it. We did this quite a bit for laptops that failed but the hard drive was still good, to get the info to the new laptop. We also did this for employees who left the company and could no longer authenticate to the laptop. Alternatively, you could also log into a laptop of a user who left the company with a higher-level account, such as a tech support user or security engineer user. Both such users must have a hard token, so unless those tokens are stolen, nobody else can get in.

However, if the drive encounters a hardware failure to the point where it cannot be slaved at all, getting the data is much harder. It is still possible, but usually costs a lot. This didn't happen a lot because most of the time the users had backed up their data to a server as was company policy.

How secure is DataArmor? Are you saying that anyone with such a utility disc can decrypt the drive? What kind of authentication is used? Username/password?
 
In our current environment I built our single Windows XP image to determine if the PC is a desktop or a laptop. If it's a laptop, it names it appropriately to our standard and begins to install DataArmor on it. The install is the last piece to load. The technician hands the laptop to the customer, they log in, caching their credentials locally (in case they go off-network, that way they can still log into it), and it encrypts while they are using it later on. Been working smoothly for over 2 years.
 

You can configure AES or 3Des encryption. Anyone with the utility disc AND ADMINISTRATIVE RIGHTS WITHIN DATAARMOR can decrypt the drive...

It also has AD integration as far as "single sign-on", or an independent password, or a mix of both if you desire. That's how we roll for people that are 100% off-site, where we don't want them to have to hassle with the single sign-on, but 99% of our users' IDs and passwords are maintained via AD.
 
Do the administrators authenticate with a username/password, or are they required to have something, like a SecurID token, etc.? Just curious.

Sounds like DataArmor is a good solution too.
 

Admins can authenticate with just a username and password or you can use SecurID Token integration as well if you so desire. Depends what direction you want to go.
 
One last thing, we deployed Pointsec via an InstallShield package with a network software distribution solution. It installed automatically for new builds or existing builds. Prior to encrypting, it would prompt the user to enter their username/password to cache locally (for off-network authentication), generate a recovery file, copy it to a file server, and then begin encryption.
 

Okay, sounds like it is also a good solution.
 
QHalo [H]ard|Gawd, 6.1 Years

Quote:
Originally Posted by Grimmda
One of the downsides to Pointsec/Checkpoint is that to recover files from a drive that has been encrypted, you have to decrypt the entire drive. That's about an 8 hour process. I found that out from a buddy of mine that works somewhere they use that tool.


This is exactly the process we wish to avoid. We had to do it with SafeBoot and it was horrendous.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

False

Safeboot provides bootable ISOs that will allow you to authenticate to the filesystem (basically mimic the preboot) and gain full access to the file system in an "unencrypted" state. With built-in USB and network support it's simple to recover data. In fact, this is one reason we win deals :)
 

Has that always been a feature? If it has, then perhaps the people I know that work there and still use it should know about this.
 
Or you can slave the drive to another system that has Pointsec and just copy the files over... not too hard. You don't have to decrypt the whole drive.
 