Mobile Device Security and Encryption Standard and Guidelines




University Mobile Computing and Device best practices are currently defined as follows:

1) The use of any sensitive or private data on mobile computing devices must be avoided unless absolutely necessary. The recommended mechanism for using such data is to keep the data on a secured system at the University and use the laptop for secure remote access to that system (for example, ssh or remote desktop to a system on campus used to access and manipulate the data).

2) For situations where 1) is not possible, or if there is any doubt about the nature of the data on mobile devices, the device must be secured to the following minimal baseline:
   A. Laptops and mobile devices must run a current, fully patched, and modern Operating System at all times.
   B. Users must store documents on laptops in a single specific area only (such as a home folder or directory).
   C. The contents of the disk storage area specified in B. must be securely encrypted.
   D. Laptops and mobile devices must be configured to ask for a password after any period of inactivity, including after resume from suspend/standby/sleep/hibernate and on OS start up.

3) Additional laptop and mobile computing security measures include:
   A. PDA devices must have the ability to conduct a remote kill (the ability to remotely and on-command reset the device to factory configurations, thereby overwriting any stored or cached data).
   B. Data Wiping: Laptops and mobile computing devices must follow electronic media disposition and secure wipe (overwriting any stored or residual data, even items previously deleted that may be recoverable on the hard drive) in accordance with the electronic media disposition guidelines.
   C. Physical protection controls must be used, such as laptop cable locks and securely storing mobile devices in transit and in locked areas/compartments when not in use.
   D. Wireless security best practices must be followed when connecting to information technology resources through WiFi.
   E. Strong Authentication should be considered if there is an approved and justified business need to access University of Alberta sensitive information using a laptop or mobile device.

Laptop Encryption Deployment Guidance For System Administrators

4) The current best practice mechanisms for secure, software-based disk encryption as described in practice 2C are the following:
   Microsoft Windows: Configure BitLocker to encrypt all fixed disk drives [1]
   Apple Mac OS X: Configure FileVault to encrypt all users' home folders

Different mechanisms may be acceptable to use on other operating systems. This document is intended as a guideline to use for the most common circumstance. If a platform not listed here is not capable of encrypting the stored documents area, it must not be used to store sensitive information (it may be used for secure remote access to a system as in section 1).

5) A deployment plan for disk encryption must be defined and approved in a unit prior to encrypting user systems or data. Minimally, this plan should cover:
   - Identification of affected assets
   - Definition of established data backup processes
   - Definition of encrypted data recovery management process
   - Definition of encryption deployment process
   - Testing of encryption deployment
   - Reporting on encryption process status

Basic Data Recovery Management Process Prototype

Each of the tools we recommend for disk encryption has mechanisms to recover data in the event that a user's password becomes unavailable. The simplest mechanism available for data recovery when deploying to individual systems is a recovery password. With BitLocker this password is a unique 48 character numeric code that the user is given the option of printing during the encryption process; for FileVault it is the Master Password, set by the user in the System Preferences before actually enabling FileVault.

Our minimal recommended process for managing these passwords is to require users to place a paper record of the recovery password in a sealed envelope, which they will supply to their Chair, or similar authority, for safe keeping in a physically secured location. Secured in this instance means a locked container inside a room with very limited access, such as a departmental safe or a filing cabinet with a strong lock in the Chair's office.

[1] Note that BitLocker is only available for the Ultimate and Enterprise editions of Windows 7 and Vista - it is highly recommended that Windows XP not be used on laptops requiring data encryption.

BitLocker for Windows 7 Enterprise/Ultimate

Capabilities

BitLocker is a security mechanism that provides two primary functions: boot-time operating system integrity verification and full drive data encryption. Once a BitLocker enabled system has bootstrapped itself into the operating system, the file system on the protected drive(s) is unlocked and the drive encryption effectively becomes transparent to any running applications. The security of this mechanism is based on the secrecy of a cryptographic key: the Master Volume Key (MVK). This key material is not related to user authentication and no user passwords are involved in its creation.

Configuration

Regardless of the deployment method chosen, the University advises that BitLocker must be configured to use the TPM + PIN authentication method. [2] Default settings for other options are acceptable as long as this authentication method is used.

Prerequisites

Enabling BitLocker requires that the target laptop have hardware for storing the MVK and related integrity data. Microsoft allows this data to be stored in either a Trusted Platform Module (TPM) or on a USB drive. The University advises that BitLocker be enabled only on hardware with a functional TPM; our experience is that USB drives are too easy to lose or damage when used in this context.

Beyond a TPM, deploying BitLocker has a second major technical requirement: the target laptop must have a very specific drive layout. At a minimum, the primary system disk must have two NTFS formatted partitions, corresponding to a system drive and a data/os drive respectively. Microsoft documentation provides a clear definition of these requirements; we are repeating them here to further emphasize their importance.

Backup Considerations

The encryption provided by BitLocker is transparent to applications on the running operating system, and existing backup schemes should not require technical accommodations in order to be effective as long as the backup is server-based. Backing up a BitLocker protected system to unencrypted removable media, such as a USB drive, is strongly discouraged, as it leaves the data mobile while simultaneously removing any benefit of protection provided by the encryption.

[2] http://technet.microsoft.com/en-us/library/cc732725(ws.10).aspx#bkmk_s3
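An added example (not part of the University's document): a Python check that reads `manage-bde -status` text and reports deviations from this standard's BitLocker rules, namely all fixed drives encrypted, TPM + PIN on the OS volume, and a recovery password present. The sample text is constructed, and the English field labels and the function names `parse_status` and `audit` are assumptions of this example.

```python
import re

# Constructed sample modelled on English `manage-bde -status` output (not from a real host).
SAMPLE_STATUS = """\
Volume C: [OSDisk]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_status(text):
    """Return {drive: {"role", "fields", "protectors"}} parsed from the status text."""
    volumes, cur, in_protectors = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Volume ([A-Z]:)", line)
        if m:  # start of a new volume block
            cur = volumes.setdefault(m.group(1), {"role": "", "fields": {}, "protectors": []})
            in_protectors = False
        elif cur is None or not line.strip():
            continue  # banner text before the first volume, or a blank line
        elif re.fullmatch(r"\[.+ Volume\]", line.strip()):
            cur["role"] = line.strip()[1:-1]  # "OS Volume" or "Data Volume"
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            cur["fields"][key] = value
            in_protectors = key == "Key Protectors"
        elif in_protectors:
            cur["protectors"].append(line.strip())  # indented protector name
    return volumes

def audit(volumes):
    """List deviations from the baseline; every listed volume is assumed to be a fixed drive."""
    findings = []
    for drive, vol in sorted(volumes.items()):
        fields = vol["fields"]
        if fields.get("Conversion Status") != "Fully Encrypted":
            findings.append(f"{drive} not fully encrypted ({fields.get('Conversion Status', 'unknown')})")
        if fields.get("Protection Status") != "Protection On":
            findings.append(f"{drive} protection is not on")
        if vol["role"] == "OS Volume":
            if "TPM And PIN" not in vol["protectors"]:
                findings.append(f"{drive} OS volume lacks a TPM And PIN protector")
            if "Numerical Password" not in vol["protectors"]:
                findings.append(f"{drive} has no recovery password to escrow")
    return findings
```

Run against the constructed sample, `audit(parse_status(SAMPLE_STATUS))` reports the unencrypted D: volume; an empty list means the machine meets the BitLocker part of the baseline.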

Data Recovery

Microsoft provides a number of data recovery methods; their availability depends on the deployment scheme chosen. In the basic one-to-one scheme, where BitLocker is configured on each individual system, these recovery mechanisms are either a binary key or a long numeric passphrase. Both of these items are unique to a particular BitLocker protected device, so in the prototype recovery management process defined in the sections above, we've highlighted the use of the passphrase because it is a more manageable artifact for non-technical users.

Significant automation of data recovery management is available when deploying BitLocker via Active Directory DS group policy. This policy is available in Server 2008 by default and in Server 2003 R2 via a schema extension. Due to variations in individual AD environments, the University is not providing any specific instructions for this deployment mechanism at this time.

FileVault for Apple OS X 10.6 (Snow Leopard)

Capabilities

FileVault encrypts data in a user's home directory using disk image containers and does not encrypt the whole system disk. This means that any user account that has administrator capability can write data to anywhere on the system they care to, a location that will not be encrypted. For this reason users must keep their data in their home folders and not intermix sensitive data storage with locations used by the Operating System or that are accessible to other users by default. [3]

Configuration Options

The encryption mechanism provided by FileVault is uncomplicated, and at this time the University makes no recommendations beyond the practices described at the beginning of this document and the use of default settings.

Prerequisites

FileVault does not have any explicit hardware requirements, but it is not recommended to deploy it onto older single processor laptops before testing any impact it will have on the usability of the device. For example, enabling FileVault on a late generation PowerPC-based Powerbook running OS X 10.5 creates an unacceptably slow user experience.

[3] Such as the folder /Users/Shared.

Backup Considerations

FileVault stores a user's home directory inside an encrypted sparse-bundle disk image container on the system drive. The data is only decrypted when the individual files are accessed and read from the disk into memory by applications during a user's login session. Backup mechanisms reading data off the disk will only have access to the encrypted disk image containers, not their contents. This design means that special accommodations may need to be made for the backup mechanism you employ, so it is also highly recommended to confirm the effectiveness and operational behaviour of backups prior to encrypting real user systems.

Data Recovery

The most important system administration consideration for data recovery with FileVault is the management and use of the FileVault Master Identity. In the one-to-one deployment we are recommending as a baseline, this Master Identity is stored in a system Keychain file and is protected by the Master Password as set by the user when FileVault is enabled. This identity is the sole mechanism available for recovery of encrypted data in the event that the user password becomes unavailable.

As the majority of Apple laptops in use at the University are currently individually administered, we strongly recommend using the uncomplicated Basic Data Recovery Management Process defined in this document as a basis for addressing recovery requirements. Sophisticated schemes for automated FileVault deployment and recovery management certainly do exist, but they all require a central administration mechanism [4] and will not be addressed in this document.

[4] Such as Open Directory.

References:

1. Best Practices for Using FileVault: Managed encrypted container technology built into Mac OS X, Apple, December 2009, http://www.apple.com/business/resources/
2. TechNet - BitLocker Drive Encryption, Microsoft, May 2010, http://technet.microsoft.com/en-us/library/cc731549(ws.10).aspx
3. TechNet - BitLocker Drive Encryption Overview, Microsoft, May 2010, http://technet.microsoft.com/en-us/library/cc732774.aspx
4. Data Encryption Toolkit for Mobile PCs, Microsoft, May 2007, http://technet.microsoft.com/en-us/library/cc500474.aspx