07-01-13 | Blog Post
After deep dives into the world of encryption as it relates to privacy, security and compliance and how it functions at the software level, Online Tech’s “Tuesday at 2” webinar series concluded its three-part encryption presentation with a look at encryption at the hardware and storage levels.
Online Tech’s Systems Support Manager Steve Aiello led the conversation and handled aspects of encryption for Microsoft-driven hardware and guest co-host Mark Stanislav of Duo Security took over for the Linux-focused stretch of the presentation. Both explored the variety of places encryption can be employed to mitigate risk of data loss or breach, and some of the considerations for choosing the most appropriate method to employ.
To wrap up the presentation, Aiello covered encryption options for storage media.
What follows is a brief recap of their presentation. If you want to learn more, slides and a video replay of the 57-minute presentation are available here. The slides offer numerous links to suggested reading from Aiello.
While handling a look at both its Encrypting File Systems (EFS) and BitLocker disk encryption offerings, Aiello noted that “Microsoft has generally done a very good job at implementing cryptography in their ecosystem.”
EFS uses AES, a very strong encryption algorithm, to encrypt data at rest on a hard disk. Aiello covered its pros, cons and other highlights; described how it functions and how to enable it.
“The really nice thing about EFS is that it’s completely built into the Windows NT file system,” Aiello said. “There’s no extra you have to add, there’s no performance hit, and it’s a very safe option – as long as you can keep the username and password to that laptop or device private.”
Aiello also covered BitLocker, which he called “Microsoft’s answer to full-disk encryption.” It allows for a customizable level of protection depending on the combination of features used: The Trusted Platform Module (TPM) allows the system to verify the integrity of data, a PIN offers authentication and a USB Key offers two-factor authentication.
“One of the really great things you can do with a full-disk encryption solution is … do a secure wipe,” Aiello said. That ensures you properly “sanitize” drives that may have once held sensitive healthcare of financial data, for instance, on them.
Stanislav took over the Linux disk encryption portion of the event, covering Linux Unified Key Setup (LUKS) and the free, open-source TrueCrypt. He cautioned that while there are parallels to Windows in terms of what the Linux options can do, because Active Directory is the standard in how to manage systems within the scope of a deployment, Linux is not as direct in trying to manage encrypted systems as it would under Windows.
That said, he noted that LUKS – despite its name – is usable with Windows using FreeOTFE software. Most commonly used for enterprise deployment, LUKS is flexible to utilize and allows you to select algorithms, key size and mode of operation for encryption.
Perhaps more familiar to the general public is TrueCrypt, which offers a graphical user interface or command line functionality. As a stand-alone software application, it is stronger and more feature-rich out of the box than other options.
Another highlight of TrueCrypt, said Stanislav, is that it offers the ability to completely hide volumes of data on hardware. “Even if somebody stole a laptop, they wouldn’t know there’s a volume of encrypted data on the device,” he said.
The storage portion of the presentation covered self-encrypting drives (SEDs) and appliances for array-based encryption.
Self-encrypting drives are hard drives that have encryption hardware built in that is completely transparent to the user and comes with software to generate a unique encryption key. Relatively new to the market, these drives come in a limited number of types and sizes.
Aiello also covered numerous encryption appliances that can be built into the storage array that leaves data encrypted on the disk. These options have little performance impact, no drive choice limitations and zero key management issues, but can be expensive.
After a jam-packed, four-presentation schedule in June, the “Tuesday at 2” webinar series takes a couple weeks off before returning on July 16 for Why is it So Hard to Secure a Company, presented by High Bit Security COO Adam Goslin. For details and to register for that free educational session, click here.
