Re: Disk Encryption for remote XP machines.



On Jan 29, 4:53 pm, "nemo_outis" <a...@xxxxxxx> wrote:
Mike <mikere...@xxxxxxxxxxxxxx> wrote in news:1f477947-61f7-4c70-b6d5-661a8d32a063@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

...

LOL. Talk about overstating the case. Unless you have a particularly
high opinion of yourself and think that I'm leaning too hard? This
estate has been active for 20 years or so and has grown to a
particular size due to integration following takeovers, migration of
O/Ss etc. I'm not trying to cobble anything together I'm looking for a
remote distribution of some disk encryption software which will link
the hard disk to the device WITHOUT any extra hardware. Yes, risk and
threat analyses have been made and the single risk/hole call it what
you will is the disk itself. Not that it has any sensitive data, not
that it will allow access to anything compromising but merely for the
reputational risk should the disk end up on ebay and it has BANK OF
XXXXX all over it. My approach is certainly fit for purpose it's just
that I intend on purchasing a Mini to get me from a to b rather than a
Bugatti Veyron.
God I love usenet.

A bit difficult to reconcile with your previous statement: "Mmm don't really want
to go the extra hardware route as there a 9000 of these beasts and that will
require actual man in a van visit (aside from the cost)"

9000 of them, eh?  And like Topsy, they just growed, eh?  Well, OK.

Risk and threat analyses have been made, you say?  And yet it is only now, 20
years on, that the risk of a HD going astray or malfeasance by maintenance men is
noticed and ways to address the matter are being considered.  Hardly an exotic
risk and yet somehow it has been overlooked/ignored until now.  Let's just say I'm
not overwhelmed by either the timeliness or thoroughness of that risk and security
analysis. But better late than never, I guess (So much for timeliness - as for
thoroughness?)

And now all you say you need is disk encryption. The matter of possible
malfeasance by maintenance men has largely disappeared.  You only need to protect
data at rest and not data in use?  Well, good, because the maintenance man problem
is non-trivial and there are no quick fixes.  

Your explanations have now cleared things up.  Your goals are very modest and
limited and can be reduced to one core objective: don't let HDs (or, more
specifically, the data on them) go astray.  

So here're my revised quick fixes to your problem:

1) Since malfeasance by maintenance men has now been discarded as an issue, put
out a memo to all your maintenance men establishing the policy that any "loose"
HDs are to be returned to headquarters and not disposed of otherwise.  While
you're at it, establish protocols and procedure for HD disposal at headquarters
(not as simple as it seems if we're talking many disks over a long period of
time).

or, if you can "push" software installations to each site:

2)  Install any modern full-HD encryption system.  Truecrypt is one of the better
ones and it's free, so, sure, use it.  
(And note that it won't be a trivial matter to manage the logistics of that
"push" to ensure nothing is missed, no old hardware hangs, and no equipment does
"strange" things.  Or to establish a backup procedure for data recovery, etc. But
then again there's no need for me to go into all this - after all, you've already
done a risk and threat analysis, right?)

And that's it.  A cheap, easy and quick fix. Just don't kid yourself that you've
"solved" the problem of data security.

However, if you wish to do more than put a band-aid on the problem, let me suggest
that a budget of $10-100 per machine for retrofitting real security would hardly
be extravagant or lavish - it would, in fact, be a "bargain basement" approach.  
IOW, a real security review and refurbishment applied to a 9000-unit hodge-podge
system developed incrementally over 20 years could well cost hundreds of thousands
of dollars.  And I suggest that a goodly chunk of that cost be expended on a
qualified security consultant.  While you're at it, some input from a specialist
in business processes and procedures would also not be amiss.

Regards,

PS  Implementing security on a dispersed 9000-unit system is very different from
encrypting one or two drives on a home system.  The scale introduces a
*qualitative,* not just a quantitative, change in the nature of the problem.  

Hell, it takes a lot of coordination and effort to push out a lousy Windows patch
to thousands of machines at a single company site - companies must put
considerable effort into making sure there are no foul-ups or gaps.  And your
problem, even in its most reduced form as you've now restated it, is considerably
more difficult.  I suggest you ponder this well before you rely on your cheap and
easy encryption quickfix.

Thanks for your suggestions.
No thanks for your boorish attitude and presumption that I'm a
complete arse.
I came here looking for suggestions for a solution based on my
requirements, not a lecture on the whys and wherefores of how to
distribute software on 9k remote machines (something we do ALL the
time), or the hint that no other security exists. Extrapolation based
on what I asked was unnecessary but thanks for the reply.