Re: Disk Encryption for remote XP machines.
- From: ♥Ari ♥ <AriSilverstein@xxxxxxxx>
- Date: Sat, 30 Jan 2010 15:20:54 -0500
On Fri, 29 Jan 2010 11:47:40 -0800 (PST), Mike wrote:
On Jan 29, 4:53 pm, "nemo_outis" <a...@xxxxxxx> wrote:
Mike <mikere...@xxxxxxxxxxxxxx> wrote in news:1f477947-61f7-4c70-b6d5-661a8d32a063@xxxxxxxxxxxxxxxxxxxxxxxxxxx:
...
LOL. Talk about overstating the case. Unless you have a particularly
high opinion of yourself and think that I'm leaning too hard? This
estate has been active for 20 years or so and has grown to a
particular size due to integration following takeovers, migration of
O/Ss etc. I'm not trying to cobble anything together I'm looking for a
remote distribution of some disk encryption software which will link
the hard disk to the device WITHOUT any extra hardware. Yes, risk and
threat analyses have been made and the single risk/hole call it what
you will is the disk itself. Not that it has any sensitive data, not
that it will allow access to anything compromising but merely for the
reputational risk should the disk end up on ebay and it has BANK OF
XXXXX all over it. My approach is certainly fit for purpose it's just
that I intend on purchasing a Mini to get me from a to b rather than a
Bugatti Veyron.
God I love Usenet.
A bit difficult to reconcile with your previous statement: "Mmm don't really want
to go the extra hardware route as there a 9000 of these beasts and that will
require actual man in a van visit (aside from the cost)"
9000 of them, eh? and like Topsy, they just growed, eh? Well, OK
Risk and threat analyses have been made, you say? And yet it is only now, 20
years on, that the risk of a HD going astray or malfeasance by maintenance men is
noticed and ways to address the matter are being considered. Hardly an exotic
risk and yet somehow it has been overlooked/ignored until now. Let's just say I'm
not overwhelmed by either the timeliness or thoroughness of that risk and security
analysis. But better late than never, I guess (So much for timeliness - as for
thoroughness?)
And now all you say you need is disk encryption. The matter of possible
malfeasance by maintenance men has largely disappeared. You only need to protect
data at rest and not data in use? Well, good, because the maintenance man problem
is non-trivial and there are no quick fixes.
Your explanations have now cleared things up. Your goals are very modest and
limited and can be reduced to one core objective: don't let HDs (or, more
specifically, the data on them) go astray.
So here're my revised quick fixes to your problem:
1) Since malfeasance by maintenance men has now been discarded as an issue, put
out a memo to all your maintenance men establishing the policy that any "loose"
HDs are to be returned to headquarters and not disposed of otherwise. While
you're at it, establish protocols and procedure for HD disposal at headquarters
(not as simple as it seems if we're talking many disks over a long period of
time).
or, if you can "push" software installations to each site:
2) Install any modern full-HD encryption system. Truecrypt is one of the better
ones and it's free, so, sure, use it.
(And note that it won't be a trivial matter to manage the logistics of that
"push" to ensure nothing is missed, no old hardware hangs, and no equipment does
"strange" things. Or to establish a backup procedure for data recovery, etc. But
then again there's no need for me to go into all this - after all, you've already
done a risk and threat analysis, right?)
And that's it. A cheap, easy and quick fix. Just don't kid yourself that you've
"solved" the problem of data security.
However, if you wish to do more than put a band-aid on the problem, let me suggest
that a budget of $10-100 per machine for retrofitting real security would hardly
be extravagant or lavish - it would, in fact, be a "bargain basement" approach.
IOW, a real security review and refurbishment applied to a 9000-unit hodge-podge
system developed incrementally over 20 years could well cost hundreds of thousands
of dollars. And I suggest that a goodly chunk of that cost be expended on a
qualified security consultant. While you're at it, some input from a specialist
in business processes and procedures would also not be amiss.
Regards,
PS Implementing security on a dispersed 9000-unit system is very different from
encrypting one or two drives on a home system. The scale introduces a
*qualitative,* not just a quantitative, change in the nature of the problem.
Hell, it takes a lot of coordination and effort to push out a lousy Windows patch
to thousands of machines at a single company site - companies must put
considerable effort into making sure there are no foul-ups or gaps. And your
problem, even in its most reduced form as you've now restated it, is considerably
more difficult. I suggest you ponder this well before you rely on your cheap and
easy encryption quickfix.
Thanks for your suggestions.
No thanks for your boorish attitude and presumption that I'm a
complete arse.
Mike, nemo is a very bright guy but any argument you will have with him
will, ultimately, without any chance of deviance, end up with him going
ballistic, his becoming personal and insulting. Expect the "troll"
moniker to come out before the month is over.
As he has aged, he has more and more trouble keeping up with thread
flow.
If you need to swat him, do as I do. Drop hints about his wife, Nepal,
macaroni and sit tight while he goes into orbit.
It's fun to watch but anyway, carry on...
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!