Re: [Fed-Talk] Army to Encrypt Computers
- Subject: Re: [Fed-Talk] Army to Encrypt Computers
- From: Amanda Walker <email@hidden>
- Date: Mon, 28 Aug 2006 12:40:04 -0400
On Aug 28, 2006, at 9:40 AM, Timothy J. Miller wrote:
> Amanda Walker wrote:
>> If a machine is lost or stolen, we'd really like it to be *only*
>> an inventory problem, not an information or operational security
>> problem.
>
> You'll have to take all the inventory stickers off, then. Now it
> really is an inventory problem. :)
Heh. What I was getting at was that there is nothing visible to a
thief or adversary from which they could deduce the ownership or
purpose of the machine. Just a barcode label with a number, no
organization name. Ideally, the disk itself, in the hands of a thief
or adversary, would be just the hardware, with no usable information
stored on it. Not just no PowerPoint files, but no VPN or LAN
settings, no indication of what authentication mechanisms we use, no
system logs showing server mounts/unmounts, etc.
That's ideally. Right now, we put up with FileVault because it
solves the biggest problem, but there are risks that whole disk
encryption would mitigate (as it does on PCs, despite my distaste for
Windows).
> Can you say for certain that the incidence of theft is greater than
> the incidence of failure?
We've had laptops stolen. We have not, to my knowledge, had whole
disk encryption fail in a way that caused data to be lost (though
drives fail from mechanical failure left and right). The cost is
different: drive failure does not result in accidental disclosure.
We'd like the cost of theft or unauthorized physical access to be
similar to that of drive failure.
Though to be fair, I suspect that human error is our largest cause of
accidental disclosure. No infosec feature or product can solve the
"I forgot to sanitize my PowerPoint presentation before putting it on
the web" problem...
>> Unfortunately, for the private sector there seems to be no third
>> party smart card or token system available that provides similar
>> capabilities to a CAC. CRYPTOCard comes closest, but doesn't live
>> up to all of its marketing claims.
>
> A CAC is really just a JCOP card with special applets. You can
> buy these anywhere, and ActivIdentity would be more than happy to
> supply their applet, which is all you need.
Thanks for the pointer; I'll take a look.
Amanda Walker