1 / 17

Encryption is Evolving

To combat the reality, computer manufacturers are building self-encrypted drives into their devices, providing a standardized, hardware-based method of encryption (based on OPAL specifications) that ships with the computer. Encryption is Evolving.

dessa
Download Presentation

Encryption is Evolving

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. To combat the reality, computer manufacturers are building self-encrypted drives into their devices, providing a standardized, hardware-based method of encryption (based on OPAL specifications) that ships with the computer. Encryption is Evolving Traditional encryption solutions provide inconsistent results and consume significant resources: • End user represents a point of failure, documents are stored improperly, passwords are not safeguarded • Software solutions are expensive and impact the performance of the machine • Dedicated IT resources are required to manage multiple encryption methods and passwords

  2. Encryption is Evolving – Projected Timeline The Coughlin Associates, Inc, Self-Encrypting Drive Market & Technology Report (August 2011) predicts the following growth: : • 2013: SED capability will be included in over 80% of solid-state drives1 (SSDs) on the market • 2014: SED capability will be included in almost 100% of SSDs on the market • 2016: Security adoption for SED SSDs is estimated to reach between 122M – 411M 1 A solid-state drive, also referred to as a solid-state disk or electronic disk, is an emerging data storage device. It uses solid-state memory to store persistent data with the intention of providing access similarly to that of a traditional block input/output hard disk drive.

  3. Encryption is Evolving Encryption is Evolving Encryption will be built into computers …but what about the technology to manage it?

  4. Absolute Secure Drive Absolute® Secure Drive for the management of self-encrypting drives (SEDs) that meet OPAL specifications. • Hardware disc encryption: passwords are eliminated, data is securely protected • Secure file/folder encryption engine: complements OPAL SEDs • Authentication mechanisms: multi-factor authentication methods to unlock OPAL SEDs • Single management console: IT resources and skill sets can be consolidated for efficient administration of the entire encryption process • BitLocker Integration: manage software encryption on BitLocker enabled built-in drives and BitLocker-To-Go enabled removable media via the Absolute Secure Drive console

  5. Absolute Secure Drive – OPAL SED Management Absolute Secure Drive supports the new OPAL SEDs, placing control of this encryption technology in the hands of the organization, versus the end user: Client Edition: Configure and set up OPAL SEDs Manage SED users, policies, system maintenance, and end-of-life Enterprise Edition:

  6. Organizations must control and own each SED to ensure corporate regulations and security policies are properly supported and in place. Set up and configure OPAL SEDs using strong authentication Configure SED security features accessible by multiple users and/or groups of users (per OPAL specifications) Support for S3 (sleep) mode resume without blue screening/crashing Recover credentials in case of system crashes or if the authentication device malfunctions Create a recovery boot disk on a USB key for each OPAL drive Support of multiple authentication devices and mechanisms to unlock the hard disk at pre-boot with SSO options User enabled disk drive and data erase for drive de-commissioning or at PC end-of-life Absolute Secure Drive – OPAL SED Management Configuration & Management

  7. Manage and control authorized users and authentication methods: Unlock OPAL SEDs with the pre-boot authentication (PBA) module that runs from the secure Master Boot Record shadow area Single sign-on is supported to eliminate the need to re-authenticate at GINA / CredProv login Strong authentication mechanisms are supported such as Windows passwords and fingerprint authentication devices Flexible and scalable with a Linux-based PBA; other solutions are not open source and are limited to text-based log-in only with limited customization Control access to devices such as USB, DVD, Serial/Parallel ports, Bluetooth, Modem, PCMCIA/Expresscard, Firewire (IEEE 1394) Controlled via MMC console Absolute Secure Drive – OPAL SED Management Authentication & Access

  8. Absolute Computrace Integration Absolute Secure Drive integrates with Absolute Computrace to provide organizations with endpoint security reporting and alerting capabilities, including encryption status and failed login attempts, for devices on or off the company network. Absolute Secure Drive leverages Computrace BIOS persistence by allowing the Computrace Agent to self-heal onto the encrypted hard drive in the event that the asset is lost, stolen or if Windows is reloaded.

  9. Absolute Secure Drive & Microsoft BitLocker What is BitLocker? • Microsoft’s encryption solution • Bitlocker is a client based solution • Only available on Windows Vista Ultimate or Enterprise , Windows 7 Ultimate or Enterprise, Windows 8 Professional and Enterprise, and Windows 2008 • More terminology • Bitlocker Encryption = encryption of the partition with Windows (OS Volume) • Bitlocker “To-Go” = encryption of other fixed and removable partitions • Remote administration performed via 3rd party software applications

  10. Absolute Secure Drive & Microsoft BitLocker Absolute Secure Drive Management of BitLocker(OS Volume) and BitLocker To Go (Fixed Data Volumes) • MMC based administration of Bitlocker encryption per machine • Allows users to select protection method for Bitlocker • Available options are displayed based on TPM presence and override Group Policy • Encrypt, Decrypt or Suspend Encryption on the client endpoint via MMC • Encryption Status is displayed on the MMC console • Display of recovery password and creation of recovery token supported via MMC

  11. Absolute Secure Drive & Microsoft BitLocker Secure Drive Management of Bitlocker “To-Go” (Removable Data Volumes) • MMC based administration of Bitlocker encryption per user • Allows IT to set policies for Bitlocker “To-Go” Removable Data Volumes as opposed to administration of specific devices. • Can not administer specific devices as users will be using many removable devices • Forces Bitlocker “To-Go” encryption on a removable device when it is inserted into the endpoint

  12. Absolute Secure Drive – Client Block Diagram Absolute Secure Drive – Client Block Diagram GINA/CRED PROV (FOR SSO) CONTROL PANEL /UI ENROLLMENT FILE/FOLDER ENCRYPTION ENGINE WINDOWS USER ENVIRONMENT UI COMPONENTS CORE AUTHENTICATION INTERFACE SED CONFIGURATION SERVICE PRE-BOOT ENVIRONMENT LINUX PBA WINDOWS CORE COMPONENTS LDAP/AD CONNECTOR (POLICY MGMTAND API) SMART CARDS OPAL HDD FINGERPRINT AUTH HW SED HW SEAGATE DRIVETRUST TPM TOKENS

  13. Absolute Secure Drive – Server Block Diagram Absolute Secure Drive – Server Block Diagram ABSOLUTE SECURE DRIVE MANAGEMENT CONSOLE CENTRALIZED MANAGEMENT MICROSOFT MANAGEMENT CONSOLE (Snap-In) CORE AUTHENTICATION INTERFACE SED CONFIGURATION SERVICE WINDOWS CORE COMPONENTS LDAP / AD CONNECTOR (POLICY MGMTAND API) SERVER HW ACTIVE DIRECTORY / NOVELL SERVER

  14. Enterprise Management Console • Management console configures, manages, and deploys OPAL drive and encryption security features on end user machines (administration can be tied to Windows or Novell user accounts & machines) • Setup and configuration of authentication mechanisms / policies • Remote encryption key erase for cryptographic data wipe drive de-commissioning or at PC end of life • Prevent the use of removable media devices such as USB drives • Deploy BitLocker encryption on endpoints • Force removable media encryption using BitLockerTo Go IT administrators can manage all SEDs from within a single console.

  15. Appendix 1 – OPAL Specifications Appendix 1 – OPAL Specifications • OPAL Specifications by the Trusted Computing Group • OPAL specifications from the Trusted Computing Group are a set of storage workgroup specifications that enable stronger data protection, safeguard important information from loss and theft, and help organizations to comply with increasingly tough regulations. • OPAL specifications outline minimum requirements for storage devices used in the PC client and enterprise markets including specifications on how to activate and customize the trusted storage device. • OPAL storage device specifications provide vendors with a blueprint for developing self-encrypting storage devices (SEDs) that lock data and can be immediately and completely erased. • Vendors are already shipping products based on OPAL specifications. • These specifications are available at: http://trustedcomputinggroup.org/developers/data_protection

  16. Appendix 2 – Windows Environment • Windows user level components provide high level OP functionality: • GINA / Credential Provider chaining: SSO to desktops and synchronization of user credentials with the Linux pre-boot environment • Control Panel / UI enrollment: UI to enable the SED, enroll users and manage policies / settings • File/Folder Encryption Engine: Explorer extension provides file and folder encryption with strong authentication to access data in motion • Windows Core Components provide an interface between the user level components, OPAL and authentication hardware, the pre-boot environment, and the LDAP based server (AD, Novell, ADAM): • Core Authentication APIs: Policy management support and interface to hardware for authentication as well as communication between the pre-boot and Windows environments • LDAP/AD Connector: Infrastructure to communicate with LDAP server for user information and policy storage (may be customized and replaced to support other databases) • SED Configuration Service: Interface to different SED technologies (currently supports OPAL; Seagate DriveTrust support available in February 2011)

  17. Appendix 3 – Linux Environment • Linux based pre-boot environment • 8-10MB in space, loads in under 5 seconds (current ~3 seconds) • Graphical UI for customizable background screens • Supports Windows / Novell password and UPEK fingerprint scanner authentication methods • Interfaces with SED to unlock drive • Communicates with Windows Core Components to perform SSO to the desktop. • Can be configured to enable other services (network support) and 3rd party applications (Computrace products, Absolute Manage, etc.)

More Related