Crypto Makes the Grade at Baylor

University taps PGP to protect faculty, staff laptops - and to comply with state laws in the event of data loss

Annual license cost for full-disk encryption? Less than $30 a head. Keeping regulators and auditors at bay? Priceless.

That, in a nutshell, was the business justification Jon Allen used to gain approval for his plan to implement encryption at Baylor University.

As information security officer for the 162-year-old school in Waco, Texas, Allen had started to become nervous about new compliance laws. Like many other states, the Lone Star State had adopted data handling laws that require organizations to notify those affected when personally identifiable information has potentially been lost.

But that state law lets organizations off the hook if their data is encrypted. "Encryption supersedes notification -- that was a pretty big motivator for us," Allen told Dark Reading.

One option that was briefly considered was a hardware recovery system, like LoJack for laptops. Allen rejected it. "We realized that if we lose the laptop, we still have the notification requirement. If it was out of our control, we'd have no way to know if data was copied or accessed. So that still left us with the notification requirement."

Laptop loss or theft is big news, as public and private institutions report embarrassing losses due to employee carelessness or a thief's malice. (See Assume Your Laptop Will Be Stolen, Merrill Lynch ID Theft May Affect 33,000, and VeriSign Worker Fired After Laptop, Employee Info Are Stolen.)

In the fall of 2005, Allen came up with a shortlist of vendors that included PGP Corp., Pointsec Mobile Technologies (since acquired by Check Point Software), and a third company he wouldn't name. Pointsec was "not as clean" where passphrase recovery was concerned; PGP stood out for its overall robustness, and the fact that it didn't suck up lots of CPU cycles on users' machines. "We see about a 2 to 3 percent CPU hit," Allen said, a far cry from the days of Pentium III and sub-1 GHz chips that made any kind of encryption unattractive.

In October 2005, Baylor bought a 500-user license for PGP's Whole Disk Encryption product, as well as the vendor's Universal Server platform for managing its encrypted applications. Allen declined to specify what the university paid; list pricing for a 1,000-seat PGP Whole Disk Encryption with PGP Universal Management Server annual subscription runs $28,600, according to the vendor.

Baylor's original plan was to deploy encryption on faculty and staff laptops, where there was "a strong belief" that the user had personally identifiable information.

"That became a cumbersome task, to say the least," Allen said. "What we found out was that people we didn’t think had any personal information had a grade roll or a personnel review. So now we'll put [encryption] on all laptops within our organization."

Already, Baylor's equipped 260 laptops with full-disk encryption; Allen estimates about 800 laptops will have it by the time the university is done. "We've done some desktops too -- like in the cashier's office and places that dealt with highly sensitive information," he added.

Installation is pretty basic, and the PGP encryption operates in a way that's completely transparent to the user. "When PGP's installed, it encrypts the hard drive and installs a boot loader in front of the OS," Allen said. Encryption takes place at the driver level, with upgrades pushed from the server.

At startup, users must enter a passphrase to access the laptop's contents; they get prompted again if the computer goes into "hibernate" mode, a feature for Windows that Baylor helped develop. Allen has become a big believer in passphrases over passwords, which can contain figures and numbers that spell out gobbledygook. "Users remember passphrases better than a word, or a word with symbols and caps and lowercase letters," he said. The university is also exploring other applications where it can use phrases instead of words -- Active Directory access is a likely place for that, Allen explained.

At startup, each laptop also synchs with the server and gets a one-time token that's stored on the server. Once used up, the laptop re-synchs and creates a new token; Allen reports each session is fully audited in the background, noting who accessed what data and when.

One small caveat where encryption is concerned: Data backups become much more important once encryption gets activated, according to Allen. "It used to be that you could ghost some sectors if you dropped them, but now you need full backup as part of your plan, so that users don't lose data and have the latest versions of their files," he said.

— Terry Sweeney, Special to Dark Reading
