Perimeter

8/23/2007
08:07 AM
Crypto Makes the Grade at Baylor

University taps PGP to protect faculty, staff laptops - and to comply with state laws in the event of data loss

Annual license cost for full-disk encryption? Less than $30 a head. Keeping regulators and auditors at bay? Priceless.

That, in a nutshell, was the business justification Jon Allen used to gain approval for his plan to implement encryption at Baylor University.

As information security officer for the 162-year-old school in Waco, Texas, Allen had started to become nervous about new compliance laws. Like many other states, the Lone Star State had adopted data-handling laws that require organizations to notify those affected when personally identifiable information has potentially been lost.

But that state law lets organizations off the hook if their data is encrypted. "Encryption supersedes notification -- that was a pretty big motivator for us," Allen told Dark Reading.

One option that was briefly considered was a hardware recovery system, like LoJack for laptops. Allen rejected it. "We realized that if we lose the laptop, we still have the notification requirement. If it was out of our control, we'd have no way to know if data was copied or accessed. So that still left us with the notification requirement."

Laptop loss or theft is big news, as public and private institutions report embarrassing losses due to employee carelessness or a thief's malice. (See Assume Your Laptop Will Be Stolen, Merrill Lynch ID Theft May Affect 33,000, and VeriSign Worker Fired After Laptop, Employee Info Are Stolen.)

In the fall of 2005, Allen came up with a shortlist of vendors that included PGP Corp., Pointsec Mobile Technologies (since acquired by Check Point Software), and a third company he wouldn't name. Pointsec was "not as clean" where passphrase recovery was concerned; PGP stood out for its overall robustness, and the fact that it didn't consume much CPU on users' machines. "We see about a 2 to 3 percent CPU hit," Allen said, a far cry from the days of Pentium III and sub-1 GHz chips that made any kind of encryption unattractive.

In October 2005, Baylor bought a 500-user license for PGP's Whole Disk Encryption product, as well as the vendor's Universal Server platform for managing its encrypted applications. Allen declined to specify what the university paid; list pricing for a 1,000-seat PGP Whole Disk Encryption with PGP Universal Management Server annual subscription runs $28,600, according to the vendor.

Baylor's original plan was to deploy encryption on faculty and staff laptops, where there was "a strong belief" that the user had personally identifiable information.

"That became a cumbersome task, to say the least," Allen said. "What we found out was that people we didn’t think had any personal information had a grade roll or a personnel review. So now we'll put [encryption] on all laptops within our organization."

Already, Baylor has equipped 260 laptops with full-disk encryption; Allen estimates about 800 laptops will have it by the time the university is done. "We've done some desktops too -- like in the cashier's office and places that dealt with highly sensitive information," he added.

Installation is pretty basic, and the PGP encryption operates in a way that's completely transparent to the user. "When PGP's installed, it encrypts the hard drive and installs a boot loader in front of the OS," Allen said. Encryption takes place at the driver level, with upgrades pushed from the server.

At startup, users must enter a passphrase to access the laptop's contents; they get prompted again if the computer goes into "hibernate" mode, a feature for Windows that Baylor helped develop. Allen has become a big believer in passphrases over passwords, which often end up as strings of letters, symbols and numbers that spell out gobbledygook. "Users remember passphrases better than a word, or a word with symbols and caps and lowercase letters," he said. The university is also exploring other applications where it can use phrases instead of words -- Active Directory access is a likely place for that, Allen explained.
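A worked comparison of the passphrase-versus-password point above, added here as an example rather than code from the article, Baylor or PGP: it estimates the entropy of randomly chosen passphrases and passwords, assuming a 7,776-word list and the 94 printable ASCII characters (both assumptions, not figures from the article).

```python
import math

# Assumed parameters (not from the article): a Diceware-style list of
# 7,776 words and the 94 printable ASCII characters excluding space.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 94


def passphrase_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits of a passphrase whose words are each drawn uniformly
    at random from a wordlist. User-picked phrases carry less entropy than
    this, so treat the figure as an upper bound for those."""
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word from a list of two or more")
    return num_words * math.log2(wordlist_size)


def password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a password whose characters are each drawn
    uniformly at random from an alphabet of alphabet_size symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one character from a two-symbol alphabet")
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size=WORDLIST_SIZE):
    """Smallest number of random words that reaches target_bits of entropy,
    e.g. to match a given random-character password."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def stronger(num_words, pw_length):
    """Compare a random passphrase against a random printable-ASCII password
    and say which has more entropy ('equal' when within one bit)."""
    diff = passphrase_bits(num_words) - password_bits(pw_length)
    if abs(diff) < 1.0:
        return "equal"
    return "passphrase" if diff > 0 else "password"


if __name__ == "__main__":
    # Four random words roughly match an 8-character random password with
    # symbols and mixed case; a fifth word pulls well ahead of it.
    print(f"4 words:  {passphrase_bits(4):.1f} bits")
    print(f"8 chars:  {password_bits(8):.1f} bits")
    print(f"words to match 8 random chars: {words_needed(password_bits(8))}")
    print(f"5 words vs 8 chars: {stronger(5, 8)}")
```

The memorability Allen describes comes at no cost in strength only when the words are chosen at random; a passphrase assembled from a favourite quotation should not be credited with these bit counts.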

At startup, each laptop also syncs with the server and gets a one-time token that's stored on the server. Once used up, the laptop re-syncs and creates a new token; Allen reports each session is fully audited in the background, recording who accessed what data and when.

One small caveat where encryption is concerned: Data backups become much more important once encryption gets activated, according to Allen. "It used to be that you could ghost some sectors if you dropped them, but now you need full backup as part of your plan," he said, so that users don't lose data and have the latest versions of their files.

— Terry Sweeney, Special to Dark Reading

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...
