Software HDD Encryption: Poll
-
@g.jacobse said:
@MattSpeller said:
Are you looking to have a PW on boot?
Yes - Required password on boot. We must adhere to FIPS 140-2 for HIPAA and other compliance items.
HIPAA does not require that.
Are you sure that FIPS requires that? How is it stated?
-
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is unreadable when you remove it from the laptop.
-
@MattSpeller said:
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is unreadable when you remove it from the laptop.
Not really. You only need a post-OS encryption of the data. The OS is like the BIOS here. Just more robust. No need to encrypt that.
-
@MattSpeller said:
You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is unreadable when you remove it from the laptop.
Other ways to do that.
-
@Dashrender said:
What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?
This is a misconception of value. Likewise to someone "trying to log in", if the entire drive is encrypted what is to prevent someone from "just trying to unencrypt the drive?" All you are doing is exchanging the word used, not the action. You've prevented nothing in this case.
-
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
-
@MattSpeller said:
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
Gotcha, so we are of one accord then. It's not for protection from a running system, it's for protection against physical separation from the chassis.
-
I guess then the question would be.... is there a certification requirement that states what to do or just one that states an end goal.
And what is the end goal?
-
Great question/request, @Reid-Cooper.
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
So if FDE does not provide any protections against a whole laptop that is stolen, I'd argue that FDE on a laptop is near useless.
FDE on a memory stick or server drives or copier drives, etc on the other hand are very useful because the chances are you don't have the entire chassis that first encrypted it.
-
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a Linux live CD to troll the files - denied.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a Linux live CD to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords?
-
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
-
@Dashrender Yup, plus you disable displaying the last logged in user name. Now the attacker is extra boned.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a Linux live CD to troll the files - denied.
FDE isn't needed for that, though. Just encrypt the data.
-
@scottalanmiller said:
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
Unless the law was updated, I don't think even that is required, but considered actionable.
How is data on a laptop that is turned off not considered 'at rest'?
-
@Dashrender said:
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a Linux live CD to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords?
Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.
-
@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.
-
@MattSpeller said:
@scottalanmiller You mean with a local file encryption software thing? I wouldn't trust a user to do that correctly.
Would you rather trust them with FDE where the password is normally shared!??!
-
Here is a bigger question.... why is HIPAA data being allowed onto laptops at all?
-
(3) "Encryption" means the conversion of data using technology that:
(a) Meets or exceeds the level adopted by the National Institute of Standards and Technology as part of the **Federal Information Processing Standards**: and
(b) Renders the data indecipherable without the associated cryptographic key to decipher the data;
(2) (a) For agreements executed or amended on or after January 1, 2015, any agency that contracts with a nonaffiliated third party and that discloses personal information to the nonaffiliated third party shall require as part of that agreement that the nonaffiliated third party implement, maintain, and update security and breach investigation procedures that are appropriate to the nature of the information disclosed, that are at least as stringent as the security and breach investigation procedures and practices referenced in subsection (1)(b) of this section, and that are reasonably designed to protect the personal information from unauthorized access, use, modification, disclosure, manipulation, or destruction.
(9) "Security breach" means:
(a) 1. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of unencrypted or unredacted records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals; or
2. The unauthorized acquisition, distribution, disclosure, destruction, manipulation, or release of encrypted records or data containing personal information along with the confidential process or key to unencrypt the records or data that compromises or the agency or nonaffiliated third party reasonably believes may compromise the security, confidentiality, or integrity of personal information and result in the likelihood of harm to one (1) or more individuals.
(b) "Security breach" does not include the good-faith acquisition of personal information by an employee, agent, or nonaffiliated third party of the agency for the purposes of the agency if the personal information is used for a purpose related to the agency and is not subject to unauthorized disclosure.
We are also governed by Department of Local Governments -