ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Local Encryption ... Why Not?

    IT Discussion
    15
    357
    173.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      scottalanmiller @BRRABill
      last edited by

      @BRRABill said:

      @scottalanmiller said:

      You can show a process and that it would be a bit of a pain. But if I get one of your laptops, take it to Staples and ask them to upgrade the drive for me... would I not get a laptop, with zero technical knowledge, encryption removed, fully migrated?

      No, the drive is not readable without the password. In fact, you can't even reformat the thing. It's useless.

      If I pull the drive, the only way to access it in another machine is to install the ESC software, and unlock it with the username and password.

      But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?

      B 1 Reply Last reply Reply Quote 0
      • S
        scottalanmiller @BRRABill
        last edited by

        @BRRABill said:

        @scottalanmiller said:

        (Apple pegs such cracking attempts at 5 1/2 years for a random 6-character password consisting of lowercase letters and numbers. PINs will obviously take much less time, sometimes as little as half an hour. Choose a good passphrase!)

        That's assuming you don't have your device set up to wipe after 10 attempts.

        The article was demonstrating (I think?) that you cannot do anything to the drive if you pull it from the iPad or iPhone. Isn't that was we were wondering about?

        That was, I thought, the time to decrypt after you pulled it from the device. That's your "uncrackable" time.

        B 1 Reply Last reply Reply Quote 0
        • B
          BRRABill @scottalanmiller
          last edited by

          @scottalanmiller said:

          But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?

          The server is protected by a strong password. How are you going to get access to it?

          S 1 Reply Last reply Reply Quote 0
          • S
            scottalanmiller @BRRABill
            last edited by

            @BRRABill said:

            @scottalanmiller said:

            But I don't need to do that, right? Just back it up from inside the running OS unencrypted and the encryption isn't on at the time of the data being pulled. right?

            The server is protected by a strong password. How are you going to get access to it?

            We are talking about end user devices, right? Or servers too?

            If we are talking about a server and assuming that it cannot be accessed, what is the purpose of the encryption?

            B 1 Reply Last reply Reply Quote 0
            • B
              BRRABill @scottalanmiller
              last edited by

              @scottalanmiller said:

              That was, I thought, the time to decrypt after you pulled it from the device. That's your "uncrackable" time.

              I read that as you could not do any encryption without the device itself.

              From Apple:
              "The UID allows data to be cryptographically tied to a particular device. For example,
              the key hierarchy protecting the file system includes the UID, so if the memory chips
              are physically moved from one device to another, the files are inaccessible. The UID is
              not related to any other identifier on the device."

              1 Reply Last reply Reply Quote 0
              • B
                BRRABill @scottalanmiller
                last edited by

                @scottalanmiller said:

                We are talking about end user devices, right? Or servers too?

                If we are talking about a server and assuming that it cannot be accessed, what is the purpose of the encryption?

                Well, we could be talking about either.

                End users devices I say should always be encrypted.

                Devices we can lock down, I can see your argument a little bit more. In that it was behind three locked door with a security system.

                But there are still ways around it. For example, our landlord has keys to every door in my office. THey might let a cledaning crew it, etc. etc., etc..

                B 1 Reply Last reply Reply Quote 0
                • B
                  BRRABill @BRRABill
                  last edited by

                  @BRRABill said:

                  Well, we could be talking about either.

                  Though like I think I said I agree 100% they are definitely different use cases here.

                  1 Reply Last reply Reply Quote 0
                  • B
                    BRRABill
                    last edited by

                    I read through that Apple security document. Man, is there a lot of stuff in there that they do. No wonder it costs so much!

                    S 1 Reply Last reply Reply Quote 1
                    • D
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      @BRRABill said:

                      @scottalanmiller said:

                      Judge: "If the system was secure, why was it encrypted?"
                      You: "Just in case our users started storing data locally."
                      Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
                      You: "Ummm... but I didn't tell them to put it there."

                      Judge: Were you aware that sensitive data was on the machine?
                      Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
                      Judge: Oh, that's right. Thank you and have a nice day!

                      That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?

                      Pretty sure the OCR has stated that it is not considered a breach when encrypted drives are lost.

                      B S 2 Replies Last reply Reply Quote 0
                      • B
                        BRRABill @Dashrender
                        last edited by BRRABill

                        @Dashrender said:

                        Pretty sure the OCR has stated that it is not considered a breach when encrypted drives are lost.

                        That is what our HIPAA specialists have told us.

                        A golden ticket, as you (or someone) said.

                        For $39 (or probably MUCH less in bulk) it's a "why wouldn't we" type of decision.

                        But ML doesn't feel that way. Hence the purpose of this thread!

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          scottalanmiller @BRRABill
                          last edited by

                          @BRRABill said:

                          I read through that Apple security document. Man, is there a lot of stuff in there that they do. No wonder it costs so much!

                          I have connections to the head of security at Apple too 😉 We've had drinks together but don't regularly hang out. A friend of a friend. Apple does some things great, some things okay and some things poorly. Device security is something that they rock on. Interfaces is where I find them to be poor.

                          B 1 Reply Last reply Reply Quote 1
                          • S
                            scottalanmiller @Dashrender
                            last edited by

                            @Dashrender said:

                            @scottalanmiller said:

                            @BRRABill said:

                            @scottalanmiller said:

                            Judge: "If the system was secure, why was it encrypted?"
                            You: "Just in case our users started storing data locally."
                            Judge: "And you don't feel that encrypting the drive suggests that you support that action and enable it by making it seem like you intend for them to put PHI there?"
                            You: "Ummm... but I didn't tell them to put it there."

                            Judge: Were you aware that sensitive data was on the machine?
                            Me: Yes, that is why we installed a self-encrypting drive. As you know, sir, drives with this technology that are lost are not considered breaches.
                            Judge: Oh, that's right. Thank you and have a nice day!

                            That's fine except for one thing - since when is lost data not considered a breach when encrypted? That's news to me and I'm sure would be big news to most of the American public. Why is encryption considered an exception to security and privacy norms?

                            Pretty sure the OCR has stated that it is not considered a breach when encrypted drives are lost.

                            If it data is exposed and compromised? How would they explain that one? "Well there has been a breach, but we don't consider it a breach so screw you people who had your data stolen."

                            B 1 Reply Last reply Reply Quote 0
                            • B
                              BRRABill @scottalanmiller
                              last edited by

                              @scottalanmiller said:

                              I have connections to the head of security at Apple too 😉 We've had drinks together but don't regularly hang out. A friend of a friend. Apple does some things great, some things okay and some things poorly. Device security is something that they rock on. Interfaces is where I find them to be poor.

                              I think you would have to admit though, that there are MANY safeguards built into the device to protect the local data.

                              S 1 Reply Last reply Reply Quote 0
                              • S
                                scottalanmiller @BRRABill
                                last edited by

                                @BRRABill said:

                                @Dashrender said:

                                Pretty sure the OCR has stated that it is not considered a breach when encrypted drives are lost.

                                That is what our HIPAA specialists have told us.

                                A golden ticket, as you (or someone) said.

                                For $39 (or probably MUCH less in bulk) it's a "why wouldn't we" type of decision.

                                But ML doesn't feel that way. Hence the purpose of this thread!

                                $39 for one type of golden ticket. Not putting data there is a free one as well.

                                Judge: "How much data was on there."
                                You: "None"
                                Judge: "So why are we here?"

                                B 1 Reply Last reply Reply Quote 0
                                • D
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said:

                                  @BRRABill said:

                                  I did a few quick Google searches, and it appears you cannot use the password to decrypt it if the drive is not in the device. It has to be in the device.

                                  I wonder how that works. What aspect of the device makes it work that way. Complex encrypted salt on another chip?

                                  TPM

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    scottalanmiller @BRRABill
                                    last edited by

                                    @BRRABill said:

                                    @scottalanmiller said:

                                    I have connections to the head of security at Apple too 😉 We've had drinks together but don't regularly hang out. A friend of a friend. Apple does some things great, some things okay and some things poorly. Device security is something that they rock on. Interfaces is where I find them to be poor.

                                    I think you would have to admit though, that there are MANY safeguards built into the device to protect the local data.

                                    Oh yes! but none as effective as not putting the data at risk at all.

                                    1 Reply Last reply Reply Quote 0
                                    • B
                                      BRRABill @scottalanmiller
                                      last edited by

                                      @scottalanmiller

                                      I edited this. 🙂

                                      Judge: "How much data was on there."
                                      IT Person: "None"
                                      Judge: "Are you sure? How can you prove that?"
                                      IT Person: "Uhhhhhhh"

                                      D 1 Reply Last reply Reply Quote 1
                                      • B
                                        BRRABill @scottalanmiller
                                        last edited by

                                        @scottalanmiller said:

                                        If it data is exposed and compromised? How would they explain that one? "Well there has been a breach, but we don't consider it a breach so screw you people who had your data stolen."

                                        The data is inaccessible.

                                        Unless you portend to be able to crack 256-bit encryption.

                                        S 1 Reply Last reply Reply Quote 0
                                        • D
                                          Dashrender @BRRABill
                                          last edited by

                                          @BRRABill said:

                                          @scottalanmiller

                                          I edited this. 🙂

                                          Judge: "How much data was on there."
                                          IT Person: "None"
                                          Judge: "Are you sure? How can you prove that?"
                                          IT Person: "Uhhhhhhh"

                                          There are a few things to consider - you'd only be there if you self reported or there was a release of data that was linked back to your company about a breach larger than 500 individuals. So if you didn't already think there was data on there, why are you in front of the judge?

                                          B S 2 Replies Last reply Reply Quote 0
                                          • B
                                            BRRABill @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            There are a few things to consider - you'd only be there if you self reported or there was a release of data that was linked back to your company about a breach larger than 500 individuals. So if you didn't already think there was data on there, why are you in front of the judge?

                                            Surely you aren't implying you wouldn't report a breach!

                                            Of course you wouldn't need to with a SED. 😉

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 13
                                            • 14
                                            • 15
                                            • 16
                                            • 17
                                            • 18
                                            • 15 / 18
                                            • First post
                                              Last post