ITS Systems will perform regular monthly maintenance on the MySQL CAT1 and non-CAT1 environments on Wednesday, June 18, 2014 from 6:30 AM to 8:30 AM. The University Wikis Service is dependent on the MySQL CAT1 database and may be unavailable for up to 15 minutes during this 2 hour time frame.
Skip to end of metadata
Go to start of metadata

The Information Secure Office (ISO) has approved several methods of complying with policy for encrypting sensitive data on removable media.  The preferred method of accomplishing this is using WinMagic SecureDoc, the enterprise whole disk encryption product available through ITS.

Note that SecureDoc can be used to encrypt removable media (e.g. USB flash drives, DVDs, etc.) without requiring encryption of internal storage in cases where whole-disk encryption is not desired.

The ISO strongly believes that the following features are important in an encryption product:

  1. Industry-standard, well-tested encryption algorithms.
  2. Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
  3. Support for multiple platforms, especially Windows and Mac (both of which currently make up the majority of portable devices on campus).
  4. The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.

SecureDoc best satisfies all of these requirements.  There may, however, be cases where it is not possible to use SecureDoc.  In such instances, end-users, in consultation with their local IT support staff, can choose from another approved product in Table 1.  For products that do not support their own method of escrow/recovery, the ISO recommends the use of Stache.

If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.

Table 1: Approved Encryption Methods

Encryption Technology

Escrow Method

Operating System(s) Supported

Encrypts entire media?

Cost

More Information

WinMagic SecureDoc

SecureDoc Enterprise Server

Windows, Linux

Yes

None

http://www.utexas.edu/its/encrypt/

Microsoft Bitlocker To Go (1)

Active Directory (in some cases), Stache

Windows 7 / Windows 2008 R2

Yes

None

http://technet.microsoft.com/en-us/library/dd630628%28WS.10%29.aspx

Apple FileVault 2

Stache

Mac OS X 10.7+

Yes

None

http://support.apple.com/kb/HT4790

Apple Encrypted Disk Images

Stache

Mac OS X

No

None

http://support.apple.com/kb/TA21118?viewlocale=en_US

TrueCrypt 7.1a (2)

Stache

Windows 7/Vista/XP, Mac OS X, and Linux

No

None

No longer approved for new deployments after May 2014. See footnote (2) below.

FIPS 140-2 Level 3 certified hardware-encrypted USB drives (3)

Stache

Varies

Varies

Yes

Examples of FIPS 140-2 Level 3 certified devices:
Imation IronKey S250/D250
MXI Stealth Key
Kingston DataTraveler 6000
Lok-it SDG003FM- FIPS Edition
Aegis Secure Key

(1) BitLocker To Go is only available with Windows 7 and Windows 2008 R2, however Windows XP SP3 and above can be used with BitLocker To Go encrypted removable media in read-only mode when the BitLocker To Go Reader application is installed. The BitLocker To Go Reader is packaged on BitLocker To Go protected removable media automatically.

(2) As of May 2014, TrueCrypt has been officially abandoned by the developers. Version 7.1a (no longer available from the official site) is the last version capable of encrypting data. Usage of TrueCrypt is approved only for existing deployments, contingent upon the outcome of the ongoing third-party audit of the product. TrueCrypt is not approved for and must not be used with new deployments, starting May 2014.

(3) FIPS 140-2 Level 2 compliance only requires that devices use a known good encryption algorithm and be resistant to tampering.  It does not address how the encryption is implemented, keys are managed, or users are authenticated.  Ultimately, this means that the standard covers very little of what actually makes a device secure (or not).  FIPS Level 2 compliant devices from SanDisk and Kingston have been compromised in the past due to improper key handling and poor user authentication mechanisms.  FIPS 140-2 Level 3 is far more rigorous and comprehensive.

Copyright © 2001-2011 Information Technology Services. All rights reserved.

  • No labels