Security Adviser | Roger A. Grimes » More feedback on ny hard disk encryption column

April 12, 2006 | Comments: (0)

More feedback on ny hard disk encryption column

TAGS: None

More information, and guestions, from readers regarding my encryption column,

Encryption for All http://www.infoworld.com/article/06/03/31/76920_14OPsecadvise_1.html

--------------
From: Albert

Roger,

I heard a year or two ago about on hard disk manufacturer, Seagate http://www.pcworld.com/news/article/0,aid,121522,00.asp that was incorporating hardware encryption capabilities into it's notebook hard disks. I assumed at the time that other manufacturers would follow and government customers especially would be enthusiastic buyers.(Including me.)

About the same time NSA was demonstrating it's classified solution for USB hard disk enclosures and desktop full disk encryption products (encrypts in-line on the IDE bus - transparent to the operation of the disk from the motherboard).

I assumed that the NSA capability would be incorporated in the hard disk controller electronics on the drive. I haven't heard any more about it.

We are now in the market for some drives. Any idea where I can get some encryption capable disks?
--------------
Readers??
--------------

From: Victor Roberts

Your column is directed toward computer professionals. Therefore, I do wonder about your suggestion that the free version of PGP is an option for your readers. You state:

"If you need commercial support, PGP Corp. provides products for Windows, Mac, and BlackBerrys."

However, support is not the only issue. The free versions of PGP are licensed only for use in non-commercial environments. It would be a violation of the license agreement for Free PGP to use these products in any commercial business. Since most of your readers probably work for a commercial business, this limitation should have been mentioned.

Victor Roberts, Ph.D.
Roberts Research & Consulting, Inc.
-----------------

From: Dooley, Patrick M

There are federal guidelines for the use of Federal Data. I would at least advise folks to use encryption that is compliant with NIST 140-2.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Patrick M. Dooley
Wisconsin Department of Revenue

---------------------

From: Calkin, Warwick

Roger,

I agree with everything in your article however archiving of encrypted email actually causes complications in the compliance equation.

A problem which we are currently grappling with is that if an email is encrypted at the desktop (encrypting away from the desktop is not an option) and then archived, indexing becomes a lot less meaningful.
Using the smime header we are able to index the to, from, and subject.
However in the event of a "discovery event" where we need to recover large volumes of mail (usually based on something in the content which we can't see), this lack of indexing becomes a real overhead and almost forces us into a position where we need to recover all encrypted emails,de-encrypt all, and index all. Obviously this creates several compromises.

Your views on how others are tackling this problem would be appreciated.

---------
This has got to be a common issue. Readers??

Posted by Roger Grimes on April 12, 2006 10:44 AM

RATE THIS ARTICLE: