FDE

[JLogan3o13]

I debated where to put this, as it is something of a broad topic. I am currently preparing a quote for a customer looking to do full disk encryption for their environment (all 8,000 seats, HIPAA compliance). I just wanted to see what others are using, and what your experience has been, specifically with Symantec, Trend, Sophos, and Kaspersky (pulled from the 2016 Gartner Magic Quadrant). I have experience deploying some, but not all, and everyone's experience varies enough I thought it would be beneficial.

Some caveats for this customer - Windows 7 Professional, a year at least from upgrading to Windows 10. When they do, they will be going to Windows 10 Pro; no interest in an Enterprise License Agreement. Until they're on 10, that rules out BitLocker altogether.

Here are the comparison criteria I am working up, for reference. I'd be interested to hear anyone's take, especially in larger environments (1,000 or above)

I. Compatibility with the OS
• Is the product able to secure Windows Pro machines?

• Does the product use a proprietary encryption engine, or does it sit on top of a service such as BitLocker?

II. Deployment Options:
• Is the product capable of deploying to endpoints through a native console, or must another method be used?

• How long will it take to convert the disk from unencrypted to encrypted on a 500GB mechanical disk? Solid State?

• What level of productivity degradation can be expected during this time?

III. Centralized Management:
• How intuitive is the management interface for the product?

• Single management console?

• How does the management console of this product handle:
        o   Forgotten Passwords/Lost Keys
        o   Client Patch/Upgrade Management
        o   Changes to Key Sizes/Algorithm Changes
        o   Delegation of rights to Help Desk or other staff to assist users with forgotten password/lost key
        o   Self-service recovery of Keys

IV. Security and Compliance:
• What steps does the product take to mitigate attacks such as brute force password attacks (suspend for x minutes, suspend until admin logs in, device wipe, etc.)?

• What is the algorithm in use? 

• Are any keys stored locally? If so, where (TPM, devices without TPM)?.

 

Edited August 17, 2016 by JLogan3o13

[orbs]

we're (international banking corporation) using CheckPoint Endpoint Security Full Disk Encryption.

this was dictated by the global compliance and security teams, so i guess it's compliant with whatever standards they choose to comply with. being on the more technical side, i cannot add any info on that aspect (except what is published in the product specifications, of course).

on the up side, it is very easy to deploy and manage. no downtime and no performance degradation.

on the down side, it has a very poor solution for installation/patching processes which include multiple reboots. if you do that a lot, i would not recommend this product.

it also mandates the involvement of the IT when it comes to forgotten passwords, i.e. there is no automatic process that users can perform on their own (which actually makes sense, for both the security aspect and the common use case).

[JLogan3o13]

@orbs I managed a CheckPoint rollout some years ago, when they were Pointsec. I remember trying to train the HelpDesk staff on using the little challenge/response fobs when someone forgot their pre-boot auth password, what a nightmare