U.S. Gov't To Use Full Disk Encryption On All Computers 371
To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."
Allies (Score:2, Interesting)
PS... (Score:4, Interesting)
This is my job... (Score:4, Interesting)
The June 23 White House memo had a 45-day deadline. Everyone has already blown the deadline.
Big props to WinMagic for their marketing. They've been all over the government computer press for the last 1-2 years with press releases and random mentions that make it appear they are the only workable solution. As a result, the agencies that jumped on the bandwagon in time to meet a (seemingly common) end of year deadline have grabbed their SecureDoc software and started installing. My experience with it has been semi-OK. Given that the software is touching every single file on every machine that leaves our physical space, the number of screwups has been acceptable at less than 2%. Our most widespread problems have mostly been a result of insufficient server capacity to deal with all the machines being encrypted at the same time within the last couple of weeks. Whether that was a result of us going cheap on the server side or WinMagic promising that the servers could handle a bigger load than is actually the case, I don't know. I suspect it's a bit of both. Still, things are slowly working out, even if our frontline support staff is going to wind up losing, literally, a month of productivity to the project.
A bunch of the requirements on that DOD checksheet are being ignored by civilian agencies. With no PKI infrastructure in lots of places, plenty of things have to be done "hands on" and the ability to do things like silent installs is out the window.
A bunch of the names on that vendor list are just resellers and of little interest to the slashdot crowd. What's more interesting is the list of products that do the job. THAT list is much, much shorter.
I haven't heard of anyone doing their encryption in hardware, which irritates me. I use hardware-encrypted drives at home and I was looking forward to doing the same thing at work. There is a widespread rumor in my agency that 2 or 3 generations of computer refreshment down the road, we'll transition to encryption in hardware. I hope so.
A stake through the heart of non-commerical linux (Score:5, Interesting)
Now the hackles being raised are that this means we can't use Macs and maybe not linux since there are no acceptable enterprise-worthy full disk encryption systems. If you know of some, expecially for macs please reply with details below. But the term "acceptable" and "enterprise-worthy" matter a great deal. You can't just go installing full disk encryption based on some open source solution that might or might not get updated to work with the next version of say debian or fedora in a timely way. It has to have a method of key escrow that is usable. etc...
Hence people are looking to windows.
Another raging argument is what full disk encryption means. Surely something like mac's built in encryption of home directories and if need be combined with secure virtual memory would be sufficient to protect anything but very critical information. The answer we are hearing is No and "maybe". We are beinf pushed to use Entrust which all users I have heard from say is a disaster. There's going to be huge data recovery issues. And I don't see it as likely that Entrust will always be assured of working across OS upgrades
Personally I'd prefer to see encryption done in a transparent hardware layer.
In the long run this going to be good for the branded commerical OS, and the Linuxes backed by commerical vendors. The reason is that in the end you'd have to be pretty stupid to encrypt your whole disk with anything not supplied by the OS vendor because it simply has to work right under all circumstances and there simply has to be one person you can call when it fails. It woul dbe intolerable to have to have the OS vendor say well it's not our problem and the encryption vendor saying they are trying to work with the OS vendor to figure out why the kernel upgrade broke it.
And when it does break after you hit the "Software update" button or worse corporate HQ pushes the update overnight to your computer there is no failsafe mode! the computer won't boot. Corprorate HQ can't even contact your computer to undo the problem after the reboot. you can't even donwload a patch from the vendor or let them know it was broken. You can't even look up their phone number. Nor can you go to your neighbors computer to download a patch since his machine is broken too.
Other arguments people are unsure of
1) is home directory encryption enough
2) what about removable media?
3) what about FAT tables?
4) boot tracks?
5) virtual memory?
The fact that this order is zero tolerance with no asseement of risk seems to prove it is ill conceived.
It's a stake through the heart for all non-comercial linux
start your own company (Score:5, Interesting)
I work for a multinational corporation with more than 10 K laptops
Just wanted to give you a reality check:
If you work for a company like that and know this technology to the level you are describing in this post, you should leave your employer to start your own company providing this solution. There's no way you're getting paid at a multinational corporation as much as you would make in your own (successful) company. If you had launched your company back when you had performed the aformentioned evaluation, you'd probably have enough progress with your own product to pitch it in this govt. bidding process.
Not trying to criticize you. Just trying to inspire people.
Seth
Re:Eh. (Score:3, Interesting)
If you work as a low-level US diplomat in Peru, do you really need to carry around the complete medical records of 20 million veterans?
Additionally, you can get a tolerable bandwidth connection anywhere on the planet - We now have these things circling the Earth far above, sort of artificial "satellites", if you will. Some of them have the purpose of facilitating bidirectional data communication between two points on the planet - Such as a cottage in the middle of nowhere, and a datacenter in the US.
A decent satellite net connection doesn't come cheap, but keep in mind the target audience here - The single most fiscally-irresponsible entity on the planet.
Re:start your own company (Score:5, Interesting)
Before taking a one-year sabbathical (91-92) which I spent in the US, writing networking code, I had a company that sold terminal emulation/file transfer software. I sold enough licenses to make it one of the top 5 bestselling norwegian programs. During the last year the norwegian IRS grabbed 83% of every Krone I invoiced my customers.
At that point I realized that I'd much rather work less and spend more time with my wife & kids, so I closed the company.
I still write/optimize code, but always because I enjoy it, not to make money. (Sometimes I do get paid as well (in addition to my regular salary), but that's not the important part.)
Re. "know this (crypto) technology": I want to know a lot more than just crypto, and the job I have, which is a sort of IT Fire Brigade Chief, means that I get to work on all sorts of interesting technology, including everything that's new, as well as everything that doesn't perform as well as it has to. The Full Disk Encryption requirements I mentioned in my first post were obvious to me at the time, but not to most of the vendors unfortunately.
I spend my leisure time on orienteering http://orienteering.org/ [orienteering.org], which is the perfect thinking person's sport.
I'm also the Scandinavian coordinator of the Confluence project http://confluence.org/ [confluence.org]
Check google for my other interests!
Terje
Re:A stake through the heart of non-commerical lin (Score:3, Interesting)
Not necessarily. You're assuming that this gigantic government-mandated undertaking is going to work. I think that is a mistake.
Ask yourself how many times such major overhauls have ever worked right, when the Feds are in charge. The FBI botched a big upgrade, the IRS is still botching theirs, the FAA botched theirs
When all is said and done Linux. branded or otherwise, will be damned lucky not to be too heavily involved, and may come out looking pretty good.