1.0 Introduction

1.1 Data Encryption Solution

Full disk encryption (FDE), also known as whole disk encryption (WDE), is a security safeguard that protects all data stored on a hard drive from unauthorized access using disk-level encryption [1]. To protect sensitive university data, encryption is necessary and should be implemented appropriately, in combination with appropriate access controls. When FDE is employed, all data is encrypted by default, taking the security decision out of the hands of the user [11]. A good encryption software solution should be able to perform a wide range of tasks, including drive encryption and file and removable media protection, and should also be able to manage the native encryption functionality offered by Apple's FileVault 2 on Mac OS X and Microsoft's BitLocker on the Windows platform [10].

The purpose of this report is to provide directions and ideas for implementing full disk encryption in a college department setting, and also to identify bad practices when it comes to securing confidential data. The following topics are covered in this report:

• An Overview of BitLocker Encryption (Windows)
• An Overview of FileVault 2 Encryption (Mac)
• Finding a Good Encryption Solution
• WinMagic's SecureDoc Enterprise
• What I Think of Using SecureDoc by WinMagic
• Barriers to Finding a Good Encryption Solution

This document applies to all devices and computers storing or transmitting college or departmental data belonging to the university.

1.2 When Storing Sensitive Data

(i) Full Disk Encryption

Sensitive university data must be encrypted (using whole disk encryption when technically feasible) if it is stored on a portable device such as a laptop, iPad or phone.

(ii) File Level Encryption

This level of encryption is appropriate when storing sensitive university or institutional data on portable media such as external drives and USB drives.

Employing any kind of encryption program or software like BitLocker or FileVault 2 is bound to be a daunting task and process. In this report, I will explain the benefits of the proposed solutions and present the risks, so as to help those trying to make a decision in finding a better solution for encrypting computer drives on both Mac and Windows platforms. This report will also look at the risks of BitLocker and FileVault 2 encryption and how they can be resolved, by presenting a number of solutions that can be implemented. It will also look at a hybrid solution in which other encryption software programs or solutions are used to manage or facilitate the native encryption programs already available in Mac OS and Windows operating systems.

2.0 Overview of BitLocker Drive Encryption (Windows)

In this section I will present an overview of two commonly used encryption programs, one for each computer platform (Mac OS and Windows). I will first describe BitLocker in its usual Windows setting and then provide an overview of FileVault 2 on the macOS platform.

Windows 10 and other Windows OS editions contain an encryption feature called BitLocker Drive Encryption, which encrypts all data on the system volume. Like all other encryption software, BitLocker imposes some security requirements when one tries to encrypt a system drive. Sometimes this may cause real problems and headaches when it comes to making a decision to encrypt a drive.

2.1 What Does BitLocker Do

BitLocker technology, like other encryption technologies, targets a very specific security situation: that of reducing the risk posed by a computer containing confidential or sensitive data being stolen or lost. Statistically, the Federal Bureau of Investigation reports that on average a laptop is stolen every 53 seconds and that 1 in 10 individuals will have their laptop stolen at some point [6]. The recovery statistics for stolen laptops are even worse, with only 3% ever being recovered. This means 97% of stolen laptops will never be returned to their rightful owners. Most laptops belonging to the college departments contain confidential information in the form of documents, presentations, emails, cached data and network access credentials. This institutional data is typically far more valuable than the computer hardware itself, and it is worth protecting. The university can easily replace a lost laptop at a moderate cost, but the cost of compromised information can be far greater. When deployed, BitLocker makes it difficult for unauthorized people to access this confidential data on a lost or stolen laptop.

One advantage of BitLocker is that IT administrators can deploy it easily on university laptops without much user resistance. On the other hand, as a drawback, hardware-based attacks can cripple a BitLocker configuration. BitLocker's continuous improvements and new features eliminate many previously existing concerns, which centered on exploitable vulnerabilities and a lack of centralized management.

2.2 BitLocker's Main Features

Here is a list of BitLocker's main features:

1. Direct Memory Access (DMA) port controls that help prevent the long-standing cold boot attack against encrypted drives.
2. Microsoft's Active Directory (Azure AD) integration, which allows admins to encrypt recovery keys for Windows 10 systems that are joined to Azure AD domains.
3. XTS-AES encryption support that helps prevent known ciphertext attacks and assists organizations looking to be compliant with Federal Information Processing Standards.
4. These features are nice, but it is Microsoft BitLocker Administration and Monitoring (MBAM), a System Center Operations Manager management pack, that puts BitLocker squarely in the enterprise conversation. MBAM provides admins with a centralized tool for configuring, administering and enforcing encryption policies. There are also numerous Group Policies and PowerShell cmdlets admins can use to manage BitLocker-protected endpoints.

2.3 BitLocker's Security Concerns

Taking into consideration that BitLocker makes use of a tamper-resistant TPM security chip, which is now incorporated in most computers, encryption using BitLocker cannot be a software-only technology. Making BitLocker a software-only solution would make it more vulnerable to software-only attacks. It cannot protect a computer against all possible attacks, e.g. malicious users or programs such as viruses or rootkits that have access to the computer before it is lost or stolen. BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password is not kept secret. If university data on laptops is considered highly confidential, then BitLocker should be deployed with multi-factor authentication on
those laptops.

1) If more than one person is going to use the encrypted machine, then the encryption key has to be shared with everyone, since BitLocker officially supports one login.
2) BitLocker is secure only if you use a PIN or USB stick for authentication.
3) There is no link between your Windows credentials and BitLocker credentials.
4) BitLocker does not support the concept of more than one user. Official Microsoft advice tells users to employ a 6+ character PIN plus the TPM for authentication, and does not recommend TPM-only mode.
5) BitLocker supports only USB storage devices and PINs, with no integration with any other token.
6) Active Directory and additional servers are required to administer BitLocker in a corporate environment.
7) You need extra software to prove BitLocker was enabled and protecting the drive at the time of a theft in order to claim protection under personally identifiable information laws. With BitLocker, one will need third-party software to give a real-time report on the state of protection of a lost machine.
8) BitLocker encryption and administration support only Windows, with no support for other operating systems such as Mac or Linux.

3.0 An Overview of FileVault 2 Encryption (Mac)

3.1 FileVault 2's Full Disk Encryption Solution

FileVault 2 is an encryption program native to the Mac OS X system, also known as the second generation of FileVault. It encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption, and can also encrypt any removable drive, in addition to securing Time Machine backups and other external drives. The original FileVault was introduced with Mac OS X Panther (10.3) [3] and could only be applied to a user's home directory, not the startup volume. Apple referred to this original iteration of FileVault as legacy FileVault. FileVault 2 protects a whole volume and provides full encryption that can easily be operated by any user, regardless of whether they have dedicated IT staff or not. When using FileVault 2, users need not worry about encrypting each individual file or putting files in specific encrypted containers, because all the data on the entire volume is encrypted [4]. macOS High Sierra and newer offer APFS encryption, which is a significant redesign of FileVault 2 [5].

3.2 APFS and Encryption Concerns

In October 2017, Apple fixed a Disk Utility bug in macOS High Sierra which exposed the passwords of encrypted APFS volumes in plain text [5]. This serious security vulnerability in macOS High Sierra was discovered by a Brazilian developer named Matheus Mariano. Apple addressed this bug by releasing the macOS High Sierra 10.13 Supplemental Update, which was available from the Mac App Store. Towards the end of November of this year, Apple's patch for this serious password bug on macOS High Sierra was reported to have failed to fix the original problem, because the flaw had reappeared for some users.

3.3 Managing the Existing Functionality of Native Encryption Systems

So there has to be a management solution or system out there that users can depend on and trust to manage the existing BitLocker (Windows) and FileVault 2 (Mac) encryption systems, given the out-of-the-box limitations presented by these two. This management solution should directly address the limitations on both the Mac and Windows platforms: for example, a solution or system that improves on the functionality of BitLocker and FileVault 2 in such a way as to make them more secure and easier to manage.

4.0 Finding a Good Encryption Solution

4.1 What a Good Encryption Solution Should Be Able to Do

In this section, I am going to present some of the main features that I think a good encryption software solution should have. It should take into consideration the two commonly used platforms for protecting data, i.e. Microsoft's native encryption, BitLocker, for Windows and Apple's native encryption, FileVault 2, for Mac OS.

On a Windows platform, a good encryption solution should be able to:

a) Allow an IT administrator to secure and manage all Windows 10, Windows 7 and other PCs that support Microsoft BitLocker.
b) Manage BitLocker on Windows platform machines running Windows 10 or 7 directly from third-party software like SecureDoc (WinMagic), Symantec, etc., without the need for a separate Microsoft BitLocker Administration and Monitoring (MBAM) server.

On a Mac platform, a good encryption solution should be able to:

a) Allow an IT administrator to secure and manage all Mac OS X versions, including macOS High Sierra, Sierra, El Capitan and other Macs that support Apple FileVault.
b) Remain compatible with OS X patches, upgrades and firmware updates.
c) Provide single sign-on from FileVault's pre-boot environment directly into Mac OS X.
d) Allow upgrading from one major Mac OS X version to the next without having to decrypt and re-encrypt the drive.

Similar to BitLocker, FileVault 2 employs recovery keys to enable users to unlock their encrypted volumes if the disk is moved to a different device or if no user account with 'unlock' privileges is present on the system. Once FileVault 2 is enabled, the system creates and displays a recovery key.

4.2 Concerns with FileVault 2

The one problem with FileVault 2 is that it is "whole disk" encryption, meaning it is either on or off for the entire volume. When FileVault is on, no user can access the data unless they enter a password or key to unlock it. Once the drive is unlocked, the data becomes vulnerable. The new APFS in macOS High Sierra supports full disk encryption [6], but it can also encrypt individual files and metadata, with single- or multi-key support. This kind of feature provides additional security for your most confidential data.

5.0 WinMagic SecureDoc Enterprise Solution

The WinMagic SecureDoc Enterprise suite of programs is a comprehensive solution that offers full disk encryption (including support for both BitLocker and FileVault 2), file encryption, removable media encryption, Mobile Device Management and a centralized management server. It does this through a number of different products that are used to fulfill the different feature requirements, including
[7]:

a) The SecureDoc Enterprise Server (SES), which offers a centralized location to manage the other encryption components, including software-based full disk encryption, native full disk encryption support (BitLocker and FileVault 2) and SED (self-encrypting drive) support.
b) SecureDoc for Windows and SecureDoc for Apple, which offer clients that support software encryption, native full disk encryption and SED management, File and Folder Encryption (Windows), and removable media encryption.
c) PBConnex, which offers network-based pre-boot authentication.

5.1 One Console for Endpoint Protection and Encryption Management

Use of a single console [7]: this console will be the one-stop shop, not only for protecting your endpoints from malicious software or targeted attacks but also for compliance reporting and encryption key recovery. Simplicity and ease of management will enable security personnel to stay focused and work efficiently.

5.1.1 Its Main Features

• Encryption management from the same cloud or on-premise console you are using for endpoint protection.
• Uses proven native encryption for Windows (BitLocker) and Mac (FileVault 2) and avoids performance issues; no new agent required.
• Simple to deploy full disk encryption to endpoints and to manage or restore keys from the console.
• Encryption-specific reports that help the university demonstrate compliance.
• Pre-boot authentication enforcement.

5.1.2 Encryption Benefits

(a) Comprehensive data protection for endpoint hard drives
• Prevents unauthorized access to all data when laptops are lost or stolen.
• Highest security certifications for compliance: FIPS, Common Criteria, BITS.
• Comprehensive platform support, including Windows and Mac OS X.

(b) Trusted and proven security for highly scalable deployments
• Proven in data security deployments of many machines in a short time.

(c) Integrated into the endpoint security software architecture
• Combine endpoint full disk encryption software with other endpoint security software, e.g. Windows Defender.
• Highest security certifications for compliance: FIPS, Common Criteria, BITS.
• Single-console, centrally managed endpoint solution.

6.0 What I Think of Using SecureDoc by WinMagic

1. Using WinMagic's SecureDoc software will involve extra cost for the software. There is an initial per-device license cost and a support fee. The support fee covers updates, access to the knowledge base and access to support technicians. I believe the upper tier of support also covers some online training materials.

2. The SecureDoc solution supports Windows, Mac OS X and Linux, in addition to both domain and workgroup machines. SecureDoc can meet all the requirements for these operating systems. It doesn't truly support Linux, but you can support Linux installs on self-encrypting drives that meet the OPAL2 standard.

a. Positives: single management console; a consistent product across on/off-domain Windows machines; excellent support (WinMagic only does encryption, so their resources are very focused); the client program for Windows is highly customizable; it has the ability to require encryption on removable media; depending on client configuration, it is mostly transparent to the user.

b. Negatives: it does not always support OS upgrades immediately (e.g. the Creators Update for Windows 10, macOS High Sierra for Mac); the management console is complex and not always intuitive (an interface redesign is due out within the next year); file and folder encryption is an additional license.

3. End users will not see much of a difference in their configuration. SecureDoc can be set to boot automatically to Windows, similar to how BitLocker performs. The only time a user sees a SecureDoc pre-boot login is if they enter their Windows password incorrectly too many times.

IT staff can encounter some challenges depending on how diverse their environment is. IT units with consistent purchasing (e.g. similar-era Latitudes) would tend to have very few issues. If maintenance (BIOS updates, etc.) is not done properly on computers of varying models, manufacturers, and consumer and business lines, then users will tend to experience more issues.

Here are alternatives to managing the native encryption:

• MBAM (BitLocker): Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. It only supports Windows domain machines and it integrates very well with other Microsoft management tools such as SCCM. For organizations with Microsoft agreements, it is inexpensive to license.


• Jamf (FileVault 2): Jamf (formerly Casper) is a fairly comprehensive Mac management tool that can also manage FileVault 2 encryption. The Jamf software allows you to manage FileVault 2 disk encryption on Mac OS computers by creating and deploying a disk encryption configuration using the Jamf Software Server (JSS) [5]. Here at OSU, Jamf is already licensed and in use on Macs by our IT technicians.
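To make the BitLocker management points of sections 2.2 and 2.3 concrete, here is an added PowerShell example (my own code, not from this report, WinMagic or Microsoft). It audits a Windows 10 endpoint for the concerns listed there (TPM-only unlock, which Microsoft does not recommend; no recovery password to escrow; no evidence of the protection state at a given date) and escrows the recovery password in Active Directory, the step that MBAM automates. It assumes the built-in BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector), a domain-joined machine for the AD backup and an elevated session; the function names and the CSV path are my own choices.

```powershell
# Added example: audit BitLocker on the local machine and escrow the recovery password in AD.
# Assumes the Windows BitLocker module and an elevated, domain-joined session.
function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param(
        # Drive letters to check; defaults to the OS volume (e.g. "C:").
        [string[]]$MountPoint = @($env:SystemDrive)
    )
    foreach ($mp in $MountPoint) {
        $vol   = Get-BitLockerVolume -MountPoint $mp
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = @()
        if ([string]$vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is Off (drive not currently protected)'
        }
        if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus), not FullyEncrypted"
        }
        # TPM-only unlock: the mode the report says Microsoft does not recommend (section 2.3, item 4).
        if (($types -contains 'Tpm') -and (($types -match '^TpmPin').Count -eq 0)) {
            $findings += 'TPM-only protector; add a PIN (TPM + PIN) for multi-factor pre-boot auth'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no RecoveryPassword protector; key recovery via AD/MBAM is impossible'
        }
        if ([string]$vol.EncryptionMethod -notmatch '^XtsAes') {
            $findings += "encryption method is $($vol.EncryptionMethod), not XTS-AES"
        }
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeStatus     = [string]$vol.VolumeStatus
            ProtectionStatus = [string]$vol.ProtectionStatus
            EncryptionMethod = [string]$vol.EncryptionMethod
            KeyProtectors    = ($types -join ',')
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
            CheckedAtUtc     = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Escrow every recovery password protector in Active Directory (what MBAM automates; section 2.2, item 2).
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Append a timestamped record so the protection state on a given date can be evidenced later (item 7).
Get-BitLockerAuditReport |
    Export-Csv -Path (Join-Path $env:ProgramData 'BitLockerAudit.csv') -NoTypeInformation -Append
```

Run the script from a scheduled task or a Group Policy startup script so the CSV accumulates a history per machine; the Findings column tells you which of the section 2.3 concerns still apply to each endpoint.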