Slide1
Mobile Device Encryption
Chris Edwards
IT Services
Slide8
“All confidential data must be encrypted where stored on a mobile device”
Mobile Device Encryption Policy
Slide9
What do we mean by “encrypted”??
Slide10
Password Protected
- Trivially bypassed
Encrypted
- Protects data if lost / stolen
Slide11
Can we avoid encrypting?
Could maybe:
- avoid storing confidential data on the laptop
- work completely “across the network”
But often convenient to store locally anyway
Also:
- data cached on device
- temporary folders
In practice, virtually all laptops contain confidential data.
Slide12
What type of encryption tool?
Folder encryption – save confidential data in a special encrypted folder
- need to remember to do this
- one day will forget
- and this still doesn’t encrypt:
  - data cached on device
  - temporary folders
Full disk encryption (FDE)
- encrypts everything
- hence much safer!
Slide13
Full Disk Encryption
- Encrypts everything
- Fast
- Transparent
- Native on common OS platforms
- Can be enabled without reinstall
Slide14
Full Disk Encryption
- Windows: BitLocker
- macOS: FileVault
- Linux: LUKS
Slide15
Standard Staff Desktop (SSD)
BitLocker default-on in SSD (enabled at build time)
Slide16
Other Laptops
Needs to be organised in your:
- College
- School
- Research Institute
- University Service
Slide17
Other Laptops
Users should be asked to bring University-owned laptops to their Local IT Support so that Full Disk Encryption can be configured
Slide18
Recovery Keys
- Data stored on laptops should exist elsewhere
- Hard drive could suffer physical failure!
- Might forget the encryption password
- Prudent to keep a recovery key - somewhere safe
- BitLocker also requires key for certain hardware changes
- For SSD, ITS holds recovery keys in campus AD
- For non-SSD, local IT teams will want to organise their own repository
  - Keep recovery keys as part of School IT asset register
  - AD
  - Create a school “recovery agent” certificate
Slide19
How to…
Detailed guides with pictures at: www.gla.ac.uk/confidentialdata
Click on:
- “Laptops”
- “Memory sticks”
Slide20
How to…
- Guides accessible enough for most reasonably tech savvy users.
- However, where possible we recommend IT support staff should do the encrypting.
- Precise arrangements need to be determined in your School or College.
- IT Services happy to advise.
Slide21
Consumer Grade Laptops
- May not have TPM chip
  - Workaround to enable BitLocker
    - boot time password
    - memory stick (unsafe??)
- May come with a “Home” edition of Windows
  - no BitLocker!
  - may be unsuitable for storing confidential data
Slide22
Personal Laptops
- University cannot mandate FDE for personally-owned laptops
- However, requirement to encrypt confidential data stored on a mobile device still applies!!
- Must encrypt it by some means
- FDE might be the easiest (MS “Device Encryption”?)
- Excellent Plan - use a terminal server (or equivalent) to completely avoid storing the data on the laptop in the first place:
  - SSDremote
  - Remote Desktop Session (e.g. RDP)
Slide23
Smartphones / Tablets
- Essential to set a PIN, or equivalent protection
  - Fingerprint check
  - Swipe pattern
- Many devices come with encryption
  - in some cases this is default-on
  - and the PIN is used to unlock the encryption
Slide24
Memory Sticks
- Must be encrypted if confidential data is stored
  - guides with pictures at: www.gla.ac.uk/confidentialdata
- In many cases easier to not store confidential data on sticks
  - use the network instead