Forensically speaking, full disk encryption is the only way to address
all aspects of data remnants.  Stuff sits in the page file, and this isn't
encrypted.  Temp files usually are all over the place, unless directory
structure ACLs are very strict.  One can use the workstation security
templates for high security and lock down the directories, but there are
still writable locations on the disk that users can save stuff to.
Unless all you do is use MS Office, folder redirection isn't going to do
you much good.  These strict ACLs break many applications, especially
all the home-grown ones, and the older junk that's in all of our
corporate environments.  Volume encryption, such as EFS or TrueCrypt, is
MORE secure than nothing, but do you really trust your users, and would
you be willing to put your job on the line when your CIO walks in and
says, "We had a laptop stolen; do we have to disclose this to the public?"
Full disk encryption has its problems, but most of the larger companies'
products like PointSec, SafeBoot and Utimaco have methods for
administrative/support logins and key escrow/recovery.  They all have
methods to deal with supporting software deployments, i.e. scripting a
number of automatic logins without requiring pre-boot authentication.
All of them have support for SSO, tokens, etc.  The only large problems
relate to multi-boot configurations, lilo, hidden partition backup
solutions, etc., as these solutions shim the Master Boot Record or
Partition Boot Record.


-----Original Message-----
From: matthew patton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 29, 2006 11:23 AM
To: [email protected]
Subject: Re: Whole disk encryption

I am not arguing against whole-disk, but why would you hand a user a
computer/laptop that allows them to write ANYWHERE but in one directory,
their homedir?





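The reply above argues that even with strict ACLs and folder redirection, plaintext remnants still land in the page file, hibernation file and assorted writable directories that volume-level encryption (EFS, TrueCrypt) never covers. The following PowerShell audit script is an added example for this thread, not code from either poster or from any of the products named; it measures exactly those remnant points on a Windows workstation. It assumes a Windows 8 / Server 2012 or later host for the BitLocker cmdlets (older hosts and third-party products such as PointSec, SafeBoot or Utimaco show as "unknown"), and the candidate directory list is an illustrative assumption that should be extended with the local application paths the home-grown software actually uses.

```powershell
# Added audit script (not from the thread): report where a standard user can
# still write, whether the page file is cleared at shutdown, whether a
# hibernation file exists, and whether whole-disk encryption (BitLocker) is on.
# Run it as the low-privilege user you are assessing; the page-file and
# BitLocker queries are read-only but may need admin rights and fall back to
# 'unknown' when they fail. The directory list below is an assumption for
# illustration, not a standard.

$candidates = @(
    $env:TEMP,
    $env:USERPROFILE,
    $env:PUBLIC,
    $env:ProgramData,
    $env:ProgramFiles,
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\Tasks",
    "$env:SystemDrive\"
)

function Test-WritableDirectory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    # Probe with a real write rather than parsing the ACL: inherited and deny
    # ACEs are easy to misread, but a probe file shows the effective permission.
    $probe = Join-Path $Path ('fde-audit-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-PageFileState {
    # The page file sits outside an EFS/TrueCrypt container in the usual
    # layout, so fragments of open documents land there in plaintext.
    $files = @(Get-CimInstance Win32_PageFileUsage -ErrorAction SilentlyContinue | ForEach-Object Name)
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $key -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $clearState = if ($null -eq $clear) { 'unknown' } else { [bool]$clear }
    [pscustomobject]@{
        PageFiles               = $files
        ClearPageFileAtShutdown = $clearState
        HiberfilPresent         = [IO.File]::Exists("$env:SystemDrive\hiberfil.sys")
    }
}

function Get-DiskEncryptionState {
    # BitLocker cmdlets exist on Windows 8 / Server 2012 and later only.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return 'unknown' }
    try {
        Get-BitLockerVolume -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{
                Volume           = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                VolumeStatus     = $_.VolumeStatus
            }
        }
    } catch {
        'unknown'
    }
}

$writable = foreach ($dir in ($candidates | Sort-Object -Unique)) {
    $result = Test-WritableDirectory -Path $dir
    if ($null -ne $result) {
        [pscustomobject]@{ Directory = $dir; Writable = $result }
    }
}

'== Directories this account can write to =='
$writable | Where-Object Writable | Format-Table -AutoSize
'== Page file / hibernation =='
Get-PageFileState | Format-List
'== Whole-disk encryption (BitLocker) =='
Get-DiskEncryptionState | Format-Table -AutoSize
```

Any directory listed as writable is a place a user can save data that folder redirection and volume-level encryption miss; a page file that is not cleared at shutdown, or a hibernation file on an unencrypted system volume, is the remnant store the reply is referring to. Only a BitLocker volume whose ProtectionStatus is On covers all three at once.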

