Archive for the Uncategorized Category

The Memo that Encrypted Twenty Million Machines

You have all heard me speak of the importance of DARTT (Data at Rest Tiger Team) in bringing much-needed standards to the Data at Rest Encryption market. Several people have asked me how it all got started. There is an excellent history of DARTT published by David Hollis in this presentation http://www.infosecaward.com/docs/DARTT_June12_08Briefing_ExecutiveAlliance.ppt - but the initial launch was a result of Office of Management and Budget Memo 06-16, which said:

 

In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities.

The National Institute of Standards and Technology (NIST) provided a checklist for protection of remote information. (See attachment) The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location. In addition to using the NIST checklist, I am recommending all departments and agencies take the following actions:

1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;

2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;

3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and

4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

 

The original official memo can be found at: http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Secure USB Standard coming from Uncle Sam

We have all experienced it: you buy something and it's not exactly the way it looked on TV. One detail or another was glossed over, forgotten, not taken into account.
Security is often just such a glossed-over factor. What type of encryption, whose implementation of the cryptography, has the encryption been independently verified, does the system provide management, does the system provide auditing… On and on, 500 opinions; spinmasters unite and argue why their Coke is better than the other's Pepsi… Everyone buys their Super Bowl ad to promote their exploding Pinto, and no one knows what to do in the end.
Luckily for us all, the most interested person in security is setting an international and comprehensive standard for this. The US Government has established a team of experts in security to create the definitive list of what is secure and what is not secure in USB encryption.
The Data-At-Rest Tiger Team (DARTT) has established a panel to review the myriad of solutions in this area and separate science fiction from science fact. They have already published a groundbreaking standard for Data-At-Rest encryption for information on hard disks, and they will soon be extending that guidance to USB keys.
You can follow the competition, selection criteria, and winners on the US Federal Government site (link provided because a Google search returns thousands of people trying to say they are security technologies): https://www.fbo.gov/index?s=opportunity&mode=form&id=dc9f632a73767835a88495473a1ca2e7&tab=core&_cview=1

They have reviewed all the major technologies in this area and selected a number of technologies that are secure and manageable. My company, Mobile Armor, was one of them – I'm proud to say (full disclosure given).
If you have any questions about the technology, all of the DARTT information is a great place to start. They already did all their homework and offer it up to you free of charge. You may find it the best guidance as to scalable and secure USB and other Data At Rest.

Bryan Glancey
CTO & Co-Founder, Mobile Armor
bryan@mobilearmor.com

Welcome

Welcome to the Data-at-Rest (DAR) web blog. There is no shortage of uninformed opinion on the Internet regarding Data Security; this blog was formed to separate the snake oil from the science.

Please feel free to share your experiences as well as questions about Cryptography, Data Encryption, Full Disk Encryption, File and Folder Encryption, FIPS, Common Criteria, DARTT, FDE, FFE, RSM and any of the myriad of surrounding issues.