Whole Server encryption is it done?

knc

A financial company is wanting my CPA/Financial advisor for 128-bit encryption on the network. What do you suppose they are asking for, Server data encrypted, connection to the Server encrypted?

If anyone uses Server encryption software please let me know.
 
You need someone to give you an accurate explanation. Sounds like whoever you spoke to was conveying a message from someone else who was not clear. But I'd guess they are looking at having Full Disk Encryption on everything, server and workstation. Connections within a closed LAN are not usually encrypted.
 
You need someone to give you an accurate explanation. Sounds like whoever you spoke to was conveying a message from someone else who was not clear. But I'd guess they are looking at having Full Disk Encryption on everything, server and workstation. Connections within a closed LAN are not usually encrypted.
Yes, I asked for a clarification. I would really hate whole disk encryption.
 
Yes, I asked for a clarification. I would really hate whole disk encryption.

Yes, FDE is a pain. But I don't lose any sleep over it. Customers have the keys and know the risks, especially if they decline to have a comprehensive backup system.
 
FDE is easier to manage. I prefer it. I really consider just folder encryption to be rather useless.

Why? Because if something is stolen/lost, whatever..and the auditors come and ask about what kind of protection is in place, you're 100% covered if you have a managed FDE system in place. And when I say "managed"...I mean something that is constantly checked. So that you know the state of the disks today, yesterday, 2 days ago, because it's constantly logged. You can "PROVE" that the disk was encrypted at the time it was lost. Just saying "well, I installed TrueCrypt 14 months ago..so it must have still been encrypted!". If you have a managed system you can PROVE it was encrypted at the time it was lost/stolen.

Next...location of data. Say you just encrypt the WinCSI folder or QData folder on the accounting server. And the server gets stolen. Auditors ask eDiscovery stuff..."Where was data kept?" How can you prove, 100%, that data was not stored in other folders that staff made? Or may have been plopped here, or there..on the server...in folders not within the encrypted folders? How can you prove no info was in temp files that the database engine made in the system partition?
You can sleep well at night with managed FDE, knowing without a doubt.."it's covered!, and I can prove it!"
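One way to get the "constantly logged" state the post above describes, as an added example that is not code from the thread: a PowerShell script that records each volume's BitLocker status with a UTC timestamp so the encryption state on a given date can be shown later, and flags any volume that is suspended or not fully encrypted. It assumes the built-in BitLocker PowerShell module, administrator rights, and a constructed log directory (C:\BitLockerAudit) that you would change for your environment.

```powershell
# Added example: timestamped BitLocker status audit (not from the thread).
# Assumes the BitLocker module, admin rights, and a constructed log path.
$LogDir  = 'C:\BitLockerAudit'   # assumed location; adjust per environment
$LogFile = Join-Path $LogDir ('bitlocker-status-{0:yyyy-MM}.csv' -f (Get-Date))
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$now  = (Get-Date).ToUniversalTime().ToString('o')
$rows = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        TimestampUtc      = $now
        Computer          = $env:COMPUTERNAME
        MountPoint        = $_.MountPoint
        VolumeStatus      = $_.VolumeStatus       # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
        ProtectionStatus  = $_.ProtectionStatus   # On / Off (Off = encrypted but protectors suspended)
        EncryptionPercent = $_.EncryptionPercentage
        Method            = $_.EncryptionMethod
        Protectors        = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';'
    }
}
# Append one row per volume; the monthly CSV is the evidence trail the post talks about.
$rows | Export-Csv -Path $LogFile -Append -NoTypeInformation

# Anything not FullyEncrypted with protection On is a finding: a suspended
# or decrypting volume would not let you prove the disk was protected.
$findings = $rows | Where-Object {
    $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
}
if ($findings) {
    $findings | Format-Table -AutoSize
    # Event log entry so monitoring can pick it up. The source must be registered
    # once beforehand: New-EventLog -LogName Application -Source 'BitLockerAudit'
    if ([System.Diagnostics.EventLog]::SourceExists('BitLockerAudit')) {
        $vols = ($findings | ForEach-Object { $_.MountPoint }) -join ', '
        Write-EventLog -LogName Application -Source 'BitLockerAudit' -EntryType Warning `
            -EventId 1001 -Message "BitLocker not fully protecting volume(s): $vols"
    }
}
```

Run it from a scheduled task (daily or hourly) on each server and workstation so the CSV history covers every date you might later be asked about.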
 
FDE is easier to manage. I prefer it. I really consider just folder encryption to be rather useless.

What products would you recommend? Also, performance must be degraded considering it's decrypting everything on the fly? And how does one perform backups and restores, using ShadowProtect for one?
 
What products would you recommend? Also, performance must be degraded considering it's decrypting everything on the fly? And how does one perform backups and restores, using ShadowProtect for one?

Hardware encryption by special disks that support it. Zero performance loss, as there's a daughtercard with dedicated processor on each disk.

BitLocker...FDE. If bare metal install, you'll want remote hardware level access like HP iLO or Dell iDRAC or some other IPMI to get local console access...to plug in the password on reboots. Or if it's guests within a hypervisor..even easier!

Software encryption, all the 3rd party stuff I've worked with, does have a performance impact. Except..to be honest, BitLocker doesn't...it's very light. I run it on my laptop, FDE, on a Crucial SSD..couldn't even tell the difference when I enabled it.

With FDE, once you're into the OS, stuff like backup software doesn't know the difference.
 
If the hardware used (most notably the drives) support encryption natively then all encryption/decryption is handled on-the-fly by the drive electronics. This is very common in better SSDs (including most/all of the Samsung drives), search for AES on the spec sheets for the drive.

SAS drives that support encryption are available, you'll probably need to get the precise model number you want using a configurator or spec sheets on the manufacturer sites.

I have no idea if there are non-SSD SATA drives that support encryption natively. At that point you're probably looking more for Bitlocker and the like.

On modern-enough equipment and OSes there are things you can do to let the machines automatically retrieve a key from the network at boot time as long as they're on the internal LAN - while being encrypted and protected if the machine is taken outside. I have a place that I'd like to look at that for, but I think that the tablets they'd like to do it on are probably too old. It's called Network Unlock: https://blogs.technet.microsoft.com/dubaisec/2016/04/14/bitlocker-network-unlock/ and I have no idea if there's a way to do something similar on servers/VMs.

I used to think about the possibilities for encrypted systems that would require a response from a network device (easily hidden) for unlocking, I'm honestly not sure if that predates Windows 8 or not. Certainly it doesn't predate when work would've needed to start on this.

Edit, re: system load: at least with modern Intel Core and Xeon processors it shouldn't be an issue as they all have the AES instruction set built in so AES-based encryption should fly. Not sure about the cheaper Pentium/Atom/Celeron/whatever processors or AMD stuff, but on the Xeon side it's been there for probably 7-8 years?
 
Or may have been plopped here, or there..on the server...in folders not within the encrypted folders?

^^^This. Can't say it enough. I learned a long time ago that all OSes sprinkle files all over the place. This, generally speaking, is not controlled by the OS but rather by the app since apps run at system level auth. FDE = no guesswork.

What products would you recommend? Also, performance must be degraded considering it's decrypting everything on the fly? And how does one perform backups and restores, using ShadowProtect for one?

Depends on the load and requirements. If a forensic trail is needed then you need something controlled like BL. Personally I've used TrueCrypt/VeraCrypt when dealing with environments with no domain. I've yet to see a performance impact using any well known FDE software, including those. But my clients are all small.
 
Okay, so network encryption is fairly common and even spelled out in data classifications like CJIS.

That said the requirements are generally for data leaving the walls of a secured facility. People don't encrypt their LANs usually, but it is not at all uncommon to secure your Wide-Area-Network running an IPSec Tunnel over an existing WAN or even building a Pseudo WAN over the Internet.

As for FDE, BitLocker is fairly standard in data centers for Microsoft equipment, and it is managed via Active Directory such that the servers boot with a TPM etc., but if stolen the data is not recoverable.
 
Look at Sophos SafeGuard. If you are needing to implement a more complete scope of data loss prevention, a combination of FDE and File Encryption needs to be used. One helps secure data at rest and the other helps secure data in use. We have implemented it for some customers. It can seem daunting at first but once you start using it, it's not too difficult.
 