NASA To Encrypt All of Its Laptops 226
pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"
i don't understand... (Score:3, Insightful)
truecrypt (Score:2, Insightful)
For the lazy it does the job well. No need spend budget on it.
AAARRRRGHHH (Score:5, Insightful)
NONONNONONONO
This is not how you deal with an incident like this. You have to reexamine your infrastructure and find out *why* that info was on an endpoint to begin with. This is teh same BS kneejerk reaction that makes for bad IT planning. Just go and wallpaper of it with a band-aid and look all betterer.
HULK SMASH!!!!
Re:i don't understand... (Score:5, Insightful)
>Yep, you've got to have a documented practice to keep track of the recovery keys encryption programs generate.
No. I work in a big corp. If I die, my FDE password dies with me and the data is gone. Real data is held on servers and managed. A PC is just an access device.
Re:They waited this long because? (Score:5, Insightful)
Re:They waited this long because? (Score:4, Insightful)
Re:They waited this long because? (Score:5, Insightful)
They have a finite pool of money. Putting something in IT takes money from the finite pool.
The poster is correct, ti's about priorities.
Since that vast majority of information NASA has is useless to anyone not in a space agency, it seems this was a good priority of limited funds.
Re:They waited this long because? (Score:2, Insightful)
Because encrypting data is like putting it in a black hole, from which it might never return. If you lose your password, THAT'S IT! GONE!
For a technically competant user base, like (i'd like to assume) NASA employees probably are, go for it!
But for people who struggle with Microsoft Word and basic e-mail? Well... uh... let's just say an organization might want to perform an analysis of how many times their employees call in for password resets. There will likely be a strong correlation between data loss and password resets.
Sure, the data might not fall into the wrong hands anymore, but with statistics for every lost laptop, add ON TOP OF THAT data that's effectively destroyed by users getting locked out of their own encryption. That could ALSO be very costly in terms of lost man-hours, and possibly an unnecessary risk depending on how much sesnsitive data you REALLY deal with.
Re:They waited this long because? (Score:5, Insightful)
This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.
NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.
But therein lies the problem. It should not be underway for some time. It should have been in place as an iron-fist de-factor rule a long time ago.
I sympathize with you and the other IT folks. Underfunded and under appreciated IT and dev folks alike. It is shitty, and I know what it's like (been there, don't that.) But, to not have laptops encrypted? To furnish unencrypted laptops? There is some serious break-ups there man. Why? Because, however overworked your team might be, I have a hard time believing that IT will furnish an un-imaged laptop, as-is from the vendor/supplier, to the user. I'm sure IT images the laptops, so it stands to reason that the imaging will include encryption.
If the laptops are being furnished as-is from the vendors, that's a fuck-up.
If the laptops do get imaged, but do not get encryption, that's also a fuck-up.
Any government agency has some type of security and information assurance program and guidelines. And in them, encryption of laptops must be there somewhere. If that is the case, then it is a IT fuck-up. If it is not, then it is a IA fuck-up.
I'm not necessarily blaming you or any specific IT person, but this is a serious crap-o-lah that goes against what is pretty much standard practice with any agency or defense contractor (I work for one), or even for commercial companies. It's simply crazy.
Re:They waited this long because? (Score:5, Insightful)
Well, many want to. There are some issues though that cause inertia. Not just issues with forgetting passwords.
- Older systems that may need upgrading before being able to have encryption, or they're able to encrypt files but not whole partitions, or they don't even run IT approved operating systems. Having some machines that don't fit into a global policy can often often slow down an IT policy to a crawl, especially when the management refuses to make an exception.
- Reliability. Sometimes this encryption is not very stable. Seriously. Our whole department stopped cold on encryption when many of the macbooks started dying and had to be replaced within a month of being encrypted (ie, second IT passwords don't help), with about a week of downtime before the user is back up and running full speed again. Put things on hold until Lion was released (which was it's own freigh train full of breakage, though at least the encryption worked).
- Performance. Maybe the average user doesn't care, or the exec with an expensive computer. But encryption really can slow things down tremendously. Compile times, email searches, etc, can all take a very noticeable hit, sometimes more than twice as long. Do this on an older computer or a production system and it really hurts.
- Scheduling and availability. Not everyone is able to come in and see IT at a moment's notice. Sales people may not even live in the same state or country, and they purchase and install their own computers. IT has a tendency to want to do encryptions or upgrades at exactly the same time as a major product release.