Recommendation for Encryption Software on Corporate Laptops?

Do any of you work for companies which have a standardized solution for encryption on corporate machines?

I like TrueCrypt a lot but my worry is that one of our sales people will call me and say they lost/forgot their password and their data will be forever lost.

Does anybody have any experience with any products that have more of a corporate management backend to them that you can recommend?


Thanks in advance.
Current Certifications:

* B.S. in Business Management
* Sec+ 2008
* MCSA

Currently Studying for:
* 70-293 Maintaining a Server 2003 Network

Future Plans:

* 70-294 Planning a Server 2003 AD
* 70-297 Designing a Server 2003 AD
* 70-647 Server 2008
* 70-649 MCSE to MCITP:EA

Comments

  • veritas_libertasveritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USAMember Posts: 5,735 ■■■■■■■■■■
    We are using Check Point Full Disk and Media Encryption for our enterprise. I'm upgrading the FDE to latest version right now and planning a roll-out of Media Encryption (lets you lock-down ports and encrypt thumbdrives, CDs, etc.) for next year. This stuff works great and even has a Help Disk

    If you would like we can talk on the phone.
    Currently working on: Linux and Python
  • SrSysAdminSrSysAdmin Member Posts: 259
    We are using Check Point Full Disk and Media Encryption for our enterprise. I'm upgrading the FDE to latest version right now and planning a roll-out of Media Encryption (lets you lock-down ports and encrypt thumbdrives, CDs, etc.) for next year. This stuff works great and even has a Help Disk

    If you would like we can talk on the phone.


    I may take you up on that phone call. I'm going to go take a look at their software now and see what they have to offer, thanks for the advice!
  • ClaymooreClaymoore Member Posts: 1,637
    What OS versions do you support?

    If Windows Vista/7 I would stick with BitLocker because of the AD integration and key management. If you are supporting XP, you will need to look at something like PointSec that veritas mentioned.

    If you use a third-party disk encryption software, you will probably have to decrypt the disk prior to a Windows 7 deployment. I have tried a few work-arounds that were either unusual or unsupported, but our recommendation is to decrypt prior to deployment.
  • SrSysAdminSrSysAdmin Member Posts: 259
    Claymoore wrote: »
    What OS versions do you support?

    If Windows Vista/7 I would stick with BitLocker because of the AD integration and key management. If you are supporting XP, you will need to look at something like PointSec that veritas mentioned.

    If you use a third-party disk encryption software, you will probably have to decrypt the disk prior to a Windows 7 deployment. I have tried a few work-arounds that were either unusual or unsupported, but our recommendation is to decrypt prior to deployment.



    BitLocker isn't the solution we are looking for because we are supporting Windows XP and 7, in addition to Mac OS X. We are trying to find a solution that we can use across the board rather than having to support a different solution for each machine.



    Thanks for your input, I appreciate it!
  • RTmarcRTmarc Member Posts: 1,082 ■■■□□□□□□□
    Check Point full disk encryption is the way to go. Nothing more than a re-badged PointSec.
  • pml1pml1 Member Posts: 147
    We've been using Sophos Full Disk Encryption for about a year now. Deployment is a breeze. I've been very pleased with it.
    Excellence is never an accident; it is always the result of high intention, sincere effort, intelligent direction, skillful execution and the vision to see obstacles as opportunities.
  • veritas_libertasveritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USAMember Posts: 5,735 ■■■■■■■■■■
    RTmarc wrote: »
    Check Point full disk encryption is the way to go. Nothing more than a re-badged PointSec.

    LOL, the name is driving everybody here crazy. Causes a lot of confusion when everything in the suite starts with a similar name...
  • joey74055joey74055 Member Posts: 216
    I've used drivecrypt before. It worked pretty good, it had centralized management that ran on a server to manage all encrypted laptops. It is made by SecurStar and you can find it here: SecurStar, Encryption Software Solutions - Products - Disk Encryption
  • neocybeneocybe Member Posts: 79 ■■□□□□□□□□
    My 2 Cents,

    I've had good luck with Checkpoint and Acronis.

    Truecrypt is also a good cheap solution which forces you to create an unlock CD for each installation.

    Depending on the number of installations this may create a lot of overhead. I had one client with 50 users on truecrypt who burned a CD for each laptop and kept a copy of the ISO on a server.
  • brad-brad- Member Posts: 1,218
    May be worth your time to look at Guardian Edge.
  • colemiccolemic Member Posts: 1,568 ■■■■■■■□□□
    Check out Mobile Armor and/or Data Armor (if it just needs encryption but doesn't travel.) Great product and is used by DoD... ties into AD for user management.
    Working on: CCSP, definitely, maybe. On the twitters: @mcole1008
  • QHaloQHalo Member Posts: 1,488
    I deployed and support Credant Mobile Guardian setup. Deployed to over 800 laptops a file-based hard drive encryption where I can tell the software what file types to encrypt rather than a full disk encryption. It's worked rather well for us over the last year. They support full disk if you'd like, but they excel at file-based encryption. No bricking of a drive here like full disk.

    http://www.credant.com/products/cmg-enterprise-edition.html
  • QordQord Senior Member Member Posts: 631 ■■■■□□□□□□
    Where I work, we use PGP. Good stuff, but the setup is not the most intuitive or user-friendly.
  • Chris:/*Chris:/* Member Posts: 658 ■■■■■■■■□□
    I would go with Check Point, solid product and good support.
    http://www.checkpoint.com/products/datasecurity/pc/
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • nelnel Member Posts: 2,859 ■□□□□□□□□□
    What's the performance like on the checkpoint disk encryption?

    We use pgp and the performance seems terrible! well at least on our kit!
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • Chris:/*Chris:/* Member Posts: 658 ■■■■■■■■□□
    I have not done a comparison between the two but with my knowledge of both I would assume Check Point would be better.
  • SrSysAdminSrSysAdmin Member Posts: 259
    Check Point seems to be the consensus...I spoke with them and at $110 per license the cost doesn't seem too unreasonable either.


    Thanks for all your help guys!
  • veritas_libertasveritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USAMember Posts: 5,735 ■■■■■■■■■■
    SrSysAdmin wrote: »
    Check Point seems to be the consensus...I spoke with them and at $110 per license the cost doesn't seem too unreasonable either.


    Thanks for all your help guys!

    If you have any questions call me. Be sure to check on getting WebRH up and running. It's great for the Help Desk and for you.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    We are moving towards tops for data by Mcafee.
  • subl1m1nalsubl1m1nal Member Posts: 176
    I was trying to remember what I've used in the past.

    I was thinking about deepfreeze however. Nice admin console to freeze, unfreeze computer.

    Otherwise, for encryption, I just use truecrypt. It's simple for the amount of PC's I support.
    Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure

    Plans for 2010: MCITP:EA and CCNA
    70-648 - Done
    70-643 - In progress
    70-647 - Still on my list
    70-680 - Still on my list

    www.coantech.com
    www.thecoans.net
    www.facebook.com/tylercoan
    www.twitter.com/tylercoan
    www.linkedin.com/users/tylercoan
  • subl1m1nalsubl1m1nal Member Posts: 176
    I should mention that deepfreeze is not encryption. Just software to freeze a computer's state (I would go M$ steady state now which is free). Used mainly by libraries or public computers. Reboot the computer, and any changes that were made are undone. Including malware, software installs, printer config changes, **** saved to my pictures, etc.
  • subl1m1nalsubl1m1nal Member Posts: 176
    LOL. They bleeped out ****. What is bleeped out rhymes with corn. Not ****, which rhymes with bit.
  • Diggs3dDiggs3d Member Posts: 35 ■■□□□□□□□□
    Hello All,


    My company is currently evaluating Check Point R80.10 Endpoint Security for Full Disk Encryption.

    Is there anyone out there currently running this version with the Centralized Management Console? If so, what's your take on the product?

    Thanks for your help,

    __________________

    B.A. - Information Technology
    Security + (2008)
    SSCP - In Progress
  • it_consultantit_consultant Member Posts: 1,903
    The FBI raided one of my clients recently (consult long enough and you will see a search warrant or two) and while they were doing their thing I asked about full disk encryption. According to them it is fairly easy for them to crack commercial disk encryption mainly because they can locate the private key (for example, admins have an override key in case a user forgot his password), the passwords are too simple, or they got a RAM capture of the computer.

    They specifically mentioned true crypt being difficult to impossible for them to crack. I think this has less to do with the technology but that most people who use true crypt are savvy and it is hard to get away with using a bad password in true crypt. A 30 character or more password will make it very difficult for even federal law enforcement to crack your encryption.
  • afcyungafcyung Member Posts: 212
    Validated 140-1 and 140-2 Cryptographic Modules

    Gives a solid break down of the encryption product as tested by NIST.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    We are using Check Point Full Disk and Media Encryption for our enterprise. I'm upgrading the FDE to latest version right now and planning a roll-out of Media Encryption (lets you lock-down ports and encrypt thumbdrives, CDs, etc.) for next year. This stuff works great and even has a Help Disk

    Yup, this is what we use as well, though we still call it PointSec :)
  • Repo ManRepo Man Member Posts: 300
    My company will be switching to BitLocker soon. How does it hold up in an enterprise environment?
  • WafflesAndRootbeerWafflesAndRootbeer Member Posts: 555
    Repo Man wrote: »
    My company will be switching to BitLocker soon. How does it hold up in an enterprise environment?

    It holds up alright since it's built into the latest versions of Windows, which makes it somewhat seamless, but like any other solution, you must properly manage it and instruct users on how to use it correctly or your data is scrambled eggs if something goes wrong. Since it's not intended to be compatible with consumer systems (With the exception of Windows Vista or 7 Ultimate) end-users might find it unacceptable if they can't use their personal computers at home with any encrypted drives and that can bite you in the ass if you don't have management backing you up.
  • Diggs3dDiggs3d Member Posts: 35 ■■□□□□□□□□
    Our company is currently using Bit Locker for Win 7 Deployments but we're having issues with "AD Integration" and "GP enabling Bit Locker".

    I also have seen two fully encrypted drives allow the user to bypass Pre-boot Authentication "PIN" by simply hitting the "ESC" key.

  • XantchaXantcha Member Posts: 64 ■■□□□□□□□□
    Thanks for the heads-up about truecrypt. It's good to know that we still have some chance at privacy.