PGP whole disk encryption: blazing trails in IT security at UW Medicine

  • Authors: Kristen Dietiker
  • Affiliations: University of Washington, Seattle, WA, USA
  • Venue: Proceedings of the 36th annual ACM SIGUCCS fall conference: moving mountains, blazing trails
  • Year: 2008

Abstract

The Department of Surgery at the University of Washington School of Medicine is faced with the challenge of providing IT security to faculty, researchers, and staff within a clinical hospital environment and at multiple sites. Many departmental faculty and staff use laptops running Windows XP and often find it necessary to travel to multiple locations throughout the day or week. Additionally, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) mandate the protection of protected health information (PHI) and student data that many members of the department interact with as a normal part of their work. Such data stored on departmental laptops must be secured. Concerned with data security, the department is deploying PGP Universal in order to protect this fleet of laptops with a centrally managed, whole disk encryption solution. A centrally managed whole disk encryption solution was desired for both Windows XP and a small number of Macintosh laptops, but not available for the latter. The Department of Surgery IT Services Group (ITSG) selected PGP Universal for the Windows-based solution and monitors PGP Corporation's ongoing development of a Mac OS X whole disk encryption solution. ITSG staff tested PGP and a deployment process was developed in the hopes of avoiding technical problems. Minor installation problems that did occur were found to be the result of computing staff's deviation from installation procedures. The amount of time required to deploy the solution across the department was underestimated; the project has taken additional time for several reasons, including the difficulty in coordinating installations with a mobile workforce; a number of competing, large-scale products; and possibly the ITSG organizational structure.
While the use of PGP whole disk encryption has necessitated a change in behavior for both laptop users and ITSG staff, these changes are minor and can be addressed with careful planning and forethought.