I’ve got a project on at the moment where I need to find some companies that are able to provide HDD encryption for IFA’s.

I work for a network of 1700 IFA’s and we would like to be able to recomend a firm that would be able to provide the service to the financial advisers should they wish to take it.

I have found a few, but wondered if the STW hive mind knew of any firms?

The CESG Approved Products List (accessible online), provides a list of companies government approved for just that sort of thing.
There’s quite a few, i’ve used either Stonewood drives or BeCrypt encryption s/w in the past.

What are you looking for a firm to do? Ie, above and beyond rolling out Truecrypt to everyone? Training / installation services?

Truecrypt would do all you need I imagine.

What are you looking for a firm to do? Ie, above and beyond rolling out Truecrypt to everyone? Training / installation services?

Yep. There are plenty of applications that do this, that could be rolled out no problem by your IT dept.

I used Pointsec for this in an old job. Seemed alright.

We do this for clients but it’s part of a managed service as there’s an on-going need to do recovery etc. when passwords have been forgotten (or more likely gone out of sync with AD assuming the laptops are on a domain). I can see you ending up with a lot of unhappy IFAs if you do an encrypt and forget type thing.

I can’t see why that would be a problem, because you’ve got all their data synchronised to a backed up central location, of course.

Although the IFA’s are part of our network, they have their own hardware, we support the software that they use (but not the OS)

This would be a ‘recommended solution’. i.e. “You should be thinking about encrypting your data, these guys will do it for a good price and will support it too”

I have used Truecrypt before, and its probably a bit too much for the average IFA to implement!

Thanks for your thoughts so far.

N.b – just to clarify – in this instance when I say ‘Network’ – I don’t mean a ‘computer network’

I thought there were legal rules now to force anyone handling the public’s personal to safeguard it, i.e. encrypt it, not just ‘recommended’ – so laptops, etc., HAVE to have something?

The BeCrypt software we use, has 1 username & 2 passwords to login, it runs as soon as the BIOS has loaded up and before the OS. Apart from passwords, it’s easy & unintrusive.

If you need some ideas, there should be some on this magazine’s website: http://www.scmagazine.com

This would be a ‘recommended solution’. i.e. “You should be thinking about encrypting your data, these guys will do it for a good price and will support it too”

Here be dragons. You try to be helpful, it all goes wrong, they then hold you accountable.

Either you support it, or you don’t. If you don’t, don’t get involved; it’s not your problem, keep it that way. Sure, go “hey, you should make sure your data is secure,” but unless it’s your responsibility leave it to the people who are responsible.

Or there’s the stuff baked into your operating system. Not uncrackable but enough for us to pass DD with our private equity owner

We use PGP Whole Disk Encryption

http://www.symantec.com/business/products/sysreq.jsp?pcid=pcat_info_risk_comp&pvid=wd_encryption_1

Once installed then it’s pretty unobtrusive, this is for a user base of about 20,000 employees (in UK and many more overseas) and each employee installs the product themselves.

We use pointsec which so far has been pretty good (earlier versions were a bit buggy though).
Are you going to implement pre boot authentication? Disk encryption without it will only be as secure as windows authentication/log in. So arguably, rubbish 🙂
If you do go for pre boot auth, then how are you going to administer users and accounts? I’m not sure if there are any products out there that will link in to active directory, so you’re looking at individual accounts on each workstation – an administration nightmare.
*edit*: unless of course you have a single common username/password that everyone knows, but then that wouldn’t be very secure at all – you can guarantee that your users are going to Sellotape the credentials to the workstation and laptop like they do at my place :/

PGP owned by Symantec – whatever next!

Agree with a lot of the above, it’s do-able but the devil’s in the detail and can be a proper can of worms ime

If the IFAs are using laptops out in the field then they’ll need local accounts won’t they.

For individual machines without the need for any central management then Trucrypt works well.

If you need to offer services such as remote unlock when users forget their passwords (it happens!) then I would recommend AlertSec. This is PointSec but on a monthly subscription licencing that includes support.