JLogan3o13 (Moderator) - Posted August 17, 2016 (edited)

I debated where to put this, as it is something of a broad topic. I am currently preparing a quote for a customer looking to do full disk encryption for their environment (all 8,000 seats, HIPAA compliance). I just wanted to see what others are using, and what your experience has been, specifically with Symantec, Trend, Sophos, and Kaspersky (pulled from the 2016 Gartner Magic Quadrant). I have experience deploying some, but not all, and everyone's experience varies enough that I thought it would be beneficial.

Some caveats for this customer: Windows 7 Professional, a year at least from upgrading to Windows 10. When they do, they will be going to Windows 10 Pro; no interest in an Enterprise License Agreement. Until they're on 10, that rules out BitLocker altogether.

Here are the comparison criteria I am working up, for reference. I'd be interested to hear anyone's take, especially in larger environments (1,000 seats or above).

I. Compatibility with the OS
• Is the product able to secure Windows Pro machines?
• Does the product use a proprietary encryption engine, or does it sit on top of a service such as BitLocker?

II. Deployment Options
• Is the product capable of deploying to endpoints through a native console, or must another method be used?
• How long will it take to convert the disk from unencrypted to encrypted on a 500GB mechanical disk? Solid state?
• What level of productivity degradation can be expected during this time?

III. Centralized Management
• How intuitive is the management interface for the product?
• Single management console?
• How does the management console of this product handle:
  o Forgotten passwords/lost keys
  o Client patch/upgrade management
  o Changes to key sizes/algorithm changes
  o Delegation of rights to Help Desk or other staff to assist users with forgotten password/lost key
  o Self-service recovery of keys

IV. Security and Compliance
• What steps does the product take to mitigate attacks such as brute force password attacks (suspend for x minutes, suspend until admin logs in, device wipe, etc.)?
• What is the algorithm in use?
• Are any keys stored locally? If so, where (TPM, devices without TPM)?

Edited August 17, 2016 by JLogan3o13
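Criteria I, II and IV above all depend on facts about the fleet that a product comparison needs up front: which Windows edition each seat runs, how large the system disk is (conversion time), and whether a TPM exists and is usable for key protection. The script below is an added example, not something posted in this thread; it inventories those facts over WMI from a list of computer names. It assumes Windows 7 or later endpoints, WMI/DCOM reachable from the machine running it, and a caller who is a local administrator on each target (the Win32_Tpm class refuses non-admin queries). The names in $Targets are placeholders; the script is written for PowerShell 2.0 syntax so it runs on an unpatched Windows 7 box.

```powershell
# Added example (not from the thread): pre-deployment readiness inventory for FDE criteria I, II and IV.
# Assumptions: Win7+ targets, WMI reachable, caller is local admin on each target.
param(
    [string[]]$Targets = @('localhost')   # placeholder; replace with real hostnames or a file read
)

function Get-FdeReadiness {
    param([string]$ComputerName)

    $r = @{
        Computer     = $ComputerName
        OSEdition    = $null
        SystemDiskGB = $null
        TpmPresent   = $false
        TpmSpec      = $null
        TpmEnabled   = $null
        TpmActivated = $null
        TpmOwned     = $null
        Error        = $null
    }

    try {
        # Criterion I: which edition is installed (Pro vs Enterprise decides whether BitLocker is even an option).
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $r.OSEdition = $os.Caption.Trim()

        # Criterion II: size of the disk holding the system volume, the main input to a conversion-time estimate.
        $sysDrive = $os.SystemDrive   # e.g. "C:"
        $logical = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $ComputerName `
                                 -Filter "DeviceID='$sysDrive'" -ErrorAction Stop
        $r.SystemDiskGB = [math]::Round($logical.Size / 1GB, 1)

        # Criterion IV: is there a TPM, and is it enabled, activated and owned?
        # Win32_Tpm lives in the MicrosoftTpm security namespace and returns nothing when no TPM exists.
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm `
                             -ComputerName $ComputerName -ErrorAction Stop
        if ($tpm) {
            $r.TpmPresent   = $true
            $r.TpmSpec      = $tpm.SpecVersion          # "1.2, 2, 3" style string; first field is the TPM spec
            $r.TpmEnabled   = [bool]$tpm.IsEnabled_InitialValue
            $r.TpmActivated = [bool]$tpm.IsActivated_InitialValue
            $r.TpmOwned     = [bool]$tpm.IsOwned_InitialValue
        }
    }
    catch {
        # Unreachable host, access denied, or WMI failure: record it rather than abort the whole run.
        $r.Error = $_.Exception.Message
    }

    New-Object PSObject -Property $r |
        Select-Object Computer, OSEdition, SystemDiskGB, TpmPresent, TpmSpec, TpmEnabled, TpmActivated, TpmOwned, Error
}

$report = foreach ($t in $Targets) { Get-FdeReadiness -ComputerName $t }

# Per-machine detail, then the counts a product comparison needs first: seats that can anchor keys in a
# usable TPM, seats with no TPM at all (need a password or USB-key fallback), and seats that could not be read.
$report | Format-Table -AutoSize
$usable = @($report | Where-Object { $_.TpmPresent -and $_.TpmEnabled -and $_.TpmActivated }).Count
$noTpm  = @($report | Where-Object { (-not $_.TpmPresent) -and (-not $_.Error) }).Count
$failed = @($report | Where-Object { $_.Error }).Count
"TPM usable: $usable   No TPM: $noTpm   Unreachable/errors: $failed"
```

Run it as an administrator with a list of hostnames (for example `.\Get-FdeReadiness.ps1 -Targets (Get-Content .\hosts.txt)`). The "No TPM" count is the number to put beside criterion IV for each vendor, since it is exactly the population whose keys the product will have to protect by some other means; the SystemDiskGB column, sorted, tells you how many machines are near the 500GB figure used in criterion II.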
orbs - Posted August 19, 2016

We're (international banking corporation) using CheckPoint Endpoint Security Full Disk Encryption. This was dictated by the global compliance and security teams, so I guess it's compliant with whatever standards they choose to comply with. Being on the more technical side, I cannot add any info on that aspect (except what is published in the product specifications, of course).

On the up side, it is very easy to deploy and manage. No downtime and no performance degradation.

On the down side, it has a very poor solution for installation/patching processes which include multiple reboots. If you do that a lot, I would not recommend this product. It also mandates the involvement of IT when it comes to forgotten passwords, i.e. there is no automatic process that users can perform on their own (which actually makes sense, for both the security aspect and the common use case).
JLogan3o13 (Moderator, Author) - Posted August 19, 2016

@orbs I managed a CheckPoint rollout some years ago, when they were Pointsec. I remember trying to train the HelpDesk staff on using the little challenge/response fobs when someone forgot their pre-boot auth password. What a nightmare.