The following case study deals with a user's laptop and its encryption needs. It was done before an enterprise-scale system was available.

Background

  • A user wishes to replace his desktop machine with a laptop to enable portable operation.
  • The user routinely works with confidential and personal data.
  • The user's function is critical to the organization and he needs to be able to perform his functions from alternate locations in the event of emergency situations.
  • The user is experienced with handling confidential data and following security procedures. This reduces the need to create a system where encryption is automatic and fully transparent to the user.
  • The only important local data stored on the user's current desktop machine is his mail archives.
  • The user's machine is part of the VT Active Directory and AD is used to authenticate logins.
  • Critical data files are stored on the department's MS Windows server (e.g. the user's "My Documents" folder).
  • The user's current desktop machine is managed and maintained by departmental system administrators.

Requirements

Remote Access

  • Banner HRIS (Banner and IS&C Reports)
  • PeopleSoft
  • Outlook
  • Various web applications
  • A departmental application
  • Departmental printers

Local Applications

  • Firefox
    • Signature with VT-issued Aladdin eToken.
  • MS Word, Excel, Outlook
  • Visio
  • Adobe Acrobat Std.

Proposal

General Considerations

  • As much as is practical, the laptop and the data on it need to be treated as throw-away, i.e. remember that the laptop may be lost, stolen, or damaged at any point in time.
    • Critical data will be stored on the department's server when network connectivity is available.
  • Offline use
    • The user will have to do his own backups of critical working data.

User Responsibilities

  • Backups of data while operating without network access
  • Use of encrypted folders for confidential data

To consider

Some leftover stuff to be moved elsewhere

  • BIOS password
  • eToken login
  • offline usage
    • working data
    • authentication
    • patching/configuration
  • encryption of data
  • remote system administration
  • encryption of e-mail
  • VPN
  • data recovery/encryption password recovery
  • USB drive applications, maybe bootable.
  • network
    • Modem
    • Wired Ethernet
    • Wireless
    • Others?
  • hibernation images, registry data?
  • how much offline capability?
    • reduced-bandwidth functionality?