1. Lessons learned during Sandia’s encryption implementation NLIT 2009 May 2008 Sam Jones Matt Snitchler Desktop Technology Development Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

2. Objective Protect sensitive data on all mobile devices Meet NAP 14-2-C Cyber Security Requirement

3. Windows Solution Credant Mobile Guardian FIPS 140-2 Certified Enterprise key management Reporting capability Supports removable media Not a silver bullet

4. Mac Solution FileVault Credant Mac Client (Beta) –Managed by console –Does not support Windows Credant EMS WinMagic Removable media support not integrated

5. Linux Solutions GnuPG RHEL 5.3 –Linux Unified Key Setup (LUKS) Does not support Windows Credant EMS Dual Boot problems Removable media support not integrated Hardware based FDE software support immature

6. Encryption hurts Long encryption times I/O intensive applications affected Flash drives cumbersome Large USB drives experience initial long encryption time System recovery more complex

7. Hardware FDE Works well with I/O intensive applications No initial encryption hit Does not work with all hardware vendors –Dell, HP, Lenovo Enterprise management solutions immature –Key management –Reporting –Wave, Secude, WinMagic Technically not FIPS 140-2 Hardware FDE option on Preferred System List

8. Hardware encrypted flash IronKey –Multi platform Windows, Linux, Mac (Beta) –FIPS 140 certified –Expensive –Enterprise management solutions immature Key management Reporting Does not work well with Credant EMS

9. Questions ? sejones@sandia.gov 505 845-8643 mdsnitc@sandia.gov 505 844-7790