Security: Data Encryption at OCAD U
Updated: 15 September 2015 08:21 PM
What is encryption?
"In cryptography, encryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can." (http://en.wikipedia.org/wiki/Encryption)
Unauthorized access to your computer can expose sensitive student or University data stored on your hard drive. When your hard drive is encrypted, only individuals with explicit authorization can access the data stored on it. This level of security was missing at several higher education institutions and government offices, resulting in privacy breaches that caused legal and reputational damage as well as security and communications issues.
Why does my data need to be encrypted? What is sensitive data?
Information or data generated or received during the course of day-to-day operations is University owned and is an institutional asset. The Data Classification policy outlines responsibilities that members of the University community have with respect to information security and data management.
What encryption software is used at OCAD U?
For Mac computers with Mac OS X 10.7 or higher, the built-in FileVault 2 is enabled on all long-term Faculty loan laptops and office computers. On the Windows platform, IT Services deploys the Sophos SafeGuard Enterprise client to desktops and laptops.
Will the encryption software interfere with my productivity?
All attempts will be made to install the software without any disruption to your workflow. Some users will be contacted for manual installs. If a manual install is necessary, IT Services Help Desk staff will contact you to set up an appointment. The installation should take no longer than half an hour. Please make yourself available, as this is an important initiative and your cooperation is essential.
Once set up, the software runs in the background and will not interfere with your regular usage.
What is FileVault 2?
FileVault 2 is a tool built into Mac OS X that anyone running Mac OS X 10.7 (Lion) or later can use to enable full disk encryption on their Mac. It will stop someone who has physical access to your machine (or even just the storage from your device) from reading any data on it.
Where do I store my password to unlock my FileVault 2 encrypted computer? What happens if I forget my password?
This password is the password of the account you used to enable FileVault 2, typically your computer’s admin password. It is important (not only for FileVault 2) that you set a secure but easy-to-memorize password for your main user account before enabling FileVault 2.
When will I use the FileVault 2 Recovery Key?
You will need the recovery key to decrypt the volume if you lose your password or in the unlikely event that the encryption key associated with the password becomes corrupt. If you elected not to allow Apple to store the recovery key, keep a copy (or several) in a safe place other than your computer (e.g. email the key to yourself, write it down and keep the paper in a safe place).
I use Time Machine to back up my computer. Does using FileVault 2 have any impact on this?
No. But as a reference, expect the initial encryption to take a while to complete (as an example, on a non-SSD, 5400rpm drive, ~5 hours for every 250GB).
Will this impact the amount of space on my hard drive?
No, it will not.
Can I encrypt my non-Time Machine USB drive?
As long as your computer is FileVault 2 capable, yes. The process, however, varies.
Should I enable FileVault 2 on my Mac?
If your computer contains sensitive student or University data, you should enable FileVault 2 on your Mac.
How will this affect/impact my everyday tasks such as logging on and logging off, etc.?
In normal real-world usage, it shouldn’t affect your day-to-day tasks. Once you unlock the computer on initial boot, everything will work the same way as on an unencrypted system. Since FileVault 2 uses very few system resources, performance should not be affected.
Sophos SafeGuard Enterprise (Windows)
What is Sophos SafeGuard Enterprise?
Sophos SafeGuard Enterprise is a modular security suite that enforces security for PCs and mobile devices using administrator-defined policies.
It consists of a client installed on your computer that communicates with a server to determine which policies and settings should be enforced and applied locally.
What is full disk encryption?
Full disk encryption uses software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data at rest in the event that the device is lost or stolen.
How do I log in?
The username and password are the same as your regular OCAD U login. If prompted, you may then need to press CTRL + ALT + DELETE to log on.
Is all locally stored data encrypted when I am logged into the computer?
No. For you to log in and access your applications and files normally, the encrypted drive (at rest when powered off) needs to be decrypted. The data is only protected from unauthorized access in the event that your computer is lost or stolen.
What happens if I forget my password?
We recommend that you contact the IT Services Help Desk to reset your password. The IT Services Help Desk can be reached via email at firstname.lastname@example.org or via telephone at extension 277.
Note: The encryption key used to encrypt your data is based on a specific machine key (not your password) generated when the Sophos client is first installed.
What is the performance impact?
Startup or boot-up time will be longer (up to a few minutes), and this is most noticeable immediately after first installation, as settings, policies and data are transferred between the server and client. Upon first login after installation and during the initial encryption, a small percentage (<10%) of computing resources will be allocated to encrypting the data stored on disk. After encryption has completed, there will be a negligible impact on performance.
How will this affect/impact my everyday tasks?
There should be no impact to regular operation or use of any applications.
There are now two user login options. Which should I choose?
To avoid being prompted for your user credentials a second time, select the Sophos-branded option.