encrypted at rest - one drive for business / Google Apps for business
-
Anyone look in to encrypting files synced with One Drive for Business or Google Apps that are synced with the local hard drive? Is bit locker pretty much the most straight forward way of dealing with that?
For those that have deployed bit locker, if a hard drive won't boot and you can't repair it, is there any way to get files off the drive if you slave it in another machine?
-
You are only looking to encrypt them locally, not when hosted?
-
Bitlocker is fine if you only want to encrypt them part of the time. VeraCrypt is likely good if you want to encrypt them all of the time.
-
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
You are only looking to encrypt them locally, not when hosted?
No, I want them encrypted in both locations. This is to meet requirements of HIPAA / insurance companies.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
You are only looking to encrypt them locally, not when hosted?
No, I want them encrypted in both locations. This is to meet requirements of HIPAA / insurance companies.
Then Bitlocker isn't an option. No whole disk is. You have to encrypt the files, not the disk.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
You are only looking to encrypt them locally, not when hosted?
No, I want them encrypted in both locations. This is to meet requirements of HIPAA / insurance companies.
No sync service will be encrypted when authenticated.
Is ODfB encrypted on disk? No idea, check the MS documentation. You can optionally set that up with things like NextCloud.
-
I don't think Bitlocker does OneDrive encryption. If you tie bitlocker into AD you can do some recovery but it isn't robust and we had issues getting it to work reliably. We are looking at a different direction right now for endpoint encryption because bitlocker just didn't meet our expectations or needs.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
You are only looking to encrypt them locally, not when hosted?
No, I want them encrypted in both locations. This is to meet requirements of HIPAA / insurance companies.
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
-
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
You are only looking to encrypt them locally, not when hosted?
No, I want them encrypted in both locations. This is to meet requirements of HIPAA / insurance companies.
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
No, just him not understanding what the requirement is, I bet.
-
So use Bitlocker or DiskCryptor or VeraCrypt (I though VC was dropped because of BL) anyways encrypt the files and send them off.
Using BitLocker will decrypt the files when the system boots. Same thing with the alternatives above. Using something like DC or VC you can encrypt the files and send them anywhere to be decrypted.
Bitlocker I don't believe has this kind of ability without the recovery key.
-
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
Maybe I wasn't clear. Microsoft says that One Drive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen patient information wouldn't be accessible?
-
@DustinB3403 said in encrypted at rest - one drive for business / Google Apps for business:
So use Bitlocker or DiskCryptor or VeraCrypt (I though VC was dropped because of BL) anyways encrypt the files and send them off.
Microsoft had BL long, long before they started helping with VC.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
Maybe I wasn't clear. Microsoft says that One Drive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen patient information wouldn't be accessible?
You can do Bitlocker (Full disk encryption) or you can use something like Veracrypt to do file encryption. Either one would work. If you're doing FDE then you should have a backup mechanism to recover files. It's much easier to just re-image the disk then fight with an encrypted OS.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
Maybe I wasn't clear. Microsoft says that One Drive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen patient information wouldn't be accessible?
You SHOULD do that, absolutely. But you should never let patient records go to laptops at all, IMHO. Why do they need to be carrying around sensitive data of that nature? ANd while it's smart, it's not a HIPAA requirement. Would you get in HIPAA trouble for not having it? Yes, but only because you are violating basic industry security, not because HIPAA requires data encrypted at rest. If you fixed having patient data sent to volatile, mobile laptops you'd fix the issue more. If an encrypted laptop was stolen loaded with patient data, you could still be in the same HIPAA predicament depending on the judge and expert witness.
-
@coliver said in encrypted at rest - one drive for business / Google Apps for business:
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
@scottalanmiller said in encrypted at rest - one drive for business / Google Apps for business:
HIPAA absolutely does not require that, though. That's misinformation. Insurance, maybe, but not HIPAA. That doesn't make it a bad idea, but just not a hard requirement.
Maybe I wasn't clear. Microsoft says that One Drive files are encrypted in the blob store in the cloud. If my mobile users have those files synced to their laptops, wouldn't I need to have drive encryption or something on, so if the laptop was stolen patient information wouldn't be accessible?
You can do Bitlocker (Full disk encryption) or you can use something like Veracrypt to do file encryption. Either one would work. If you're doing FDE then you should have a backup mechanism to recover files. It's much easier to just re-image the disk then fight with an encrypted OS.
OneDrive would presumably be that mechanism.
-
Let's back up. Security is good, but the best security comes from good design. Back up... why is data being sent out for people to take home?
-
They are taking laptops to schools (where they work on site) and occasionally home visits where they don't have good enough wifi to get a stable VPN connection. I have thought about portable hot spots, but there are some locations where those don't work either.
-
@Mike-Davis said in encrypted at rest - one drive for business / Google Apps for business:
They are taking laptops to schools (where they work on site) and occasionally home visits where they don't have good enough wifi to get a stable VPN connection. I have thought about portable hot spots, but there are some locations where those don't work either.
So they are forced to have the data local because there is no means of accessing the data on the servers at the time of use? That's really crappy.
-
Assuming Windows, I'd probably just use bitlocker then and really lock down the machines. The issue is laptop theft in this case, and that works pretty well. Set the laptop to burn if someone tries to break in, no critical data there.
-
You have two basic security vectors to deal with. Someone stealing the laptop and someone stealing the hard drive out of it. If you stop someone from logging in effectively, that protects that vector. If you encrypt the whole hard drive that stops the other. BL should work fine and be transparent to the end user.