Page 451 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

is a chip that resides on the motherboard of the device. The TPM serves a number of purposes, including the storage and management of keys used for full disk encryption (FDE) solutions. The TPM provides the operating system with access to the keys, preventing someone from removing the drive from one device and inserting it into another device to access the drive’s data.
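To make concrete what it means for a TPM to bind an FDE key to one device, here is an added example in Go that is not from the study guide and does not use a real TPM interface. It models sealing: a per-device root key that never leaves the chip, Platform Configuration Registers (PCRs) that accumulate boot measurements, and a volume key wrapped under a key derived from both, so the sealed blob unwraps only on the same device in the same measured boot state. The names SimTPM, Extend, Seal, Unseal and Demo, the sample measurements and the volume key are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SimTPM is a constructed, simplified model of a TPM (not a real TPM API): a
// root key that never leaves the chip plus PCRs that hold boot measurements.
type SimTPM struct {
	storageRootKey []byte               // unique per device, generated on the chip
	pcrs           [8][sha256.Size]byte // pcrs[i] is the running digest of boot component i
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewSimTPM() *SimTPM {
	return &SimTPM{storageRootKey: mustRandom(32)} // PCRs start as all zeros
}

// Extend records a measurement as PCR = H(PCR || measurement). A PCR can only
// be extended, never written directly, so a changed component cannot be hidden.
func (t *SimTPM) Extend(index int, measurement []byte) {
	h := sha256.New()
	h.Write(t.pcrs[index][:])
	h.Write(measurement)
	copy(t.pcrs[index][:], h.Sum(nil))
}

// aead derives the wrapping key from the device-unique root key and the selected
// PCR values, so a sealed blob only unwraps on this device in this boot state.
func (t *SimTPM) aead(selection []int) cipher.AEAD {
	mac := hmac.New(sha256.New, t.storageRootKey)
	for _, i := range selection {
		mac.Write(t.pcrs[i][:])
	}
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte HMAC output: AES-256 key
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal wraps an FDE volume key to this TPM and the selected PCRs (nonce || ciphertext).
func (t *SimTPM) Seal(volumeKey []byte, selection []int) []byte {
	aead := t.aead(selection)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, volumeKey, nil)
}

// Unseal releases the volume key only when the wrapping key matches; on another
// device, or after a changed boot measurement, GCM authentication fails instead.
func (t *SimTPM) Unseal(blob []byte, selection []int) ([]byte, error) {
	aead := t.aead(selection)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	key, err := aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("unseal refused: device or boot state does not match")
	}
	return key, nil
}

// Demo seals a volume key on one device and reports whether the same device, a
// second device holding the moved drive, and the original device after a
// boot-chain change can each recover it.
func Demo() (sameDevice, otherDevice, changedBoot bool) {
	sel := []int{0, 7}
	volumeKey := []byte("constructed-32-byte-volume-key!!") // constructed sample key
	laptop := NewSimTPM()
	laptop.Extend(0, []byte("firmware v1"))
	laptop.Extend(7, []byte("bootloader v1"))
	blob := laptop.Seal(volumeKey, sel)
	got, err := laptop.Unseal(blob, sel)
	sameDevice = err == nil && bytes.Equal(got, volumeKey)
	other := NewSimTPM() // drive moved to another machine: same boot chain, different root key
	other.Extend(0, []byte("firmware v1"))
	other.Extend(7, []byte("bootloader v1"))
	_, err = other.Unseal(blob, sel)
	otherDevice = err == nil
	laptop.Extend(7, []byte("bootloader v2")) // boot chain changed on the original device
	_, err = laptop.Unseal(blob, sel)
	changedBoot = err == nil
	return sameDevice, otherDevice, changedBoot
}
```

Demo returns true, false, false: the original device in its original boot state recovers the key, a second device with an identical boot chain cannot (its root key differs), and the original device cannot either once a measured boot component has changed. Real TPMs add an authorization policy and anti-hammering on top of this, but the binding of the wrapping key to the chip and to the PCR state is the property that defeats moving the drive.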



A wide variety of commercial tools are available that provide added features and management capability. The major differentiators between these tools are how they protect keys stored in memory, whether they provide full disk or volume-only encryption, and whether they integrate with hardware-based Trusted Platform Modules (TPMs) to provide added security. Any effort to select encryption software should include an analysis of how well the alternatives compete on these characteristics.




Don’t forget about smartphones when developing your portable device encryption policy. Most major smartphone and tablet platforms include enterprise-level functionality that supports encryption of data stored on the phone.




Email

We have mentioned several times that security should be cost-effective. When it comes to email, simplicity is the most cost-effective option, but sometimes cryptographic functions provide specific security services that you can’t avoid using. To keep email security cost-effective as well, here are some simple rules about encrypting email:

If you need confidentiality when sending an email message, encrypt the message.

If your message must maintain integrity, you must hash the message.

If your message needs authentication, integrity, and/or nonrepudiation, you should digitally sign the message.
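The three rules worked through in Go, as an added example that is not part of the study guide: a SHA-256 digest for integrity, an Ed25519 signature for authentication, integrity and nonrepudiation, and AES-256-GCM for confidentiality. The message text, the key pairs and the function names (Digest, IntegrityIntact, Sign, Verify, Encrypt, Decrypt, Demo) are all constructed here, and how the symmetric key is shared with the recipient is assumed to happen elsewhere. The example goes one step beyond the rules by showing why a digest on its own is not authentication: whoever alters the message can recompute it, so the digest must itself be protected, which is what the signature provides.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Integrity (rule 2): the sender publishes a digest and the recipient recomputes
// it over what arrived. The digest must reach the recipient over a protected path.
func Digest(msg []byte) [32]byte { return sha256.Sum256(msg) }

func IntegrityIntact(received []byte, published [32]byte) bool {
	return Digest(received) == published
}

// Authentication, integrity and nonrepudiation (rule 3): the sender signs with a
// private key only they hold; anyone with the public key can verify, and the
// sender cannot later plausibly deny having produced the signature.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// Confidentiality (rule 1): AES-256-GCM under a key shared with the recipient
// (how that key is agreed is outside this example). Output is nonce || ciphertext.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func Encrypt(key, msg []byte) []byte {
	aead := gcm(key)
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, msg, nil)
}

func Decrypt(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Demo applies the three rules to a constructed message and a forged variant
// and returns named outcomes; every entry is expected to be true.
func Demo() map[string]bool {
	out := map[string]bool{}
	msg := []byte("Please approve payment 4711 to supplier A") // constructed sample
	forged := []byte("Please approve payment 4711 to supplier B")
	// A published digest catches modification in transit...
	d := Digest(msg)
	out["hash_detects_tampering"] = !IntegrityIntact(forged, d)
	// ...but a digest that travels unprotected can simply be recomputed by the forger.
	out["recomputed_hash_accepts_forgery"] = IntegrityIntact(forged, Digest(forged))
	// A signature binds the message to the sender's key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, msg)
	out["signature_verifies"] = Verify(pub, msg, sig)
	out["signature_rejects_tampering"] = !Verify(pub, forged, sig)
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	out["signature_rejects_other_sender"] = !Verify(pub, msg, Sign(otherPriv, msg))
	// Encryption hides the content from anyone without the key.
	key := mustRandom(32)
	blob := Encrypt(key, msg)
	out["ciphertext_hides_content"] = !bytes.Contains(blob, []byte("supplier A"))
	plain, err := Decrypt(key, blob)
	out["decrypt_roundtrip"] = err == nil && bytes.Equal(plain, msg)
	_, err = Decrypt(mustRandom(32), blob)
	out["wrong_key_rejected"] = err != nil
	return out
}
```

Each entry of the map Demo returns is true. The one to note is recomputed_hash_accepts_forgery: a bare hash only detects accidental or in-transit change when the recipient already holds the correct digest, which is why the third rule (signing) is what actually tells you who sent the message. Real email encryption (S/MIME, OpenPGP) layers these same primitives: a signature over the content, then encryption of the signed content under a per-message key wrapped for each recipient.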