Ohio Digital Government Summit 2007
Laptop Disk Encryption
Colorado’s Approach
Presented to: Ohio Digital Government Summit
October 16, 2007

Overview
Colorado’s Data Security Environment
Acquisition Strategy
The State’s Acquisition Process Trade-Offs
Results
Current Status
What We’ve Learned

Colorado’s Data Security Environment
Background
  Appointment of CISO
  House Bill 1157
  Laptop Related Incidents
Goals
  Pre-empt the Problem with a Solution
  Get It Done Fast
  Solve it for the Enterprise
  Make It Comprehensive
  Provide a Solution With Staying Power

Acquisition Strategy
What’s Available
What Does Gartner Think
What’s the Scope?
RFP?
Agency Collaboration/Communications
State Employee Teams

Requirements Tradeoffs
Capability vs Price
Technical Requirements
Cost and Pricing Considerations
Walking the tight rope

Capabilities Desired
FULL DISK ENCRYPTION
CENTRAL PRODUCT MANAGEMENT
CENTRAL KEY MANAGEMENT
PRE-BOOT AUTHENTICATION
PRICE, PROF. SERVICES, SUPPORT, TRAINING
LINUX, MAC, W95, W98, WNT, WME, W2K, WXP, VM
REMOTE USER MGT., LOG MGT., SYSTEM MGT.
FILE ENCRYPTION
FOLDER ENCRYPTION
USB / CD / DVD
PHONE / PDA
TOKEN SUPPORT
SSO
PKI INTEGRATION
DIGITAL SIGNATURE
S/MIME ENCRYPTION
CAPI COMPATIBLE
IDENTITY MANAGEMENT

Capabilities “Proposed”
FULL DISK ENCRYPTION
CENTRAL PRODUCT MANAGEMENT
CENTRAL KEY MANAGEMENT
PRE-BOOT AUTHENTICATION
PRICE, PROF. SERVICES, SUPPORT, TRAINING
LINUX, MAC, W95, W98, WNT, WME, W2K, WXP, VM
REMOTE USER MGT., LOG MGT., SYSTEM MGT.
FILE ENCRYPTION
FOLDER ENCRYPTION
USB / CD / DVD
PHONE / PDA
TOKEN SUPPORT
SSO
PKI INTEGRATION
DIGITAL SIGNATURE
S/MIME ENCRYPTION
CAPI COMPATIBLE
IDENTITY MANAGEMENT

The Tight Rope
Technical Requirements
  Full disk encryption
  Password at boot
  Secure storage of keys
  Removable devices
  User transparency
  Multiple operating systems
  Network based solution
  Key backup/recovery
  Remote installation
  Central pass-phrase management
  Training
Cost and Pricing Considerations
  Firm-fixed-price initial buy
  Enterprise price agreement
  Mandatory price agreement
  Specified size of initial buy
  License mobility
  4-year product support term
  Optional feature considerations
  Total bid price

The State’s Acquisition Process Trade-Offs
The Tradeoffs were made:
  IFB – 3 Months, Significant Risks
  RFP – 8 Months, Less Risk, Too Long
RFP Selected - We Had 5 Months
Adopted Accelerated Project Management Approach

LTE Project’s Approach - Acquisition
Write and Issue RFP
Respond to Bidder Questions
Evaluate Bidder Responses
  Step One – Technical Evaluation/Demo
  Step Two – Price Evaluation/Selection
  Step Three – Acceptance Testing
Negotiate Mandatory Price Agreement

LTE Project’s Approach – Leveraging A Solution
All Departments Funded by CISO ($450K)
6,700 Laptops in the Baseline
Executive Departments Must use the Mandatory Price Agreement for Future Product Purchases
Secretary of State, Attorney General, Higher Education, and Local Governments May Use Price Agreement
Coordination/Communications with Departmental CIOs
Technical Evaluators from Executive Branch Departments
Acceptance Testing Involved Same Departments
Centralized Training Provided to All Agency Technical Personnel

Results
Pre-emptive Solution Accepted
Near On-Schedule Completion of Acquisition Component of the Project
Coordination/Communication with Departments – Beneficial
Technical Training of Agency IT Personnel Completed On-Schedule
Enterprise Solution Accepted
Implementation Rate - Acceptable

Current Status
[Chart: Laptop Encryption Progress - All 26 Agencies. Vertical axis: Laptops Encrypted (0.00% to 100.00%). Horizontal axis: Date (4/15 to 4/13, spanning 2007 and 2008). Estimated Completion: Feb 2008]

What We Learned
Project Management Fundamentals Pay Off
Planning Project/Schedule Essential
Leveraging the State’s Buying Power Works!
Procurement Methods Vary in Terms of Time, Risk, and Effectiveness
Communications/Coordination with Agencies Vital
Funding Should Not Be an Issue
Making Trade-offs Up-Front Necessary
Acceptance Testing Involving Agency Technical Experts Leads to Buy-In
Training Up-Front Essential to Buy-In as Well
Following Up On Agency Implementation Necessary

Contact Information
Bob Feingold
303-810-3215