
Background: I work at a financial company with very strict security guidelines. We're in a scenario now where we have to enable cached exchange mode for a couple of our remote offices. However our IRM (information risk management) department is giving us some trouble because they don't want to assume the risk of having people's e-mail cached locally on their workstation without any monitoring. If there is some type of monitoring or security in play, they will be ok with it.

Has anyone on here experienced this type of scenario? Is anyone familiar with any possible ways to monitor this or mitigate the risk?

ziesemer
Nick119

2 Answers


You may consider this to be a little drastic (though you shouldn't), but a solution I've seen used is full disk encryption, on all workstations (desktops and laptops), integrated into the Windows login process. (This may be beneficial / required per your security guidelines anyway, for files besides just Outlook email.)

If the device is removed from the network and unable to successfully authenticate to the network at both the machine and user levels, there is no access to the unencrypted data - so even if the Outlook/Exchange email were cached locally in a *.ost file, it wouldn't be able to be accessed.

One implementation I was familiar with essentially just secured the Windows boot process. I.e., everything was encrypted, but there was no other prompt for credentials to the user other than the normal Windows login screen. If you couldn't successfully log in to the domain, there was no access to the data on the computer. Attempting to use an alternate boot device, etc., would yield nothing but an encrypted disk.

ziesemer
  • I don't think FDE is drastic at all - with modern hardware, there is very little if any performance hit, and it's fairly easy to implement. – EEAA Jan 26 '12 at 15:33
  • @ErikA - agreed, but especially for an organization, it comes with additional support needs, the significance of which is debatable. – ziesemer Jan 26 '12 at 15:35
  • Yes, absolutely. As I added in my edit below, though, it sounds like FDE is something they should have already been familiar with. – EEAA Jan 26 '12 at 15:37
  • I really hope a **financial company** already has FDE. FDE + Disabling Cached Credentials solves this problem quick and easy and should be standard practice for non-laptop computers. – Chris S Jan 26 '12 at 15:40
  • @ChrisS - Completely agreed - which is why I mentioned that it may already be an existing requirement. And good point on disabling the cached credentials. – ziesemer Jan 26 '12 at 15:43

Is anyone familiar with any possible ways to monitor this or mitigate the risk?

As with any environment where physical security of machines is in question, use FDE, and require that employees power down their workstations when they leave for the day. Sounds like you're a Windows shop, so you probably want to look into BitLocker. It integrates well with Active Directory, allowing recovery keys to be stored in AD.

If your security requirements are as stringent as you make them out to be, FDE is something that you probably ought to have sorted out anyway.

EEAA
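Both answers and the comments converge on the same control set: full disk encryption on the OS volume (BitLocker in a Windows shop), cached domain logons disabled so an offline logon cannot unlock the machine, and knowing what Outlook .ost data actually sits on the box. The PowerShell below is an added example, not code from either answerer; it is a read-only compliance check a desktop team could run before enabling Cached Exchange Mode on a workstation. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated session, Outlook's default .ost folder under %LOCALAPPDATA%\Microsoft\Outlook, and treats `CachedLogonsCount` = 0 as the target (the Windows default when the value is absent is 10); the function name and parameters are this example's own.

```powershell
# Added example (not from the original thread): read-only checks for a workstation
# that will run Outlook in Cached Exchange Mode. Reports BitLocker protection of the
# OS volume, the cached-domain-logon setting, and the local .ost files present.

function Test-CachedMailWorkstation {
    [CmdletBinding()]
    param(
        # Outlook's default OST location (assumption); override if profiles use another path.
        [string]$OstRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'),
        # 0 = no domain logons cached; the Windows default when the value is absent is 10.
        [int]$MaxCachedLogons = 0
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. BitLocker on the system drive. ProtectionStatus 'On' means key protectors are
    #    active (not suspended); VolumeStatus 'FullyEncrypted' means encryption finished.
    $osDrive = $env:SystemDrive
    $bde = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
    if ($null -eq $bde) {
        $findings.Add("BitLocker status for $osDrive could not be read (module missing or not elevated).")
        $fdeOk = $false
    } elseif ($bde.ProtectionStatus -ne 'On' -or $bde.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$osDrive is not fully protected: ProtectionStatus=$($bde.ProtectionStatus), VolumeStatus=$($bde.VolumeStatus).")
        $fdeOk = $false
    } else {
        $fdeOk = $true
    }

    # 2. Cached domain credentials. A missing value means the Windows default (10) applies.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }
    $cachedOk = ([int]$cached -le $MaxCachedLogons)
    if (-not $cachedOk) {
        $findings.Add("CachedLogonsCount is $cached; expected at most $MaxCachedLogons so an offline logon cannot unlock cached mail.")
    }

    # 3. Offline mailbox files actually present on this machine (size is informational,
    #    so IRM knows how much mail would be at rest on the disk).
    $ostFiles = @()
    if (Test-Path $OstRoot) {
        $ostFiles = @(Get-ChildItem -Path $OstRoot -Filter '*.ost' -File -ErrorAction SilentlyContinue)
    }
    $sumBytes = ($ostFiles | Measure-Object -Property Length -Sum).Sum
    $totalMb = [math]::Round(($sumBytes / 1MB), 1)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FdeProtected      = $fdeOk
        CachedLogonsCount = [int]$cached
        OstFileCount      = $ostFiles.Count
        OstTotalMB        = $totalMb
        Compliant         = ($fdeOk -and $cachedOk)
        Findings          = $findings.ToArray()
    }
}

# Usage: run elevated on the workstation. A non-zero exit lets a deployment job gate
# the Cached Exchange Mode rollout on the result.
$result = Test-CachedMailWorkstation
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The check deliberately reports rather than remediates: turning BitLocker on and changing `CachedLogonsCount` belong in Group Policy (where the AD recovery-key backup the second answer mentions is also configured), and a script that only reads state can be run by the IRM team themselves as evidence that the controls are in place on each office's workstations.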