1. Background
The High Impact Data Protection (HIDP) project team was convened in late July 2008 to determine a solution to mitigate the threat to sensitive Institute data posed by lost or stolen portable devices (laptop computers and mobile devices). PGP's Whole Disk Encryption (WDE) product has been chosen as the best solution, and a deployment plan is currently under development, focusing on a targeted set of MIT users with access to sensitive data.
2. Findings
- LDAP Dependency
There is concern over the assumption that LDAP authentication using Kerberos passwords will be available for rollout, as the current ldap.mit.edu infrastructure does not support this method of authentication. The next-generation directory system may support such authentication, but issues around access and proper use must be addressed before it can be enabled.
3. Recommendation from the TAP Consultation
"Approved with Concerns":
A majority of TAP approves the plan as long as it takes into account the concerns described in the Findings.
1 Comment
Paul B Hill
I partially agree with Jeff. We definitely don't want to roll out while requiring the users to reset their Windows AD password.
If we cannot limit the use of LDAP authentication when using the general purpose LDAP server, then one short term possibility is the creation of an LDAP server that can perform the authentication, and limit it to accept connections from the server for this product. However, the preferred solution is to use LDAP authentication against ldap.mit.edu, but be able to control which applications can use this functionality.
We don't want to create a situation where people are encouraged to create web applications that prompt people for usernames and passwords and then send them to the LDAP server for validation.