Drexel IT Update: Encrypted Share Migration

Drexel IT is in the process of retiring the current encrypted file server (EFS) and will be replacing it with a new setup that will be referred to as the sensitive information file server (SIFS). The underlying technology currently used to encrypt the file server’s contents (Sophos SafeGuard) is being discontinued by the software vendor, so this change is unfortunately mandatory.

The migration process will start with the Autism Institute in mid-March. If the process goes smoothly, CNHP will be the next in line starting early April, followed by SOPH in mid-April.

The replacement solution will:

  • Continue to use the same path (\\files.drexel.edu\encrypted\ai). Your files will be right where you left them.
  • Not use any third-party software as is currently required (Sophos SafeGuard).

For those who are curious about the technical details, the replacement solution will:

  • Require SMB 3.0 to perform encryption in transit
    • Both macOS and Windows support SMB 3.0 on all currently supported versions.
      • Windows 10
      • macOS Catalina 10.15, macOS Big Sur 11, and macOS Monterey 12 (to be supported soon by Drexel IT)
  • Run on a Windows Server that uses BitLocker so the data is encrypted at rest.
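
For Windows users who want to confirm the in-transit encryption on their own connection, here is an added example (not part of Drexel IT's announcement or tooling) that reads the negotiated SMB dialect and encryption state with the built-in Get-SmbConnection cmdlet. The function name Test-SifsSmbConnection is hypothetical, and the server name is taken from the share path above.

```powershell
# Added example: client-side check, not Drexel IT's own tooling.
# Open the share in File Explorer first so an SMB connection exists.
function Test-SifsSmbConnection {
    param(
        [string]$ServerName = 'files.drexel.edu',   # host from the share path above
        [version]$MinimumDialect = '3.0'            # SMB 3.0 is the stated requirement
    )

    $connections = Get-SmbConnection -ServerName $ServerName -ErrorAction SilentlyContinue
    if (-not $connections) {
        Write-Warning "No active SMB connection to $ServerName. Open the share first."
        return
    }

    foreach ($c in $connections) {
        # Dialect is reported as a string such as '3.1.1' or '2.1'
        $dialect = [version]$c.Dialect
        [pscustomobject]@{
            Share     = "\\$($c.ServerName)\$($c.ShareName)"
            Dialect   = $c.Dialect
            Encrypted = $c.Encrypted
            # Compliant only if the dialect is new enough AND the session is encrypted
            Compliant = ($dialect -ge $MinimumDialect) -and $c.Encrypted
        }
    }
}

Test-SifsSmbConnection | Format-Table -AutoSize
```

A row with `Compliant` set to `False` means the connection either negotiated a dialect older than 3.0 or is not encrypted.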

Major changes to the data stored in the new location will include:

  • Files will no longer be individually encrypted but will be stored on a volume that is encrypted. This change will be transparent to most.
  • Requirements for encrypting data at rest are fulfilled by encrypting the entire volume using BitLocker on the server.
  • Access is controlled via Windows share and NTFS permissions.
  • Clients on the Drexel VPN will not be able to access the new server!
    • This change is being made to help prevent data leakage.
    • Previously, with Sophos SafeGuard file-based encryption, if a file was copied to a personal machine over the VPN, file-level encryption prevented that file from being accessed on a system that did not have SafeGuard installed.
    • Since we’re not utilizing file-based encryption in the new configuration, a file copied to a non-Drexel machine would be accessible.

If access over the VPN or from a personal machine is required, Drexel now offers Virtual Desktops, a secure solution for accessing data on the new file server.

For those who have workstations for analyzing large data sets, please reach out to me if these workstations are used at home and connect to the VPN to process data on the EFS. They’ll need to be brought back to Drexel and accessed remotely using Remote Desktop Protocol (RDP) from a second machine if you’ll continue working remotely.

Please contact Larry Win with questions.
