Encryption deadline May 31, 2015 - what happens next?



Last revision May 27, 2015

 
For the past one and a half years, the university central administration has been promoting new computer security requirements, including the goal to verifiably encrypt all devices used to access Stanford data by May 31, 2015. See:

https://encrypt.stanford.edu/

This deadline is almost upon us. Where do we stand, and what happens next?

The mandates for computing security are being broadly applied to any computing device used for Stanford work by any person who could be considered an employee of the university. "Employee" includes not only regular faculty, staff, and post-docs, but also any student who gets a paycheck as a research or teaching assistant! A "computing device" can be a desktop or laptop computer, a smartphone, or a tablet, and includes personally owned devices registered on the Stanford network.

The university has finally provided some good data analysis tools to let everyone see if their computing devices meet the standards. Log in with your SUNet ID to the new MyDevices website at:

https://mydevices.stanford.edu/

This will show you every computing device that the university believes is controlled by you and subject to its security requirements. You can click on each device to see its current status and whether it is reported as encrypted. There is a link to file a HelpSU request if a device is not really yours, has been discarded, or has incorrect data.

Please note that the MyDevices website also lets you recover the encryption key for any of your devices in case you get "locked out".

The May 31 encryption deadline applies to all devices you see on the MyDevices website, with some exceptions described here:

https://securecomputing.stanford.edu/endpoint_compliance.html

But nothing drastic will happen on June 1 for devices that missed the deadline.

Later in June, automatic systems will start sending email messages to people about their devices on the MyDevices website that do not meet university security standards -- specifically, encryption.

Once you get a warning email, you will have 30 days to bring the device into compliance, get an exemption, or cease using it for Stanford work. If you do nothing, you will get email messages more frequently until finally, after 30 days of doing nothing, access to the Stanford computer network by the non-compliant device will be automatically cut off. You will not be able to regain network access until you complete the security steps detailed in the email -- generally, run the university's encryption program.

What should you do right now?

First of all, check the MyDevices website to see the status of your computing devices.

You can avoid all university security requirements for your personally owned devices if you just stop using them for Stanford work! This will require that they be de-registered from the Stanford network and that the BigFix application, if present, be uninstalled.

Next, for non-compliant Stanford-owned devices and any personally owned devices that you plan to keep using for Stanford work, the first step to make them compliant is to make sure you have good data backups!

Our experience is that the encryption process, particularly on older computers, can cause problems that require restoration from backup. This happened in 1 to 2 percent of the systems that we encrypted last year. If you rush to encrypt your non-compliant computer without any backup, you could lose all your files forever!

The School provides a free backup solution for all computers that are subject to the security requirements (any computer in MyDevices). See this website to get signed up:

https://earth.stanford.edu/computing/resources/backup/

If you need help to bring your computing devices into compliance with university security standards or to implement any of the suggestions in this news item, submit a request at:

https://helpsu.stanford.edu/
