S 4.379 Secure data management and transport under Mac OS X

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: User

Mac OS X enables the user to create disk images. Disk images are presented like files, but internally comprise their own file system which can be integrated in the system as a virtual drive. Disk images can be compressed and encrypted. Every Mac OS X system can thus read the disk images created in this way without any problem. On other platforms, additional software is needed for this. In general, it should be ensured that confidential information is transported and stored only in an encrypted disk image or by means of another suitable encryption method under Mac OS X. The users must be trained in handling disk images.

If a disk image is created by an existing directory, two different settings are available. First, the image format can be selected, for example "compressed", "read only" or "read/write". For exact images of CDs/DVDs the image format "DVD/CD master" is suitable. Secondly, encryption is available. If the disk image contains confidential information, it should be encrypted. For this purpose 256-bit AES encryption and a complex password should be selected avoiding trivial passwords (see S 2.11 Provisions governing the use of passwords).

If a new, empty disk image is to be created, unlike with images from an existing folder, additional settings are available. The most important options are the setting of the maximum size of the disk image and the selection of the image format. If a "sparse bundle image" is selected, storage space on the hard disk is only used when it is needed. The image grows with the added data. However, the "sparse bundle image" does not shrink, if data is removed from it. Used storage space, however, can be reclaimed by means of the command "hdiutil compact namedesimages". This command works only on computers which are not in battery mode. An additional setting for a newly created disk image is the choice between the conventional file systems from Apple and Microsoft.

The password for the disk image can also be stored, like other confidential information, in the key chain as "secure note". In this case, the safeguards in S 4.371 Configuration of Mac OS X clients must be implemented. If more than one person works with a disk image, a central secure storage location must be chosen in order for the current password to be available to all authorised staff members.

Review questions:

• Is data securely kept and transported under Mac OS X?
• Is every Mac OS X user trained in handling disk images?
• Is a strict password used for protection of the Mac OS X disk images?
• Is the password of Mac OS X disk images stored in a suitable location?