Exclusive: CoreGuard 3.1 clamps down on server, app security

Powerful server encryption from Vormetric keeps data in its place

Keeping data safe is starting to sound like a cliché, thanks to vendors who use the catchphrase but don’t effectively address this very real concern.

Count Vormetric as one that gets it right. Its CoreGuard solution goes far beyond encryption, protecting databases and files at the system level and giving you a secure, easily managed environment.

CoreGuard protects registry and system files against rogue or clumsy administrators. It allows you to define an administrator outside the server environment who can make sure that the server administrator can’t change certain aspects of the server. That’s a handy feature, as it falls directly in line with Sarbanes-Oxley regulations that require separation of duties control -- so you can kill two birds with one security product.

Permission Control
Installing the CoreGuard appliance itself is simple. Just plug it in and configure it for the network, install the agent on the boxes to be managed, and start creating keys.

CoreGuard’s polished Web-based admin interface makes management easy. Vormetric did a nice job of making the system intuitive; all I had to do was learn a couple of basic concepts and I was off.

I first tested CoreGuard’s capability to protect sensitive documents on a file server. CoreGuard sits in front of the OS-level permissions, so requests to individual files and folders are evaluated by CoreGuard first, then by the OS. I set up several folders and files to be guarded, and then I set up policies that restricted Windows administrators.

Here is where CoreGuard really shines. I not only prevented the unauthorized users from viewing the contents of the files, but I fully audited all access attempts, both successful and unsuccessful. And permissions can get far more granular than that; you can also define policies for reading, writing, copying, deleting, and more.

The business case for this scenario is quite simple. You have an administrator who has access to everything on the server but is not allowed to view specific aspects of some of its contents. Normally, any administrator or user who knows the log-in information of an account used in an unattended process has the keys to whatever permissions that account has. With CoreGuard, however, your policies protect that granular access.

Next, I encrypted a SQL Server database. Database encryption reveals an important distinction between CoreGuard’s method and those of competitors such as Ingrian and DBEncrypt. CoreGuard doesn’t attempt to apply column-level encryption inside the database. Instead, it encrypts the OS-level files themselves -- a level of protection that most companies grossly overlook. Because CoreGuard encrypts at the file system level, it isn’t concerned with the database vendor or version number.

Keeping individual database files from being stolen or otherwise compromised is an important security layer, and CoreGuard takes care of it with aplomb. Of course, I didn’t protect only my database files with CoreGuard; I also set up policies to encrypt the backups, and set the permissions so that only the SQL Server service could do anything with them at all.

Securing Applications
Enforcing application security is one of the smarter steps you can take to secure your server. With CoreGuard, you can either use simple application security, in which you define an application in a directory to be used, or digitally sign the application and all of its DLLs.

For example, if you have a financial application, you might encrypt its files with CoreGuard and rest assured that they can be accessed only by the application itself. Put simply, you define a policy that ensures that the files under its protection can only be accessed by the intended application.

To test this functionality, I guarded a Web site with CoreGuard and limited file access only to IIS. This action allowed me to protect the database connection information contained in the ASP code from everyone except the specific IIS application itself.

For front-end Web servers, this level of protection is invaluable -- it keeps hackers from gaining access to your system and looking at data in plain text, something they would usually be able to do easily when a server is compromised. I also tested it against Excel, and CoreGuard protected my files without fail.

It’s important to note that these app-security measures are extremely difficult to circumvent. The CoreGuard services themselves can’t be turned off, restarted, or disabled in any way unless released directly from the CoreGuard console.

It would take an extremely skilled hacker a very long time to figure out how to get around this system, and when he finally did, he would still have to contend with the encryption.

This observation brings us back to the Sarb-Ox controls. If your company can ensure that sensitive files are accessed only by the appropriate application and that there is a clear separation of duties -- where the server administrator doesn’t have access to CoreGuard and CoreGuard doesn’t have access to the server -- then you’ve got a nearly bulletproof methodology for protecting your data.

Another one of CoreGuard’s strengths is that, unlike some of its competitors, it provides a way to back up your policies onto another server and to get back in should you lose your password.

Reports Come Up Short
The only area where CoreGuard falls short is in reporting. The current process just lists all activity in the console, with no real exporting. This makes the activity hard to read on a busy server.

A security and encryption product as detailed and involved as CoreGuard simply needs richer reporting. More involved, detailed reports would make it easier to retrieve records of activity, aggregate activity on sensitive files, or pull up reports on various users or access attempts, and then pass those records on to managers and auditors.

CoreGuard can be used for compliance, but it really muscles its way through serious security configurations, making it the clear choice for extending server-level security. Any company will benefit from CoreGuard’s capabilities, but only companies with truly sensitive data -- such as legal, health care, and insurance organizations -- will appreciate its power.

CoreGuard’s ability to create an application-security policy by digitally signing your applications and all of their DLLs prevents information from being misused.

InfoWorld Scorecard: Vormetric CoreGuard 3.1
Performance (15.0%): 9.0
Ease of use (15.0%): 9.0
Management (20.0%): 9.0
Accuracy (20.0%): 9.0
Reporting (20.0%): 4.0
Value (10.0%): 9.0
Overall Score (100%): 8.0