Encryption products aim to protect data from prying eyes

Three products enjoy varied levels of success in securing data

The world has changed, but you know that. Your auditors are now checking to see if you’re protecting sensitive information to meet Sarbanes-Oxley or HIPAA requirements, among others, and your lawyers are promising dire consequences if somebody gets into your database and steals customer information. And although the laws may not require that you encrypt your information, your auditors and lawyers probably do.

A number of encryption products are designed to protect data from unauthorized access, three of which I recently had an opportunity to test: Control Break SafeBoot Device Encryption 4.2, Credant Mobile Guardian Enterprise Edition v. 4.3.1, and Utimaco SafeGuard Easy 4.11. (A fourth vendor, PointSec, declined to participate.)

All three products were originally designed to keep the information on mobile devices, such as laptops, from being readable if the device was stolen. All three companies now sell them as a way to meet regulations such as HIPAA and Sarbanes-Oxley, and they pitch them as protection against the loss of cardholder data that could lead to action under Visa and MasterCard's PCI (Payment Card Industry) requirements.

The products from Control Break and Utimaco, however, only encrypt a machine’s hard disk, which may be adequate for protecting mobile devices but not much else. The third product, from Credant, is much more useful. Despite the marketing hype, none of these products is more than a limited solution to a much bigger problem.

Power Off vs. Power On

SafeBoot Device Encryption and SafeGuard Easy both use whole-disk encryption, also called power-off encryption. These products encrypt the machine's entire hard disk and modify the master boot record so that a log-on name and password are requested at startup, before Windows loads. Without that pre-boot authentication, nothing on the disk can be read. The data is therefore protected while the machine is powered off.

The vendors of whole-disk encryption products claim the encryption is unbreakable. Taken on its own terms that is fairly accurate, but the guarantee holds only while the machine is off. Once the correct log-on has been entered and the machine is running, the disk is transparently decrypted for every process on it: anyone else who gets in, say through a remote admin account, reads the same plaintext the user does, and a worm can mine the information and send it to a third party just as it could on an unencrypted machine. Machines running whole-disk encryption therefore still need the usual host defenses. Most enterprises already employ them, but with these products they become vital.

Taking an alternative approach, some vendors' solutions, such as Credant's, encrypt individual folders and files rather than the whole disk. This is known as power-on encryption because the information stays protected while the computer is running. (It is, of course, also encrypted when the power is off.)

Power-on encryption methods are not without weaknesses. To be effective, an administrator must ensure that every necessary file type is listed in the configuration and that everything meant to be encrypted is saved in folders flagged for encryption. A user who saves sensitive data under an unlisted extension, or outside a flagged folder, leaves it on disk in the clear.
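As an added example (not code from Credant, Control Break or Utimaco), the following Python script shows the kind of coverage audit an administrator would run against a folder-and-extension policy of the sort just described: it reports every file that neither a flagged folder nor a listed file type protects. The policy and the file inventory are constructed for illustration. Paths are normalised before matching so that a `..` component or a look-alike folder name (C:\FinanceOld beside C:\Finance) cannot slip past a naive prefix test.

```python
"""Coverage audit for a file/folder ("power-on") encryption policy.

Added example for this review; it is not code from Credant, Control Break
or Utimaco. A folder/type policy protects only files that sit under a
folder flagged for encryption or whose extension is on the list, so this
reports everything else. POLICY and SAMPLE_FILES are constructed.
"""
import ntpath  # Windows path rules (case-insensitive, backslashes) on any host

# Constructed policy: folders flagged for encryption plus file types to encrypt anywhere
POLICY = {
    "folders": [r"C:\Users\alice\Documents\Finance", r"C:\Secure"],
    "extensions": [".xls", ".doc", ".pst"],
}

# Constructed file inventory, e.g. from a walk of the user's disk
SAMPLE_FILES = [
    r"C:\Secure\notes.txt",                             # covered: in a flagged folder
    r"C:\Users\alice\Desktop\forecast.XLS",             # covered: listed type, any case
    r"C:\Users\alice\Desktop\customers.csv",            # gap: export saved outside any flagged folder
    r"C:\FinanceOld\budget.txt",                        # gap: look-alike folder, not under a flagged root
    r"C:\Users\alice\Documents\Finance\..\Tax\w2.pdf",  # gap: '..' leaves the flagged folder
    r"C:\pagefile.sys",                                 # gap: swap file, unless the product covers it itself
]


def _norm(path):
    """Canonical form for comparison: resolve '.' and '..', unify separators, lower-case."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, root):
    """True if path is root or lies beneath it, matching on a directory boundary."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def unprotected_files(policy, files):
    """Return the files that neither a flagged folder nor a listed type protects."""
    types = {e.lower() for e in policy["extensions"]}
    gaps = []
    for f in files:
        in_folder = any(_under(f, root) for root in policy["folders"])
        by_type = ntpath.splitext(f)[1].lower() in types
        if not (in_folder or by_type):
            gaps.append(f)
    return gaps


if __name__ == "__main__":
    for f in unprotected_files(POLICY, SAMPLE_FILES):
        print("UNENCRYPTED:", f)
```

Run against a real inventory, the same function turns the configuration gap into a list of files to move or extensions to add to the policy; the pagefile entry is there as a reminder that swap and hibernation files need to be handled by the product itself, not by a folder rule.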

For my test, I installed each of these products into a test enterprise consisting of Windows machines, PDAs, and servers. None of these solutions is intended to encrypt servers, although they can use your server’s directory service to create their user list. In practice, this means they’ll use Windows Active Directory. Although you’ll see claims that the products work with LDAP or Novell directory services, I wasn’t able to use these products that way.

Control Break SafeBoot Device Encryption 4.2

SafeBoot encrypts the entire hard disk of the machine on which it's installed. It will also encrypt the contents of PDAs and smartphones. Supported client platforms include Windows, Pocket PC, Palm OS, and Symbian; Linux support is planned for Q4 of this year.

Before you can encrypt anything, you must install the SafeBoot Management Center along with the SafeBoot Administration Database. The latter is a proprietary data store that holds the configuration and user information the enterprise version of the product needs.

The setup process leads you through installing the admin server, creating the groups to be managed, and finally creating users and machines. Once those exist, you use the server to build an install set that places the client software on each machine.

After the client software is installed and synchronized with the server, the encryption process begins. I tested encryption on two machines, an HP D530 desktop PC with an 80GB disk drive and an IBM Z Pro Xeon workstation with a 72GB drive. Encryption took about two hours on the HP.

On the IBM, because there was an incompatibility between the SafeBoot encryption software and IBM’s LSI SCSI controller drivers, the Z Pro restarted several times during the encryption process. Fortunately, the SafeBoot encryption process is extremely robust, and it was able to recover from these restarts and eventually complete the encryption process. Additional testing on a different system showed that, although SafeBoot operates more slowly on SCSI-based machines, the reset problem seems to be unique to IBM’s implementation of LSI’s SCSI controller on the Z Pro.

Although the time for encryption is lengthy, the productivity hit is smaller than you might expect. The machine can still be used during the process, although disk-intensive activities may be slowed somewhat. The processor load is minimal, however, so many users are unlikely to notice much of an impact.

SafeBoot can be set up so that a screensaver launches after a period of inactivity; getting back into the machine requires logging on with a user name and password. The risk remains, however, that someone gains remote access to the machine, and to the information that should be protected, while it is in use. SafeBoot's Content Encryption product, designed to work with SafeBoot Device Encryption, is meant to close that gap, but it was not made available for this review.

This product provides good protection for mobile devices where the primary risk is loss or theft. Unauthorized users are unlikely to do anything with a SafeBoot-equipped device unless they know the user name and password, and with reasonable precautions such as a personal firewall and the SafeBoot screensaver the risk of unauthorized access is further reduced. Without the separate content-encryption product, however, anyone with administrative access to the running machine, including support staff, can still read the material on it, so some risk remains.

Credant Mobile Guardian Enterprise Edition v.4.3.1

Credant Mobile Guardian does not encrypt the entire hard disk. Instead it encrypts files and directories, including temporary files, swap files, and the file written when a computer hibernates; basically everything but the Windows OS and program files. Admins can also set it to encrypt files only in specific locations or of a specific type. The Enterprise Edition lets you set enterprise-wide policies for fixed and mobile workers.

If an unauthorized person -- be it an intruder or support staff -- gains access to the protected machine, he or she will not be able to access protected material. This means that a network administrator can help solve a problem on a computer containing financial or medical records without being able to view them, even though he or she can see that the information exists.

Likewise, if someone steals a laptop or PDA, he or she gains access to the device but not to the protected information.

In an intriguing tech-support practice, when Credant gets a call from someone trying to open a protected file, the company alerts the registered owner, reporting on who is in possession of the computer and that person’s location.

Credant supports Pocket PC and Palm devices as well as smartphones running the Symbian OS. It is also the only company in this test offering RIM BlackBerry support.

Installing the Enterprise Server is mostly a matter of running the setup files on the CD and letting them run. In addition to the management software, Credant installs a copy of Apache, which serves the Web-based management console, and a copy of MySQL on the server. If you're already running MySQL, you can use your existing database installation. You'll need to initialize the database after the install using a batch file provided by Credant.

After you have the server up and running, you then create installation files for the client machines on your network. The software for the client machines is called a Gatekeeper and its configuration is embedded in the installer that the server creates. Keep the installer in a shared directory on the network, or install using the deployment wizard, SMS, Tivoli, or other software-distribution package. Feel free to specify your policies for the Gatekeeper in significant detail; those policies will be part of the installation.

After everything is installed, the server provides the means to control the encryption policies for your network as well as ways to keep tabs on the status of devices currently attached to the network. In fact, you can even keep an eye on battery levels for mobile devices. The product is transparent to end-users. There was no apparent impact on performance and authorized users never noticed the encryption.

I found Credant Mobile Guardian to be a useful, well-designed product that can work anywhere in the enterprise. More important, it’s useful on machines that are on the go or sitting on a desktop. It gives you a single solution for managing your office computers and most of your mobile devices, all with one interface. This product is the preferred choice in this review, unless your policy mandates whole-disk encryption.

Utimaco SafeGuard Easy 4.11

SafeGuard Easy is a whole-disk encryption product similar in some ways to SafeBoot. Unlike SafeBoot, however, SafeGuard Easy is limited to Windows platforms. PDA support for Windows Mobile is available as a separate product, SafeGuard PDA, which I did not test. The company offers no support for non-Windows systems of any kind.

Utimaco has designed SafeGuard Easy as essentially a stand-alone package that can be administered centrally. First you install the administration package on the admin machine, then create a Windows installation file for distribution to other machines. That file and a standard configuration file can be distributed via the SafeGuard Easy Central Administration software or a software-distribution package of your choice; you may also install from a CD or a shared folder on the network.

Post-installation, you start encryption by using the local administrator and clicking on a blank spot in a column until a key appears. Save that setting, then encryption begins. On my HP machine, the process took about two hours, but I could use the machine during that time. On my IBM Z Pro, the process took somewhat longer, but unlike with SafeBoot, the encryption process did not cause the Z Pro to reboot.

As was the case with SafeBoot, SafeGuard Easy writes a modified version of the master boot record, which then runs a log-on sequence as the boot process begins. It synchronizes the preboot log-on information with the Windows log-on information, which means you can use a single sign-on, making it easier to use. There is little if any impact on the user with this product after installation and encryption.

Unfortunately, the life of the SafeGuard Easy administrator is made harder by the Central Administration console's failure to work properly with Windows XP Service Pack 2, which has been the standard version of Windows for about a year. The console requires either that anonymous log-ons be enabled on the managed machines or that it be given an administrator log-on with full remote access.

Microsoft turned off anonymous log-ons by default to plug a serious security hole; enabling them again reverses that fix. The other choice, a system-wide administrator log-on, is no better. Either way, you are effectively opening your SP2 machines to people who may not be authorized to view the contents of the machines they can now reach. Utimaco says you can avoid the problem by not using the Central Administration console. In reality, this should have been fixed already; instead it leaves administrators with a lose-lose choice.
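The practical follow-up to the point above is to find out which managed machines have had anonymous network access re-enabled to satisfy the console. The Python script below is an added example, not Utimaco's or Microsoft's code: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa` prints and compares the LSA anonymous-access values (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous) against a hardened baseline. The baseline values are this example's own assumption, and both registry captures are constructed rather than taken from the machines in the review.

```python
"""Flag machines where anonymous network access has been re-enabled.

Added example for this review, not Utimaco's or Microsoft's code. It parses
`reg query` output for the LSA key and compares the anonymous-access values
against an assumed hardened baseline. Both captures below are constructed.
"""
import re

# Assumed baseline: the settings that keep anonymous (null-session) access restricted
BASELINE = {
    "RestrictAnonymous": 1,          # no anonymous enumeration of SAM accounts and shares
    "RestrictAnonymousSAM": 1,       # no anonymous enumeration of SAM accounts
    "EveryoneIncludesAnonymous": 0,  # anonymous users do not inherit Everyone's permissions
}

# One `reg query` value line: <name> <REG_TYPE> <data>; the key header line has no type column
_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(\S+)\s*$")

# Constructed capture from a machine reconfigured so the console can reach it
WEAK_CAPTURE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
    RestrictAnonymousSAM    REG_DWORD    0x0
    EveryoneIncludesAnonymous    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x1
"""

# Constructed capture from a machine left at the hardened baseline
HARDENED_CAPTURE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x1
    RestrictAnonymousSAM    REG_DWORD    0x1
    EveryoneIncludesAnonymous    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Return {value name: int} for the REG_DWORD values in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(2) != "REG_DWORD":
            continue
        name, _, raw = m.groups()
        values[name] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return values


def audit_anonymous_access(values):
    """Return one finding per baseline value that is missing or set to a weaker value."""
    findings = []
    for name, want in BASELINE.items():
        have = values.get(name)
        if have is None:
            findings.append(f"{name}: not set (OS default applies; confirm it equals {want})")
        elif have != want:
            findings.append(f"{name}: {have}, expected {want}")
    return findings


if __name__ == "__main__":
    for label, capture in (("weak", WEAK_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        print(label, audit_anonymous_access(parse_reg_query(capture)) or "OK")
```

Feeding the script the output of `reg query` collected from each SP2 machine turns the lose-lose choice into an inventory: any machine that reports findings is one where the console's requirement has undone Microsoft's default.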

Utimaco does make a content-encryption package, LAN Crypt, but it was not made available for this review. Utimaco says that with LAN Crypt you can define files or folders that stay encrypted while the machine is running, with the information decrypted on demand. Without that software, however, SafeGuard Easy is at best a partial solution, suited only to protecting mobile Windows machines against disclosure of protected information if the machine is lost or stolen.
