Encryption products aim to protect data from prying eyes
Three products enjoy varied levels of success in securing data
The world has changed, but you know that. Your auditors are now checking to see if you’re protecting sensitive information to meet Sarbanes-Oxley or HIPAA requirements, among others, and your lawyers are promising dire consequences if somebody gets into your database and steals customer information. And although the laws may not require that you encrypt your information, your auditors and lawyers probably do.
A number of encryption products are designed to protect data from unauthorized access, three of which I recently had an opportunity to test: Control Break SafeBoot Device Encryption 4.2, Credant Mobile Guardian Enterprise Edition v. 4.3.1, and Utimaco SafeGuard Easy 4.11. (A fourth vendor, PointSec, declined to participate.)
All three products were originally designed to protect the information on mobile devices, such as laptops, from being accessible if the device was stolen. However, all three companies are now selling them as solutions for ensuring compliance with regulations such as HIPAA and Sarb-Ox. They’re also pitching these wares as protection against the loss of commercial data that could lead to action under Visa and MasterCard’s PCI (Payment Card Industry) requirements.
The products from Control Break and Utimaco, however, only encrypt a machine’s hard disk, which may be adequate for protecting mobile devices but not much else. The third product, from Credant, is much more useful. Despite the marketing hype, none of these products is more than a limited solution to a much bigger problem.
Power Off vs. Power On
SafeBoot Device Encryption and SafeGuard Easy both employ whole-disk encryption, also called power-off encryption. These products encrypt a machine’s hard disk and modify the Windows master boot record so that the machine requests a log-on name and password at startup. The idea is that the data is completely inaccessible if someone turns on the machine without the proper authentication. Thus, it’s protected when the power is off.
The companies that provide whole-disk encryption products claim the encryption is unbreakable. That’s fairly accurate, except that the machines are safe only when they’re turned off. When the correct log-on information has been entered and the machine is in use, the material on the hard disk is automatically decrypted. At that point, anyone else who gets in, say, through a remote admin account can see what’s on the hard disk. Likewise, a worm can still mine the information and send it to a third party. Therefore, machines running whole-disk encryption will require additional protection. Most enterprises already employ such means anyway, but with these devices it becomes vital.
Taking an alternative approach to whole-disk encryption, some vendors’ solutions, such as Credant’s, encrypt individual folders and files. This approach is known as power-on encryption, because information is protected even when the computer is running. (This is not to suggest that it’s not encrypted when the power is off, because it is.)
Power-on encryption methods are not without weaknesses. To ensure effectiveness, an administrator must see that all necessary file types are listed in the configuration and that all material to be encrypted is saved in folders flagged for encryption. Therefore, it’s possible for users to save sensitive data in such a way that it’s available in an unencrypted form.
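To make the coverage gap concrete, here is a small audit script (an added example, not code from the article or from any of the products reviewed) that models a folder-and-file-type policy of the kind just described and reports which files on a sample tree would stay in plaintext. The policy fields, paths and file names are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class EncryptionPolicy:
    """Hypothetical power-on policy: folders flagged for encryption plus
    file types that are encrypted wherever they are saved."""
    encrypted_folders: frozenset
    encrypted_extensions: frozenset

    def in_flagged_folder(self, path: str) -> bool:
        p = PurePosixPath(path)
        return any(PurePosixPath(d) in p.parents for d in self.encrypted_folders)

    def covers(self, path: str) -> bool:
        # A listed file type is encrypted anywhere; otherwise the file must
        # sit under a flagged folder. Anything else is left in the clear.
        if PurePosixPath(path).suffix.lower() in self.encrypted_extensions:
            return True
        return self.in_flagged_folder(path)


def audit_coverage(policy: EncryptionPolicy, paths):
    """Split paths into those the policy encrypts and those it leaves plaintext."""
    report = {"encrypted": [], "plaintext": []}
    for path in paths:
        report["encrypted" if policy.covers(path) else "plaintext"].append(path)
    return report


def find_unprotected_copies(policy: EncryptionPolicy, paths):
    """Files outside the policy whose name matches a file in a flagged folder:
    the typical way a protected document ends up saved unencrypted."""
    protected = {PurePosixPath(p).name for p in paths if policy.in_flagged_folder(p)}
    return [p for p in paths
            if PurePosixPath(p).name in protected and not policy.covers(p)]


# Constructed sample policy and file tree (not real product configuration).
POLICY = EncryptionPolicy(frozenset({"/home/alice/Secure"}),
                          frozenset({".docx", ".xlsx"}))
SAMPLE_PATHS = [
    "/home/alice/Secure/customers.csv",     # flagged folder: encrypted
    "/home/alice/Desktop/customers.csv",    # same file saved elsewhere: plaintext
    "/home/alice/Documents/contract.DOCX",  # listed type: encrypted anywhere
    "/home/alice/Downloads/export.json",    # neither rule applies: plaintext
]

if __name__ == "__main__":
    print(audit_coverage(POLICY, SAMPLE_PATHS))
    print("unprotected copies:", find_unprotected_copies(POLICY, SAMPLE_PATHS))
```

Running it against a real policy export and a file inventory gives an administrator the list of sensitive files that a power-on product would not protect.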