Exclusive: CoreGuard 3.1 clamps down on server, app security
Powerful server encryption from Vormetric keeps data in its place
Keeping data safe is starting to sound like a cliché, thanks to vendors who use the catchphrase but don’t effectively address this very real concern.
Count Vormetric as one that gets it right. Its CoreGuard solution goes far beyond encryption, protecting databases and files at the system level and giving you a secure, easily managed environment.
CoreGuard protects registry and system files against rogue or clumsy administrators. It allows you to define an administrator outside the server environment who can make sure that the server administrator can’t change certain aspects of the server. That’s a handy feature, as it falls directly in line with Sarbanes-Oxley regulations that require separation of duties control -- so you can kill two birds with one security product.
Installing the CoreGuard appliance itself is simple. Just plug it in and configure it for the network, install the agent on the boxes to be managed, and start creating keys.
CoreGuard’s polished Web-based admin interface makes management easy. Vormetric did a nice job of making the system intuitive; all I had to do was learn a couple basic concepts and I was off.
I first tested CoreGuard’s capability to protect sensitive documents on a file server. Core-Guard sits in front of the OS-level permissions, so requests to individual files and folders are evaluated by CoreGuard first, then by the OS. I set up several folders and files to be guarded, and then I set up policies that restricted Windows administrators.
Here is where CoreGuard really shines. I not only prevented the unauthorized users from viewing the contents of the files, but I fully audited all access attempts, both successful and unsuccessful. And permissions can get far more granular than that; you can also define policies for reading, writing, copying, deleting, and more.
The business case for this scenario is quite simple. You have an administrator who has access to everything on the server but is not allowed to view specific aspects of some of its contents. Normally, any administrator or user who knows an account’s log-in information used in the unattended process has the keys to whatever permissions it has. With CoreGuard, however, your policies protect that granular access.
Next, I encrypted a SQL Server database. Database encryption reveals an important distinction between CoreGuard’s method and those of competitors such as Ingrian and DBEn-crypt. CoreGuard doesn’t attempt to apply column-level encryption inside the database. Instead, it encrypts the OS-level files themselves -- a level of protection that most companies grossly overlook. Because CoreGuard encrypts at the file system level, it isn’t concerned with the database vendor or version number.
Keeping individual database files from being stolen or otherwise compromised is an important security layer, and CoreGuard takes care of it with aplomb. Of course, I didn’t protect only my database files with Core-Guard; I also set up policies to encrypt the backups, and set the permissions so that only the SQL Server service could do anything with them at all.
Enforcing application security is one of the smarter steps you can take to secure your server. With CoreGuard, you use simple application security where you define an application in a directory to be used, or you digitally sign the application and all of its DLLs.