Review: 3 encryption tools protect sensitive data -- and more

SafeNet, WinMagic, and Symantec deliver basic key management for businesses, particularly in the mobile era

Encryption is one of the best ways to prevent the type of terrible headaches that many high-profile companies have experienced with stolen data. Even if experienced hackers are able to penetrate a system, having the data encrypted can mean that nothing useful is taken.

But encryption can place a high burden on a network and its users. It's not too difficult to encrypt data, but providing access to protected files for authorized users while keeping everyone else away is extremely complicated. Small organizations may be able to manage encryption schemes manually, but for anything beyond a few dozen users, the task of doing that without help becomes monumentally difficult.

Enter key management systems. We tested three: SafeNet KeySecure, WinMagic's SecureDoc Enterprise Server and Symantec Encryption Management Server.

SafeNet Key Secure comes as an appliance or in virtualized form, running in the cloud. Key Secure is designed to manage other vendors' encryption products, so it's a good bet if your company already has one or more encryption products already deployed. It can manage keys for drives, tape backup devices, SANs, client systems, and virtual applications.

+ ALSO ON NETWORK WORLD Universal key management for the cloud +

WinMagic's SecureDoc Enterprise Server is a good option if you're interested in encrypting data on mobile devices. SecureDoc also goes beyond managing encryption keys; its management console allows you to set up security policies such as password authentication for Android and iOS devices.

Symantec Encryption Management Server provides a comprehensive suite of programs designed to help with all aspects of encryption, including drive encryption, endpoint encryption, gateway email, desktop email, and file share encryption. In contrast to Key Secure, Symantec's suite only manages its own components.

What we looked for

An encryption key management system is supposed to keep track of all the valid keys that users can present to gain access to their encrypted files. Different management programs handle this in a variety of ways, but in general all of them include the process of issuing new keys as needed, tracking of the number of valid keys in place, and rescinding keys when necessary, such as when an employee leaves an organization.

Additionally, robust key management programs can set different permission levels so that a specific key only gives a user access to what they need and nothing more. They can also log when, how and where keys are being used, all of which could unmask abuse or an ongoing breach as it happens.

Some programs present easy to understand audit trails and help administrators set network policies. And some can automatically discover new devices and new applications that can store or be protected by an encryption process, giving administrators the ability to automatically configure and protect network assets from the time they come online to the point where they are decommissioned.

Most encryption key management vendors try to specialize on one aspect of encryption, such as whole drive, e-mail or file based protection. That's why we tested each vendor for this review based first on the basic functions of issuing encryption keys to new users and devices and then the ability to rescind them as needed. Beyond that, we tested the functions that they added onto that basic platform.

In all cases, a stable and friendly user-interface was paramount. Encryption key management isn't a simple thing to accomplish, and there's a lot riding on success or failure. As such, the interface needs to be clean and capable so administrators are able to tackle the problem, not wrestle with their chosen solution.

The key management servers were tested using normal office type programs on the client end, running on both Windows and Linux. If the feature was available, each program also was asked to issue keys to mobile devices running Android, Blackberry and iOS operating systems. A lot of weight was given to how easy each task was to perform, what level of reports and auditing was available and how difficult the entire system was to setup and maintain. In all cases we assumed that the actual encryption was valid and no attempt to break it was made, especially given that with AES 256-bit encryption, it's considered impossible to do so.

Key management

Here are the individual results:

SafeNet KeySecure

The SafeNet KeySecure device is like a safe that protects encryption key data. It can be purchased as an appliance, including a hardened variety for challenging environments, or as a virtualized infrastructure device running in a cloud environment.

For KeySecure units deployed as hardware, there are a few models which scale to meet demand. The KeySecure K 460 is a 42-pound unit that can handle a million keys and 1,000 concurrent clients, while the smaller K150 weighs in at just 15 pounds and works with 25,000 different keys and 100 simultaneous users. The management interface between the two is mostly identical, though a K150 was used for this evaluation.

Organizations can purchase KeySecure in a variety of ways. For about 75 cents per hour, it can be leased and accessed in the cloud through Amazon Web Services. But, companies that need to keep all security hardware in-house can purchase a physical appliance for their server room. Depending on the model, that can cost between $4,700 and $10,000 with up to three years of maintenance. That's a pretty good value in all cases, especially if multiple encryption schemes need to be managed.

KeySecure is a robust platform designed to manage other encryption products, so it's a good choice right off the bat for organizations that have begun to implement a variety of encryption solutions, but have not really given too much thought as to how to manage everything. It could also fit in for organizations that have an encryption solution that they like, but which has grown beyond its key management capabilities, or as an anchor for a new deployment that gives maximum freedom as to how to expand independent of vendor products.

A KeySecure appliance can manage keys for self-encrypting drives, tape backup devices, SANs, client systems, virtual applications, archives and many others. It will work with any device that supports the popular OASIS Key Management Interoperability Protocol (KMIP) standard.

In terms of key types, we were pleased to find that KeySecure is also neutral and open. From the management console, administrators can assign symmetric, asymmetric, secret data, and X.509 certificates with only a few clicks. Once a key is created, it's quite easy to configure the properties of that key before it's issued. For example, I was able to create a new key using the AES-256 algorithm. It was given a primary name and the name of the owner on the network. It was also easy to configure flags, like if the key could be deleted by a user, or exported to a mobile device.

Managing individual keys is quite easy, but so is configuring the overall security policy for the device and an organization's encryption scheme. For example, you can disable the creation and use of global keys, or prevent non-FIPS algorithms and key sizes from being used. It's also fairly easy to manage the local KeySecure device itself, disabling possible security holes such as using FTP to import new certificates, unless that is something that administrators need to use. If they do, additional security can be configured around that process.

On the negative side, the interface could be described as a little bit sparse. That's both a good and bad thing, depending on the administrator. On the good side, it makes basic management functions quite easy to accomplish. But on the down side, it means that doing anything really complex will likely require a little training.

There are also some minor annoyances like the inability to put spaces in when naming keys, your users have to type underscores instead, though for anyone with any programming experience it's a mistake that will only be made until the system is learned. And the KeySecure interface won't allow a mis-configured key to be created. Instead it will trigger an alert and show how to fix the problem prior to deployment.

Organizations that prefer to have a robust key management appliance that can be locked into a secure server room for added physical security or those that don't want their encryption options limited to one vendor can find a good fit with a properly scaled KeySecure appliance.

SecureDoc Enterprise Server

WinMagic's SecureDoc Enterprise Server comes on a disk, and once installed on a compatible server, can be used to do a lot more than just manage encryption keys. SecureDoc can become the heart of an entire enterprise security system for Windows PCs, Macs, Linux or mixed networks. It also concentrates strongly on mobile device management, making it a natural fit for offices that are allowing users to become part of a bring-your-own-device (BYOD) workforce.

Having used many WinMagic tools over the years, I wasn't surprised to find a similar, user-friendly interface with SecureDoc. The heart of the program is the SES web console. From that central location, an administrator can set about automating many of the common tasks required of key management such as daily reports and auditing. Issuing keys didn't require any special training, and the program does a good job of pointing out how everything works if needed.

What sets SecureDoc apart from the pack is the care put into mobile device management, and keys going onto those mobile devices, which are an increasing concern in many enterprise environments. Right from the splash page of the MDM part of the console, administrators are given a complete picture of all mobile devices that are part of the network.

It works with both Android and iOS devices, and both popped up on our test network. Besides simply issuing keys to these devices, the SecureDoc console lets administrators also set up security policies such as password authentication, and can alert the proper officials if someone tries to circumvent them.

One additional feature of SecureDoc that is unique among the products tested is called PBConnex. When combined with full disk encryption, it forces devices to authenticate themselves on a network in the pre-boot phase, before an operating system loads. This can ensure that security policies are being enforced, and doesn't give hackers much of a chance to insert malware or snooping programs since the authentication happens before the operating system, or anything else, can load.

The cost of the SecureDoc Enterprise Server varies with the number of users it can support. A setup of between 500 and 999 users can be found for about $6,500 with a year of maintenance thrown in, a good price for key management software with an easy to use web-based interface and a concentration on mobile device security. The SecureDoc software would be a good fit for any organization considering moving to a BYOD workplace that doesn't want to compromise on security in the meantime.

Symantec Encryption Management Server

Symantec got into encryption management through its merger with both PGP Corp. and GuardianEdge in 2010. Harnessing the resources of both of those entities, Symantec put together a homogeneous suite of programs designed to help with every aspect of encryption on a modern network. The heart of the entire system is the Encryption Management Server, which we tested for this review.

However, other components which can be optionally added to improve security include Drive Encryption, Endpoint Encryption Removable Storage, Gateway Email Encryption, Desktop Email Encryption, File Share Encryption and the Command Line program, which helps with setting up batch processes and special triggers to protect data in transit and at rest.

We used the Encryption Management Server with the Drive Encryption part of the suite, since Symantec says that is how most users who want to move to encryption begin. That makes sense given that encrypting an entire drive is the easiest and most brute force way to protect data from snooping. Later on, users can add new components as they find the value of encrypted e-mail communications, or want to extend that protection to cloud-based components. Adding new programs to the Management Server is a simple matter, since they are all designed from the ground up to work together. The main server will notify users when a new component is added to a network. Keys can then be issued and shared with the new devices after a brief set up period.

The Encryption Management Server is designed to be run as an appliance on a system that is solely dedicated to that purpose. However, the system requirements are surprisingly light. The minimum requirements are a 1.4 GHz Pentium 4 processor, 1G of memory and 15G free hard drive space. The program installs and runs on a self-contained operating system built over a CentOS core. For the Drive Encryption product, a typical client machine need only have a 233 MHz or faster processor and 360MB of free space to handle the extra volume that encryption requires. Clients can be Linux, Mac or Windows based.

1 2 Page 1
Page 1 of 2