Review: How to protect top-secret data

The small, camera-equipped drone hovers unobtrusively outside your office window, quietly photographing the confidential documents on your desk and on your computer screen. A dumpster diver retrieves your shredded printouts, scans them into a computer and uses jigsaw-puzzle-solving software to reform the shreds into legible documents.

An innocent-looking but virus-infected computer uses nothing more than heat signatures to glean data from your air-gapped (non-networked), "off-the-grid" machines that you thought were perfectly safe from prying eyes. And an industrial spy has tapped into your network links to make copies of private documents as they flow around your company.

+ ALSO ON NETWORK WORLD: REVIEW: Best Wi-Fi stumblers for the Mac +

You're on your own with the drone, the dumpster diver and the heat-signature-reading computer. However, you can use encryption to thwart the industrial spy who wants to steal your digital documents.

Full disk encryption (FDE) -- think Microsoft BitLocker -- is a particularly effective way to render data illegible and useless to a thief who's stolen a physical computer. In contrast, file encryption (a la Microsoft Rights Management System, or RMS) protects the data itself, document by document, on any computer and across any network link. RMS technology, which Microsoft includes in many versions of Windows, can encrypt individual files at the time of creation, and allows decryption by specific users or groups according to Active Directory permissions. Microsoft Office applications are RMS-aware.

But how do you administer and manage RMS? What about file types and applications beyond those of Microsoft Office? Can you force certain users or groups (e.g., the Finance Department's Mergers and Acquisitions Research Team) to encrypt their files? When a user creates a document containing sensitive information, how can you remind that user to encrypt or otherwise classify the file? How can you monitor encrypted file usage across the enterprise? How do you authorize document access for some people and deny it to others? What about the documents that already exist at the time you decide to begin using digital encryption?

Guarding access to your private digital documents is not a simple or cheap affair. Plan to do a risk assessment before your organization decides to embrace file encryption. Be aware that digital document privacy adds significant costs in the form of administrative effort and user training. These costs are worthwhile expenditures if exposure or disclosure of sensitive information would likely result in even greater costs.

A handful of vendors offer products to help you achieve a high level of digital document confidentiality and privacy. Unfortunately, most of these vendors are quite coy about having anyone evaluate their products. For this review, we invited EMC, Secure Islands, GigaTrust, Seclore, and Watchful Software to send us software that we could test in our Alabama laboratory. Only Watchful Software and Secure Islands responded. Watchful Software declined to participate upon learning that it could not help us install its server component -- a difficult process that is apparently fraught with peril. Secure Islands sent us IQProtector Suite 5.0.

Secure Islands' IQProtector (in conjunction with Microsoft's RMS technology) encrypts and decrypts more than 1,000 file types. It secured our files based on a variety of criteria that included content, user ID, user group and user choice. It gave us four security levels from Top Secret through Public and was simple and painless to administer. It monitored access to secure files and produced useful, informative reports. IQProtector even scanned and classified documents we downloaded from (or uploaded to) Web sites.

On the other hand, IQProtector is highly Windows-centric (because it relies on RMS technology), it's pricey and it slows document access noticeably. IQProtector "paused" the opening or creation of encrypted files by a few seconds even for small documents. For larger files, access was annoyingly slow. We concluded that IQProtector is inappropriate for files of about 25MB or greater. However, the slower performance is doubtlessly part of the price we paid for privacy. Overall, IQProtector is an effective privacy tool that we recommend you take a close look at.

IQProtector architecture

IQProtector has two server components, a Management Server and a Classification & Protection Server. It stores policies (rules for what and when to encrypt) and event logs in a Microsoft SQL Server database server. It requires that Microsoft RMS be enabled on all the computers that create, store or process encrypted files, and each of these computers also needs an IQProtector agent (an Interceptor). These agents run on client (user) computers, terminal server computers, file servers and application servers (such as Microsoft Exchange, Microsoft SharePoint and OpenText Enterprise Content Management [ECM] servers).

For specialized, customer-unique file types and content, IQProtector has a well-documented and easy-to-use Developer's Guide API for building Custom Interceptors. Additionally, IQProtector has a Data Scanner component that "crawls" through file systems. It looks for files that according to administrator-configured policies should be encrypted but are not.

Administrators use IQProtector's Web-based interface to create and manage policies, set up file system discovery parameters for the Data Scanner, audit for compliance with corporate privacy goals and analyze IQProtector's ongoing operations.

At each file access, an IQProtector endpoint Interceptor sends data to the IQProtector Classification and Protection (C&P) Server. The C&P Server uses policies, data content and other factors to decide if the data should be encrypted, performs the encryption and returns the result to the Interceptor. A Server Interceptor can additionally subsume the role of C&P Server. In a cloud-based environment, the Interceptors are local while both the C&P Server and Management Server reside in the cloud.

The Management Server provides the Web-based user interface. It sends policies to Interceptors and the C&P Server and, in return, gets activity logs, which it stores in the database. The Management Server analyzes and summarizes the encryption activity, and it also displays the results of the Data Scanner's search for files that should be encrypted.

Installation was simpler than this description of IQProtector's architecture implies. The Management Server and the C&P Servers required just a few minutes each. After IQProtector instantiated its SQL Server database, we set up each endpoint Interceptor on our client computers and used the Management Server's browser-based interface to configure a dozen initial policies. We installed and fired up the Data Scanner, which gave us a report that accurately identified the test files we expected it to find. IQProtector's documentation is comprehensive, but it lacks a clear, intuitive explanation of IQProtector's concepts and terminology. Fortunately, IQProtector is easier to use than it is to explain.

IQProtector supports several versions of Windows: XP Pro, Windows 7, Windows 8, Server 2003, Server 2008 and Server 2012. It works with Microsoft Office 2003, Office 2007, Office 2010, Office 2013 and Office 365, and it requires SQL Server 2008 or SQL Server 2012. Secure Islands' IQProtector Mobile component provides access to secured email messages and attachments on iOS, Android and Blackberry mobile devices.

Files, emails, clouds and security levels

As directed by policies configured by an administrator, IQProtector secures files, email messages, Web pages and cloud data. These policies use content types (file extensions and MIME types), Web and file folder names (e.g., a directory named TopSecret), specified sender or recipient email addresses, email subject line tags (such as _TopSecret_), a named application, patterns or phrases in the data itself, Active Directory attributes (such as a department ID), IP addresses and storage device identities (such as a USB drive) to classify a file's privacy level.

IQProtector gave us complete flexibility regarding the classification and encryption of our documents. For our simulated Audit Department, we configured IQProtector to automatically restrict access to files created by anyone in that department. We used IQProtector to make sure that only people with the appropriate credentials could view our Mergers and Acquisitions plans.

IQProtector's Data Scanner examined the contents of our files and told us which pre-existing documents needed a security classification. It warned us before we sent a secured email message to someone outside the company (in order to access confidential documents or email messages, an external user must be using Microsoft RMS and must be able to authenticate him or herself). In all our tests, IQProtector was always able to secure our files exactly as we wished.

IQProtector understands the file formats of over 1,000 file types and can examine their contents for sensitive data, such as credit card numbers or references to financial information. These are the same 1,000 file types that the HP file viewer KeyView supports. Secure Islands says that IQProtector has special support for the OpenText company's Enterprise Content Management (ECM) Suite, but we did not test this. For other, specialized file types, an organization can use Secure Islands' .Net SDK or Web Services REST API to customize and extend IQProtector's ability to examine file contents. We found the process of programming a Custom IQProtector Interceptor to be quite straightforward and simple in our simulated automatic document processing system.

IQProtector has four default data sensitivity levels: Public, Internal, Secret and Top Secret. A person creating a document, if directed by an administrator's policy configuration, chooses one of these four levels. Or, during (possibly unattended) file creation, IQProtector assigns each file a data sensitivity level according to a rule set up by an administrator. In the form of metadata, IQProtector attaches to each file or email message the data sensitivity level, the data security type (such as Customer Information, Personal Identification Information, Financial Information, or Personal Credit Card Information) and other security-related characteristics.

IQProtector's ability to identify sensitive data content was impressive. We could flag documents based on words, phrases, regular search expressions, credit card data and other criteria. And IQProtector contains special logic to identify Payment Card Industry (PCI) data.

Note that while administrators do not see the data you designate as confidential, they do see the words and phrases that they insert into rules and policies. Accordingly, administrators will know the names of companies involved in a merger or acquisition and thus need a special security clearance.

IQProtector's security was top-notch in our tests. We tried various hacking methods to decrypt files, alter a file's metadata and otherwise defeat IQProtector's security -- to no avail.

Administering and using IQProtector

IQProtector selectively encrypts files and email messages based on what Secure Islands calls Information Profiles, Data Classes and Classification Rules. An Information Profile specifies an information category, such as "new product sales forecast spreadsheets" or "merger/acquisition plans." An Information Profile can be defined by metadata such as file type, data source or data contents, and it can contain references to other Information Profiles. A Data Class is an administrator-supplied label that describes a security characteristic, such as Data Sensitivity. A Data Class can have multiple values (such as Public, Internal, Secret and Top Secret), and an administrator can put Data Classes into named groups.

A Classification Rule tells IQProtector the circumstances in which it should apply its privacy protections. The Rule specifies how to use Information Profiles and Data Classes to decide whether to mark a file or email message for private consumption. For example, a Classification Rule might automatically (no user intervention required) add a particular Data Class value, such as Top Secret, to documents created by someone in the Audit Department.

The associated Information Profile specifies a data source of the Audit Department, which IQProtector recognizes because the user logon ID's Active Directory group is "Audit." If the administrator specifies, a Classification Rule might cause a user, at file creation or file save time, to see a pop-up window in which he can give the document a particular Data Class. The administrator chooses the list of Data Classes from which the user selects and whether the user must assign a data classification before proceeding further. A Classification Rule might insert configurable content (such as "Confidential -- For Finance Dept. Use Only") to the header or footer area of selected documents.