Review: How to protect top-secret data

Classification Rules can work in combination. For example, suppose all documents created in the Audit Department are automatically designated "Internal" by one rule, while another rule allows an auditor to raise the privacy level of a particular document to "Top Secret."

To get you started, Secure Islands includes a number of basic, pre-configured Information Profiles, Data Classes and Classification Rules with IQProtector.

As we found in testing, designating these encryption criteria is the most important step in administering IQProtector. Doing it well (i.e., comprehensively but not in too much detail) requires a good deal of forethought and careful analysis. In some of our tests, we defined absolutely every possible privacy situation we could think of. As a result, we had myriads of IQProtector criteria to maintain and we quickly found the effort labor-intensive and even a bit confusing. We think your success with using IQProtector (or any privacy scheme, for that matter) will depend mostly on two considerations … your company's whole-hearted, serious embracing of the new environment and your analysis of your documents and their flow through the organization.

Beyond spreadsheets, email, word processing

To evaluate IQProtector outside the mundane environment of Microsoft Office, we developed an automatic document processing system that, among other functions, inspected the contents of various files: PDF reports, DocX and XLSX Office documents, accounting system files, VSD Visio drawings and a range of internal custom application files. The result was a batch processing system that we wanted to use to fairly quickly look for patterns (or the lack of patterns that should exist but didn't) across myriads of files.

We ran two sets of tests. One used unencrypted, unprotected files. The other put IQProtector in control of the secure, private data.

We used Visual Prolog, an AI programming language, to create software that looked through these files for anomalies, discrepancies and contradictions. Most but not all the files contained confidential data. Our Prolog software made use of the IQProtector Custom Interceptor .Net API and the Microsoft RMS API to both gain access to the unencrypted contents of each file and also change the privacy classification levels of selected files.

The IQProtector and RMS interfaces unlocked our confidential files and let us manipulate the files' security settings, but we paid a high price for access to the private data. Run times more than doubled in the IQProtector environment.

Conclusion

IQProtector is an excellent guardian environment for keeping designated documents private. It's easy to administer, once you master its concepts. IQProtector is highly configurable. You can tailor it to automatically secure one type of document while at the same time you specify that users must manually classify another type of document. IQProtector does slow access to confidential files and is somewhat pricey. However, if you need to keep industrial spies from stealing your private data, we think IQProtector is worth a close look.

Nance runs Network Testing Labs and is the author of Network Programming in C, Introduction to Networking, 4th Edition and Client/Server LAN Programming. His e-mail address is barryn@erols.com.

How we tested

We evaluated IQProtector for its ability to limit file access to designated people, groups and processes. We expected it to enhance, enforce, manage, administer and control rights-related access to various kinds of files. We wanted to know what file types IQProtector supports, how it classifies and protects confidential data and the extent to which it affects user workflow. We looked at how administrators use IQProtector to maintain a private, data-secure corporate environment.

Our testbed network consisted of eight Gigabit Ethernet subnet domains connected by Cisco routers. Our lab's 350 client computing platforms included Windows 2008/2012, Windows Vista/7/8, Macintosh 10.x and Red Hat Linux (both server and workstation editions). We operated these clients in ways that simulated much larger networks. Remote access used T3 and OC-9 WAN links.

The relational databases on the network were Oracle, Microsoft SQL Server 2008 and SQL Server 2012. The network also contained two Web servers (Microsoft IIS and Apache), three e-mail servers (Exchange, Notes and iMail) and several file servers (Windows 2008 and Windows 2012 servers). Our virtual computing environments were VMware, Citrix XenServer and Microsoft Hyper-V. We had cloud connections to Amazon AWS, Microsoft Azure, Rackspace and a private cloud. PDC's Visual Prolog was our AI programming tool for the document processing and analysis system.

A group of eight PowerEdge R720 servers with Dual Xeon E5-26xx processors, 384 GB RAM and 32 TB disk storage and running Windows 2003 Server, Windows 2008 Server and Windows 2012 Server were platforms on which we ran the server components. A Red Hat Enterprise Linux server stood by, idly, during the tests.

Net Results

PRODUCT: IQProtector Suite 5.0

COMPANY: SECURE ISLANDS

PRICE: Starts at $65 per user

SCORE: 4.0

PROS: Comprehensive, highly-configurable and virtually unbreakable data privacy

CONS: Access is slow for large files; pricey

This story, "Review: How to protect top-secret data" was originally published by Network World.