Product Group Tests
Data encryption (2006)
DESlock+ wins our Best Buy award due to its simplicity of use, reliability and overall value for money. For many users, DESlock+ will meet all their basic encryption requirements while also providing some genuinely useful functionality and utilities. For personal users, the basic version is even available as a free download from the internet, so no one needs to miss out on the benefits of encryption. Dekart Private Disk earns a Recommended award due
to its slightly "out of the box" thinking, coupled with effective encryption. It offers good value for the individual user and is flexible enough to cover most requirements without becoming overly complex. It is also intuitive and easy to use, making encryption a workable option for just about anybody. Our second Recommended award goes to SecureDoc due to its inherent flexibility, depth of design and standards-based approach. There is little worthwhile in the realm of hard drive data encryption that you couldn’t achieve with this product within a Windows environment. It is scalable up to enterprise level if you wish, and compatible with various authentication methodologies.
Full Group Summary
Encryption is one of those words that is guaranteed to conjure up a variety of mental pictures, according to the interest and understanding of the individual concerned.
Some will think of espionage and spies, of James Bond hacking into Dr. No’s supercomputer to save the world, or the more prosaic work of the Enigma machine busters during World War 2. Some will think of complex algorithms and their relative strength. Some will think of public key infrastructures (PKIs) and messaging. Some will think of encryption in relation to portable tokens.
But one thread common to all these is the concept of taking some piece of visible information and obscuring it in such a way that only authorized individuals may be able to understand it via a mechanism of decryption.
What IT security professionals are particularly interested in, however, is the storage and transmission of such information and its protection from unauthorized access and usage.
Conventional access control mechanisms provide some protection against unauthorized access. But once such measures are defeated, the data itself is typically open to inspection. This is particularly worrying with respect to the physical theft of mobile computing devices, such as laptop computers and PDAs, and also the sort of portable data storage devices which are now becoming increasingly efficient and affordable.
It is similarly worrying with respect to data stored within databases and networks and the possibility of such data being stolen or otherwise misused.
In order to respond to such challenges, various data encryption methodologies have been developed, from simple file-based symmetrical encryption to comprehensive PKIs and a host of ideas and techniques in between. In parallel, encryption algorithms have also developed to offer greater "strength" as regards the possibility of them being defeated.
Currently, one of the more popular algorithms is AES (Advanced Encryption Standard), as articulated in FIPS 197 (NIST), and used by many government agencies, among others. As a result, it is not unusual to find AES featured in contemporary encryption products, although DES, 3DES and others are still often supported.
However, the question remains: what exactly do we wish to encrypt and why? What is the risk associated with non-encrypted data residing on hard drives, network storage systems or portable media? This will be the starting place for most of us.
Clearly, those who deploy a significant number of portable computing devices within the enterprise will have a concern about the fate of data if one of these devices is stolen.
Similarly, the pervasive use of removable storage – including Zip drives, USB flash devices and others — raises questions around the relative security of data. In many cases, such concerns may be adequately addressed by simple, file-based encryption techniques. In other cases, organizations might be more interested in the broader infrastructural picture and the protection of data across applications, databases and communications channels.
We might also like to consider the first level access control mechanisms associated with data encryption and decryption – can we rely on passwords? Or perhaps biometrics? Or smart cards and tokens? Or perhaps a combination under a two- or three-factor authentication model?
Much might depend on our perception of risk, as well as regulatory compliance obligations (such as password complexity). We must also consider the OS file systems in use (FAT, NTFS and so on) and other utilities, such as disk defragmentation systems, disk imaging, anti-virus scanning and so on. There may be compatibility or performance issues to take into consideration in this respect.
Similarly, we will need to consider our use of directories and security policies, and precisely how data encryption fits into the broader scenario.
There are also distinctions to consider between hardware-based and software-based encryption, pre-boot or post-boot implementation, Unicode compatibility and other factors. Fortunately, there is no shortage of choice in products. This group test offers an overview of some of the popular packages currently available.
When contemplating deploying such a system, whether on a standalone computing device or across a network, one of the more important parameters to consider will be ease of use and ease of recovery, should the authorized user find themselves locked out of their own data. However, the attentive supplier will no doubt have thought this through.