Protecting information against sophisticated, real-time threats in today's mobile environment is a challenge that keeps a lot of IT security professionals up at night. What is our defense against a breach that exposes a user's file system? How do we protect sensitive data that walks out of the enterprise every day on laptops, mobile devices and removable media?
We could say that we've established policies to prevent that from happening. That is a viable mitigation tactic. But we continue to read about organizations with said policies losing a notebook, drive or tape with sensitive data on it. So, in the end, policies are only as good as the ability to enforce them. Even within the enterprise, on systems that don't leave the fortress, there is risk of exposure.
This month we focus on encryption technologies. Although, historically, these technologies were hard to use and impacted the performance of systems, they have always been a reasonably priced option for adding a layer of protection.
Encryption technology isn't new. With the risk of exposure increasing, should protection of the information where it resides become a required part of our defense-in-depth practice? I have to admit, encrypting files and media does have overhead, both in performance and time. But I was hoping to see some vast improvements in this technology as we reviewed this set.
We were looking for the performance impact on the local system. We were interested in what management tools were available to assist with deploying and managing this technology in a large enterprise. Another focus was the ability to securely back up keys or recover encrypted files or partitions.
We tested the products in our virtual environment. We set up both 64-bit and 32-bit servers for hosting the applications and database components. If the applications supported 64-bit operating systems, we tested in that environment. Our desktop environment consisted of Windows 7 notebooks with various removable media components for testing those capabilities. Some of the solutions came with a complete installation package that ran through the deployment of the application and all the dependencies. Others were much more tedious to deploy and required a lot of manual configuration.
The solutions reviewed fell into two groups: user- or enterprise-centric. The difference was in how they were managed and deployed. The user-centric applications installed and were managed locally with some capabilities to back up configurations and keys. The enterprise-centric solutions provided a centralized console for setting up policy; provided software deployment tools; offered disaster recovery components, like centralized key storage, key backup and recovery options for systems under administrative control; and may have been LDAP/AD-integrated.
Although we did not evaluate other endpoint protections under this review, we should note that several of these solutions were part of a larger suite of product offerings and integrated with a common management platform. All of the solutions did what they advertised. Yet, there were vast differences in how they would perform and how one could manage them in an enterprise environment.
Price, features and performance all varied, so the best option one has is to evaluate several of these when trying to choose a solution for the enterprise. Some of the offerings deployed quickly and were ready to use with little overhead. Others required some serious time and technical abilities to get up and working. In the end, there are some very good choices available. Price points are reasonable, and there are solutions that provide protection with little overhead. Consider adding encryption for data at rest as a last line of defense.
We also would like to take a minute to thank Kevin O'Connor for his help this month in the SC Lab, assisting with the product testing. Kevin stepped in and handled most of the physical deployments and testing so that I could keep my vacation plans, a date in North Carolina with Hurricane Irene.