Securing data in any organization is a delicate balance of operational integration, cost and reason. Depending on the particular industry, organizations may have many different data exchange needs and requirements. A review of any data exchange initiative may uncover the need to encrypt data as it rests within storage, as well as encrypting data as it is in motion. Within these requirements may be several types of transactions, key management needs, encryption standards, compliance mandates and many other components that require consideration. Understanding the needs and the requirements is critical to matching them with the right solution. In this Group Test, we are reviewing encryption solutions specifically for data in motion.
For this particular review, we specifically focused on products that helped to secure end-to-end file transfers using common encryption standards. There are many point-to-point security products, such as VPN or email security gateways. However, there are separate groups for those particular product reviews. Instead, we honed in on the solutions that offer application-to-application types of secure file transactions. This includes secure EDI-based transactions, FTP, SSH, HTTPS and other means of end-to-end delivery. In some form or another, these products allow workstations, servers or even web servers to provide a secure channel, and support common file transfer protocols in either a batch processing type of mode or by allowing users to perform self-service, on-demand transactions. They also control recipients via pushing and file-retrieval mechanisms. It is common that the data at rest within these transaction servers is encrypted as well, but our focus is on how the products help secure the remote file transfers.
All of the products submitted for testing in this group were software solutions, but some are available from the vendor as VMware. Some tools are architected as client server implementations, others are single host installations, and some are web servers that allow users to push and pull files from a centralized server. Depending on the size of the business and the amount and type of transactions that need to be secured, some products will fit better than others into environments. Businesses that do a large amount of batch EDI transactions may look for solutions that are designed specifically for these transactions. Other products fit better when less specialized protections are needed. This includes whether or not batch jobs are used or whether the environment simply needs an on-demand method of exchanging sensitive files with external entities. Business and security needs are important factors for considering what type of product to implement into the environment because many of them contain different types of feature sets.
It is worth noting, however, that all the products in this group performed well. They all use well-known encryption standards and will fit nicely into existing architectures. The encryption schemes aren't necessarily the most compelling buying factor as they all help meet a high level of encryption. The intangibles will be the determining factors: administration and operational features, overall architecture, and how the solution fits into your environment. Whether or not you require a flexible PKI environment or if a HTTPS transaction web server meets your needs, most of the solutions in this group deliver on one or more of these criteria.
How we tested
Our lab server machines consist of both physical and virtual Windows 2003 RC2 Standard Edition images. Our virtual environment consists of Windows 2008 servers using Hyper-V or VMware as needed. All client software was installed on either physical or virtual instances of Windows XP SP3. We also installed IIS and MS SQL Server 2005 on our Windows 2003 server when necessary.
The areas we assessed were implementation, administration, usability in an enterprise environment, user experience (transparency and performance), support, price and overall value for the money. Some products have more of an enterprise look and feel to the overall implementation, while others serve more of a single host use. Because of limited space, we did not touch on every product's operational integration capabilities, but several products can integrate into existing frameworks for authentication, key management and other environmental considerations.
Keep in mind that most of the solutions reviewed are not policy-based email or VPN types of products and do not enable encryption schemes on the fly based on keywords, regular expressions or packet inspection. These products are designed for dedicated file transfer scenarios, such as hosts that perform EDI, FTP, SSH or other specific use functionality or user groups that are dedicated to managing known or on-demand file transfer needs.