The market for encryption products seems to be expanding these days. As we've previously said, the list of states which mandate data breach disclosures is growing exponentially. At this point in time, there aren't too many states that haven't enacted some sort of disclosure legislation. This particular influence has surfaced in many of the encryption products that we see today. The trend this year indicates that protection is spreading to different operating systems and devices other than Windows-based desktops and laptops.
As we expected, we're seeing a slight convergence between overall endpoint protection features and encryption solutions. Suites of products are still offering the standard features - such as whole disk encryption, protection for various partitions, and encryption of removable media. However, we're also seeing a growing trend in these policies to either allow or deny access to devices based on certain rules and criteria. Even if the software does not have the ability to encrypt an external device, it may have granular controls and rule sets on how to treat the device if it's connected to the host machine. Some solutions are extending this protection to mobile devices and smart phones.
When making a buying decision, many of these newly converged features may be attractive. Your enterprise's policy should ultimately drive the investment. In some organizations with highly confidential data, whole disk encryption may be mandatory for all mobile assets. However, not all of the products available, or even in our review, have the ability to encrypt the entire hard drive, and require pre-boot authentication before accessing the device. But, many products that do not have whole disk encryption capabilities may have other useful features, such as centralized management consoles or the ability to push clients remotely to all host machines. IT and security stakeholders should make sure that company policies and standards are covered when asking questions and making purchasing decisions.
This year's crop
For this particular review, all of the products we assessed were software-based encryption applications. They did not require any special chipsets within a hard disk, and all of the products contained either a client installation or client-server architecture. Some of the features we looked for were the ability of the product to secure the entire disk, secure files and folders, secure removable media, and whether or not the product could be centrally managed through an administrator interface. Whole disk encryption products secure all of the contents on the hard disk and require a pre-boot authentication screen (PBA) before accessing the disk. Products that did not offer whole disk encryption methods usually encrypt a partition or allow for certain files or folders to be encrypted.
All of the products we reviewed contained strong encryption schemes (AES in various bit strengths). Most offered incrementally less intense encryption algorithms for organizations that might have performance issues on older hosts. Encryption is also applied differently, either using passphrases or key ring technology.
How we tested
All server software was installed on a virtual instance in our lab. Our lab server machines consist of Windows 2003 RC2 Standard Edition images managed with Hyper-V within a Windows 2008 server. To test encryption times, all client software was installed on a laptop running Windows XP SP3 with a 75GB hard drive. We also installed IIS and MS SQL Server 2005 on our Windows 2003 server.
Since most of the products can deploy some sort of strong encryption scheme to protect your data, the decision criteria for purchasing isn't the algorithms, but the ease in which clients are deployed and managed. Decision-makers should review whether or not the product helps to support organizational policies, as well as the ease of configuration, deployment and support from the vendor.
Trevor Hough contributed to this Group Test review.