Group Test: Encryption

Legislation at the state and federal level seems to be favoring encryption mandates for businesses that have a strong need to protect sensitive data. At this time, several states have enacted laws that require businesses that have reported a data breach to encrypt customer data. As these requirements take the spotlight and consumers realize the dangers associated with the disclosure of their account numbers or health information, businesses are being pressed to take action.

For all the extra level of security that encryption affords an organization, the mismanagement of technology can also add to the risk. Organizations are looking for simple solutions that can not only effectively integrate with existing directories or technologies, but also do the job of encrypting endpoints without impeding performance or user productivity. Transparency to the user is a must today, and vendors are responding. As the market matures, we are starting to see several feature sets that allow for an organization to implement a solution without having to invest significant resources in deployment and management.

From a product perspective, encryption products are generally either hardware-based (chipsets, such as the Trusted Platform Module) or software-based. Software-based products range from whole disk encryption - which provides protection for a hard drive, even if taken out of the computer - to encrypting particular files, folders or removable devices, such as USB drives. Whatever the end result of a product's feature set, businesses should implement solutions that help them align with their own security objectives.

We examined products that perform whole disk encryption (often referred to as FDE, or full disk encryption) and products that help to secure folders or files within the operating system (OS). Both have the end goal of ensuring that only those who need access to the data have the ability to do so. This is achieved by locking out unauthorized users through the use of keys and encryption mechanisms whose implementation may vary from product to product.

How we tested
All of the products in our group review were divided into two areas: client and server software. All server software was installed on both a virtual instance and physical machine. Our lab server machines consist of Windows 2003 RC2 Standard Edition servers and Windows 2008 with Hyper-V for our virtual instances. Our client machines were installed with Windows XP SP2 and Windows Vista Business Edition SP1. Linux-based OSs were only used to attempt to boot to encrypted Windows devices in order to access the drive. We installed IIS, MS SQL Server 2005 and ADAM when specific vendor requirements called for it.

The areas we placed emphasis on were installation, administration, usability in an enterprise environment, user experience (transparency), support, price and overall value for the money. Most of the products performed to the same technical levels when determining how quickly disks or files can be encrypted or decrypted.

The real meat of our testing was how easy and efficient it was to create policies and deploy them to endpoints. Most products made it easy to import or choose users, groups and computer objects and then deploy our policy templates to those users. However, we liked the ability to see what was actually secured (or not), so that we could make informed decisions about how to secure certain assets based on the criticality in the environment. The overall assessment of ports and ancillary devices is also a welcome feature. Having a window into your environment regarding what physical and logical channels exist for users to actually exploit, helps the administrative cause in the long run.

Because cryptography is sometimes a more specialized field, the use of documentation becomes even more important. Vendors that organized their documentation in an easy-to-read format scored higher on our tests because their stakeholders may rely on it much more heavily than with other solutions. This also lends itself to how easy it would be for an administrator to use the solution. In this group, this was the biggest variable. Some products were a breeze to setup, while others contained detailed manuals with hundreds of pages needed to install and configure the product.

Nathan Ouellette is consulting director of Viopoint.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.