Sophos SafeGuard Enterprise is a modular suite offering device and file encryption. With PCI DSS compliant device encryption and management of BitLocker, you can easily and securely recover a BitLocker installation when a user has forgotten a PIN or password using a BitLocker Recovery Key. The key is stored in a secure, encrypted database and is passed to the user. The company’s file encryption is the main differentiator from other products and companies.
We were provided with a unique license key to use. Sophos provides a tool that offers step-by-step instructions to ensure you install the correct components for the SGN server.
The layout of the SafeGuard Enterprise platform is clean and intuitive. Once you open the document, you can read the actual contents. SGN gives the option to set occasional scans of your hard drive for unencrypted documents.
Employees can open the Sophos key ring to see which documents they have access keys for. If a document is created and saved outside the designated directory, it will still be encrypted. You do not need to know if a document is confidential. When that file is moved to another location, the encryption key will be changed to fit that group’s encryption key. Group keys ensure only those within a group can access a document. The process works the same way if a document is copied to a public location: it will be unencrypted.
If a potential threat is detected, the Sophos SafeGuard key ring will give a warning when a user tries to open that file. SafeGuard protects encrypted files by removing all encryption keys from the key ring. You will not be able to access any encrypted file until no threats remain on your device. This incorporation of encryption and antimalware software is unique. Even if a user's other antimalware software is compromised, the malware will only be able to see encrypted content, which doubly protects customers against leaked or stolen information. Should this happen, all customers need to do is contact the SafeGuard server to regain access to their keys. They will need to confirm login credentials for authentication purposes. Upon successful login, SafeGuard will synchronize with the server and restore the encryption keys so that encrypted files can be accessed again.
To share information with someone outside of a company or group, one could decrypt the file before sending. Sophos offers an easier, more secure way. Customers can go to the file they would like to share and select password protection. There is a built-in password policy that can be adjusted based on the desired level of complexity. A new HTML file will be created on the desktop to simulate what will happen when the recipient opens the now password-protected document on another device. This opens in a browser with a notification that the file has been protected. The recipient can edit and return the document. Even without SGN installed, they can go back to the original browser and password protect the document again, using the same password or one of their choosing, to send it back.
If there is an issue with BitLocker, customers can go to the management center, which integrates with Active Directory. If a new user is added, you will get a notification that changes have been made and what they were. This adds visibility for Security Officers to accept or deny changes. Groups can also be created within Active Directory, and changing users in groups will change them in Active Directory.
Policies are completely customizable in the policy configuration menu. Customers can see the default values to know whether to convert them. The Outlook add-in policy configuration can also be managed here. Arguably the most important are the file encryption configurations. These are application-based, meaning default encryption will be based on the application used to create the document. Customers can also choose to use location-based encryption. File extensions are defined for better recognition when SGN is scanning devices.
By default, reporting is not done in real time. The connection to the server usually synchronizes every ninety minutes. However, there is an option under logging to change the number of events from the default 100 to one. That way, there will be a notification and log after every event occurs. The backend of this reporting is SQL, and the event information can be exported to Splunk and the like.
Tested by: Matthew Hreben