Product Group Tests
A vast number of protection options at a great price point make Safend Data Protection Suite our Best Buy.
An enterprise-class modular suite: Utimaco SafeGuard Enterprise wins our Recommended award this month.
Full Group Summary
Data breach disclosure is driving expansion in this area. We test eight products. By Nathan Ouellette.
The market for encryption products seems to be expanding these days. During our last review (SC, October 2008), we noted that the list of US states that mandate data breach disclosures was growing exponentially. This factor, with others, has surfaced in many of the products we see today. The indication is that protection is spreading to different operating systems and devices, beyond just Windows-based machines.
We are seeing convergence between overall endpoint protection features and encryption solutions. Suites of products are still offering the standard features, such as whole disk encryption, protection for various partitions and encryption of removable media. However, we're also seeing a growing trend in the ability of these policies to allow or deny access to devices based on certain rules and criteria. Even if the software does not have the ability to encrypt an external device, it may have granular controls and rule-sets on how to treat the device if the host machine connects to it. Some are extending this protection to mobile devices and smartphones. Two products offer Mac OS X support.
Many of these newly converged features may be attractive to some when making a buying decision, but policy should ultimately drive the investment. In some firms with highly confidential data, whole disk encryption may be mandatory for all mobile assets. However, not all of the products have the ability to encrypt the entire hard drive and require pre-boot authentication before accessing the device. But many products that do not have whole disk encryption may have other useful features, such as centralised management consoles or the ability to push clients remotely to all host machines. IT stakeholders should make sure that policies and standards are covered when making purchasing decisions.
This year's crop
All of the products assessed here were software-based encryption applications. They did not require any special chipsets within a hard disk and all contained either a client installation or client-server architecture. Features we looked for were the ability to secure the entire disk, files, folders and removable media and whether or not the product could be centrally managed through an administrator interface. Whole disk encryption products secure all of the contents on the hard disk and require a pre-boot authentication (PBA) screen before accessing the disk. Products that do not offer whole disk encryption usually encrypt a partition or allow for certain files or folders to be encrypted.
All of the products we reviewed offered strong AES encryption in various bit strengths. Most also offered less intensive encryption algorithms for organisations with performance problems on older hosts.
Encryption is also applied differently, either using passphrases or key-ring technology. This may be a matter of policy, standard or even an operational choice. Each product also had some sort of passphrase or key recovery mechanism. Some have an administrator ID which acts as the key recovery mechanism, while others allow users to answer challenge questions to restore their key.
How we tested
All server software was installed on a virtual instance in our lab. Our lab server machines consist of Windows 2003 RC2 Standard Edition images managed with Hyper-V within a Windows 2008 server. All client software was installed on a laptop running Windows XP SP3 with a 75GB hard drive to test encryption times. We also installed IIS and MS SQL Server 2005 on our Windows 2003 server as needed.
The areas we assessed were: installation, administration, usability in an enterprise environment, user experience, support, price and overall value for the money. Most of the whole disk encryption products performed identically, and encrypted our test hard drive in under three hours. These all produced performance degradation between the pre-boot authentication screen and the operating system, but the trade-off for secured confidential information is a positive return.
Since most products can deploy a strong encryption scheme to protect data, the criterion for purchasing isn't algorithms, but the ease of deploying and managing clients. Decision-makers should check whether the product supports organisational policies, is easy to configure and deploy, and has good vendor support.
Trevor Hough contributed to this article.