Product Group Tests

Encryption at rest (2010)

Group Summary

Credant Mobile Guardian Enterprise Edition is the Best Buy for its ease of use and excellent features.

For its full encryption capabilities and strong feature set we rate SafeGuard Enterprise Recommended.


Full Group Summary

Just because information is on your computer does not mean that it is safe. Peter Stephenson looks at seven encryption solutions.

Today there are more types of creative malware than we could imagine five, or even three, years ago. The game has changed a lot. We have always talked about defence in-depth, and it has always been at the core of our security architecture design, but never before in the history of computing has it been more urgently required.

In these review columns over the years I have talked about achieving defence in-depth and the risks we may be running when we combine too many security platforms into a single box, but with time, we hope, comes maturity. As network architectures become more and more distributed, so too must security architectures. That is happening with the various combinations of UTMs, multi-purpose gateways and endpoint protection, but no matter how good these protections are, they will fail.

They may fail because an attacker has an as-yet unknown technology. Or they may fail because a user, wittingly or unwittingly, undermines them. But they will fail, and when they do, then what? If there is no fall-back strategy, data will be compromised.

An interesting point here is that this requirement has always existed but most organisations found a fall-back strategy too expensive or too difficult to use or deploy. The obvious fall-back is encryption and encryption programs have been notorious in the past for being difficult for average users and for not being scalable enough. With the advent of PKI, developers began to think about how to manage raw encryption, such as disk, file or folder encryption, as opposed to the use of encryption for digital certificates.

The idea is that organisations of all sizes have data and information that is their life's blood. Today there is a need to have a solid encryption scheme regardless of the organisation's size. Privacy-related information, for example, needs to be protected. Regulatory requirements have evolved considerably in the past few years and the safest, surest way to comply with privacy requirements is to encrypt.

We are concerned with encrypting both data at rest and data in motion. The issues are very different for the two requirements, but they do share similarities. This group test looks at encrypting data at rest, which in many ways is a bigger challenge than encrypting data in motion. Issues such as deployment, recovery of encrypted data when an employee leaves or loses his or her key, and ease of use for a very broad audience with no consistency in skill levels are critically important. Predictably, these operational issues are far harder to cope with than the strength of the encryption itself.

An important part of encryption is key management. This is where lessons learned with PKI have been helpful. In this month's data at rest reviews we saw two types of deployment: installers and full enterprise server-based.

The installer type pushes out installer packages to users, and these can encrypt folders, whole disks or files. The enterprise server approach generally is policy-driven and deploys across the enterprise. In all cases there are recovery methods, and virtually all vendors object to the use of the term "back door". They insist that recovery is through an administrator-based procedure, ranging in complexity from a universal administrator key/password to a more complicated procedure.
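To make the recovery-versus-back-door distinction concrete, here is an added illustration that is not code from any of the reviewed products: one data-encryption key protects the volume and is wrapped twice, once under the user's passphrase and once under an administrator recovery key. The cipher is a labelled stand-in built from the Python standard library (SHAKE-256 keystream plus HMAC), chosen so the example runs without third-party packages; it is not a production algorithm.

```python
import os
import hmac
import hashlib

NONCE_LEN, TAG_LEN, PBKDF2_ROUNDS = 16, 32, 200_000

def _stream_xor(key, nonce, data):
    # Keystream from SHAKE-256 used as a PRF; illustrative, not a production cipher.
    keystream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))

def _seal(key, plaintext):
    # Encrypt-then-MAC so a wrong key is detected instead of yielding garbage.
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _stream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def _open(key, blob):
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    return _stream_xor(key, nonce, ciphertext)

def _kek_from_passphrase(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)

def protect_volume(plaintext, user_passphrase, recovery_key):
    # One random data-encryption key (DEK) encrypts the data. The DEK is then
    # wrapped twice: under the user's passphrase and under the admin recovery key.
    dek, salt = os.urandom(32), os.urandom(16)
    return {
        "salt": salt,
        "dek_for_user": _seal(_kek_from_passphrase(user_passphrase, salt), dek),
        "dek_for_admin": _seal(recovery_key, dek),
        "data": _seal(dek, plaintext),
    }

def unlock_as_user(vol, passphrase):
    dek = _open(_kek_from_passphrase(passphrase, vol["salt"]), vol["dek_for_user"])
    return _open(dek, vol["data"])

def recover_as_admin(vol, recovery_key):
    # Recovery unwraps the same DEK through the second wrapping: a second
    # authorised key, not a weakness in the cipher or a third way in.
    dek = _open(recovery_key, vol["dek_for_admin"])
    return _open(dek, vol["data"])
```

Losing the user passphrase loses nothing while the recovery key is held, and revoking a departed user means re-wrapping the DEK under a new passphrase, not re-encrypting the disk; the recovery key therefore needs the same custody controls as the data itself.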

What to look for
When buying encryption for the enterprise, the procedure is roughly the same as evaluating any enterprise-wide tool. First, what are you trying to accomplish? Many organisations simply want to encrypt the whole disk and let it go at that. Rather than depending upon the user to select the appropriate files or folders to encrypt, these organisations simply encrypt the entire disk. Some prefer to leave the user in control. This choice usually depends upon the types of data being protected.

How we tested
We fired up the virtual systems for this one. We created an exemplar enterprise consisting of a domain controller, an SQL Server deployment, an application server and a user client. We deployed using defaults and analysed the results, testing to make sure that if we removed the encryption from the client nothing stored there was damaged.

Encryption is no longer an option. The only options you have involve how you select the encryption product and deploy it. In that regard, this month's solutions offer some useful choices.
