This article can also be found in the Premium Editorial Download "Information Security magazine: Compliance vs. security: Prevent an either-or mentality."
Encryption Gains Ground
Data encryption has long been a strong security technology, but its use has generally been limited by the complexity of implementing and maintaining it, as enterprises wrestle with thorny issues such as key management and key security.
That's all changing because of regulatory requirements and the exposure of data through Internet-facing applications. Nowhere has this become more evident than with the ubiquitous use of high-capacity portable storage media. Five out of six solutions Information Security tested for this review have integrated automatic forced encryption capabilities into their products.
Although the use of automated encryption for portable storage media is solving numerous security issues, there are still significant challenges to address.
Nate Lawson, senior researcher at Cryptography Research (www.cryptography.com), a security consulting and technology licensing firm, points out that there is plenty of room for improvement with the widespread use of encryption for storing information.
"How do I make sure I never lose or destroy that key, because if I do, it's like losing the entire set of data," Lawson says. "I won't be able to decrypt it again."
While there are plenty of standards for encryption algorithms (AES, DES, 3DES, etc.) and protocols (SSL), there is little standardization for key backup.
Lawson sees this as a potential pain point, especially in M&A scenarios and because of the speed at which technology becomes obsolete.
Before organizations begin routinely encrypting portable storage media through solutions such as the ones we tested, they need to examine the lifecycle of the data being stored and ensure access to decryption tools, such as keys and software.
--SANDRA KAY MILLER
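To make the key-backup point concrete, here is an added example (not from the article and not a feature of any product reviewed) of one well-established answer to "how do I never lose the key": split the data-encryption key into n shares with Shamir's threshold scheme over GF(2^8), so that any t shares reconstruct it and losing the remaining ones does no harm. The 16-byte key, the 3-of-5 parameters and the share handling are constructed for illustration.

```python
"""Key backup by threshold secret sharing (Shamir over GF(2^8)).

Added example, not any vendor's implementation.  A data-encryption key is
split into `shares` pieces; any `threshold` of them rebuild it, fewer reveal
nothing about it.  Arithmetic is in GF(2^8) with the AES reduction
polynomial, so each key byte is shared independently.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^(2^8 - 2) = a^-1 for non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def eval_poly(coeffs, x: int) -> int:
    """Horner's rule in GF(2^8); coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Return [(x, y_bytes), ...]; share x is the polynomial evaluated at x."""
    if not 1 < threshold <= shares < 256:
        raise ValueError("need 1 < threshold <= shares < 256")
    # One random polynomial of degree threshold-1 per key byte, constant term
    # equal to that byte.  Coefficients come from a CSPRNG, never from random.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)]
             for b in key]
    return [(x, bytes(eval_poly(p, x) for p in polys))
            for x in range(1, shares + 1)]


def recover_key(shares, threshold: int) -> bytes:
    """Lagrange-interpolate the constant term from any `threshold` shares."""
    pts = shares[:threshold]
    if len(pts) < threshold:
        raise ValueError("not enough shares to reach the threshold")
    xs = [x for x, _ in pts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if len({len(y) for _, y in pts}) != 1:
        raise ValueError("shares have inconsistent lengths")
    # Basis value L_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction is XOR.
    basis = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)
        basis.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for k in range(len(pts[0][1])):
        acc = 0
        for (_, y), b in zip(pts, basis):
            acc ^= gf_mul(y[k], b)
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    # Constructed 128-bit key; in practice this is the key that wraps the media.
    dek = bytes(range(16))
    parts = split_key(dek, threshold=3, shares=5)
    assert recover_key(parts[1:4], 3) == dek
    print("recovered from 3 of 5 shares:", recover_key(parts[1:4], 3).hex())
```

The shares must go to separate custodians or locations, and the recovery run reassembles the key in the clear in memory, so it belongs on a trusted host. Note also that a share scheme protects the key, not the decryption software: the article's advice to keep the tools, not just the keys, still applies.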
For organizations that want to further enforce policy through enterprise-class management systems, Control-Guard's Endpoint Access Manager is designed to integrate with third-party products like HP OpenView and CA Unicenter.
Safend offers similar policy control through role-based access and by prohibiting multiple networking protocols from being enabled at the same time. One feature that really caught our attention was the ability to print a summary of the entire policy at any time, so corporate policy can be posted or viewed by managers who need to see the security policy but don't have access to the console.
Overall, DeviceWall's policy configuration was the least intuitive of the products tested, although the Master Policy tree accessed through the Control Center provided a clean interface for configuring 16 different device categories, including digital cameras, scanners, smart phones, and BlackBerry, Palm OS and Windows Mobile devices. We would have liked to see all the individual categories for mobile handheld devices under a single high-level branch of the tree, instead of each having its own; that would make the Control Center interface much less cluttered.
When building complex policies that limit or deny the availability of computer resources, there are bound to be exceptions to the rules. DeviceWall was our favorite product for bending the rules. It let us assign temporary access for up to three devices either for the current Windows session or by start time and duration. Even when we weren't connected to the network or Internet to push out a change in policy, DeviceWall gave us the option to generate a key that could be verbally exchanged or sent via text message over a mobile phone to provide temporary access to the restricted port or device.
DeviceLock's policy exception works much like DeviceWall's temporary access, but lacks the granularity to assign a length of time: it can only permit use of the restricted resource for the current Windows session.
Safend allows for the temporary suspension of the client, even when the computer is offline.
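The offline exception mechanism described above, a code read out over the phone or sent by text message, can be built as a challenge/response over a secret shared by the console and the endpoint agent. The following is an added example, not DeviceWall's, DeviceLock's or Safend's actual implementation; the key, the eight-digit code length, the duration cap and the device-class names are assumptions. The response is an HMAC over the challenge, the device class and the granted duration, truncated so it can be spoken; the agent verifies it with no network connection, each challenge is single-use, and wrong guesses are capped.

```python
"""Offline temporary-access code as a challenge/response.

Added example, not any vendor's mechanism.  Assumes a secret provisioned to
both the management console and the endpoint agent at install time.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8       # length of the challenge and of the response
MAX_MINUTES = 8 * 60  # hard cap on how long an exception may last
MAX_ATTEMPTS = 3      # wrong responses tolerated per challenge


def response_code(key: bytes, challenge: str, device: str, minutes: int) -> str:
    """Bind the approval to challenge, device class and duration, so a code
    issued for 30 minutes on USB storage is useless for a day on wireless."""
    msg = f"{challenge}|{device}|{minutes}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:8], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def issue_code(key: bytes, challenge: str, device: str, minutes: int) -> str:
    """Console side: the help desk enters what the user read out and the
    duration it approves, and reads the result back."""
    if not 1 <= minutes <= MAX_MINUTES:
        raise ValueError("duration outside policy")
    if len(challenge) != CODE_DIGITS or not challenge.isdigit():
        raise ValueError("malformed challenge")
    return response_code(key, challenge, device, minutes)


class Agent:
    """Endpoint side.  Needs only the shared key, never the network."""

    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock          # injectable for testing expiry
        self.pending = {}           # challenge -> attempts left (single use)
        self.grants = {}            # device class -> expiry timestamp

    def new_challenge(self) -> str:
        """Random challenge shown to the user; CSPRNG so it cannot be predicted."""
        c = f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[c] = MAX_ATTEMPTS
        return c

    def redeem(self, challenge: str, device: str, minutes: int, response: str) -> bool:
        if challenge not in self.pending:
            return False            # unknown, already used, or burned by guessing
        expected = response_code(self.key, challenge, device, minutes)
        ok = 1 <= minutes <= MAX_MINUTES and hmac.compare_digest(expected, response)
        if not ok:
            self.pending[challenge] -= 1
            if self.pending[challenge] == 0:
                del self.pending[challenge]   # guessing budget exhausted
            return False
        del self.pending[challenge]           # one redemption per challenge
        self.grants[device] = self.clock() + 60 * minutes
        return True

    def allowed(self, device: str) -> bool:
        """Policy check the device filter consults before permitting access."""
        return self.grants.get(device, 0) > self.clock()


if __name__ == "__main__":
    shared = b"console-secret-for-the-example-only"   # constructed
    agent = Agent(shared)
    chal = agent.new_challenge()                      # user reads this out
    code = issue_code(shared, chal, "usb-storage", 30)  # help desk reads back
    print("granted:", agent.redeem(chal, "usb-storage", 30, code))
```

Because the endpoint must verify offline, the key has to live on the endpoint: a local administrator who can extract it can mint codes, so the agent's key store must be protected and the key rotated when an agent is compromised. The attempt cap matters because an eight-digit code is short enough to guess online; without it the phone step is the only thing standing between a user and the port.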
This was first published in March 2007