Mobile Guardian Enterprise Edition 5.1
Price: Starts at $46.37 per client for 1-249 clients
Given the mobile nature of today's workforce, protecting confidential data on portable devices has become a red-hot area of concern for security managers. CREDANT Technologies' Mobile Guardian (CMG) meets this challenge with strong, policy-driven encryption.
CMG supports strong encryption -- TripleDES, Blowfish, and 128- and 256-bit AES -- on Windows hosts and popular PDAs like Palm, Symbian and BlackBerry.
Flexible encryption policies are a CMG strong suit. Managers define robust business rules governing what gets encrypted on the Java-based management server, and those rules are published to an agent on the managed nodes. The administrator can require that specific folders be encrypted, including "My Documents," the Internet Explorer cache directory and removable media. A nice feature is its capability to mandate encryption for all content created by specified applications.
The Java-based management server connects to any enterprise-level LDAP environment and maps user accounts to the appropriate encryption policy, in addition to allowing the delegation of CMG management rights to appropriate personnel. CMG has a built-in key recovery facility, and stores configuration and policy information in a MySQL or MS SQL Server database.
If a device is lost or stolen, there are administrator-configurable autodestruct capabilities built into the client that could, for example, automatically delete all of the data on a device if the user fails authentication within a given period. On the other hand, authorized admins can access encrypted data in the event of a failed password check through self-service authentication questions and/or one-time decryption keys.
Although functional, both the installation and management programs need work. The administration and configuration functions are spread among several different GUI applets, and we had to find and execute them. It would be far more user-friendly to have all such functionality available within a single console.
We were initially unable to connect to our Windows 2003 SP1 Active Directory infrastructure for the mandated LDAP synchronization, though a quick call to tech support showed us how. There is no reason why this functionality couldn't be thoroughly integrated into the main console. Additionally, the client agent installations need to be streamlined and integrated directly into the management console. Although CMG's solution -- providing MSIs for the client software installation -- is serviceable, other products in this market allow a direct agent push from management.
Given the stringent requirements of regulatory compliance and corporate governance, we were somewhat surprised not to see richer reporting capabilities. Logging and reporting is pretty basic, consisting largely of recording various successful/failed communications and administrative activity, such as agent contact and policy downloads. While this is adequate for debugging, we'd expect to see detailed records of user activity.
If you're concerned about sensitive data leaking beyond your organization, it's worth considering CMG, particularly if you have a large number of PDAs in your environment. We hope to see an improved management interface and more robust reporting in future releases, but CMG does an excellent job performing its main mission of providing strong, policy-based encryption for portable devices.
This article originally appeared in the July 2006 edition of Information Security magazine.