Data at rest? Rest easy
GCN Lab Review: SecureDoc encrypts individual PCs or works across the network
- By John Breeden II
- Mar 14, 2008
A vital but sometimes overlooked security challenge is keeping data safe when it's just sitting around on a laptop PC or other portable device.
We've seen plenty of news stories about stolen or misplaced laptops containing vital agency information, Social Security data or nuclear secrets. A lot of the ensuing panic could have been avoided had those devices been protected by whole-disk encryption.
WinMagic's SecureDoc has two ways of achieving encryption protection: an Enterprise Server Edition and a Client Edition. We mostly tested the Enterprise version ' they share many features ' but we did run Client through its paces on a stand-alone laptop, too.
Installing the Enterprise Secure-Doc program was relatively simple on our test network, which consisted of eight clients and a Windows 2003 Server. After installation, we set policies for users and devices. In many cases, this required conversion of entire drives on client machines from an unencrypted format to an encrypted one using RSA Security's Public-Key Cryptographic Standard #11 protocol.
The conversion was fairly painless ' and assuming you have properly set up permissions for users before the conversion begins, everyone can keep working during the process. In our test, the software converted about 25G of data per hour until entire drives were protected.
Computers can be shut down or have their power interrupted without impeding the process. We forced several power failures on PCs during conversion, and each time, the process resumed without any ill effects.
Once you have encryption in place, the real work begins for the administrator, who can now completely control the agency security process. One of the best features is that client devices can be set up to require as many as three factors of authentication ' all in the pre-boot phase ' for access to encrypted resources.
Your three-factor security could include a password plus some type of biometric scan and a token security device such as a smart card. Of course, you could settle for dual or even single authentication or mix and match your security scheme.
The Enterprise version also supports floppy drives, Zip drives, Jaz drives and USB key drives, which can be encrypted to comply with your security protocols. Or you can restrict access to removable media. This is not the sledgehammer approach we have seen with other programs but is configurable, allowing data to be copied and tagging other data as read-only.
We were impressed with the flexibility that the administration software offers. You can apply rules to an entire network, groups of users or individual users. You can, for example, have systems lock down if they lose their connection to the central network or if an incorrect password is entered a certain number of times.
This brings up a small negative about SecureDoc: the difficulty of implementing an agencywide security and encryption program. Even getting everything working on our eight-client test network took several days with all the options available.
The way to make it easier would be to assign subadministrators to control access and security for groups of users. SecureDoc provides this option and offers classes on how to implement the software across large organizations.
SecureDoc has been awarded Advanced Encryption Standard validation, Federal Information Processing Standard 140-1 Level 2 certification, and certification from the National Security Agency to protect secret-level data. It also supports the Defense Department's Common Access Cards and was recently chosen to support the Homeland Security Presidential Directive 12 initiative. At the government price of $129 per seat for the Gold version, it's a good deal for everything it can do even if large organizations will have to spend a lot upfront.
WinMagic, (905) 502-7000, www.winmagic.com