Canadian Security Magazine

How encryption can save your bacon

By Rosie Lombardi   

News headlines about sensitive data falling into the wrong hands because an employee lost a laptop in a taxi cab send shivers down executive spines.

Organizations with mobile workforces are looking for encryption
solutions that will protect their data but won’t give users and IT
departments extra headaches managing complicated keys and algorithms to
get their work done.

Export Development Canada (EDC), Canada’s export credit agency, has
tackled the problem with SecureDoc, a full-disk encryption solution
developed by WinMagic, a Mississauga-based provider.

The agency introduced a new mobile workforce strategy at the end of
2008 in conjunction with its equipment refresh program, and is
replacing its 1,200 desktop computers with laptops and tablet PCs.

“We have staff in over 200 markets abroad, and we needed to ensure we
had solid encryption capabilities,” says Dave McNulty, manager of
telecom and network management.

The EDC decided to go with SecureDoc because it was the product
selected for deployment to about 2,000 workers in a government study
that reviewed a number of products, he adds.

With so many staff on the move, a key requirement for the EDC was an
encryption solution that didn’t involve IT staff installing software on
each computer individually. “We wanted an enterprise solution that
allowed us to manage multiple computers from one central management
server and push updates out to them,” says Joe Gonzalez, senior network
analyst at the EDC.

SecureDoc also offers other features that minimize calls and trips to
the help desk by desperate users who forget their passwords. “Users
pick three unique questions when their computers are initially
configured, and it gives them the self-service control to reset their
own passwords,” says Gonzalez.

Another bonus is that the software’s workings are transparent to users.
EDC’s laptops work exactly the same with encryption as they would
without encryption.

“It prompts users for their name on login, and that’s it. We didn’t
receive a single user complaint and we’ve already completed the rollout
of 900 laptops,” says McNulty.

WinMagic’s hardware-based approach to encryption offers many advantages
compared with traditional software-based encryption, explains Garry
McCracken, VP of R&D at WinMagic.

“The encryption is done inside the hard drive instead of the computer’s
CPU. So there’s no performance degradation as the CPU isn’t processing
each keystroke. And it’s more secure, because the key required to
decrypt never leaves the hard drive so viruses can’t access it.”

Since encryption is centrally managed from a server, SecureDoc can also
be configured to enforce an organization’s security policies, says
Joseph Belsanti, VP of Marketing at WinMagic.

“Password rules, port control and what devices can connect to the
computer — these can all be set up in the user profile. Only
company-owned assets can be plugged into the computer, then if someone
plugs in a flash drive from home, it won’t work.”

The policy can specify the brand, model and even serial number for
devices that can legitimately be used with the computer. Data stored on
these will be encrypted in accordance with the user’s profile. “At EDC,
things like flash drives, CDs, DVDs are defined in the profile. So if
someone downloads corporate information to a flash drive and then loses
it at the airport, it’s covered off because it too is encrypted,” he

However, the SecureDoc server can be set up to allow members of the
same team or department to share devices, depending on how these rights
are set up in their profiles. “So if someone from Marketing passes on a
flash drive to a team member, he can access it as though it were
unencrypted. But if someone from Finance tries to read it, the server
won’t allow access.”

WinMagic’s hardware-based encryption approach offers many advantages,
but the company faces major competition from Microsoft’s recent release
of Windows 7, which includes full hard drive encryption in its
BitLocker feature.

While BitLocker is a competitive product, Belsanti says it isn’t
suitable for enterprises that want centrally managed encryption. “It
doesn’t cover off all scenarios — for example CDs, DVDs and Mac
computers. And it doesn’t do as well on the management piece. BitLocker
is great but it’s targeted for consumers, not business environments.”

Both encryption and decryption keys are stored locally on computers
instead of servers in Windows 7, and this can lead to some unpleasant
situations, he warns. “So if an employee leaves the company, there’s no
way to get access to information on his computer. With all the layoffs
happening in this economy, employees are doing things like holding onto
their laptops until their severance is paid. With enterprise controls,
organizations can revoke their keys.”

Like many organizations, EDC is exploring Windows 7, says McNulty.
“It’s being reviewed now, but we’re not far enough into discovery to
have a clear idea what its encryption capabilities are yet. We’re good
for at least two years with WinMagic.”

McCracken believes the market will move away from software-based to
hardware-based encryption in the future. With SecureDoc, organizations
can future-proof their investments in technology, he says. “If things
change in the environment, for example, introducing Mac computers,
these will be covered under the same encryption management and
licensing scheme.”
