Mar 06 2008

5 Benchmarks A Hard Disk Encryption Product Should Satisfy

GuardianEdge Hard Disk Encryption protects data on mobile devices and removable media

GuardianEdge Hard Disk Encryption secures sensitive information and other data stored on mobile devices or removable media. With GuardianEdge Hard Disk Encryption, the entire disk contents are encrypted — not only the folders or data that end users remember to protect, but also hibernation and page files that most people and even some IT departments tend to forget. The encryption sits between the operating system and hard disk drive, so any data written to the disk is secured on the fly (and conversely, decrypted on the fly as it is read).


Any hard disk encryption product should satisfy the following five criteria:

  1. Centralized management: It should be easy to administer and audit the solution from a central location. Management of remote or occasionally connected notebooks should not be an issue.
  2. Nearly invisible end-user experience: Unless you enjoy revolts, make sure your end users barely notice that any changes have been made. If possible, the solution should even enhance their experience, making it easier for them to wholeheartedly (well, semi-heartedly) accept the change.
  3. Excellent data security: The solution should not only meet industry standards but also provide additional security for removable media, such as external drives and USB thumb drives.
  4. Seamless enterprise integration: The solution should integrate well with your organization's current infrastructure, such as Active Directory or another Lightweight Directory Access Protocol (LDAP) service.
  5. Flexibility for the future: The solution should fit today's needs and be flexible enough for tomorrow. Choose a company with a history in encryption, and one that is constantly improving its product with new features.

GuardianEdge Hard Disk Encryption satisfies all five of these criteria.

End-User Experience

Let's face facts: Users are not big fans of security. If you force them to change passwords every 60 days, they grumble. Apply a password scheme to their mobile phones, and they start sharpening pitchforks. How in the world do you avoid a full-scale rebellion when you tell them you want to encrypt their entire hard drive (and then, possibly, any removable media they stick into them)?

GuardianEdge has taken pains to ensure your end users will keep their cool. Because the hard disk encryption works between the operating system and the hard drive, authentication must occur before the operating system loads (this is called pre-boot authentication). Normally, this would require the user to log in twice: first in the pre-boot stage, and then into Windows. But GuardianEdge includes single sign-on capabilities: The user's Windows password is synchronized with the pre-boot authentication. Immediately after the BIOS loads, the user is prompted for authentication. Then Windows loads and the user is automatically logged into the desktop. Thus, the user still logs on only once; it just happens a bit earlier than before.

When the software is first rolled out, it can take several days to encrypt a drive, depending on size, free space and fragmentation. GuardianEdge is configured to use only 20 percent of the computer's central processing unit during this time, to minimize the impact on the user. Once the drive has been encrypted, the actual encrypting of new data (while writing) or decrypting (as it's being read) is not perceptible, unless the end user is performing a disk-heavy activity, such as video editing and processing.

Why It Works for IT

GuardianEdge Hard Disk Encryption meets all industry standards, using 256-bit Advanced Encryption Standard (AES) encryption together with a Public Key Infrastructure (PKI). The pre-boot authentication is mandatory, so there's no getting around your security measures. Because PKI is used, your help desk or security team holds the keys needed to unlock drives. That way, if a user leaves the company or you need to attach the drive to another system to recover data, you can still gain access to the data by using the encryption keys.

The solution integrates well with Active Directory, using Microsoft Active Directory Application Mode (ADAM). ADAM lets the application store its own personalization data in a separate directory instance while still authenticating and publishing the application through Active Directory. The software is then configured and published through Active Directory Group Policy. This makes deployment as simple as dragging and dropping a computer object from one organizational unit (OU) to another. When you need to perform maintenance on a notebook, simply configure a "maintenance" OU with the appropriate policy, drag the notebook into that OU, perform the maintenance and drag it back.

GuardianEdge Hard Disk Encryption also supports multiple users and administrators (up to 50 each with good performance) for shared notebook environments. The first end user to register kicks off the encryption process; each subsequent user also registers (and answers the pre-defined security questions), and each user's answers are stored separately.

The admin console is based on the familiar Microsoft Management Console, so you simply add it to the list of other tools you manage in the same console. All of the encrypted computers report back to the central server, including the status of the encryption process, which makes it easier to prove that every notebook is encrypted. And, if the unforeseen happens and a notebook is stolen or lost, when you report the theft, you'll have confirmation (and peace of mind) that the information on the disk is safe.
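The status reporting described above is only proof if somebody reconciles it against the notebook inventory. The following PowerShell is an added example and is not the GuardianEdge console or its real export format: it compares a constructed status export against a constructed list of notebook names and flags anything the central server cannot vouch for (never reported, not fully encrypted, or not seen recently). The column names, sample rows, the 14-day staleness threshold and the fixed "today" date are all assumptions.

```powershell
# Added example, not GuardianEdge's console or export format: reconcile the
# per-client encryption status against the notebook inventory.

# Constructed sample of a status export; a real one would come from the
# management console. Column names are assumptions.
$statusCsv = @'
ComputerName,EncryptionStatus,PercentComplete,LastCheckIn
LT-FIN-01,Encrypted,100,2008-03-01 08:15
LT-FIN-02,Encrypting,42,2008-03-05 17:40
LT-HR-07,Encrypted,100,2008-01-20 09:02
LT-SALES-03,Not Installed,0,2008-03-04 12:11
'@
$report = $statusCsv | ConvertFrom-Csv

# Constructed inventory. In production replace with, for example:
#   Get-ADComputer -SearchBase 'OU=Notebooks,DC=example,DC=com' -Filter * |
#       Select-Object -ExpandProperty Name
$inventory = @('LT-FIN-01', 'LT-FIN-02', 'LT-HR-07', 'LT-SALES-03', 'LT-ENG-11')

$staleAfterDays = 14                    # assumption: tune to your check-in interval
$now = Get-Date '2008-03-06'            # constructed "today"; use (Get-Date) in production

$findings = @()

# 1. Notebooks in the inventory that have never reported in: the server has no
#    evidence about them at all, so they cannot be counted as encrypted.
$reporting = $report | ForEach-Object { $_.ComputerName }
foreach ($name in $inventory) {
    if ($reporting -notcontains $name) {
        $findings += New-Object PSObject -Property @{
            Computer = $name
            Issue    = 'never reported to the central server'
        }
    }
}

# 2. Notebooks that do report, but either are not fully encrypted or checked in
#    so long ago that the reported status may no longer be true.
foreach ($row in $report) {
    $issues = @()
    if ($row.EncryptionStatus -ne 'Encrypted' -or [int]$row.PercentComplete -lt 100) {
        $issues += "status '$($row.EncryptionStatus)' at $($row.PercentComplete)%"
    }
    $age = ($now - [datetime]$row.LastCheckIn).Days
    if ($age -gt $staleAfterDays) {
        $issues += "last check-in $age days ago"
    }
    foreach ($i in $issues) {
        $findings += New-Object PSObject -Property @{ Computer = $row.ComputerName; Issue = $i }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All inventoried notebooks report full encryption with a recent check-in.'
} else {
    $findings | Sort-Object Computer | Format-Table Computer, Issue -AutoSize
}
```

With the constructed data the script lists LT-ENG-11 (never reported), LT-FIN-02 (still encrypting at 42%), LT-HR-07 (last check-in 45 days old) and LT-SALES-03 (agent not installed); a notebook reported stolen should be looked up in this output before anyone states that its disk was protected.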

There are some additional attractive features you can deploy with GuardianEdge Device Control. Removable media, such as external hard drives and USB thumb drives, can be encrypted upon insertion into a protected notebook. (Obviously, you'll want to warn your users before you pull the trigger on this, or personal devices may be affected.) It can also enhance security by blocking network bridging — for example, when a user is connected wirelessly to one network and then plugs in an Ethernet cable, "bridging" the wired and wireless networks. GuardianEdge Device Control can disable the wireless network as soon as the wired connection is made.

What to Watch For

While GuardianEdge Hard Disk Encryption readily meets the five basic criteria mentioned above, there are a number of things to consider before deploying any product that affects each hard drive in such a low-level, invasive fashion.

As the documentation clearly notes, 64-bit operating systems, such as Windows Vista 64-bit, are not supported. Exclude these systems using Group Policy; if you don't, the software installs, encrypts the hard drive, and blue-screens the next time the system boots, resulting in catastrophic data loss. Back up any vital data on every system before deployment, just to be safe.
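One way to carry out that exclusion before the deployment policy is linked, as an added example that is not GuardianEdge documentation or tooling: the following PowerShell lists the computer objects in a target OU, queries each one over WMI for the bitness of the running Windows, and says which objects to move out of the OU (or, alternatively, gives a WMI filter that keeps the GPO from applying to 64-bit clients at all). It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), WMI/RPC access to the notebooks, and a placeholder OU path.

```powershell
# Added example, not GuardianEdge tooling: classify notebooks in the deployment OU
# by OS bitness so 64-bit systems can be moved out before the GPO is linked.
# Assumes the ActiveDirectory module and WMI/RPC access to the notebooks.
Import-Module ActiveDirectory

$targetOU = 'OU=Notebooks,DC=example,DC=com'   # placeholder; use your own OU

# The operatingSystem attribute is set by the client at domain join and is cheap
# to read, but its text does not reliably say whether the install is 32- or
# 64-bit, so it is shown only as context; the WMI query below decides.
$computers = Get-ADComputer -SearchBase $targetOU -Filter * -Properties OperatingSystem

$results = foreach ($c in $computers) {
    $arch = 'unknown'
    try {
        # Win32_Processor.AddressWidth reports the address width of the running
        # OS (32 on 32-bit Windows even on a 64-bit CPU), which is the property
        # that matters here, and unlike Win32_OperatingSystem.OSArchitecture it
        # exists on Windows XP as well as Vista.
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $c.Name -ErrorAction Stop |
               Select-Object -First 1
        $arch = "$($cpu.AddressWidth)-bit"
    } catch {
        # Offline or unreachable: keep it in the report rather than silently dropping it.
    }

    switch ($arch) {
        '64-bit' { $action = 'EXCLUDE: move out of the target OU before linking the GPO' }
        '32-bit' { $action = 'ok to deploy' }
        default  { $action = 'VERIFY: could not query; do not deploy until checked' }
    }

    New-Object PSObject -Property @{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        Architecture    = $arch
        Action          = $action
    }
}

$results | Sort-Object Architecture |
    Format-Table Name, OperatingSystem, Architecture, Action -AutoSize

# Alternative that needs no OU moves: a WMI filter created in GPMC and linked to
# the deployment GPO, so only 32-bit clients ever apply it. Same property as above.
$wmiFilter = 'SELECT * FROM Win32_Processor WHERE AddressWidth = 32'
Write-Output "WMI filter for the deployment GPO: $wmiFilter"
```

Notebooks that could not be queried are deliberately left in the "VERIFY" bucket rather than assumed to be 32-bit, because a wrong guess here is the exact failure the documentation warns about: an encrypted, unbootable disk.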

Dual-booting notebooks can also be problematic. Because GuardianEdge Hard Disk Encryption affects the Master Boot Record, notebooks that have been configured to dual-boot through Linux LILO, for example, could present a challenge. Most notebook users aren't this technical, but look out for your fellow IT gurus who might be experimenting with different operating systems.

When recovering a failed hard drive, there are extra steps required to recover the data. Because you need to unlock the data you're trying to recover, you must integrate the GuardianEdge PKI into your recovery process. Invariably it will be the CFO's notebook that presents the first failure; practice and document your recovery procedures so you're fully prepared.

Also, booting to a USB drive should be disabled in the BIOS. If USB booting is enabled, the system takes a long time to reach the pre-boot authentication screen, and the result will be many unhappy users. Few users are likely to boot their notebooks off USB drives anyway, so just set the BIOS properly and you shouldn't have any complaints.

GuardianEdge Device Control is offered as a separate product that integrates with GuardianEdge Hard Disk Encryption. You'll pay more for the extra security — protecting USB external drives and thumb drives and guarding against network bridging — but you'll be able to manage and deploy all the features together.

CDW Price: $139.99

Dr. Jeffrey Sheen is the lead enterprise analyst for Grange Insurance of Columbus, Ohio.