Evaluation of Data Encryption Software
In order to help evaluate the complex nature of hard disk encryption products, ecommnet have developed this guide. It raises a number of key issues that should be considered before selecting such products.
Installation and Deployment
- How is the software installed?
- Do all PCs have a client application to install?
- How do I install the software?
  - Manually?
  - Automatically?
  - Remotely?
- Can I easily uninstall the encryption software remotely?
- Can I install the product using Microsoft's SMS or another software distribution mechanism such as IntelliSync SM?
- Can I use Ghost or something similar to build a standard laptop image for deployment?
- Configuring encryption settings is difficult; can I do this centrally without involving the user?
- Some of my users will need different security settings; how can I easily deal with this?
- Do I have to create a configuration file for every end user, or can I build a generic one?
- We get our laptops from a systems builder who delivers them directly to the end user. If the builder needs a login at build time, what prevents them from gaining access after the system has been delivered?
Operation and Management
- How is the system configured?
- How can I make changes to the deployed policy?
- Can it be centrally managed through Active Directory?
- Can I centrally manage the configuration from a management console?
- Can I reset a user's password while they are remote and disconnected from the network?
- Can I use my favourite defrag tool to manage disk performance?
Identity Management
User Policies
- Can I force users to use a token to log in?
- Can a Dell engineer log in without the user being present?
- Can I prevent someone from booting from floppy or CD-ROM?
- I have several laptops that are used by several people; how can these users operate in the pool without sharing passwords?
- How can my IT staff log in to every laptop in the field without each of them having a login on all of the machines, again without sharing passwords?
- If I need to keep users' data very confidential, can I prevent IT staff and engineers from gaining access to that data even if they have Administrator rights on the local machine?
- The end user data is very confidential and may involve child protection data; can I store this safely on the network when a protected mobile device returns to the office?
- Can I use smart cards to control users' identity?
Passwords
- Can I force a user to use a strong password?
- Can I make the user change the password regularly?
- Can I make sure the user doesn't choose weak passwords such as 'password1'?
- What happens if a user forgets their password?
- Does this system address the issue of identifying the user who is at the other end of a telephone requesting a password reset?
- How does the help desk wizard work? And what prevents anyone from gaining access to another user's laptop if they have a copy of the RC wizard and can guess the user's name?
Application logon
- If I use smart cards, does the user have to log into the smart card each time an application requests it?
- If I also have PBA SGE installed, can I use that login to automatically log me into the network?
Encryption Policies
- Can I encrypt data that is saved to a CD or to read/write devices such as memory sticks?
- Can I give that encrypted data to someone else for them to use, or do they also need a copy of the software?
Device Management
- USB memory sticks pose a considerable threat to the security of my network; how do I prevent their unauthorised use?
- While some users should be allowed to use them, how can I prevent users from running executables from these kinds of devices?
- I want to ensure that users can't write confidential data to these devices; can I do this selectively?
- Can I apply these rules to other types of device, such as FireWire and USB hard disk drives?
- Can I control the use of CD-ROMs within the network to prevent users from running or importing data from magazine cover disks?
- Can I control the use of USB memory sticks or pen drives?
- Can I control the use of any other removable HDD, such as USB or FireWire drives?
- Can I control the use of other removable media, such as ZIP or Jaz drives?
Summary
Don't get hung up on encryption algorithms or key length; these should not be the differentiators between any of the products you seriously consider. The real issues in a commercial environment are mainly to do with deployment, and with the usability and manageability of the system once installed.
Aladdin eToken PRO
The Aladdin eToken PRO USB form factor smartcard provides two-factor authentication at pre-boot when used with SafeGuard Easy. The tokens can be managed using the Aladdin Token Management System together with the Utimaco TMS SafeGuard® Plugin; together these provide a seamless way to manage SafeGuard credentials in an Active Directory environment.
Aladdin eToken NG-OTP
The recent introduction of the new Aladdin NG-OTP token combines the tried and trusted USB form factor smartcard with a One Time Password generator. When used with the Token Management System (TMS), this token delivers a more easily managed, better integrated, more cost-effective and future-proof solution for identity management than the traditional alternative.
Aladdin TMS
The Aladdin Token Management System (TMS™) is a robust management system that enables the deployment, provisioning and maintenance of all eToken devices, including security tokens, smartcards and ID badges, within an organization. It supports a comprehensive range of security applications such as network logon, VPN, web access, one-time password authentication, secure e-mail, data encryption and many others.