I have extensive experience in this field but don’t come up against these solutions much. The vendors our colleague mentioned might have addressed their drawbacks and missing features lately. I would suggest looking at pure-play encryption solutions such as WinMagic and a few others. I’m partial to one in particular that I didn’t mention; however, I can suggest other solutions depending on size and requirements.
Ponemon contacted over 10,000 organizations in enterprise commercial and government/public sector agencies and determined the average cost to stage and manage commercial off-the-shelf encryption solutions. A significant percentage of management cost comes from staging a machine and managing day-to-day activities such as password changes, etc. The ability to manage the encryption in the enterprise at a pre-boot level saves the average organization thousands of dollars per year.
Microsoft BitLocker
Regarding MS, there's the old and rarely used Encrypting File System (EFS), or BitLocker. Due to the fact that these modules are “built in” and are essentially “free” (or already paid for), they are very tempting to implement and use. Proof of the poor usability and limited functionality of these two encryption modules is their current limited install base, key management and user recovery issues, and the need to stop users from turning off encryption. Fully baked competitors have the ability to manage BitLocker.
Microsoft BitLocker – Main Drawbacks:
· BitLocker is only applicable on the most expensive versions: the Ultimate and Enterprise editions of Vista and Windows 7, the Pro and Enterprise editions of Windows 8, and Windows Server 2008 and later.
· BitLocker installation requires the creation of a special partition on the system boot drive for all endpoints, which makes BitLocker installation and configuration very complicated.
· BitLocker requires either a TPM module or a USB flash drive to store logon keys. When using TPM, TPM modules must be deployed, activated and manually managed on all protected endpoints. (Microsoft does not provide a management solution for TPM.) Keys stored on USB flash drives have many drawbacks: they provide weak security (since they are usually kept with the machine), they can be lost, rendering the machine useless, and they are generally hard to manage and control.
· Microsoft does not provide a central management console for BitLocker; this means that each administrative action is performed through a different, hard-to-use management tool (Group Policy, command line, etc.).
· Microsoft requires the modification of the enterprise Active Directory schema in order to escrow recovery keys from BitLocker endpoints.
BitLocker Missing Features:
· Single Sign-on
· Network Pre-Boot Authentication
· Wireless Pre-Boot Authentication
· Mac OS X support
· Linux Support
· OPAL Support
· SED Support
· Intel AT Support
· Container Encryption Solution
· Removable Media Encryption (Limited)
· Removable Media Container Encryption
· Dynamic Key Provisioning
· File and Folder Encryption
· Multi-factor Authentication
· Lenovo ThinkVantage Tools Support
In Summary:
BitLocker does not support encryption of endpoints with multiple volumes or multiple hard drives installed, is only applicable on the most expensive versions of MS operating systems, requires the creation of a special partition on the system boot drive for all endpoints, requires either a TPM module or a USB flash drive to store logon keys, etc. -- which all adds up to weak security, lack of central management and complications (e.g. it requires the modification of the enterprise AD schema in order to escrow recovery keys from BitLocker endpoints).
As Gartner noted in the 2013 MQ for Mobile Device Protection, companies that allow editions of Windows 7 or 8 that do not support BitLocker, as well as other platforms such as Mac and legacy XP, will need to maintain additional encryption products and services.
Symantec PGP/GuardianEdge
It took their engineers 54 days just to install it for one of my clients. Search the PGP customer forum for “Outlook Crash” and you’ll see common threads. PGP is so tied to their email product that it causes major problems with Outlook email.
Several customers who implemented PGP for full-disk encryption because they were the incumbent for email encryption quickly encountered numerous problems. I cannot claim that all of the points outlined are valid today, but nonetheless you would be well advised to investigate these claims if any appear to negatively impact your requirements. Some customer comments:
· Without much effort, our security team found major holes in PGP encryption software by modifying and updating packages, allowing users to decrypt encrypted hard drives.
· When the initial encryption was taking place, the PGP client machines were basically useless during the entire four- or five-hour process.
· PGP does not have full reporting functionality; you could not tell which machine was encrypted.
· PGP does not support multiple user accounts on a single PC.
· PGP does not offer port/device control, so you need another Symantec solution that can be bolted on.
· PGP’s core architecture is based on email encryption. Their full-disk encryption was an “afterthought” that they bolted on.
· PGP utilizes a proprietary management console that is not familiar to most administrators.
· PGP requires that an end user be connected to the internet and/or call the helpdesk in order to reset a password.
· PGP lacks wake-on-LAN functionality.
· PGP lacks client “lock-out” functionality.
· PGP is not fully compatible with EnCase forensic software.
I believe PGP utilizes LDAP synch, which is very different from native integration into Active Directory. Below is a summary of points:
· Doesn’t Leverage Existing Active Directory Hierarchy – PGP requires a synching operation to establish this and to keep the hierarchy current.
· Slow Time to Value and Increased Training Time and Expenses – Administrators will be required to learn how to perform LDAP queries to synch the management console with the data in Active Directory. Furthermore, LDAP synching results in another component which can later develop problems.
· Doesn’t Use Existing Infrastructure for Policy Distribution – I believe that PGP requires their own servers to distribute policies. When only one server is needed, this may not be that big of a deal. However, for large multinational companies, where multiple replicated servers would likely be needed, not being able to use existing domain controllers becomes a significant challenge.
Another point to consider is that PGP was not one of the awardees for the government BPA, which leads one to speculate that PGP failed some critical DOD requirements.
Symantec – Missing Features:
· Network Pre-Boot Authentication
· Wireless Pre-Boot Authentication
· Removable Media Container Encryption
· Lenovo ThinkVantage Tools Support
Dell Credant
As Gartner noted in the 2013 MQ for Mobile Device Protection, Dell didn't have a health and configuration scanner to detect and resolve installation issues (for example, involving SED retrofits). If you like pain…
Dell Credant – Missing Features:
· Single Sign-on – ?
· Network Pre-Boot Authentication
· Wireless Pre-Boot Authentication
· Linux Support
· Intel AT Support
· Container Encryption Solution
· Removable Media Container Encryption
· Dynamic Key Provisioning – ? (Escrow Keys)
· File and Folder Encryption
· Lenovo ThinkVantage Tools Support
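As an added example (not part of the post above, and not the poster's own material), this is what the "command line" management and AD recovery-key escrow that the BitLocker drawbacks section refers to actually look like on an endpoint. It assumes a domain-joined Windows 8 / Server 2012 or later machine with the BitLocker PowerShell module, an AD schema that already carries the msFVE-RecoveryInformation class (shipped with Server 2008 and later), and an elevated session; the registry value names are the ones the "Choose how BitLocker-protected operating system drives can be recovered" GPO writes. The verification query at the end needs the RSAT ActiveDirectory module and is left commented out as an assumption.

```powershell
# Added example, not from the post: inventory TPM and BitLocker state on the local
# endpoint and escrow every volume's numerical recovery password to Active Directory.
# Assumes: domain-joined Windows 8 / Server 2012+, BitLocker module, elevated shell,
# AD schema already extended with msFVE-RecoveryInformation (Server 2008+).
#Requires -RunAsAdministrator

Import-Module BitLocker

# 1. TPM state: a TPM-only protector needs the chip present, ready and owned.
$tpm = Get-Tpm
"TPM present={0} ready={1} owned={2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned

# 2. Policy check: OSActiveDirectoryBackup / OSRequireActiveDirectoryBackup are written
#    by the GPO "Choose how BitLocker-protected operating system drives can be recovered".
#    Without them the escrow below is a one-off manual step, not enforced at enable time.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1 -or $fve.OSRequireActiveDirectoryBackup -ne 1) {
    Write-Warning 'AD escrow of OS-drive recovery info is not enforced by policy; escrow below is manual.'
}

# 3. Walk every BitLocker volume (OS, fixed data, removable) on this machine.
foreach ($vol in Get-BitLockerVolume) {
    "{0}  status={1}  method={2}  protection={3}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionMethod, $vol.ProtectionStatus

    # Only a RecoveryPassword protector (the 48-digit key) can be escrowed to AD.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # Add one if the volume only has a TPM or external-key protector.
        $rp = (Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # Creates an msFVE-RecoveryInformation child object under this computer's AD account.
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        "  escrowed protector {0}" -f $p.KeyProtectorId
    }
}

# 4. Verification from an admin workstation with RSAT (assumed, hence commented out):
#    the escrowed objects hang off the computer object; msFVE-RecoveryPassword holds the key.
# Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
#     -SearchBase (Get-ADComputer $env:COMPUTERNAME).DistinguishedName `
#     -Properties msFVE-RecoveryPassword, whenCreated
```

The equivalent legacy command on Vista / Windows 7, which lack the PowerShell module, is `manage-bde -protectors -adbackup C: -id {protector GUID}`; the GUID comes from `manage-bde -protectors -get C:`.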