Nov 04 2008

Safe in Transit

GuardianEdge Hard Disk Encryption protects data on mobile devices and removable media.

Let’s face facts: Users are not big fans of security. If you force them to change passwords every 60 days, they grumble. Apply a password scheme to their mobile phones and they start sharpening pitchforks. How in the world do you avoid a full-scale rebellion when you tell them you want to encrypt their entire hard drive (and any removable media they might stick into it)?

GuardianEdge Hard Disk Encryption has taken pains to ensure that your end users (and IT staff) will keep their cool by providing:

• easily administered, centralized management;

• enhanced, nearly invisible end-user experience;

• excellent data security;

• seamless enterprise integration; and

• flexibility for the future.

With GuardianEdge, the entire disk contents are encrypted — not only the folders or data that end users know to protect, but also hibernation and page files that even some IT staff may forget.

And the process is nearly transparent to the user. Because the encryption sits between the operating system and hard drive, any data written to disk is secured on the fly (and conversely, decrypted as it is read). GuardianEdge also includes single sign-on capabilities that synchronize the user’s Microsoft Windows password with the required pre-boot authentication, so the user logs on only once.

When the software is first rolled out, it can take several days to encrypt a drive, depending on size, free space and fragmentation. GuardianEdge is configured to use only 20 percent of the computer’s CPU capacity during this time, to minimize the impact on the user. Once the drive has been secured, the actual encrypting of new data (while writing) or decrypting (as it’s being read) is not perceptible, unless the end user is performing a disk-heavy activity, such as video editing and processing.

Why It Works for IT

GuardianEdge Hard Disk Encryption meets all industry standards, using solid 256-bit Advanced Encryption Standard (AES) encryption with a public key infrastructure (PKI). Because PKI is used, your security team maintains the keys needed to unlock drives. That way, if a user leaves the agency or you need to attach the drive to another system as a secondary disk to recover data, you can still gain access to the data by using the encryption keys.

The solution integrates well with Active Directory, using Microsoft Active Directory Application Mode. This lets the application store specific personalization data in its own database but still allows authentication and publication of the application through Active Directory. The software is then configured and published through Active Directory Group Policy. This makes deployment as simple as dragging and dropping a computer object from one organizational unit to another.

The admin console is based on the familiar Microsoft Management Console, so you simply add it to the list of other tools you manage in the same console. All of the encrypted computers report back to the central server, including the status of the encryption process. This means that if a notebook is lost or stolen, when you report the theft, you’ll have confirmation (and peace of mind) that the data on the disk is safe.

GuardianEdge Device Control is a separate product that integrates with Hard Disk Encryption to provide extra security. With Device Control, removable media, such as external hard drives and USB thumb drives, can be encrypted upon insertion into a protected notebook. (Warn your users before you pull the trigger on this, or personal devices may be affected.)

Device Control also protects against network bridging. For example, when a user is connected wirelessly to one network and then plugs in an Ethernet cable, “bridging” the wired and wireless networks, Device Control can disable the wireless network as soon as the wired connection is made.

What to Watch For

As noted clearly in the documentation, 64-bit operating systems are not supported. Exclude these systems using Group Policy; if you don’t, the software installs, encrypts the hard drive, and promptly goes to blue screen the next time it boots up, resulting in catastrophic data loss.

Also, booting to a USB drive should be disabled in the BIOS. If USB booting is enabled, the system will take a long time to reach the pre-boot authentication screen and the result will be many unhappy users.

CDW•G Price: $133.66