When sensitive data must travel with employees on a Lenovo laptop, the new SecureDoc for Lenovo full-disk encryption-management tool for self-encrypting hard drives helps ensure data security without placing an undue management burden on central IT.
WinMagic teamed up with Lenovo to provide SecureDoc for Lenovo, which also offers managed software encryption for PCs equipped with traditional non-encrypting drives, thus offering a migration bridge for organizations making the transition to tighter mobile-data security.
Remember, though, that carrying data sensitive enough to warrant significant user and IT-management effort should be evaluated against other methods, including cloud storage, in terms of cost, actual effectiveness and suitability for business users.
If the decision is made to send regulated or highly sensitive data on the road, the SecureDoc for Lenovo combo showed itself to be a tightly controlled, user-friendly package of hardware and software. In addition to hard-disk encryption, SecureDoc can also encrypt data on removable media, including a USB drive, CD or DVD. Before I was given a chance to log on to Windows, SecureDoc forced me to perform "pre-boot" authentication to gain access to my system.
I tested SecureDoc for Lenovo on a T410 ThinkPad system equipped with a Seagate Momentus Thin 250GB self-encrypting hard drive. The laptop came with Windows 7 Professional with SecureDoc for Lenovo preinstalled. The first thing I noticed was that the password shipped with the system was PASSWORD, all uppercase. When I used the caps lock, the log-on failed. If I held down the shift key and typed in the password, it worked. With this type of pre-boot environment software, I wasn't surprised by this behavior, but it is worth considering when configuring secure systems that are jostling for priority before the OS loads.
I loaded the Kaspersky tool to see how antivirus tools, which are well-known for conflicting with other products that modify the boot process, affected SecureDoc for Lenovo. I was able to use SecureDoc alongside Kaspersky Antivirus 2011 without problems. Both products started correctly and did not interfere with each other at boot time.
During my tests, I was able to use two-factor authentication, including the built-in fingerprint reader on the Lenovo T410. Using the fingerprint reader was a transparent user process, which means that the fingerprint request appeared as part of the SecureDoc log-on process, not as a distinct step.
While SecureDoc for Lenovo can be implemented with minimal impact on users' productivity, the product does have a sophisticated and wide-ranging set of configuration options. The administrative console covers drive encryption, key management and boot control, and provides optional tools for controlling USB ports, external media encryption, audit logging and extensive control over the user interface.
SecureDoc in Action
I used SecureDoc for two weeks at eWEEK Labs as a general-purpose notebook and as a client system in a VMware View virtual desktop infrastructure (VDI) test. The only time I noticed the tool was at boot-up time. In all other cases, the SecureDoc for Lenovo management interface was out of sight. I noticed no impact on performance when running remote-desktop sessions in the VDI tests or when processing normal office workloads.
Setting up the finer aspects of SecureDoc for Lenovo was relatively simple. While the user interface is easy to navigate, only expert security administrators should make decisions about how to implement SecureDoc for Lenovo features so that data is protected in accordance with the organization's needs, and users are not unduly burdened as they go about their work.
While the Seagate Momentus drive and SecureDoc for Lenovo are oriented toward full-disk encryption, it is possible to limit encryption to files and folders using the product. I was able to selectively encrypt "data at rest" on my test system to reduce system-processing overhead.
For compliance and reporting, it is possible to use SecureDoc to monitor disk access. For example, I was able to lock the USB drives that were attached to my test system. Locking limits the user's ability to encrypt or decrypt data on the USB drive, so that even data copied onto a USB stick could be audited to ensure that it wasn't being taken to an unsecured location.
I was also able to monitor drives in my system so that I was notified when an access attempt was made. The system also enabled me to log basic disk-write activity, including tracking who made the change as well as the file and sector that were modified. SecureDoc for Lenovo can also be used to block writing to the USB drive and other drives as defined in the policy.