Security Through Obscurity

Review: Secuware Security Framework 4.0 uses encryption to lock down data.

While chock-full of other features, Secuwares Secuware Security Framework 4.0 specializes in requiring encryption for data saved to devices and network shares. However, the products reliance on built-in Windows capabilities may limit reporting for auditing purposes. Nonetheless, eWEEK Labs found Secuwares solution a relatively simple way to quickly enforce encryption policies—particularly for companies not already using encryption elsewhere in the network.

For 1,000 users, SSF 4.0 costs $169 per user and includes one license for its server component. This pricing includes access to Crypt2000, the feature that enables encryption for USB drives, hard drives and network folders; device management, to limit exactly what devices end users can use; application filtering, to determine what processes and applications are allowed to run on a host; and auditing, to track changes to a specified file or folder. For larger, distributed networks, additional server licenses can be purchased for $10,000 each.

With SSF 4.0s two-pronged management framework, policy creation and management is performed via the SSF Console, an MMC (Microsoft Management Console) snap-in. During tests, we used the SSF Console to set up a Crypt2000 policy that allowed users to read CD/DVD devices (but not write to them) and also required the use of encryption when using USB drives. To enable the device encryption, we also needed to set up an encrypted device in the SSF Console, which is a roundabout way of saying that we needed to create the encryption keys. The only encryption grade available to us was AES (Advanced Encryption Standard) 256.

SSF 4.0 will fit best in organizations that do not have other encryption programs in use. SSF 4.0 takes care of its own key management and key distribution in a tidy package, but companies already using encryption for e-mail or other transports may find maintaining a second key management system to be unwieldy.

Although theres an agent on each SSF-secured client, Secuware lets Windows built-in capabilities handle policy distribution. SSF 4.0 extends the Microsoft Active Directory schema, so administrators apply policies to Active Directory users, groups or OUs (Organizational Units); these policies are automatically applied to computers with the SSF agent installed when Microsofts Group Policy gets refreshed.

While this type of policy distribution and enforcement will be instantly familiar to Active Directory administrators, Secuwares solution also suffers from some of the limitations of Group Policy-based management. Policies are refreshed only at the clients designated refresh time (every 90 minutes, at reboot or with a manual GPUpdate command), and there is no way to ensure that a client has actually been updated with the latest policies, short of manually verifying the host.

In addition, with a policy deployed, we found that users had to perform a little bit of work to use encrypted drives. (And, when it comes to encryption, we find less is more with user interaction.) From the client agent, users must select the correct encryption key from the ones assigned by the administrator and then format and encrypt the USB drive.

/zimages/6/28571.gifTo encrypt or not to encrypt. That is the question when planning for removable storage. Click here to read more.

However, formatting a USB drive requires a Windows privilege reserved for administrators by default, so in locked-down domains where users do not have local administrator rights, administrators will need to push out a Group Policy setting to allow limited-rights users to perform that step.

Once the USB drive was encrypted, we could securely copy data to it to our hearts content, and we could share the USB drive and its contents with other users on other computers—as long as the users and computers were in the same group or OU to which the Crypt2000 policy was applied.

We found we could further restrict device usage through the device management feature, which allowed us to pinpoint the permitted devices make and model and thus standardize on a device type. To create a device policy, we could poll any protected client in the network to see what USB and FireWire devices were currently and had been previously connected. The device policy was rolled out in the same way as the Crypt2000 policies—via Active Directory.

Technical Analyst Andrew Garcia is at

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.