eWEEK Labs tested two product families that add layers of protection to corporate clients: New products from Pointsec Mobile Technologies Inc. and WinMagic Inc. provide data encryption and tightened authentication on Microsoft Corp. Windows desktops and notebooks, as well as on Pocket PC-based devices.
These products and others like them increase the management and performance overhead of the mobile systems on which they're installed, but organizations that allow employees to carry sensitive data out of the relative protection of their campus walls can't afford to be without the protections they afford.
The PC versions of WinMagic's SecureDoc and Pointsec's self-named product both support Windows 98 to Windows 2003. SecureDoc PDA supports Pocket PC 2003 and Windows CE. Pointsec for Pocket PC supports Pocket PC 2002 and Pocket PC 2003, including the Phone editions of both versions. Pointsec also sells versions of its product for Palm OS and Symbian OS and for wireless handsets running the smart-phone version of Microsoft's Mobile OS.
SecureDoc 3.91 is priced at $189 per license; SecureDoc PDA costs $29.95 per license. Both products began shipping in April. Pointsec for PC 5.1 costs $129 per seat; Pointsec for PocketPC 2.3 costs $76 per seat. Both products began shipping in March.
The PC versions of Pointsec and SecureDoc prompt users for authentication information before Windows begins to boot. Pointsec and SecureDoc allow for multifactor authentication at boot time, as opposed to the fixed BIOS passwords available on any notebook machine.
With Pointsec's software, a dynamic password or a USB or smart-card token can be used for boot-time authentication. eWEEK Labs used a software-based token—intended for testing purposes only—by entering a four-digit PIN and then a challenge string from the Pointsec software. The token then returned a response string, which we could use to authenticate.
Similarly, at boot time, SecureDoc prompted us to select the key against which we wanted to authenticate. We could plug into a PKI (public-key infrastructure) system, authenticate against a USB token or smart card, or enter a fixed password, depending on the configuration options we'd chosen at the time of deployment.
The Pointsec log-in screen offers remote help options for users who are locked out of their systems. These remote help facilities can present a potential security vulnerability, however, so companies should carefully weigh their benefit. This feature can be disabled through Pointsec's management tools.
Lacking a preboot or token-based element, Pointsec for Pocket PC offers a less rigorous authentication upgrade than does its PC-oriented sibling. However, Pointsec for Pocket PC provides some improvement over Pocket PC's built-in access control tools by offering the option of assigning and entering a password made up of a series of pictures. We found the password-by-pictures approach simpler to use than tapping out a PIN on the Pocket PC's tiny soft keyboard.
Our experience with device authentication using SecureDoc PDA wasn't as smooth: After installing the application on a Dell Inc. Axim X50 running Windows Mobile 2003 Second Edition, we configured SecureDoc PDA to prompt us for our password when the device's display turned on. However, we weren't prompted. Soft-resetting the device did elicit a log-in screen.
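The PIN, challenge and response exchange described for the software token above can be sketched as follows. This is an added example, not code from Pointsec or the article; the HMAC-SHA256 construction, the 8-digit response, the seed and all names are assumptions, since the page does not describe the product's algorithm. It shows why a response is useless once its challenge has been consumed, unlike a fixed boot password.

```python
import hashlib
import hmac
import secrets

# Assumed scheme (not Pointsec's): HMAC-SHA256 keyed by token seed plus PIN.
DIGITS = 8


def token_response(seed: bytes, pin: str, challenge: str) -> str:
    """What the token computes after the user types the PIN and challenge."""
    key = hashlib.sha256(seed + pin.encode()).digest()
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class PrebootVerifier:
    """Verifier side: issues one-time challenges and checks responses."""

    def __init__(self, seed: bytes, pin: str):
        self._seed, self._pin = seed, pin
        self._pending = None  # challenge currently awaiting a response

    def new_challenge(self) -> str:
        self._pending = secrets.token_hex(4).upper()
        return self._pending

    def verify(self, response: str) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: replayed or unsolicited
        expected = token_response(self._seed, self._pin, self._pending)
        self._pending = None  # single use, whether or not the check passes
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    seed = b"constructed-demo-seed"  # constructed sample value
    verifier = PrebootVerifier(seed, "4821")
    good = token_response(seed, "4821", verifier.new_challenge())
    results = {"correct": verifier.verify(good)}
    results["replayed"] = verifier.verify(good)  # challenge already consumed
    c2 = verifier.new_challenge()
    results["wrong_pin"] = verifier.verify(token_response(seed, "0000", c2))
    verifier.new_challenge()
    results["stale"] = verifier.verify(good)  # old response, fresh challenge
    return results


if __name__ == "__main__":
    print(demo())
```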
Pointsec for PC provides for 128-bit CAST and 256-bit Blowfish encryption. Its also available in a version compliant with FIPS (Federal Information Processing Standard), which offers Triple DES (Data Encryption Standard) or 256-bit AES (Advanced Encryption Standard). SecureDoc uses 256-bit AES and is FIPS-compliant.
Both Pocket PC products provide full-disk encryption, as compared with the per-file or per-folder encryption thats available natively in Windows XP. By encrypting the whole disk, these products ensure the security of easily overlooked or hidden files that may still contain sensitive information—such as temporary files or the systems page file.
The Pointsec and SecureDoc products encrypt and decrypt data as its written to and read from the hard disk without user intervention. Although this certainly adds to system overhead, we scarcely noticed their presence on our test systems.
Pointsec for Pocket PC provides 128-bit AES for data stored on the devices, as does its bigger sibling. Most of the data stored on handheld computers resides in RAM, however, and the Pointsec application prompted us to specify the folders of our test device we wished to encrypt, such as its My Documents folder. Similarly, but less transparently, SecureDoc PDA prompted us to create virtual disks, which we then encrypted with the same SecureDoc keys we used to encrypt files on our SecureDoc-protected notebook.
Pointsec for PC ships with an administration utility that let us create profiles to control the installation, update and uninstall of the Pointsec software on individual clients. SecureDoc ships with Control Center, a configuration utility that let us set log-in and encryption options on our test notebook.