To Encrypt or Not to Encrypt

Analysis: That is the question when planning for removable storage.

On those occasions when it is deemed appropriate for an authorized employee to transfer confidential data to a removable storage device, a best practice is to ensure that the data is encrypted while stored on the device to reduce the threat from prying eyes should the device be misplaced or lost.

Before implementing a security solution to lock down removable storage devices, IT managers should sketch out how encryption fits into their plans, including how encryption should be implemented, who can encrypt data, from where can users access encrypted data, how much responsibility falls on the user to encrypt data and how the solutions under consideration will help accomplish these goals.

First of all, IT implementers need to decide whether to implement encryption in software or hardware.

Many USB security solutions will integrate software encryption capabilities into their products, allowing customers to fully encrypt off-the-shelf USB drives for secured data transports.

eWEEK Labs reviewed endpoint security solutions from SecureWave and Secuware, and both companies products encrypt the entire disk. However, we saw variability in how that was achieved. Secuwares product, Security Framework 4.0, requires the user to encrypt the drive by selecting the correct encryption key from the client agent application. With SecureWaves Sanctuary 4.1, on the other hand, the administrator encrypts the drive and supplies the key to the user.

Key management also will vary within these products, and IT implementers should ensure that the schemes fit in with existing key implementations. For example, its unlikely that administrators will want to deal with managing encryption keys for USB devices and file services in different consoles or applications. Companies such as PGP are easing this process through partnerships, allowing administrators to extend their encryption and key management capabilities to different devices and media.

Hardware encryption usually comes in the form of U3-enabled USB drives that automatically launch an authentication application when inserted into a computer. The encryption key is stored on the device so that the device can be accessed from any computer. Some devices also include an encryption coprocessor to alleviate encryptions computational burden from the host computers CPU.

Some encrypted hardware is fully encrypted, while other hardware offers encrypted and unencrypted partitions. However, as with software solutions, the encryption decision should be kept out of users hands, and we therefore recommend the use of fully encrypted hardware.

/zimages/7/28571.gifClick here to read about a new generation of products that go a long way in protecting against accidental data loss.

It seems logical that a company could implement a policy that requires the use of only encrypted USB storage devices, such as the Kingston Technology DataTraveler Secure-Privacy Edition we tested. However, we recommend that companies thoroughly test the interoperability of their security solutions and encrypted devices before deploying the devices on a wide scale, as the more complicated devices may cause problems.

For example, we had trouble getting the Kingston drive to work correctly with Secuwares Security Framework. Generally, U3-enabled devices will launch a virtual CD that contains the drives security applications; a second drive then appears, representing the encrypted USB storage area. During tests, we could not enable write access to the drive because the virtual CD seemed to confuse the Secureware software, even when we explicitly permitted user access to CDs and USB drives via policy.

Secuware delivers its own encryption via software, so working with third-party hardware encryption solutions may not be a priority for the company or its customers. Nonetheless, our experience serves as a reminder of the importance of interoperability testing when evaluating USB lockdown solutions.

Administrators also should consider whether encrypted data saved to a USB drive should be viewable on unmanaged PCs.

With a hardware security solution, this is likely and therefore inevitable, since the device carries the key and the decryption capabilities on board.

With software solutions, it varies from product to product. For example, with Secuwares Security Framework, encrypted keys are unusable on unmanaged PCs, so taking data out of the company is not an option. But with SecureWaves Sanctuary 4.1, it depends on how an administrator deploys security: The drive can be encrypted internally (a la Secuware), or it can be formatted to include a management application that allows decryption on unmanaged PCs. The latter would likely increase productivity but reduce security.

Technical Analyst Andrew Garcia can be reached at

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.