Simply having an encrypted device is not enough to satisfy regulatory compliance requirements; enterprises also need to be able to manage their encrypted devices. It’s a challenge that encryption management vendor Wave Systems is tackling with its Wave Cloud solution.
Wave Systems this week launched its Wave Cloud 2014 solution enabling enterprises to manage self-encrypting drives (SED) as well as Windows BitLocker and Mac FileVault devices.
Most companies are deploying encryption to meet compliance requirements, and that requires proof that a given device is in fact encrypted, Wave Systems CEO Steven Sprague told eWEEK.
“An enormous advantage of using a cloud service like ours to manage machines is that you can prove to the regulators that a device was encrypted when it was lost,” Sprague said. “Because once a device is lost, you no longer have the device.”
Enterprises should think of Wave Cloud as an access control solution for encryption rather than thinking about it as a solution that manages encryption keys, Sprague said.
“The keys never actually leave your local device,” Sprague said. “In BitLocker and FileVault, the keys are held within the operating system, and with SEDs they are held within the drive controller silicon.”
What Wave Cloud manages, then, are the credentials used to gain access to a given machine or SED, so that the machine can properly mount its own encryption keys. With an SED, for example, Wave Cloud controls the list of authorized users who can unlock the device.
The other key capability that Wave Cloud provides is recovery from lost passwords.
“What happens when you fire an employee at 5 o’clock, then at 6 o’clock, you realize you need to unlock his laptop,” Sprague said. “Some mechanism for a recovery key is important.”
One feature that Wave Cloud does not provide is the ability to remotely wipe a device when lost. In Sprague’s view, remote wipe is not an effective solution to the problem of lost or stolen encrypted devices.
“If you lose your machine and the entire operating system is encrypted, the only time you would have the opportunity to wipe the machine is if a really dumb thief guesses your password and puts your machine on the Internet,” Sprague said. “What’s more important than remote wipe is the ability to remotely change a user’s password.”
Sprague noted that if an administrator changes a user’s password by mistake, they can roll back the change. Rolling back a device-wipe is not as easy.
Recent revelations about the U.S. National Security Agency (NSA) being able to intercept and read encrypted data are actually increasing demand for Wave Systems’ solutions, according to Sprague.
“In Europe, the use of encryption will rise, since the effectiveness of network security is going down,” Sprague said.
Sprague argued that the NSA has done an effective job of network monitoring, which is why encryption is more important than ever before. He added that the big question for many will be about where a given cloud is hosted. The NSA could potentially get a court order to view material hosted by a U.S. cloud provider.
What Sprague sees happening is individual enterprises and large corporations running their own managed encryption services. It’s a model for which Wave Systems is also prepared.
“Our service already supports the concept that an enterprise can get started quickly in the cloud and then can migrate to an on-premises enterprise solution,” Sprague said.
That said, while there are some concerns about government snooping, Sprague argued that’s not the primary driver for encryption overall.
“For the vast majority of users, it’s not about encryption for the purposes of protecting data from a nation-state,” Sprague said. “It’s about being able to prove that a device was encrypted when lost.”
Sprague added, “So when a machine is lost, you can assert that all the records that were on the device were actually encrypted.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.