In-Depth

Lock Down Your Data: 5 Encryption Tools for IT Pros

In wake of last year's revelations of government surveillance, IT can protect files from prying eyes. When it comes to encryption, you're better protected when you hold the keys.

• By Chris Paoli
• 02/26/2014

As the United States government hashes out how to maintain surveillance programs intended to predict or investigate criminal or terrorist acts while complying with privacy rights and laws, you can ensure your organizations' data isn't accessed without your permission and knowledge.

Enterprises are finding new ways to lock down their business-­critical files by employing new encryption techniques or using a handful of privilege management tools that let you assign rights at the document and file-share level (see "Manage Your Permissions" ). Another option is implementing the new Active Directory Rights Management Services(AD RMS) in Windows Server 2012 ). In this report, we look at all three approaches including a detailed walk-through implementing AD RMS.

The Snowden Effect
The notion of securing files, whether stored in the cloud or on-premises, has taken on new importance in wake of last year's revelations by rogue IT contractor Edward Snowden that the National Security Agency (NSA) monitors telephone calling metadata and data communications activity by foreigners connecting with those in the United States.

As reported last year, 70 percent of Redmond readers said they were either concerned or very concerned about the threat that the government can access data stored in off-site and cloud-based datacenters (see "Shattered Trust," October 2013). Making matters worse, the NSA could do this sometimes without your knowledge, thanks to cooperation from key IT providers including Apple Inc., Google Inc., Microsoft and Verizon Communications, among others.

Not only are you worried about potential government surveillance, but your mistrust has also extended to the major telecommunications and cloud services providers. The providers have countered back that their hands are tied by law and argue they only do so when compelled by a court order. The government has loosened some of those restrictions on what providers can disclose but not to the extent that has satisfied them or their customers. In a response to a comprehensive proposal by President Barak Obama in January, Microsoft chief counsel Brad Smith last month published some details on those requests (see his post here).

"It's important to remember that receipt of an order does not mean the information that was sought was ultimately disclosed," Smith noted. "Microsoft has successfully challenged requests in court, and we will continue to contest orders that we believe lack legal validity."

One alternative to ensuring your cloud provider can't decrypt your data is to hold on to the keys. By encrypting data with third-party tools and services, only the holder of the encryption keys, not the provider or anyone else, can decrypt the data. "Many customers moving to the cloud do not understand that they're ultimately responsible for the entire security posture of their data and applications in the cloud," says Luke Probasco, marketing manager at Townsend Security, a provider of enterprise data encryption tools. "Cloud providers do not, and cannot, address all of the data protections that you need to have."

While waiting to see if the government will back away from its controversial surveillance program -- either through legislation or through the courts -- IT organizations can't sit idly by. "The solution to government surveillance is to encrypt everything," said Google Chairman Eric Schmidt, in a speech last November.

Silver Lining
The notion of using data encryption for privacy and security in the IT landscape is nothing new. However, if the Snowden leaks have accomplished anything, it's woken up first-party cloud providers to step up encryption for customers trusting them with their sensitive data and have provided a landscape where third-party encryption services are in high demand.

And for enterprises storing their data in the cloud, it's going to take the combination of built-in security and privacy features from cloud providers and encryption tools from outside sources to ensure their data is as safe as possible. The important factor for corporations looking for a comprehensive encryption plan for their cloud data lies with the key.

"Encryption key management is crucial to any encryption deployment, and even more so for the cloud," says Michele Borovac, chief marketing officer at HighCloud Security Inc. "If you want to ensure that only you have access to your data, make sure you have the ability to control the encryption keys yourself, ideally on your premises, not your CSP [cloud services provider]. Further, you want a system that follows key management best practices to prevent any administrators from having overly broad access."

This separation of key management from cloud providers should be the top priority when evaluating a move to the cloud. Using an outside source such as a third-party cryptographic services provider will provide the adequate level of separation, according to the Cloud Security Alliance (CSA).

However, just as enterprises must fully vet cloud providers, you should evaluate third-party firms to ensure they meet your enterprise's needs. Thankfully, with the combination of public concern over data privacy, the competitive growing marketplace of Security as a Service providers and the strict guidelines many organizations strictly adhere to with concern to data and infrastructure, vendors adhere to policies that bring a level of visibility and assurance that users demand.

Intended customer: Organizations using Infrastructure as a Service (IaaS) services of major cloud providers, including Amazon Web Services and Microsoft Windows Azure.

Overview: HighCloud Security provides encryption for virtualized environments. The Mountain View, Calif.-based company offers a suite of encryption and key management software. Its Data Security Module encrypts data using AES-128/256 in a virtual machine (VM). It protects data from the moment it's created in a VM and ensures your data remains fully encrypted as it moves between different VM environments.

Because the data is encrypted within the OS (and stays encrypted until the data is released), that ensures the data will stay secured at rest, in transit and in use. The HighCloud Key and Policy Server [KPS], a virtual appliance installed on the user's side, handles key management providing only the users with key access. "HighCloud doesn't own manage, or have the ability to access keys," says Borovac. "Customers can determine if they want to run the KPS on their premises, or they can choose to run it at a cloud services provider."

No surprise, Borovac says her company has seen an up-tick in HighCloud Security services since the government surveillance leaks began. "It would seem that people recognize the value of the cloud, and in many cases, it's becoming critical to their IT strategy," she says. "However, they are absolutely concerned about Snowden's disclosures. Consequently, they're looking for ways to ensure data security and privacy stay independent of their CSP."

Intended customer: Organizations with private data in Microsoft Office 365 online services. Overview: CipherPoint focuses on securing data stored in Microsoft cloud-based services. Its Eclipse service is aimed at securing data before it travels to Microsoft Office 365. The encryption service for Office 365 is part of the company's Eclipse Data Security Suite.

Along with encrypting data for Microsoft online services, CipherPoint Eclipse also provides in-depth reporting features that can keep track of denied and permitted access.

Data is encrypted before linking with a Web gateway administrators deploy locally on networks. This ensures data is secure in transit and at rest in Microsoft cloud services and it transparently lets users know when data has been decrypted during use.

CipherPoint sees key management on the client side as an important factor when choosing a cloud security and privacy vendor, and that's exactly what it provides. The company says its namesake encryption offering gives users control of their keys, letting enterprises manage who can decrypt data.

Intended customer: Organizations using services like OneDrive, Dropbox, Google Drive and Box for data storage.

Overview: PKWARE cloud encryption service compresses and encrypts data stored in public cloud-based storage services. Though many of those services, such as the newly renamed Microsoft SkyDrive service, OneDrive, already provide a level of encryption, this provides a second layer of protection for those storing off-premises. Encryption takes place in a client found on the desktop or mobile device before syncing up in the private cloud. "This gives a `tunnel' of protection without disrupting the way they already work in the public cloud," says Matt Little, vice president of product development at PKWARE. "In addition, users of Viivo Pro get an additional layer of customer service and Viivo for Business provides an administrative console for visibility and management of public cloud users and devices."

Viivo secures all files with AES-256-based encryption before they're transferred online. Once stored, the data remains encrypted and only is decrypted once an authorized user downloads it to his desktop. For mobile users, the data stays encrypted, even when retrieved from the device.

The user has complete control of the keys at all time. Viivo creates a pair of 2048-bit keys for the user to exchange between the original data uploader and the retriever. To provide another level of security, password recovery for the service can only be done from the device or computer in which the service was activated. "The Viivo cloud infrastructure has been designed with a `trust no one' approach," says Little. "We have zero-knowledge about which encrypted keys go with which identities."

Intended customer: Organizations looking to meet key management-compliance regulations for data transferred to and from the cloud.

Overview: The Townsend Security key manager service, launched late 2013, provides enterprises FIPS 140-2-compliant encryption key management for apps running in services such as Windows Azure, Amazon Web Services and Rackspace, to name a few. The service doesn't require any hardware nor client-side endpoint licensing. "You get all of the compliance benefits of a NIST-certified key server without needing standard IT infrastructure," Probasco says.

Also available for Key Manager Cloud HSM customers for no extra cost is the firm's client-side encryption app for Microsoft SQL Server and SharePoint.

All data managed by the key admin stays encrypted at rest and in transit and all keys are encrypted with AES-256. Further, "mutually authenticated TLS sessions are required for key management, key retrieval and encryption services." The company insists that at no time does it have access to customers' key servers.

Probasco says Townsend has avoided consumer distrust by using only the strong connection methods and requiring 2048-bit RSA encryption. Also, making sure the company's key management solution is FIPS 140-2-compliant means its app has been independently analyzed by security pros.

Intended customer: Enterprises wanting to protect data stored in Microsoft's SharePoint Online.

Overview: The Sweden-based Cryptzone specializes in IT security and offers a solution for those looking to secure documents and data in Microsoft SharePoint Online. Not only will its Secured eCollaboration provide encryption services through its Simple Encryption Platform, but its audit reporting capabilities allows network managers to identify and locate threats, set user access levels and view data movement occurring in SharePoint Online. Mobile security features also allow users access to authorized data through approved devices and its search capabilities allow for users to quickly find the encrypted documents they're looking for.

The security firm's Secured eCollaboration encrypts data using AES-256 before uploading to Microsoft servers and is unencrypted when in use by authorized users. "While data is being worked, it's available to view decrypted on the endpoint," says Cryptzone CTO Anders Hansson. "Once the user has finished working with the file, it's automatically encrypted and returned to SharePoint with all traces of the file removed from the end user's machine."

Keys are automatically distributed to authorized individuals by the key server and can be centrally managed to fine-tune who gets what. "For example, a policy can state that encryption keys can only be retrieved from the server dependent on business need, or it can state that keys are stored and protected at the users' endpoint -- allowing for offline use," says Hansson. Users have complete control of the encryption keys and Cryptzone will never have access to them.

Hansson said he welcomes Microsoft's recent commitment for improving encryption and privacy settings in its own service, but the need and demand of third-party vendors providing additional layers of security on Redmond's products will continue. "We believe security vendors should actively contribute in getting security back to where it belongs in the hands of experts like Cryptzone. Enterprises typically require more than what comes out of the box from Microsoft."