Security through obscurity

REVIEW: FRAMEWORK 4.0 USES ENCRYPTION TO LOCK DOWN DATA

By Andrew Garcia

While chock-full of other features, Secuware’s Secuware Security Framework 4.0 specializes in requiring encryption for data saved to devices and network shares. However, the product’s reliance on built-in Windows capabilities may limit reporting for auditing purposes. Nonetheless, eWeek Labs found Secuware’s solution a relatively simple way to quickly enforce encryption policies—particularly for companies not already using encryption elsewhere in the network.

For 1,000 users, SSF 4.0 costs $169 per user and includes one license for its server component. This pricing includes access to Crypt2000, the feature that enables encryption for USB drives, hard drives and network folders; device management, to limit exactly what devices end users can use; application filtering, to determine what processes and applications are allowed to run on a host; and auditing, to track changes to a specified file or folder. For larger, distributed networks, additional server licenses can be purchased for $10,000 each.

With SSF 4.0’s two-pronged management framework, policy creation and management is performed via the SSF Console, an MMC (Microsoft Management Console) snap-in. During tests, we used the SSF Console to set up a Crypt2000 policy that allowed users to read CD/DVD devices (but not write to them) and also required the use of encryption when using USB drives. To enable the device encryption, we also needed to set up an encrypted device in the SSF Console, which is a roundabout way of saying that we needed to create the encryption keys. The only encryption grade available to us was AES (Advanced Encryption Standard) 256.

SSF 4.0 will fit best in organizations that do not have other encryption programs in use. SSF 4.0 takes care of its own key management and key distribution in a tidy package, but companies already using encryption for e-mail or other transports may find maintaining a second key management system to be unwieldy.

Although there’s an agent on each SSF-secured client, Secuware lets Windows’ built-in capabilities handle policy distribution. SSF 4.0 extends the Microsoft Active Directory schema, so administrators apply policies to Active Directory users, groups or OUs (Organizational Units); these policies are automatically applied to computers with the SSF agent installed when Microsoft’s Group Policy gets refreshed.

While this type of policy distribution and enforcement will be instantly familiar to Active Directory administrators, Secuware’s solution also suffers from some of the limitations of Group Policy-based management. Policies are refreshed only at the client’s designated refresh time (every 90 minutes, at reboot or with a manual GPUpdate command), and there is no way to ensure that a client has actually been updated with the latest policies, short of manually verifying the host.

In addition, with a policy deployed, we found that users had to perform a little bit of work to use encrypted drives. (And, when it comes to encryption, we find less is more with user interaction.) From the client agent, users must select the correct encryption key from the ones assigned by the administrator and then format and encrypt the USB drive.

However, formatting a USB drive requires a Windows privilege reserved for administrators by default, so in locked-down domains where users do not have local administrator rights, administrators will need to push out a Group Policy setting to allow limited-rights users to perform that step.

Once the USB drive was encrypted, we could securely copy data to it to our heart’s content, and we could share the USB drive and its contents with other users on other computers—as long as the users and computers were in the same group or OU to which the Crypt2000 policy was applied.

We found we could further restrict device usage through the device management feature, which allowed us to pinpoint the permitted device’s make and model and thus standardize on a device type. To create a device policy, we could poll any protected client in the network to see what USB and FireWire devices were currently and had been previously connected. The device policy was rolled out in the same way as the Crypt2000 policies—via Active Directory.

Technical Analyst Andrew Garcia is at firstname.lastname@example.org.

Figure: We allowed our computers to read from CD/DVD drives, but we required encryption to either write or read to USB drives.

Figure: The Pre-Boot Authentication screen forces users to identify themselves to the protected computer before Windows boots.
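
The Group Policy refresh limitation described in the review (a 90-minute interval and no confirmation that a client picked up a change) can be partly checked from `gpresult /r` output collected from each host. The script below is an added example, not part of the original review or of Secuware's product. The en-US timestamp format, host names and sample reports are constructed assumptions, and a recent refresh shows only that Group Policy ran, not that the SSF agent enforced the policy.

```python
import re
from datetime import datetime, timedelta

# The review cites a 90-minute refresh; Windows adds a random offset of up to
# 30 minutes by default, so 120 minutes is the longest normal gap.
MAX_GAP = timedelta(minutes=90 + 30)
SECTION = re.compile(r"^(COMPUTER|USER) SETTINGS", re.M)
# Timestamp line as printed by `gpresult /r` on an en-US host (assumed format).
APPLIED = re.compile(r"Last time Group Policy was applied:\s*"
                     r"(\d{1,2}/\d{1,2}/\d{4}) at (\d{1,2}:\d{2}:\d{2} [AP]M)")

def last_applied(report):
    """Map 'COMPUTER'/'USER' to the refresh time reported in that section."""
    parts = SECTION.split(report)  # [preamble, name, body, name, body, ...]
    times = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        m = APPLIED.search(body)
        if m:
            times[name] = datetime.strptime(" ".join(m.groups()),
                                            "%m/%d/%Y %I:%M:%S %p")
    return times

def classify(report, policy_changed, now):
    """current: refreshed since the change (necessary, not proof of enforcement)
    pending: not refreshed yet, still inside the normal refresh window
    overdue: missed the window, verify by hand; unknown: no timestamp found"""
    times = last_applied(report)
    if not times:
        return "unknown"
    oldest = min(times.values())  # be conservative across both sections
    if oldest >= policy_changed:
        return "current"
    return "pending" if now - oldest <= MAX_GAP else "overdue"

# Constructed gpresult excerpts with hypothetical host names, not real captures.
HEAD = "COMPUTER SETTINGS\n------------------\n"
USER = "USER SETTINGS\n------------------\n"
LINE = "    Last time Group Policy was applied: 3/4/2024 at {}\n"
REPORTS = {
    "WS-01": HEAD + LINE.format("10:05:12 AM") + USER + LINE.format("10:07:40 AM"),
    "WS-02": HEAD + LINE.format("9:10:03 AM"),
    "WS-03": HEAD + LINE.format("7:45:59 AM") + USER + LINE.format("10:20:00 AM"),
    "WS-04": HEAD,
}

if __name__ == "__main__":
    changed, now = datetime(2024, 3, 4, 9, 30), datetime(2024, 3, 4, 10, 30)
    for host, text in REPORTS.items():
        print(host, classify(text, changed, now))
```

Hosts reported as overdue or unknown are the ones that still need the manual verification the review mentions.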