Credant's new mobile encryption platform gives administrators ample choice in terms of encryption standards, managing removable storage media, defining encryption policies, and more

April 18, 2006

Review: Credant Mobile Guardian 5.1 Enterprise Edition

Microsoft's Encrypting File System has its limits--it doesn't support detailed data management and cannot keep information secure when it's legitimately (or not) copied to PDAs and removable storage media. Other encryption tools aim to do better, with most taking the full-disk encryption approach. The Credant Mobile Guardian (CMG) takes a different route. It lets administrators define policies that list which file types and directories should be encrypted, which encryption standard should be used, whether to encrypt data copied to removable storage media and much more.

The data-encryption process is completely transparent to end users, and concerns over data loss from lost or corrupted encryption keys are addressed through automatic key escrow on the enterprise server when the keys are first created.


CMG Web Interface allows for easy management of enterprise policies for all desktops, laptops, and PDAs.

There are trade-offs in choosing Credant's approach over the full-disk approach, though. File directory information on desktops, laptops, PDAs and removable storage media is accessible. On the other hand, with a full-disk-encryption product, booting the OS decrypts the hard drives. Credant avoids that by not encrypting the Windows and Program Files folders, so rebooting is possible. The files and folders you do encrypt are decrypted only as needed.

CMG Enterprise comprises Enterprise Server, PDA and Windows Shields, and Gatekeepers. The CMG Enterprise Server provides central services for management and integration with LDAP directories. CMG Windows and PDA Shields are installed on desktops, laptops and PDAs. Local Gatekeepers are placed on desktops and laptops to monitor and protect data copied to removable storage media. CMG's encryption is FIPS 140-2-certified.

Working at the University of Florida Real-World Labs®, I installed the software into an Active Directory environment with Windows Server 2003 and several Windows XP hosts. Installation was quick and easy.

Management is performed through an SSL-protected Web interface on the host where the Enterprise Server is installed. But the Web interface supports only Internet Explorer. That's unfortunate.

Credant provides a good default security policy template that should be sufficient for most organizations. I modified it to ensure the C: drive and any files written to removable media would be encrypted using AES 256. Credant has predefined the Windows and Program Files directories as "protected directories" that don't get encrypted, so an attacker could analyze the directory contents. However, it can encrypt the swap file and password hashes stored in the Registry, which is useful for avoiding password disclosure. If there were proprietary software in the Program Files directory or sensitive information stored in the Registry, I could have copied it to a USB drive.

The newest feature--which was in beta when I tested the software--identifies the processes running under the login user (such as those associated with Microsoft Word) and encrypts all data written by that process, no matter where it's saved. I opened up Microsoft Word, typed some text into a new document and saved it to an unencrypted directory. Rebooting verified that the file was encrypted even though the surrounding files weren't. Credant has put together a pretty good encryption solution and policy framework that won't hinder end users' productivity.

Good

  • Intelligent encryption based on user running process, not just file location

  • Wide range of PDAs supported

  • Encrypts swap file and password hashes stored in Registry

Bad

  • Management interface only supports Internet Explorer

  • Lack of full hard disk encryption could allow information leakage from visible file names and directories

  • Only supports Windows desktop OSs

Credant Technologies Mobile Guardian Enterprise. Starts at $78 per user
Credant Technologies

— John H. Sawyer is an IT security engineer at the University of Florida. Write to him at [email protected].
