Credant Mobile Guardian 5.1 Enterprise Edition

Microsoft's Encrypting File System (EFS) has its limits--it doesn't support detailed management of data across the enterprise and lacks the technology to keep information secure when it's legitimately (or not) copied to PDAs and removable storage media. Other encryption tools aim to do better, with most vendors taking the full hard disk encryption approach. The Credant Mobile Guardian (CMG) takes a different tack. The Enterprise Edition lets administrators define central policies to incorporate what file types and directories should be encrypted, what encryption standard to use, whether to encrypt data copied to removable storage media and much more.

The data encryption process is completely transparent to end users, and concerns over data loss from lost or corrupted encryption keys is addressed through automatic key escrow on the enterprise server when the keys are first created.

There are trade-offs in choosing Credant's approach over the full hard disk approach favored by vendors such as Pointsec. Because it's not a full hard disk encryption product, file directory information on desktops, laptops, PDAs and removable storage media is accessible. On the other hand, with a full disk encryption product, booting the OS completely decrypts the hard drives. That's something Credent avoids by not encrypting the Windows and Program Files folders, enabling systems to boot easily. Plus, the files and folders you do encrypt are decrypted only on the fly as needed, which may be the better route to take when dealing with highly sensitive data, especially as it moves across mobile platforms.

CMG Enterprise is made up of three components: Enterprise Server, PDA and Windows Shields, and Gatekeepers. The CMG Enterprise Server consists of central services for management and integration with LDAP directories such as Active Directory, iPlanet and Novell. CMG Windows and PDA Shields are installed on desktops, laptops and PDAs to protect data at rest. Local Gatekeepers are installed on desktops and laptops to monitor and protect data copied to removable storage media. Windows 2000, XP Professional and Server 2003 are the supported desktop, laptop and server OSs (note the lack of support for Linux). CMG's encryption is FIPS 140-2-certified and includes AES 128, AES 256, Triple DES and Blowfish.

Working at the University of Florida Real World Labs, I installed the software into an existing Active Directory environment with Windows Server 2003 and several Windows XP hosts. The Java-based Enterprise Server requires a database and supports both MySQL and Microsoft SQL Server. Installation was quick and easy. There are several options that can be configured during setup, such as installation directories and network ports, but I found the defaults worked well with my existing environment.

Management is performed through an SSL-protected Web interface on the host where the Enterprise Server is installed. I tried to log in using the Mozilla Firefox Web browser, but quickly realized that the Web interface only supports Internet Explorer, unless you install a Firefox extension that lets you trick the Web interface into believing you're using IE. That's unfortunate.

Credant provides a good default security policy template that should be sufficient for most organizations, but can be customized to suit individual needs. I modified the policy to ensure that the C: drive and any files written to removable media would be encrypted using AES 256 encryption. Credant has predefined the Windows and Program Files directories as "protected directories" that don't get encrypted, so an attacker could analyze the directory contents. However, it does support encrypting the swap file and password hashes stored in the Registry, which is useful for avoiding password disclosure through swap file and Registry examination. I booted the machine with a Helix Linux LiveCD and was able to browse the contents of both the Windows and Program Files folders, open files within each one, and analyze the Registry. If there was proprietary software located in the Program Files directory or sensitive information stored in the Registry, I could have easily copied it to a USB thumb drive and stolen it without the system administrator's knowledge. However, this is the same risk you take with a full hard disk encryption product because once the system is booted, you lose the protection of encryption.

I installed the Windows Shield on several Windows XP hosts and found the installer easy to customize for use via logon scripts or Active Directory's Group Policy. The Shield communicates directly with the remote Gatekeeper running on the Enterprise Server. If you're using host-based firewalls, make sure you take this into consideration--I had to modify my firewall settings to allow outbound TCP port 9000 and 9001 to the Enterprise Server.Following my boot-up with the Helix Linux CD, I verified that the Windows Shield was encrypting my files (aside from the Windows and Program Files directories). I could view the directory structure and file names on the hard drive, but not the contents of the files themselves. Again, that's more protection than you'd get with a full hard disk encryption product, where all the data is unencrypted once the system is booted, but it does leave open some risk of data leakage if files and directory folders are named based on information considered sensitive within your organization, such as client names, account numbers, project names and so on. I saw the same behavior with removable storage media. I copied files from My Documents onto my iPod and then plugged the iPod into my Apple PowerBook. I could read the file names on the iPod, though the contents were encrypted and unreadable.

The local Gatekeeper detects and reports all PDAs connected to a computer running the Gatekeeper. Support for PDAs is excellent, covering all major manufacturers and OSs, including Palm, Windows Mobile and BlackBerry. The Gatekeeper will automatically install the PDA Shield or block the PDA from synching as defined by policy. My test policy was to install the Shield upon the first synchronization, and I verified that by plugging in my HP iPaq and watching as it installed the PDA Shield. My iPaq's documents were encrypted right after entering my password and establishing a PIN through the initial PDA Shield screen. Every time I turned on the iPaq, it prompted me to enter my PIN. That's enough to discourage at least a casual snooper from taking a quick look at my calendar or address book.

The newest feature--which was in beta when I tested the software--is the ability to identify the processes running under the login user (such as those associated with Microsoft Word) and encrypt all data written by that process, no matter where they're saved, be it to file shares, unencrypted directories, iPods, or what have you. For example, I opened up Microsoft Word, typed in some random text into a new document, and saved it to an unencrypted directory. Rebooting with the Helix CD verified that the file was encrypted even though the surrounding files weren't. This is an important addition given that this isn't a full disk encryption product.

Credant has put together a pretty good encryption solution and policy framework that focuses on securing sensitive data at rest without hindering end users' productivity. Any company looking to solve data security issues with lost laptops, PDAs and removable storage media should take a close look at Credant's Mobile Guardian Enterprise.

John H. Sawyer is an IT security engineer at the University of Florida and a GIAC-certified firewall analyst, incident handler and forensic analyst. Write to him at [email protected].0