Solved

Encryption tool / strategy

Posted on 2011-03-04
Last Modified: 2012-06-22
All,

We are trying to comply with some regulatory bodies that require certain file shares with sensitive material to be encrypted. What we don't want is for someone to email this data or transfer the data to an external device, after which any recipient will be able to view this information. So we would like to encrypt this data at the source, the share, so that even if the data leaves the premises, it will not be in readable form. We don't want to have to individually encrypt/decrypt every file, and we want to minimize user impact and rather do this on the back end if possible. What do you guys recommend as a solution? TIA.
Question by:ReservoirNY
20 Comments
 

Expert Comment

by:Martin_J_Parker
ID: 35036933
Sounds like you need to encrypt the disk.
Take a look at this: http://www.truecrypt.org/

Expert Comment

by:abbright
ID: 35037277
Windows Rights Management Services encrypts single files so that these can be opened only by authorized persons. Even distributing anywhere else does not remove the protection.

Author Comment

by:ReservoirNY
ID: 35037330
I like the TrueCrypt idea. It looks like it requires less user intervention, but it is open source and comes with less support. I'm not sure if my managers will like that.

As for Windows Rights Management... that looks good too. I will have to look into it more in depth to see how people can "decrypt" it and if we have to somehow assign permissions to every SINGLE file. If that's the case, then it's way too much administrative work. If you can assign it similarly to how you assign "permissions" for regular Windows file shares, then that is ideal...
Do you guys know how resource intensive it is to install/operate the WRMS system? We probably have a few thousand files we need to encrypt and the total size is maybe 20-30 gigs? Thanks.

Expert Comment

by:abbright
ID: 35037368
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once, but if I remember correctly you can set permissions similar to permissions on Windows file shares. I'm not absolutely sure, though.

Author Comment

by:ReservoirNY
ID: 35037392
abbright: If that is the case, that would probably be the optimal solution. I'm assuming that this is a paid feature that is an extra cost in addition to the standard Windows Server 2003/8 license?

Expert Comment

by:abbright
ID: 35037396
Regarding the resources needed: RMS is a feature / plugin in the Microsoft Office products, so it is not more resource intensive than encrypting the file itself using the integrated encryption capability of the Office products. The needed server infrastructure likely does not need a lot of performance, as it only needs to manage keys and such, not do the actual en-/decryption.
But to see whether this really works for you, I guess you need to set up a test environment and see for yourself.

Expert Comment

by:abbright
ID: 35037404
Yes, it is a separate paid feature and you need RMS licenses to activate it.

Expert Comment

by:Martin_J_Parker
ID: 35037442
If it is Server 2003, it looks like there is an evaluation kit available:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/evaluation.mspx

Expert Comment

by:Lionel MM
ID: 35043497
You said: "We don't want to have to individually encrypt/decrypt every file."
Windows Rights Management Services encrypts single files, works on a file-by-file basis, and is only for Microsoft products, so I do not think that will work for what you say you want. What types of files do you want to control--just Microsoft files, or all files and folders on a drive?

Author Comment

by:ReservoirNY
ID: 35056779
lionelmm: When I said we don't want to do it on a file-per-file basis, I meant that we didn't want users to have to go and take action on each file and enter an encryption/decryption key, etc. If we do this all on the back end and it's like normal Windows file shares, then that is not an issue at all.

Expert Comment

by:Lionel MM
ID: 35057192
Windows Rights Management Services functionality is engaged by users--each time they want a Microsoft document to be protected and controlled, they have to click on the menu in that application and engage/turn it on. That is done by the users and file by file. That is why I do not use it. I tried it several years ago and it had to be turned on by users on those documents they wanted to enforce security on.

Check this link and then click on RMS Demo
http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx

Author Comment

by:ReservoirNY
ID: 35057385
According to abbright, you can do it like Windows file shares.

abbright wrote:
"The problem with truecrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on windows file shares, but I'm not absolutely sure."

I will have to look at the demos and maybe call up PSS to see if that's the case. If the users have to encrypt each file individually, then that is a little too much work. But if that's the only way to do it, then that's too bad for them.


Expert Comment

by:Lionel MM
ID: 35057526
RMS is not encryption--RMS is like file permissions--only those who have permissions can access the files. The end user decides who can read or write the files they want to share. Since your goal is to safeguard your data: a user can decide to email a file to someone, give them permission to access it, and they can. They are deciding who can and cannot access their files--view the demo and see.

Expert Comment

by:Martin_J_Parker
ID: 35057679
There are some webinars linked from here: http://www.cryptzone.com/resourcecenter/?Leadtype=Webinar&item=Data%20Leak%20Prevention%20As%20easy%20as%201,%202,%203 which may contain what you are after - but it doesn't look cheap!

It looks like you may be able to protect at the network hardware level:
http://www.cryptzone.com/products/agsecurityserver/

Accepted Solution

by:abbright (earned 500 total points)
ID: 35058255
From http://download.microsoft.com/download/a/4/2/a4262821-6f21-450f-85d3-ebbba001a6ef/How%20to%20Use%20Information%20Rights%20Management.doc
"IRM/RMS creates restricted or protected content, which is information in a file or stream that is encrypted and requires a license to decrypt it. "

Basically you cannot restrict the access to a distributed document unless it is encrypted. The reason is the following: a user who may not be authorized to access the file, but has physical access to it / can copy it, thus has access to all the information in it. This can only be prevented by encrypting the contents such that a user may have access to all the data but cannot use it unless he has access to the right key.
And that's exactly what IRM/RMS does. It encrypts the contents such that they can only be decrypted by the authorized users. This is done transparently in the background, so users don't have to manually encrypt / decrypt the file, but the system actually does it anyway.

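The distinction the accepted answer draws (and that Lionel MM and abbright argue about above), as an added Python model that is not code from this thread, from TrueCrypt or from Microsoft's RMS/IRM: one strategy encrypts the volume behind the share and hands plaintext to any user the share admits, so a copy that leaves is plaintext; the other encrypts each file under its own content key and releases that key only as a use license from a server that checks policy, so a copy that leaves is still ciphertext. Everything here is an assumption for illustration: the class names (VolumeShare, LicensingServer), the users "alice" and "mallory", the constructed document bytes, and the cipher, which is HMAC-SHA256 used as a counter-mode keystream only so the model runs on the standard library (it stands in for AES and is not a recommendation).

```python
"""Added model: encrypted volume vs. rights-managed file. Names, users and
data are constructed for illustration; not vendor or thread code."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt (same call both ways). HMAC-SHA256 in counter
    mode is the keystream so no third-party cipher is needed; stand-in for AES."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class VolumeShare:
    """Encrypted volume behind a file share: ciphertext at rest, but every
    user the share admits reads plaintext, and a copy they make is plaintext."""

    def __init__(self, allowed_users):
        self._volume_key = os.urandom(32)       # one key for the whole volume
        self._allowed = set(allowed_users)
        self._blobs = {}

    def store(self, name, plaintext):
        nonce = os.urandom(16)
        self._blobs[name] = nonce + keystream_xor(self._volume_key, nonce, plaintext)

    def read(self, user, name):
        if user not in self._allowed:
            raise PermissionError(f"{user} cannot open the share")
        blob = self._blobs[name]
        return keystream_xor(self._volume_key, blob[:16], blob[16:])


class LicensingServer:
    """Assumed, simplified RMS-style server: holds a per-file content key and a
    policy, and hands the key out as a use license only to users in the policy.
    The protected file itself never carries the key."""

    def __init__(self):
        self._content_keys = {}
        self._policies = {}

    def publish(self, file_id, policy):
        key = os.urandom(32)                    # fresh content key per file
        self._content_keys[file_id] = key
        self._policies[file_id] = set(policy)
        return key

    def use_license(self, user, file_id):
        if user not in self._policies.get(file_id, ()):
            raise PermissionError(f"no license for {user} on {file_id}")
        return self._content_keys[file_id]


def protect(server, file_id, plaintext, policy):
    """Build a protected container: ciphertext plus the id the server uses to
    look up policy. Copying the container copies no key material."""
    key = server.publish(file_id, policy)
    nonce = os.urandom(16)
    return {"file_id": file_id, "nonce": nonce,
            "ciphertext": keystream_xor(key, nonce, plaintext)}


def open_protected(server, user, container):
    """Client side: obtain a use license, then decrypt locally."""
    key = server.use_license(user, container["file_id"])
    return keystream_xor(key, container["nonce"], container["ciphertext"])


def demo():
    """Walk one constructed document through both strategies."""
    secret = b"CONSTRUCTED SAMPLE: regulated client records, not real data"

    # Strategy 1: encrypted volume. Alice is allowed in; whatever she copies
    # out (to e-mail, to a USB stick) is plaintext and no control follows it.
    share = VolumeShare(allowed_users={"alice"})
    share.store("clients.xlsx", secret)
    copied_out = share.read("alice", "clients.xlsx")

    # Strategy 2: rights-managed file. The container can be mailed anywhere;
    # it stays ciphertext and opens only for a user the server licenses.
    server = LicensingServer()
    container = protect(server, "clients.xlsx", secret, policy={"alice"})
    mailed_copy = dict(container)               # the bytes that leave the premises
    try:
        open_protected(server, "mallory", mailed_copy)
        mallory = "read"
    except PermissionError:
        mallory = "denied"

    return {
        "volume_copy_is_plaintext": copied_out == secret,
        "rm_copy_is_ciphertext": mailed_copy["ciphertext"] != secret,
        "rm_alice_reads": open_protected(server, "alice", mailed_copy) == secret,
        "rm_mallory": mallory,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats the model makes visible. First, `policy` is just a parameter of `protect()`: whether it is set by the document's author or centrally by an administrator is exactly the point Lionel MM raises, and the model takes no position on how a given product does it. Second, once `open_protected()` has returned plaintext to Alice, nothing in the model stops her from saving or re-sending it; a real RMS deployment relies on the trusted client application to refuse that, so the protection is only as strong as the client enforcing the license.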
Author Comment

by:ReservoirNY
ID: 35111701
thanks guys. still looking into RMS

Expert Comment

by:Rainer Meller
ID: 35381953
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.

Expert Comment

by:Lionel MM
ID: 35383001
So ReservoirNY--what did you end up doing and how, if you don't mind me asking? For my own knowledge, can you share what you did and how much it cost? Thanks!