Solved

Encryption tool / strategy

Posted on 2011-03-04
Last Modified: 2012-06-22
All,

We are trying to comply with some regulatory bodies that require certain file shares with sensitive material to be encrypted. What we don't want is for someone to email this data, transfer the data to an external device, and then any recipient will be able to view this information. So we would like to encrypt this data at the source, the share, so that even if the data leaves the premises, it will not be in readable form. We don't want to have to individually encrypt/decrypt every file, and want to minimize user impact and rather do this on the back end if possible. What do you guys recommend as a solution? TIA.
Question by:ReservoirNY
20 Comments
 
LVL 10

Expert Comment

by:abbright
ID: 35036920
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35036933
Sounds like you need to encrypt the disk.
Take a look at this: http://www.truecrypt.org/
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037277
Windows Rights Management Services encrypts single files so that these can be opened only by authorized persons. Even distributing anywhere else does not remove the protection.
0
 

Author Comment

by:ReservoirNY
ID: 35037330
I like the TrueCrypt idea. It looks like it requires less user intervention, but with it being open source and with less support, I'm not sure if my managers will like that.

As for Windows Rights Management... that looks good too. I will have to look into it more in depth, to see how people can "decrypt" it and if we have to somehow assign permissions to every SINGLE file. If that's the case, then it's way too much administrative work. If you can assign it similar to how you assign "permissions" for regular Windows file shares, then that is ideal...
Do you guys know how resource intensive it is to install/operate the WRMS system? We probably have a few thousand files we need to encrypt and total size is maybe 20-30 gigs? Thanks.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037368
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.
0
 

Author Comment

by:ReservoirNY
ID: 35037392
abbright: If that is the case, that would probably be the optimal solution. I'm assuming that this is a paid feature that is extra cost in addition to the standard Windows Server 2003/8 license?
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037396
Regarding the resources needed: RMS is a feature / plugin in Microsoft Office products, so it is not more resource intensive than encrypting the file itself using the integrated encryption capability of the Office products. The needed server infrastructure likely does not need a lot of performance as it only needs to manage keys and stuff, not do the actual en-/decryption.
But to see whether this really works for you I guess you need to set up a test environment and see for yourself.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037404
Yes, it is a separate paid feature and you need RMS licenses to activate it.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35037442
If it is Server 2003 it looks like there is an evaluation kit available:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/evaluation.mspx
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 35043497
You said:
"We don't want to have to individually encrypt/decrypt every file"
So Windows Rights Management Services encrypts single files, is on a file-by-file basis, and is only for Microsoft products, so I do not think that will work for what you say you want. What types of files do you want to control--just Microsoft or all files and folders on a drive?
0
 

Author Comment

by:ReservoirNY
ID: 35056779
lionelmm: When I said we don't do it on a file-per-file basis, I meant that we didn't want to have users go and have to take action on each file and enter in an encryption/decryption key, etc. If we do this all on the back end, and it's like normal Windows file shares, then that is not an issue at all.
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 35057192
Windows Rights Management Services functionality is engaged by users--each time they want a Microsoft document to be protected and controlled they have to click on the menu in that application and engage/turn it on--that is by the users and file by file. That is why I do not use it. Tried it several years ago and it had to be turned on by users on those documents that they want to enforce security on.

Check this link and then click on RMS Demo
http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx
0
 

Author Comment

by:ReservoirNY
ID: 35057385
According to abbright, you can do it by Windows file shares.

abbright:
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.

I will have to look at the demos and maybe call up PSS to see if that's the case. If the users have to encrypt each file individually, then that is a little too much work. But if that's the only way to do it, then that's too bad for them.

0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 35057526
RMS is not encryption--RMS is like file permissions--only those who have permissions can access the files. The end user decides who can read and write to the files they want to share. Since your goal is to safeguard your data, a user can decide to email a file to someone, give them permissions to access it and they can. They are deciding who can and who cannot access their files--view the demo and see.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35057679
There are some webinars linked from here: http://www.cryptzone.com/resourcecenter/?Leadtype=Webinar&item=Data%20Leak%20Prevention%20As%20easy%20as%201,%202,%203 which may contain what you are after - but it doesn't look cheap!

It looks like you may be able to protect at the network hardware level:
http://www.cryptzone.com/products/agsecurityserver/
0
 
LVL 10

Accepted Solution

by:
abbright earned 2000 total points
ID: 35058255
From http://download.microsoft.com/download/a/4/2/a4262821-6f21-450f-85d3-ebbba001a6ef/How%20to%20Use%20Information%20Rights%20Management.doc
"IRM/RMS creates restricted or protected content, which is information in a file or stream that is encrypted and requires a license to decrypt it. "

Basically you cannot restrict the access to a distributed document unless it is encrypted. The reason is the following: A user who may not be authorized to access the file but has physical access to it / can copy it thus has access to all the information in it. This can only be prevented by encrypting the contents such that a user may have access to all the data but cannot use it unless he has access to the right key.
And that's exactly what IRM/RMS does. It encrypts the contents such that they can only be decrypted by the authorized users. This is done transparently in the background so users don't have to manually encrypt / decrypt the file but actually the system does it anyway.
0
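A simplified model of the point made in the accepted answer, added here as an example; it is not part of the original thread and is not RMS's actual protocol or API. The names `LicenseServer`, `protect`, `issue_license` and `open_protected` are hypothetical, and the HMAC-based keystream is a stand-in cipher so the code runs with the standard library only. It shows that the copied file is ciphertext and that access is decided when the key is requested, not where the file is stored.

```python
import hashlib, hmac, secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example
    # runs with the standard library only; use a vetted AEAD in real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class LicenseServer:
    """Hypothetical key/policy store: holds content keys, never file data."""
    def __init__(self):
        self._entries = {}  # content_id -> (content_key, allowed_users)

    def protect(self, plaintext: bytes, allowed_users: set) -> bytes:
        content_id, key, nonce = secrets.token_bytes(8), secrets.token_bytes(32), secrets.token_bytes(16)
        self._entries[content_id] = (key, frozenset(allowed_users))
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, b"mac" + content_id + nonce + ct, hashlib.sha256).digest()
        return content_id + nonce + ct + tag  # this blob is what gets copied or emailed

    def issue_license(self, user: str, content_id: bytes) -> bytes:
        key, allowed = self._entries[content_id]
        if user not in allowed:
            raise PermissionError(f"{user} has no rights to this content")
        return key

def open_protected(server: LicenseServer, user: str, blob: bytes) -> bytes:
    content_id, nonce, ct, tag = blob[:8], blob[8:24], blob[24:-32], blob[-32:]
    key = server.issue_license(user, content_id)  # access decided here, not at the share
    expected = hmac.new(key, b"mac" + content_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("protected file was modified")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def demo() -> dict:
    server = LicenseServer()
    secret = b"Q3 payroll: constructed sample data"
    blob = server.protect(secret, {"alice"})
    copied = bytes(blob)  # the file leaves the share (email, USB stick)
    try:
        open_protected(server, "mallory", copied)
        outsider = "opened"
    except PermissionError:
        outsider = "denied"
    return {"plaintext_in_copy": secret in copied,
            "alice": open_protected(server, "alice", copied), "outsider": outsider}
```
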
 

Author Comment

by:ReservoirNY
ID: 35111701
Thanks guys. Still looking into RMS.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35381953
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 35383001
So ReservoirNY--what did you end up doing and how, if you don't mind me asking--for my own knowledge can you share what you did and how much it cost--thanks!
0
