Solved

Encryption tool / strategy

Posted on 2011-03-04
Last Modified: 2012-06-22
All,

We are trying to comply with some regulatory bodies that require certain file shares with sensitive material to be encrypted. What we don't want is for someone to email this data, transfer the data to an external device, and then any recipient will be able to view this information. So we would like to encrypt this data at the source, the share, so that even if the data leaves the premises, it will not be in readable form. We don't want to have to individually encrypt/decrypt every file, and want to minimize user impact and rather do this on the back end if possible. What do you guys recommend as a solution? TIA.
0
Question by:ReservoirNY
20 Comments
 
LVL 10

Expert Comment

by:abbright
ID: 35036920
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35036933
Sounds like you need to encrypt the disk.
Take a look at this: http://www.truecrypt.org/
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037277
Windows Rights Management Services encrypts single files so that these can be opened only by authorized persons. Even distributing anywhere else does not remove the protection.
0
 

Author Comment

by:ReservoirNY
ID: 35037330
I like the TrueCrypt idea. It looks like it requires less user intervention, but with it being open source and with less support, I'm not sure if my managers will like that.

As for Windows Rights Management... that looks good too. I will have to look into it more in depth to see how people can "decrypt" it and if we have to somehow assign permissions to every SINGLE file. If that's the case, then it's way too much administrative work. If you can assign it similar to how you assign "permissions" for regular Windows file shares, then that is ideal...
Do you guys know how resource intensive it is to install/operate the WRMS system? We probably have a few thousand files we need to encrypt and total size is maybe 20-30 gigs? Thanks.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037368
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.
0
 

Author Comment

by:ReservoirNY
ID: 35037392
abbright: If that is the case, that would probably be the optimal solution. I'm assuming that this is a paid feature that is extra cost in addition to the standard Windows Server 2003/8 license?
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037396
Regarding the resources needed: RMS is a feature / plugin in Microsoft Office products, so it is not more resource intensive than encrypting the file itself using the integrated encryption capability of the Office products. The needed server infrastructure likely does not need a lot of performance as it only needs to manage keys and stuff, not do the actual en-/decryption.
But to see whether this really works for you I guess you need to set up a test environment and see for yourself.
0
 
LVL 10

Expert Comment

by:abbright
ID: 35037404
Yes, it is a separate paid feature and you need RMS licenses to activate it.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35037442
If it is Server 2003 it looks like there is an evaluation kit available:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/evaluation.mspx
0

 
LVL 24

Expert Comment

by:lionelmm
ID: 35043497
You said
We don't want to have to individually encrypt/decrypt every file
So Windows Rights Management Services encrypts single files and is on a file by file basis and is only for Microsoft products so I do not think that will work for what you say you want. What types of files do you want to control--just Microsoft or all files and folders on a drive?
0
 

Author Comment

by:ReservoirNY
ID: 35056779
lionelmm: When I said we don't do it on a file per file basis, I meant that we didn't want to have users go and have to take action on each file and enter in an encryption/decryption key, etc. If we do this all on the back end, and it's like normal Windows file shares, then that is not an issue at all.
0
 
LVL 24

Expert Comment

by:lionelmm
ID: 35057192
Windows Rights Management Services functionality is engaged by users--each time they want a Microsoft document to be protected and controlled they have to click on the menu in that application and engage/turn it on--that is by the users and file by file. That is why I do not use it. Tried it several years ago and it had to be turned on by users on those documents that they want to enforce security on.

Check this link and then click on RMS Demo
http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx
0
 

Author Comment

by:ReservoirNY
ID: 35057385
According to abbright, you can do it by Windows file shares.

abbright:
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.

I will have to look at the demos and maybe call up PSS to see if that's the case. If the users have to encrypt each file individually, then that is a little too much work. But if that's the only way to do it, then that's too bad for them.

0
 
LVL 24

Expert Comment

by:lionelmm
ID: 35057526
RMS is not encryption--RMS is like file permissions--only those who have permissions can access the files. The end-user decides who can read, write, to the files they want to share. Since your goal is to safeguard your data, a user can decide to email a file to someone, give them permissions to access it and they can. They are deciding who and who cannot access their files--view the demo and see.
0
 
LVL 10

Expert Comment

by:Martin_J_Parker
ID: 35057679
There are some webinars linked from here: http://www.cryptzone.com/resourcecenter/?Leadtype=Webinar&item=Data%20Leak%20Prevention%20As%20easy%20as%201,%202,%203 which may contain what you are after - but it doesn't look cheap!

It looks like you may be able to protect at the network hardware level:
http://www.cryptzone.com/products/agsecurityserver/
0
 
LVL 10

Accepted Solution

by:
abbright earned 500 total points
ID: 35058255
From http://download.microsoft.com/download/a/4/2/a4262821-6f21-450f-85d3-ebbba001a6ef/How%20to%20Use%20Information%20Rights%20Management.doc
"IRM/RMS creates restricted or protected content, which is information in a file or stream that is encrypted and requires a license to decrypt it. "

Basically you cannot restrict the access to a distributed document unless it is encrypted. The reason is the following: A user who may not be authorized to access the file but has physical access to it / can copy it thus has access to all the information in it. This can only be prevented by encrypting the contents such that a user may have access to all the data but cannot use it unless he has access to the right key.
And that's exactly what IRM/RMS does. It encrypts the contents such that they can only be decrypted by the authorized users. This is done transparently in the background so users don't have to manually encrypt / decrypt the file but actually the system does it anyway.
0
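The accepted answer's argument, that only encrypted content stays protected once a copy leaves the share, shown as an added example that is not part of the original thread and is not RMS's real file format or licensing protocol. It models a protected document as ciphertext plus one "license" per authorized user (the content key sealed under that user's key); all function names, the user keys and the sample document are hypothetical, and the cipher is a standard-library stand-in.

```python
import hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); real products use a vetted AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise PermissionError("wrong key or tampered content")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def protect(plaintext: bytes, authorized: dict) -> dict:
    # One random content key per document, sealed once per authorized user.
    content_key = os.urandom(32)
    return {"content": seal(content_key, plaintext),
            "licenses": {u: seal(k, content_key) for u, k in authorized.items()}}

def open_protected(doc: dict, user: str, user_key: bytes) -> bytes:
    if user not in doc["licenses"]:
        raise PermissionError(f"no license issued to {user}")
    return unseal(unseal(user_key, doc["licenses"][user]), doc["content"])

# Constructed sample data: two staff keys and one outside recipient.
KEYS = {"alice": os.urandom(32), "bob": os.urandom(32), "outsider": os.urandom(32)}
DOC = protect(b"Q3 payroll export", {"alice": KEYS["alice"], "bob": KEYS["bob"]})

def can_read(doc: dict, user: str, key: bytes) -> bool:
    # The whole DOC can be emailed or copied; reading still needs a valid key.
    try:
        open_protected(doc, user, key)
        return True
    except PermissionError:
        return False
```

Whoever holds a copy of `DOC` holds only ciphertext and sealed licenses, which is the difference from a share ACL or a mounted encrypted volume, where the copy a user takes away is plaintext.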
 

Author Comment

by:ReservoirNY
ID: 35111701
Thanks guys. Still looking into RMS.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 35381953
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
 
LVL 24

Expert Comment

by:lionelmm
ID: 35383001
So ReservoirNY--what did you end up doing and how, if you don't mind me asking--for my own knowledge can you share what you did and how much it cost--thanks!
0
