ReservoirNY

Encryption tool / strategy

All,

We are trying to comply with some regulatory bodies that require certain file shares with sensitive material to be encrypted. What we don't want is for someone to email this data, or transfer the data to an external device, and then any recipient will be able to view this information. So we would like to encrypt this data at the source, the share, so that even if the data leaves the premises, it will not be in readable form. We don't want to have to individually encrypt/decrypt every file, and want to minimize user impact and rather do this on the back end if possible. What do you guys recommend as a solution? TIA.
abbright

Sounds like you need to encrypt the disk.
Take a look at this: http://www.truecrypt.org/
Windows Rights Management Services encrypts single files so that these can be opened only by authorized persons. Even distributing anywhere else does not remove the protection.
ReservoirNY

ASKER

I like the TrueCrypt idea. It looks like it requires less user intervention, but with it being open source and with less support, I'm not sure if my managers will like that.

As for Windows Rights Management... that looks good too. I will have to look into it more in depth, to see how people can "decrypt" it and if we have to somehow assign permissions to every SINGLE file. If that's the case, then it's way too much administrative work. If you can assign it similar to how you assign "permissions" for regular Windows file shares, then that is ideal...
Do you guys know how resource intensive it is to install/operate the WRMS system? We probably have a few thousand files we need to encrypt and the total size is maybe 20-30 gigs? Thanks.
The problem with truecrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on windows file shares, but I'm not absolutely sure.
abbright: If that is the case, that would probably be the optimal solution. I'm assuming that this is a paid feature that is an extra cost in addition to the standard Windows Server 2003/8 license?
Regarding the resources needed: RMS is a feature / plugin in Microsoft Office products, so it is not more resource intensive than encrypting the file itself using the integrated encryption capability of the Office products. The needed server infrastructure likely does not need a lot of performance, as it only needs to manage keys and stuff, not do the actual en-/decryption.
But to see whether this really works for you, I guess you need to set up a test environment and see for yourself.
Yes, it is a separate paid feature and you need RMS licenses to activate it.
If it is Server 2003 it looks like there is an evaluation kit available:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/evaluation.mspx
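
An added example, not part of any post in this thread and not RMS or TrueCrypt code: a simplified Python model of the contrast drawn above between volume encryption (plaintext to anyone who can read the share) and per-file protection where a key server only manages keys and access lists. All class and function names are hypothetical, and the HMAC-SHA256 keystream is a toy stand-in for a real cipher such as AES.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (HMAC-SHA256 keystream) standing in for AES; illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class EncryptedVolume:
    """Disk-level model: ciphertext at rest, plaintext to any user who can read the share."""
    def __init__(self):
        self._key, self._store = os.urandom(32), {}
    def write(self, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self._store[name] = (nonce, xor_stream(self._key, nonce, plaintext))
    def at_rest(self, name: str) -> bytes:   # what a stolen, unmounted disk exposes
        return self._store[name][1]
    def read(self, name: str) -> bytes:      # what a permitted user gets, and can e-mail
        nonce, ct = self._store[name]
        return xor_stream(self._key, nonce, ct)

class KeyServer:
    """Rights-management model: holds content keys and access lists, never file data."""
    def __init__(self):
        self._grants = {}
    def register(self, file_id: str, key: bytes, allowed: set) -> None:
        self._grants[file_id] = (key, set(allowed))
    def release_key(self, file_id: str, user: str) -> bytes:
        key, allowed = self._grants[file_id]
        if user not in allowed:
            raise PermissionError(f"{user} has no rights to {file_id}")
        return key

def protect(server: KeyServer, plaintext: bytes, allowed: set) -> dict:
    """Client side: encrypt locally, hand only the key and access list to the server."""
    file_id, key, nonce = os.urandom(8).hex(), os.urandom(32), os.urandom(16)
    server.register(file_id, key, allowed)
    return {"id": file_id, "nonce": nonce, "ct": xor_stream(key, nonce, plaintext)}

def open_protected(server: KeyServer, blob: dict, user: str) -> bytes:
    """Any copy of the blob, wherever it ends up, still needs a key from the server."""
    key = server.release_key(blob["id"], user)
    return xor_stream(key, blob["nonce"], blob["ct"])
```

In this model a file read from the volume leaves as plaintext, while a copied protected blob stays ciphertext until the key server releases its key to a listed user.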
Lionel MM

You said: "We don't want to have to individually encrypt/decrypt every file"
So Windows Rights Management Services encrypts single files and is on a file by file basis and is only for Microsoft products so I do not think that will work for what you say you want. What types of files do you want to control--just Microsoft or all files and folders on a drive?
lionelmm: When I said we don't do it on a file per file basis, I meant that we didn't want to have users go and have to take action on each file and enter in an encryption/decryption key, etc. If we do this all on the back end, and it's like normal Windows file shares, then that is not an issue at all.
Windows Rights Management Services functionality is engaged by users--each time they want a Microsoft document to be protected and controlled they have to click on the menu in that application and engage/turn it on--that is by the users and file by file. That is why I do not use it. Tried it several years ago and it had to be turned on by users on those documents that they want to enforce security on.

Check this link and then click on RMS Demo
http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx
According to abbright, you can do it by windows file shares.

abbright:
The problem with truecrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on windows file shares, but I'm not absolutely sure.

I will have to look at the demos and maybe call up PSS to see if that's the case. If the users have to encrypt each file individually, then that is a little too much work. But if that's the only way to do it, then that's too bad for them.

RMS is not encryption--RMS is like file permissions--only those who have permissions can access the files. The end-user decides who can read, write, to the files they want to share. Since your goal is to safeguard your data, a user can decide to email a file to someone, give them permissions to access it and they can. They are deciding who can and who cannot access their files--view the demo and see.
There are some webinars linked from here: http://www.cryptzone.com/resourcecenter/?Leadtype=Webinar&item=Data%20Leak%20Prevention%20As%20easy%20as%201,%202,%203 which may contain what you are after - but it doesn't look cheap!

It looks like you may be able to protect at the network hardware level:
http://www.cryptzone.com/products/agsecurityserver/
Thanks guys. Still looking into RMS.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
So ReservoirNY--what did you end up doing and how, if you don't mind me asking--for my own knowledge can you share what you did and how much it cost--thanks!