  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232

Encryption tool / strategy

All,

We are trying to comply with some regulatory bodies that require certain file shares with sensitive material to be encrypted. What we don't want is for someone to email this data, transfer the data to an external device, and then any recipient will be able to view this information. So we would like to encrypt this data at the source, the share, so that even if the data leaves the premises, it will not be in readable form. We don't want to have to individually encrypt/decrypt every file, and want to minimize user impact and rather do this on the back end if possible. What do you guys recommend as a solution? TIA.
Asked by: ReservoirNY

Martin_J_Parker Commented:
Sounds like you need to encrypt the disk.
Take a look at this: http://www.truecrypt.org/

abbright Commented:
Windows Rights Management Services encrypts single files so that these can be opened only by authorized persons. Even distributing anywhere else does not remove the protection.
 
ReservoirNY (Author) Commented:
I like the TrueCrypt idea. It looks like it requires less user intervention, but with it being open source and with less support, I'm not sure if my managers will like that.

As for Windows Rights Management... that looks good too. I will have to look into it more in depth to see how people can "decrypt" it and if we have to somehow assign permissions to every SINGLE file. If that's the case, then it's way too much administrative work. If you can assign it similar to how you assign "permissions" for regular Windows file shares, then that is ideal...
Do you guys know how resource intensive it is to install/operate the WRMS system? We probably have a few thousand files we need to encrypt and total size is maybe 20-30 gigs? Thanks.

abbright Commented:
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.

ReservoirNY (Author) Commented:
abbright: If that is the case, that would probably be the optimal solution. I'm assuming that this is a paid feature that is extra cost in addition to the standard Windows Server 2003/8 license?

abbright Commented:
Regarding the resources needed: RMS is a feature / plugin in Microsoft Office products, so it is not more resource intensive than encrypting the file itself using the integrated encryption capability of the Office products. The needed server infrastructure likely does not need a lot of performance as it only needs to manage keys and stuff, not do the actual en-/decryption.
But to see whether this really works for you I guess you need to set up a test environment and see for yourself.

abbright Commented:
Yes, it is a separate paid feature and you need RMS licenses to activate it.

Martin_J_Parker Commented:
If it is Server 2003 it looks like there is an evaluation kit available:
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/evaluation.mspx

Lionel MM (Small Business IT Consultant) Commented:
You said:
"We don't want to have to individually encrypt/decrypt every file"
So Windows Rights Management Services encrypts single files and is on a file-by-file basis and is only for Microsoft products, so I do not think that will work for what you say you want. What types of files do you want to control--just Microsoft or all files and folders on a drive?

ReservoirNY (Author) Commented:
lionelmm: When I said we don't do it on a file per file basis, I meant that we didn't want to have users go and have to take action on each file and enter in an encryption/decryption key, etc. If we do this all on the back end, and it's like normal Windows file shares, then that is not an issue at all.

Lionel MM (Small Business IT Consultant) Commented:
Windows Rights Management Services functionality is engaged by users--each time they want a Microsoft document to be protected and controlled they have to click on the menu in that application and engage/turn it on--that is by the users and file by file. That is why I do not use it. Tried it several years ago and it had to be turned on by users on those documents that they want to enforce security on.

Check this link and then click on RMS Demo
http://www.microsoft.com/windowsserver2003/technologIEs/rightsmgmt/default.mspx

ReservoirNY (Author) Commented:
According to abbright, you can do it by Windows file shares.

abbright:
The problem with TrueCrypt is that once a user has access to a file he can copy it unencrypted anywhere he wants and you have no control over it anymore. RMS keeps the protection wherever the file goes.
I have only tried RMS in a test environment once but if I remember correctly you can set permissions similar to permissions on Windows file shares, but I'm not absolutely sure.

I will have to look at the demos and maybe call up PSS to see if that's the case. If the users have to encrypt each file individually, then that is a little too much work. But if that's the only way to do it, then that's too bad for them.


Lionel MM (Small Business IT Consultant) Commented:
RMS is not encryption--RMS is like file permissions--only those who have permissions can access the files. The end-user decides who can read, write, to the files they want to share. Since your goal is to safeguard your data, a user can decide to email a file to someone, give them permissions to access it and they can. They are deciding who can and who cannot access their files--view the demo and see.

Martin_J_Parker Commented:
There are some webinars linked from here: http://www.cryptzone.com/resourcecenter/?Leadtype=Webinar&item=Data%20Leak%20Prevention%20As%20easy%20as%201,%202,%203 which may contain what you are after - but it doesn't look cheap!

It looks like you may be able to protect at the network hardware level:
http://www.cryptzone.com/products/agsecurityserver/

abbright Commented:
From http://download.microsoft.com/download/a/4/2/a4262821-6f21-450f-85d3-ebbba001a6ef/How%20to%20Use%20Information%20Rights%20Management.doc
"IRM/RMS creates restricted or protected content, which is information in a file or stream that is encrypted and requires a license to decrypt it. "

Basically you cannot restrict the access to a distributed document unless it is encrypted. The reason is the following: a user who is not authorized to access the file but has physical access to it / can copy it thus has access to all the information in it. This can only be prevented by encrypting the contents such that a user may have access to all the data but cannot use it unless he has access to the right key.
And that's exactly what IRM/RMS does. It encrypts the contents such that they can only be decrypted by the authorized users. This is done transparently in the background, so users don't have to manually encrypt / decrypt the file, but actually the system does it anyway.
 
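A simplified model of the point made in the comment above (a copied file stays unreadable because the key is only released to authorized users), added here as an example; it is not code from the thread and not how RMS itself is implemented. The LicenseServer class, the user names and the sample document are hypothetical, and Fernet from the third-party `cryptography` package stands in for the real cipher.

```python
# Added illustration: per-file protection with a license check.
# LicenseServer, the users and the document are hypothetical (constructed).
from cryptography.fernet import Fernet


class LicenseServer:
    """Stand-in for the rights-management server: it keeps each content key
    and the set of users allowed to receive it."""

    def __init__(self):
        self._records = {}  # content_id -> (content key, allowed users)

    def protect(self, content_id, plaintext, allowed_users):
        key = Fernet.generate_key()
        self._records[content_id] = (key, frozenset(allowed_users))
        # Only the identifier and the ciphertext travel with the file.
        return {"content_id": content_id,
                "ciphertext": Fernet(key).encrypt(plaintext)}

    def issue_license(self, content_id, user):
        key, allowed = self._records[content_id]
        if user not in allowed:
            raise PermissionError(f"{user} has no rights to {content_id}")
        return key


def open_document(doc, user, server):
    """What the client application does transparently when a file is opened."""
    key = server.issue_license(doc["content_id"], user)
    return Fernet(key).decrypt(doc["ciphertext"])


def try_open(doc, user, server):
    """Return the plaintext, or None when the server refuses a license."""
    try:
        return open_document(doc, user, server)
    except PermissionError:
        return None


SECRET = b"Q3 payroll: constructed sample data"
server = LicenseServer()
doc = server.protect("payroll-q3", SECRET, {"alice"})
emailed_copy = dict(doc)  # the file leaves the share; the key does not

if __name__ == "__main__":
    print("alice  :", try_open(emailed_copy, "alice", server))
    print("mallory:", try_open(emailed_copy, "mallory", server))
    print("plaintext visible in copy:", SECRET in emailed_copy["ciphertext"])
```

With volume encryption the share hands out plaintext to anyone who can read it, so the emailed copy would be the plaintext itself; here the copy is only ciphertext plus an identifier.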

ReservoirNY (Author) Commented:
Thanks guys. Still looking into RMS.

Tolomir (Administrator) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.

Lionel MM (Small Business IT Consultant) Commented:
So ReservoirNY--what did you end up doing and how, if you don't mind me asking--for my own knowledge can you share what you did and how much it cost--thanks!