What if your organization’s leadership directed you to deploy an enterprise encryption solution in 120 days? Could you do it?
I received that message in May 2011, and our basic business goals were full disk encryption (FDE), low laptop performance impact, and low administrative overhead (easy to support). Our IT organization is pretty lean, and our fear was that introducing the encryption solution would dramatically increase our support requirements to our end users.
We began researching the industry and came up with some exciting concepts. From http://www.trustedcomputinggroup.org/resources/selfencrypting_drives_sed_overview:
1. Transparency: No system or application modifications required; encryption key generated in the factory by on-drive random number process; drive is always encrypting.
2. Ease of management: No encryption key to manage; software vendors exploit standardized interface to manage SEDs, including remote management, pre-boot authentication, and password recovery
3. Disposal or re-purposing cost: With an SED, erase on-board encryption key
4. Re-encryption: With SED, there is no need to ever re-encrypt the data
5. Performance: No degradation in SED performance; hardware-based
6. Standardization: Whole drive industry is building to the TCG/SED specifications
7. Simplified: No interference with upstream processes.
| Vendor | Pros | Cons | Result |
|---|---|---|---|
| Wave Technologies | - Dell recommended technology.<br>- Supports SED drives.<br>- Sales staff helpful and knowledgeable. | - Not web-based.<br>- Multiple applications.<br>- Deployment rocky during test deployment.<br>- Most expensive solution. | Performed a test but testing team did not choose due to the multiple applications required to manage the encryption functions, not intuitive to manage, and cost/value questions. |
| Microsoft | - Easy to deploy and with MDOP, very manageable!<br>- Enforceable through AD GPO. | - Does not support SED technologies.<br>- Poor reporting / auditing. | Did not test as the solution did not meet technical requirements, although testing team liked the solution. |
| Symantec | - Solid web demo.<br>- Likeable UI, easy to use. | - Sales people not very excited by SED drive support. Tried pushing us to software client. | Did not test as there was a perceived uncertainty from sales staff that made us uncomfortable. |
| McAfee | - Another solid web demo.<br>- UI consistent with every other McAfee product.<br>- Awesome sales staff. Super helpful. | - Bloated client and administration console.<br>- Really only a contender if using other McAfee products.<br>- No SED drive support. | Performed a test but did not choose due to an EPO Orchestrator requirement and lack of SED drive support. |
| Credant | - Dell recommended technology.<br>- Supports SED drives (Seagate and OPAL).<br>- Very knowledgeable sales staff. | - Horrid UI. Inconsistent. Font was super small.<br>- Credant initially offered to send us an engineer to help us get the test environment up, but reneged. When we ran into trouble, took us a long time to resolve.<br>- Cost/value questions. | Performed a test but did not choose due to difficulty with getting the test environment running and successfully managing SED drives. 2nd highest cost. |
| WinMagic | - Easy to install, configure, and deploy. Testing went quick.<br>- Full SED drive support (both Seagate and OPAL support).<br>- Support for Intel Anti-Theft using vPro technology. | - 80s UI.<br>- Easy to get overwhelmed due to the multitude of features and options.<br>- Was on the cusp of a buy-out from Trend Micro. Rumors flying around of staff reductions and viable future. | Performed a test and the product was chosen. 3rd highest cost, but met all requirements. |
WinMagic’s SecureDoc was selected and we began the next phase… deployment.