Credant boosts system file encryption for laptops

New encryption features don’t require additional authentication step for users

Credant Technologies adds system file encryption to its Windows-based laptop data defense software, Credant Mobile Guardian.

Credant Technologies has released a new version of its enterprise software for securing Windows-based laptops with a feature that now can encrypt low-level system files without requiring users to input a second username-password combination.

This new feature is based on what the vendor calls system data encryption, which gives Credant Mobile Guardian the basic capability of specialized full disk encryption products without the additional authentication step for users, or the additional management burdens for administrators, according to company officials.

Also new in Credant Mobile Guardian (CMG) Enterprise Edition 6.0 are:

* CMG StandAlone Windows Shield, a small program that loads via CD or the Web onto a laptop owned by a visiting contractor or business partner, and automatically encrypts any company data the visitor receives.

* Support for Nokia E-series handsets, based on the Symbian OS 9 software.

* Protection for CD/DVD media.

* Enhanced audit reports that now quickly confirm the encryption status of data on a given laptop, in case the PC is lost or stolen.

Previously, Credant Mobile Guardian combined two different encryption keys: a user key that lets an executive, for example, encrypt Excel spreadsheets with company financial data, and a common key that will let someone like a help desk technician log into the laptop to work with system files or applications but not unscramble the spreadsheets.

In doing so, Credant uses a technique that relies on the user's standard Windows authentication user name and password. A user simply logs into a laptop and accesses the encrypted files without doing anything different. Behind the scenes, the Windows credentials are in effect passed to a Credant "vault" on the laptop, which confirms their validity and then opens the encryption keys to the scrambled files on the disk. The vault is part of the CMG Enterprise Edition Shield for Windows client application, which communicates with the CMG server.
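The two-key split in the previous paragraphs (a user key for data files, a common key for system files, both released by a vault that the user's Windows credentials unlock) is easy to misread as two passwords. The sketch below is an added example, not Credant's code and not a description of how Mobile Guardian is implemented: it models the vault as a key-wrapping store keyed by a credential-derived key, selects which key a file gets from a file-type policy, and shows that a help-desk principal who holds only the common key can open a swap file but not a spreadsheet. The cipher is a constructed HMAC-SHA256 toy so the block runs with the standard library alone; the user names, passwords, extensions and file contents are all constructed.

```python
import hashlib
import hmac
import os

# --- toy authenticated cipher (constructed stand-in for a real AEAD such as AES-GCM) ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- the "vault": wrapped keys per principal, unlocked by Windows credentials ---
class Vault:
    def __init__(self):
        self._entries = {}  # username -> (salt, {role: wrapped key})

    @staticmethod
    def _kek(username: str, password: str, salt: bytes) -> bytes:
        # Key-encryption key derived from the login credentials (assumed design, not Credant's).
        return hashlib.pbkdf2_hmac("sha256", f"{username}\0{password}".encode(), salt, 100_000)

    def enroll(self, username: str, password: str, keys: dict) -> None:
        salt = os.urandom(16)
        kek = self._kek(username, password, salt)
        self._entries[username] = (salt, {role: seal(kek, k) for role, k in keys.items()})

    def unlock(self, username: str, password: str) -> dict:
        """Return only the keys this principal was enrolled with; reject bad credentials."""
        salt, wrapped = self._entries[username]
        kek = self._kek(username, password, salt)
        try:
            return {role: unseal(kek, blob) for role, blob in wrapped.items()}
        except ValueError:
            raise PermissionError("credentials rejected by vault") from None

# --- policy: which key protects which file (constructed "file types" criterion) ---
DATA_EXTENSIONS = {".xlsx", ".docx", ".pdf"}

def key_role_for(path: str) -> str:
    return "user" if os.path.splitext(path)[1].lower() in DATA_EXTENSIONS else "common"

def encrypt_file(path: str, content: bytes, keys: dict) -> bytes:
    role = key_role_for(path)
    if role not in keys:
        raise PermissionError(f"{path}: this principal holds no {role!r} key")
    return seal(keys[role], content)

def decrypt_file(path: str, blob: bytes, keys: dict) -> bytes:
    role = key_role_for(path)
    if role not in keys:
        raise PermissionError(f"{path}: this principal holds no {role!r} key")
    return unseal(keys[role], blob)

def demo() -> dict:
    """Executive holds user+common keys; help desk holds only the common key."""
    user_key, common_key = os.urandom(32), os.urandom(32)
    vault = Vault()
    vault.enroll("cfo", "Winter2008!", {"user": user_key, "common": common_key})
    vault.enroll("helpdesk", "Reset-Me-1", {"common": common_key})

    cfo_keys = vault.unlock("cfo", "Winter2008!")
    sheet = encrypt_file("q3-financials.xlsx", b"revenue=42", cfo_keys)
    swap = encrypt_file(r"C:\pagefile.sys", b"<swap contents>", cfo_keys)
    results = {"cfo_roundtrip": decrypt_file("q3-financials.xlsx", sheet, cfo_keys) == b"revenue=42"}

    tech_keys = vault.unlock("helpdesk", "Reset-Me-1")
    results["tech_reads_pagefile"] = decrypt_file(r"C:\pagefile.sys", swap, tech_keys) == b"<swap contents>"
    try:
        decrypt_file("q3-financials.xlsx", sheet, tech_keys)
        results["tech_reads_sheet"] = True
    except PermissionError:
        results["tech_reads_sheet"] = False
    try:
        vault.unlock("cfo", "wrong-password")
        results["wrong_password_unlocks"] = True
    except PermissionError:
        results["wrong_password_unlocks"] = False
    return results

if __name__ == "__main__":
    print(demo())
```

The point to take from the block is the separation of concerns: the login password never encrypts a file directly, it only unwraps whichever keys the principal was enrolled with, so adding system-file encryption is a matter of wrapping one more key under the same credential rather than introducing a second password.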

With Version 6.0, Credant preserves that same technique even though it extends encryption to most system-level files. Without encryption, these underlying files, such as swap files, temp files and the registry, potentially are vulnerable to attackers, who could use them to gain control of the computer.

Full disk encryption has traditionally been handled by software, available from numerous vendors, including Check Point, GuardianEdge, McAfee, and Utimaco Safeware (but some disk drive manufacturers are building it into their hardware). The software products typically (though not always) require users to enter a separate username-password combination in order to unlock the system files needed to boot the computer. Credant executives contend that managing the second encryption password system, including master keys or passwords, and help desk support when users forget them and are locked out of their laptops, can be major headaches when dealing with hundreds or thousands of laptop users.

(Researchers have just uncovered another potential vulnerability with these products: At start-up their encryption keys are held in dynamic RAM longer than originally thought, where they can be found by an attacker.)

Mobile Guardian 6.0 retains the ability to selectively encrypt data files, based on policies using criteria such as file types, user identity or group affiliation, and adds the system file encryption. But not all the system-level files are encrypted. "We [can] encrypt everything on the disk except the files we need to boot the operating system," says Scott Renegar, a Credant sales engineer.

That would seem to leave the laptop vulnerable, but Renegar says that even if an attacker gets to these unencrypted system files, the new version of Mobile Guardian effectively blocks every action that an attacker can take by using them. “Typically, an attacker starts with ‘can I get to the credentials?’” Renegar says. Mobile Guardian blocks that by encrypting Windows’ local Security Accounts Manager and protecting the underlying registry, which SAM uses for persistent storage. Mobile Guardian also can detect any changes to these and other files.

The new release can work seamlessly with smartcards or other two-factor authentication systems, something that’s much harder for conventional full disk encryption products to do, according to Renegar. “If you’re using your SecureID token today, you can use it tomorrow with our software,” he says. “We’re not going to get in the way of that.”

Credant Mobile Guardian 6.0 is available now, starting at $92 per user, and decreases with volume discounts.
