Network World - Credant Technologies has released a new version of its enterprise software for securing Windows-based laptops with a feature that now can encrypt low-level system files without requiring users to input a second username-password combination.
This new feature is based on what the vendor calls system data encryption, which gives Credant Mobile Guardian the basic capability of specialized full disk encryption products without the additional authentication step for users, or the additional management burdens for administrators, according to company officials.
Also new in Credant Mobile Guardian (CMG) Enterprise Edition 6.0 are:
* CMG StandAlone Windows Shield, a small program that loads via CD or the Web onto a laptop owned by a visiting contractor or business partner, and automatically encrypts any company data the visitor receives.
* Protection for CD/DVD media.
* Enhanced audit reports that now quickly confirm the encryption status of data on a given laptop, in case the PC is lost or stolen.
Previously, Credant Mobile Guardian combined two different encryption keys: a user key that lets an executive, for example, encrypt Excel spreadsheets with company financial data, and a common key that will let someone like a help desk technician log into the laptop to work with system files or applications but not unscramble the spreadsheets.
In doing so, Credant uses a technique that relies on the user’s standard Windows authentication user name and password. A user simply logs into a laptop and accesses the encrypted files without doing anything different. Behind the scenes, the Windows credentials are in effect passed to a Credant “vault” on the laptop, which confirms their validity and then opens the encryption keys to the scrambled files on the disk. The vault is part of the CMG Enterprise Edition Shield for Windows client application, which communicates with the CMG server.
With Version 6.0, Credant preserves that same technique even though it extends encryption to most system-level files. Without encryption, these underlying files, such as swap files, temp files and the registry, potentially are vulnerable to attackers, who could use them to gain control of the computer.
Full disk encryption has traditionally been handled by software, available from numerous vendors, including Check Point, GuardianEdge, McAfee, and Utimaco Safeware (but some disk drive manufacturers are building it into their hardware). The software products typically (though not always) require users to enter a separate username-password combination in order to unlock the system files needed to boot the computer. Credant executives contend that managing the second encryption password system, including master keys or passwords, and help desk support when users forget them and are locked out of their laptops, can be major headaches when dealing with hundreds or thousands of laptop users.
(Researchers have just uncovered another potential vulnerability with these products: At start-up their encryption keys are held in dynamic RAM longer than originally thought, where they can be found by an attacker.)