The long view of security strategies for your network.
Organizations differ in the amount of control that is necessary and appropriate for information circulating among people who work together.
In some organizations, it makes sense to maintain a liberal policy of openness and sharing of corporate data; the philosophy behind such openness is that information exchange can lead to unexpected benefits well beyond the risks of sharing. Entrepreneurial startups with small groups of enthusiastic, creative people collaborating closely on new ways of doing business can be ideal places for a permissive security posture based on the need to conceal rather than the need to know.
On the other hand, for organizations with highly sensitive data pertinent to limited subsets of employees, a more restrictive need-to-know posture might make more sense. Controlling access to information within an organization and fostering appropriate information exchange by authorized personnel are conflicting challenges for enterprise security managers.
I recently received a white paper on this subject from Secuware entitled “Closed Circuits for Information: 360-degree Data Protection for the Enterprise” and found it to be unusually well-written and informative.
The Secuware Security Framework (SSF) is an add-on for the Windows operating system. According to the white paper, it offers strong identification and authentication coupled with whole-system encryption that can be extended to network devices and removable media. Some of the significant features I noted include the following:
* Pre-boot authentication that is resistant to typical bypasses such as booting from alternative media;
* Whole-disk encryption with an additional performance overhead of only 0.15%;
* Controls over application execution using white lists;
* Extensive security-management functions for policy definition and user configuration;
* Granularity extending to individual devices such as specific flash drives;
* User profiles that can apply to individual users or to groups of users in specific functional areas (e.g., departments or branches);
* Easy definition of restricted subsets of information exchange equivalent to subnets on a partitioned network without having to change network topology;
* Entirely client-based - no security servers to manage;
* Centralized security-policy administration for all systems on a network.
The white paper includes a comparative analysis with Microsoft Vista BitLocker, the new whole-disk encryption functions available under Vista Enterprise.
I hope that some readers of this column will find the white paper interesting and useful.
[Disclaimer: I have no relationship whatever with Secuware.]
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.