Clear Choice Test

Encryption key management

Vormetric's agent-based approach provides strong key management across all apps

By Logan Harbaugh, Network World
September 07, 2009 12:07 AM ET
The Vormetric Data Security Expert Security Server is not a direct competitor to the Thales and Venafi systems. Rather than managing keys used by other certificate authorities or encryption solutions, it manages its own encryption solution across multiple systems. It provides encryption services to file systems or to IBM DB2 or IDS database backups.

The system involves two components: an agent that runs on each server to be managed, and the appliance. The appliance must be set up first, using a serial terminal for network configuration, then the serial terminal or an SSH session for the rest of the initial configuration. After setting up the network interfaces and generating a security certificate, the rest of the configuration can be done via browser.

After you configure a domain, you can begin setting up policies and hosts that will have agents deployed. The software on each managed system must be able to resolve the hostname of the Vormetric appliance to connect to the system. 

Once the agent is registered, you can set up policies that control how keys are deployed and how encryption is managed on the specified servers. The policy editor is very flexible, though not terribly user friendly. Creating policies is more like scripting than the drop-down menus of the other products. This approach is more flexible, but requires more study to understand how to create policies, as well as testing to ensure that the policy is doing what you think it is. Setting up policies is well documented, and most people will need to refer to the documentation regularly.

The next software release, 4.3.4, which should be available before this article goes to print, makes creating policies much easier, with the ability to browse to users, applications to be controlled and resources to be protected.

The Vormetric appliance encrypts data in place, intercepting system calls and ensuring that any request for data comes from an authorized user, and that both data and backups are safely encrypted. The hardware is FIPS compliant, and has failover capability to handle the demands of a large enterprise.

In addition to encryption, the Vormetric appliance and agents allow you to control access to specific data and applications, controlling which users can see or access data and applications, and which rights they have to specific files. While some of this can be accomplished using the standard user rights systems in Windows or Linux, the Vormetric system establishes an audit trail, showing which users attempted to access protected data.

The appliance can also ensure that applications are only run by authorized users, so that a guest, for example, would not be allowed to run the del command, or that users would not be allowed to use notepad to read configuration files. This approach isn't foolproof: if you limit notepad but not other text editors, users could circumvent the prohibition. While you can prohibit everything not explicitly allowed, this could cause problems because many applications make calls to other applications.
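The two failure modes described above, modelled as an added example that is not Vormetric's policy language or code; the users, executable names and protected path are constructed placeholders. A deny-list that names only notepad still lets another editor read the file, while a default-deny allow-list blocks a helper process the permitted application calls; every decision on protected data lands in an audit trail.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed placeholders: this path and the names below are illustrative only.
CONFIG = "/etc/app/config.ini"
PROTECTED: Set[str] = {CONFIG}


@dataclass
class Policy:
    # deny-list mode: user -> executables that may not touch protected data
    deny: Dict[str, Set[str]] = field(default_factory=dict)
    # allow-list mode: user -> the only executables permitted; everything else denied
    allow: Dict[str, Set[str]] = field(default_factory=dict)
    # audit trail: (user, executable, path, decision) for each protected access
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def decide(self, user: str, exe: str, path: str) -> bool:
        """Return True if `exe`, run by `user`, may access `path`."""
        if path not in PROTECTED:
            return True  # unprotected data is outside the policy's scope
        if user in self.allow:
            ok = exe in self.allow[user]          # default-deny for this user
        else:
            ok = exe not in self.deny.get(user, set())  # deny-list only
        self.audit.append((user, exe, path, "allow" if ok else "deny"))
        return ok


def denylist_scenario() -> Policy:
    """Blocking notepad alone: a different editor still reads the config."""
    p = Policy(deny={"guest": {"notepad.exe"}})
    p.decide("guest", "notepad.exe", CONFIG)  # denied, as intended
    p.decide("guest", "vim", CONFIG)          # allowed: the prohibition is bypassed
    return p


def allowlist_scenario() -> Policy:
    """Default-deny: the permitted app works, but the helper it spawns is blocked."""
    p = Policy(allow={"analyst": {"report.exe"}})
    p.decide("analyst", "report.exe", CONFIG)  # allowed
    p.decide("analyst", "gzip", CONFIG)        # called by report.exe, but denied
    return p


def denials(p: Policy) -> List[Tuple[str, str, str, str]]:
    """Audit entries an administrator would review to spot blocked access."""
    return [entry for entry in p.audit if entry[3] == "deny"]
```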
