Continued from part 1 of the article:
Data Proximity – Security that enables data at work.
We can apply this understanding of inward- and outward-facing data, encrypted data at work, and endpoint security to devise a solution based on Data Proximity. Data Proximity is the ability to access protected data only while the system is “proximal” (within the proximity of) to the workplace, without the worry of key mobility, the overhead of whole-disk encryption, or outward data loss.
Data Proximity provides an encrypted data store on each system into which any type of data file can be placed. Once placed in the store, the file is encrypted and can be accessed only while the system is connected to the enterprise work environment. The key needed to open an encrypted file can be obtained only when the system is connected to the key store manager, which is responsible for key storage and key randomization. Keeping the key store inside the corporate infrastructure removes the problem of key mobility and adds the extra protection of randomization. Keys are never written to a client’s disk and are therefore not available away from the workplace. The practical check for such a design is that no key material survives on the client once the connection drops: a key is necessarily held in client memory while a file is open, so swap and hibernation files on the client deserve the same scrutiny as any other place where decrypted material can land.
The approach is further strengthened by extensive logging of actions on data (reads, writes, deletes) and by disabling memory-sourced data copies. Many applications leave decrypted data behind as memory or scratch-pad residue, which would otherwise let a user make untracked copies of the data into other, unknown files.
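The store, key store manager, proximity check and action log described in the two paragraphs above, as an added Python illustration. This is example code written for this page, not Savant Protection’s product or any part of its implementation. It assumes a per-file key handed out by an in-process KeyStoreManager stand-in, a ProximityStore client that caches keys only in RAM while connected and drops them on disconnect, and an HMAC-SHA256 counter-mode cipher with encrypt-then-MAC in place of AES, because the Python standard library ships no AES; the file name and contents in demo() are constructed samples.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

class NotProximalError(Exception):
    """Key requested while the client is not connected to the key store."""

def _tag(key, nonce, ct):
    # MAC under a subkey separate from the encryption subkey (encrypt-then-MAC).
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES (the stdlib has no AES).
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt a file body; on-disk layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("tag mismatch: wrong key or tampered file")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class KeyStoreManager:
    """Simulated server inside the corporate network: the only place keys persist."""
    def __init__(self):
        self._keys = {}

    def key_for(self, file_id):
        return self._keys.setdefault(file_id, secrets.token_bytes(32))

    def randomize(self, file_id):
        """Replace a file's key (the page's 'randomization') and return the new one."""
        self._keys[file_id] = secrets.token_bytes(32)
        return self._keys[file_id]

class ProximityStore:
    """Client-side store: keys live in RAM only while connected, never on disk."""
    def __init__(self, directory, ksm):
        self.directory, self._ksm, self._key_cache = directory, ksm, {}
        self.audit = []  # (action, file_id, result): the read/write/delete log

    def disconnect(self):
        self._ksm, self._key_cache = None, {}  # leaving work drops every key

    def _key(self, file_id):
        if self._ksm is None:  # not proximal: no key, and the denial is logged
            self.audit.append(("key", file_id, "denied: not proximal"))
            raise NotProximalError(file_id)
        return self._key_cache.setdefault(file_id, self._ksm.key_for(file_id))

    def path(self, file_id):
        return os.path.join(self.directory, file_id + ".enc")

    def write(self, file_id, plaintext):
        blob = seal(self._key(file_id), plaintext)  # get the key before creating the file
        with open(self.path(file_id), "wb") as f:
            f.write(blob)
        self.audit.append(("write", file_id, "ok"))

    def read(self, file_id):
        with open(self.path(file_id), "rb") as f:
            plaintext = open_sealed(self._key(file_id), f.read())
        self.audit.append(("read", file_id, "ok"))
        return plaintext

    def rekey(self, file_id):
        plaintext = self.read(file_id)  # re-seal under a fresh key; needs proximity like any read
        self._key_cache[file_id] = new = self._ksm.randomize(file_id)
        with open(self.path(file_id), "wb") as f:
            f.write(seal(new, plaintext))
        self.audit.append(("rekey", file_id, "ok"))

def demo():
    """One work day: write and read at work, rekey, then go mobile and try again."""
    store = ProximityStore(tempfile.mkdtemp(), KeyStoreManager())
    store.write("q3-forecast", b"constructed sample: confidential numbers")
    at_work = store.read("q3-forecast")
    # Keys must never reach the client's disk: scan the sealed file for the cached key.
    with open(store.path("q3-forecast"), "rb") as f:
        key_on_disk = store._key_cache["q3-forecast"] in f.read()
    store.rekey("q3-forecast")
    after_rekey = store.read("q3-forecast")
    store.disconnect()
    try:
        mobile = store.read("q3-forecast")
    except NotProximalError:
        mobile = "denied"
    return {"at_work": at_work, "after_rekey": after_rekey, "mobile": mobile,
            "key_on_disk": key_on_disk, "actions": [a for a, _, _ in store.audit]}
```

demo() returns the plaintext recovered while connected (before and after the key store randomizes the file’s key), the string "denied" for the attempt made after disconnecting, a key_on_disk flag that stays False because only sealed bytes are ever written, and the action log, which records the denied key request as well as the successful reads, writes and rekey. The memory-residue and copy-blocking controls the paragraph also mentions are operating-system and application-level measures and are not modelled here.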
Data Proximity is designed to be a lightweight information security solution that supports a mobile workforce without hurting its productivity. When employees are at work, they should be able to work. When they are mobile, their ability to access and use data should not be impeded, but the company’s information must remain safe from intentional and unintentional security risk.
Summary
Whole Disk Encryption:
• System performance degradation, since every operating system and application read passes through decryption
• Total system loss if the key is corrupted or lost
• Keys travel with the mobile system, leaving the keys and their users open to compromise
• Problematic when mobile systems require new applications or updates
• Memory-resident copies may be possible depending on vendor configuration
Data Proximity:
• Better overall system performance than whole disk encryption, since only the data store is encrypted
• All keys are kept at the place of business and do not travel with the mobile system
• Memory-resident copies are disabled
• Detailed logging of file interactions
• Employee access to protected files only while at work (customizable)
• Systems are always bootable, since the operating system is never encrypted
• Control of external device attachment and use (memory sticks, CD drives, external drives, etc.)
About the Author
Ken Steinberg, CEO of Savant Protection (savantprotection.com), brings a track record of over two decades in computing and high technology. Prior to Savant, he held senior positions with DEC, Hughes, Hitachi, Softbank and the John Von Neumann Super Computing Center for the National Science Foundation. A thought leader in the security/encryption field, Steinberg has addressed national conferences and trade shows and has been a columnist and contributing author for several regional newspapers and technology publications.
Savant Protection is the industry pioneer in preemptive malware spread mitigation and containment technology for all business environments. Founded in 2004, Savant Protection quickly established itself as an innovator in its approach to product development, design and the implementation of advanced technologies.