A number of encryption products are designed to protect data from unauthorised access, three of which I recently had an opportunity to test: Credant Mobile Guardian Enterprise Edition v. 4.3.(this week's review), and two others which will follow: 1 Control Break SafeBoot Device Encryption 4.2 and Utimaco SafeGuard Easy 4.11 (A fourth vendor, PointSec, declined to participate).

All three products were originally designed to protect the information on mobile devices, such as laptops, from being accessible if the device was stolen. However, all three companies are now selling them as solutions for ensuring compliance with regulations such as HIPAA and Sarbanes-Oxley. They’re also pitching these wares as protection against the loss of commercial data that could lead to action under Visa and MasterCard’s PCI (Payment Card Industry) requirements.

The products from Control Break and Utimaco, however, only encrypt a machine’s hard disk, which may be adequate for protecting mobile devices but not much else. The third product, from Credant, is much more useful. Despite the marketing hype, none of these products is more than a limited solution to a much bigger problem.

Power Off vs. Power On
Control Break and Utimaco use whole-disk encryption, also called power-off encryption, encrypting a machine’s hard disk and modifying the Windows master boot record so that the machine requests a log-on name and password at startup. The idea is that the data is completely inaccessible if someone turns on the machine without the proper authentication. Thus, it’s protected when the power is off.

The companies that provide whole-disk encryption products claim the encryption is unbreakable. That’s fairly accurate, except that the machines are safe only when they’re turned off. When the correct log-on information has been entered and the machine is in use, the material on the hard disk is automatically decrypted. At that point, anyone else who gets in, say, through a remote admin account can see what’s on the hard disk. Likewise, a worm can still mine the information and send it to a third party. Therefore, machines running whole-disk encryption will require additional protection. Most enterprises already employ such means anyway, but with these devices it becomes vital.

Taking an alternative approach to whole-disk encryption, Credant’s product encrypts individual folders and files, an approach known as power-on encryption, because information is protected even when the computer is running - as well as when the power is off.

Power-on encryption methods are not without weaknesses. To ensure effectiveness, an administrator must see that all necessary file types are listed in the configuration and that all material to be encrypted is saved in folders flagged for encryption. Therefore, it’s possible for users to save sensitive data in such a way that it’s available in an unencrypted form.

For my test, I installed each of these products into a test enterprise consisting of Windows machines, PDAs, and servers. None of these solutions is intended to encrypt servers, although they can use your server’s directory service to create their user list. In practice, this means they’ll use Windows Active Directory. Although you’ll see claims that the products work with LDAP or Novell directory services, I wasn’t able to use these products that way.

How it works
Credant Mobile Guardian encrypts files and directories, including temporary files, swap files, or files created when a computer goes into hibernation -- basically, everything but Windows OS and program files. Admins also can set it to encrypt files only in specific locations or of a specific type. The Enterprise Edition lets you set enterprise-wide policies for fixed and mobile workers.

If an unauthorised person - be it an intruder or support staff - gains access to the protected machine, he or she will not be able to access protected material. This means that a network administrator can help solve a problem on a computer containing financial or medical records without being able to view them, even though he or she can see that the information exists.

Likewise, if someone steals a laptop or PDA, he or she gains access to the device but not to the protected information. In an intriguing tech-support practice, when Credant gets a call from someone trying to open a protected file, the company alerts the registered owner, reporting on who is in possession of the computer and that person’s location.

Credant supports PocketPC and Palm devices as well as smart phones using the Symbian OS. It’s also the only company in this test offering RIM Blackberry support.

Getting the server installed and setting up clients
Installing the Enterprise Server is mostly a process of running the setup files on the CD and letting the process happen. In addition to installing the management software, Credant installs a copy of Apache, which provides a Web-based management console, and a copy of MySQL on the server. If you’re already running MySQL, you can use your existing database installation. You’ll need to initialise the database after the install using a batch file provided by Credant.

After you have the server up and running, you then create installation files for the client machines on your network. The software for the client machines is called a Gatekeeper and its configuration is embedded in the installer that the server creates. Keep the installer in a shared directory on the network, or install using the deployment wizard, SMS, Tivoli, or other software-distribution package. Feel free to specify your policies for the Gatekeeper in significant detail; those policies will be part of the installation.

After everything is installed, the server provides the means to control the encryption policies for your network as well as ways to keep tabs on the status of devices currently attached to the network. In fact, you can even keep an eye on battery levels for mobile devices. The product is transparent to end-users. There was no apparent impact on performance and authorised users never noticed the encryption.

Useful and well-designed
I found Credant Mobile Guardian to be a useful, well-designed product that can work anywhere in the enterprise. More important, it’s useful on machines that are on the go or sitting on a desktop. It gives you a single solution for managing your office computers and most of your mobile devices, all with one interface.

Credant had the most flexible, and most useful, solution and would be effective for enterprise-wide deployment. This is the preferred choice of the three products reviewed, unless your policy mandates whole-disk encryption.


This easy-to-manage, easy-to-implement solution encrypts only the data that needs it, including temporary files. Furthermore, it protects files from intrusion even while the machine is up and running. Given its reasonable pricing and minimal impact on managers, users, and system performance, there?s little reason to look beyond Credant Mobile Guardian.