Utimaco's SafeGuard Easy employs whole-disk encryption, also called power-off encryption. It encrypts a machine’s hard disk and modifies the Windows master boot record so that the machine requests a log-on name and password at startup. The idea is that the data is completely inaccessible if someone turns on the machine without the proper authentication. Thus, it’s protected when the power is off.

Products that protect when the power is on also, by encrypting specific files, include Credant Mobile Guardian (reviewed two weeks ago).

SafeGuard Easy is a whole-disk encryption product similar in some ways to SafeBoot (reviewed last week). Unlike the former product, however, SafeGuard is limited to Windows platforms only. PDA support for Windows Mobile platforms is available as a separate product, called SafeGuard PDA, which I did not test. The company offers no support for non-Windows systems of any kind.

Utimaco has designed SafeGuard Easy as essentially a stand-alone package that can be administered centrally. First, you install the administration package on the admin machine, then create a Windows installation file for distribution to other machines. This, and a standard configuration file, is distributable via the SafeGuard Easy Central Administration software or a software distribution package of your choice. You may also install it using a CD or a shared folder on the network.

Log-in sequence starts the encryption
Post-installation, you start encryption by using the local administrator and clicking on a blank spot in a column until a key appears. Save that setting, then encryption begins. On my HP machine, the process took about two hours, but I could use the machine during that time. On my IBM Z Pro, the process took somewhat longer, but unlike with SafeBoot, the encryption process did not cause the Z Pro to reboot.

As was the case with SafeBoot, SafeGuard Easy writes a modified version of the master boot record, which then runs a log-on sequence as the boot process begins. It synchronises the preboot log-on information with the Windows log-on information, which means you can use a single sign-on, making it easier to use. There is little if any impact on the user with this product after installation and encryption.

But it doesn't work with XP service pack 2!
Unfortunately, the life of the SafeGuard Easy administrator is made a little more difficult by the Central Administration console’s failure to work properly with Windows XP Service Pack 2, which has been the standard version of Windows for about a year. The Central Administration requires that either anonymous log-ins be enabled or that an administrator’s log-on that allows full remote access be provided.

Microsoft turned off anonymous log-ons for Windows as a way to plug a serious security hole. Enabling anonymous log-ons reverses that security fix. The other choice - providing a system-wide administrator log-on - is no better. Either way, you’re effectively opening up your SP2 machines to people who may not be authorised to view the contents of the machine they’re able to access. Utimaco says you can avoid this problem by not using the Central Administration console. In reality, this is a problem that should have been fixed already, but instead it leaves administrators with a lose-lose situation.

Power-on encrypption is coming
Utimaco does make a content encryption package, LAN Crypt, but it was not made available for this review. Utimaco claims that with LAN Crypt you can define certain files or folders that will be encrypted even while the machine is running, decrypting the information on demand. Without that software, however, SafeGuard Easy is at best a partial solution, best for the limited use of protecting mobile Windows machines against loss of protected information in the event of the machine’s loss or theft.

Unfortunately, SafeGuard Easy is the most limited and most expensive product in this review. You’re limited to Windows, and you may end up exposing your machines to more risk than you were prepared to take. If all you need to protect are mobile Windows machines, and if you don’t need to use the Central Administration package, this could be an acceptable product, but there are better choices available.

Overall, I was less than thrilled by the choices. Although these products did, in fact, encrypt the material they were designed to encrypt, they were a lot less useful than they could have been given today’s security and compliance environment.

OUR VERDICT

Limited and expensive, this full-disk encryption product has not kept up with current security requirements. Not only does it not protect against intrusion, it increases the likelihood of such intrusion because it requires users of Windows XP SP2 to defeat an important security feature in order to use the Central Administration package.