The market for desktop encryption products continues its slow, fragmented evolution, with a host of small companies vying to convince the corporate wallets that encrypting data at rest is not a huge management and support headache-in-waiting.
One new name is PrimX, which made its first appearance outside its native France at this year’s Infosecurity Europe Show in London. The company seems to have started much as every other company in this field starts, with a small group of crypto “experts” getting together one day to practice their mathematical magic for money.
What they have come up with is an AES-based encryption software product of great promise even if there is still some fine tuning to be done here and there. To name just the obvious issues, it still needs UK distribution and support, better-written English documentation, and an install program that doesn’t confront one with a French-language license agreement, but these will come in time.
There are two parts to the software: the ZoneCentral software itself, and a program for creating encrypted containers (more on this later). ZoneCentral is aimed at small and medium-sized companies; for single users there is also a standalone install called ZoneExpress, which is so new that the English-language manual has yet to be written.
PrimX would reject the notion that ZoneExpress has been cut down, and it is true that it can be used on a single PC to encrypt and decrypt data to a high degree of security. But it also lacks some important capabilities which allow the software to be managed securely in a centralised manner, and so is not suitable for use in a company of more than a few people.
PrimX describes the difference between ZoneCentral and ZoneExpress as one of perimeter. With ZoneCentral, the secure and encrypted perimeter is any place that data can be shared between users, including network drives; with ZoneExpress, by contrast, the secure perimeter is any resource that can be accessed by a single user. In other words, if shared encryption (as opposed to single user encryption) is needed on any type of external volume or directory, then the more grown-up ZoneCentral is required. That, in turn, needs the management features that ZoneCentral comes with, but which are missing from ZoneExpress.
The simplest purpose of ZoneCentral is to encrypt and decrypt all data files transparently, on-the-fly, as they are opened and closed from folders or “zones”, but its biggest plus is that it does a lot more than this behind the scenes. For example, it also encrypts the pagefile.sys swap file, which holds pages evicted from physical memory and so can contain plaintext fragments of files that were decrypted for use. In addition, any deleted file is overwritten before its space is released (a safeguard that only works if the storage really writes in place, which flash media do not guarantee), and the product claims to protect passwords (including its own) through a special keyboard driver as a way of stopping keylogging. That last claim is worth testing against the keyloggers in your own threat model: a filter driver can defeat user-mode hooks, but not a logger that sits beneath it in the stack or in the hardware.
Using the product is intuitive from the user’s point of view. Encrypted zones (folders, network drives, physical volumes, etc) appear in Windows with a small padlock on them. Entering an encrypted area always requires a passphrase, and a zone can be set to lock again, so that the passphrase is demanded afresh, if the user leaves the PC unattended long enough for the screensaver to run.
Encrypting a folder, or interacting with an already encrypted zone, is as simple as using the Windows right-click menu, where ZoneCentral installs itself as an extra set of commands. Logging out of a zone manually, by contrast, is buried too far down the command interface and should be on the same menu in our view.
Network shares can be set up for clients running ZoneCentral and access to them managed, without a dedicated server, by an administrator using the supplied admin interface or command-line console. As well as managing user passphrases (and their backup), access can also be granted using tokens such as USB devices and some smartcards, or controlled through policies applied from a domain controller. An interesting plus is the ability to force workstations to encrypt all data written to USB drives, to stop users inadvertently bypassing data security when they copy or back up files.
The software can enforce passphrase complexity, and also allows for a “transcription” process to be carried out at set intervals, by which all data folders or volumes are decrypted and then re-encrypted under brand new keys. The company recommends this be done at least once every year or two; since it replaces the keys outright, it is also the point at which any key that may have leaked stops being useful.
When shuttling data between two locations, it is possible to create an encrypted container, a sort of encrypted zip file into which files can be placed for sending to a specified recipient. The receiver can then open the container and access the documents either by holding the private key for an RSA certificate the sender specified or, more simply, by using a password agreed in advance. The password route is only as strong as the password and the channel over which it was agreed, so it is not perfectly secure, but it is better than sending files in the open, as plain attachments.
The bottom line
Powerful as it is, this is not a product that will necessarily decrease the average security manager’s workload. And therein lies the paradox of so many encryption products, in a sentence. They offer a high degree of security but often in a way that is hard to manage without configuration taking up time. ZoneCentral is a powerful product but it is not for the security dabbler.
On the upside, it is a brave and mostly successful attempt to tame the complex technical problems of having to manage desktop encryption on a company scale. Stay with it, hike up the learning curve, and its rewards in stability, security and feature sophistication will be worth it for some.
Standalone encryption can be had quite cheaply. Add management and the costs rise substantially. Where this sort of product might work well is for a laptop workforce, so that only a subset of users would be using it at one time. If the thought of going to full-disk encryption sounds heavy, then this halfway house might be worth looking at. Longer term, transparent full-disk encryption on devices such as corporate laptops is probably where the industry is going.