How should enterprises correctly select encryption software?

After testing a lot of encryption software on the market, I feel that each has its own advantages! The two types of products have different design concepts and functions, and are constantly developing and learning from each other. It should be pointed out that most customers often do not pay enough attention to the choice of data leakage prevention products, and treat them as common software products. In fact, data leakage prevention projects are closely related to existing enterprise information systems, rather than simply encrypting some files or hard disks. According to the application in the past few years, in addition to choosing the right product, the data leak prevention project requires the customer's attention and cooperation, which is no less difficult than the ERP project. If you do not know much about it, the failure rate of the project is almost 100% when you select and implement the product in a rush. There are countless negative cases.

The following describes the differences between the two:

The design idea of transparent file encryption is based on the Windows File System (filtering) Drive (IFS) technology, working on the Windows kernel layer. When installing computer hardware, we often need to install its drivers, such as printers and USB flash drives. A file system driver is a virtual driver that treats a file as a device. When an application operates on a file with a certain suffix, the file driver monitors the operation of the program and changes its operation method. When the user opens or edits a specified file, the system automatically decrypts the encrypted data so that the user can see the plaintext. When saving data, the system automatically encrypts the data and stores the ciphertext. If you do not have the permission, you cannot read the confidential data to achieve the effect of data confidentiality.

Advantages: for small office files, such as some simple reports, word and other files, the processing efficiency is good, intuitive, and high efficiency.

Disadvantage: it is difficult for the development industry. Because of the encryption process, the processing speed of the original program will be affected, and when the program or system crashes due to instability, the encryption process is not completed, and the final file cannot be identified. This is commonly known as a corrupt file.

 

The main function of Environment encryption is to set up a working mode for employees. This mode is called sandbox mode. Place all work-related data in the sandbox mode. Employees must enter the sandbox mode to open confidential data. After entering the sandbox mode, all operations that can be leaked, for example, file upload, USB flash drive, external computer, copy and paste, mail, CD burning, screenshot, printing, upload, Hard Disk theft, redo system, and so on are all restricted. If you want to obtain the file, you must follow the approval process. If an employee does not enter the sandbox mode, all confidential files in the sandbox mode cannot be viewed and accessed. Sandbox is a container that throws the sensitive software and files into the container for encryption. The container is transparent and the user cannot feel its existence. Use the most advanced Disk Filter Driver, file filter driver, network filter driver, and other kernel-level in-depth encryption anti-leak technology. Each module is only the one that you are best at, so it is very stable. People who do not enter the sandbox mode and those who enter the encryption mode are separated from each other and isolated from each other, so there is no need to worry about leaks.

Advantages: no program or file is bound, no file size is differentiated, no speed is affected, no Internet access is affected, and any file is encrypted upon landing, the system should be limited (such products are the best effective to prevent leaks due to source code development ).

Disadvantage: The software features are huge and complicated during installation and deployment. Installation must be implemented with the assistance of Party B's staff to get started quickly, and maintenance is very comfortable after implementation.

 

In a discussion with Manager Li, the leader of the famous encryption vendor sinda, Manager Li also made some specific analysis on the two encryption products and their impact:

 

Project risks are divided into the following types:

1. Risk of cracking after Data Encryption

Document encryption controls the application software. The generated document is written into the key when it is saved. However, when the ciphertext is opened on a computer with the encrypted product client, the encryption software automatically decrypts the ciphertext before it can be opened normally. That is to say, the encrypted file still exists in plaintext in the memory, and the plaintext can be directly extracted through the "Read Memory, attackers can bypass encryption and have a low security level. Environmental encryption uses overall protection to encrypt illegal outgoing files. to crack the attack, the only method is brute force cracking, which is quite difficult, high security level.

2. Changes in people's habits

The smaller the usage habits change, the less resistance the project has to push forward. No matter what type of products, once launched, employees will inevitably be constrained by their previous behaviors. For example, in the past, you can use QQ to send files. Currently, all files that cannot be sent or sent are ciphertext. At this point, document encryption products have little changes to people's habits. Employees can freely send non-encrypted files, which is better than the overall protection products, however, the risk is also high, and employees may forge sensitive data into non-encrypted files. However, no matter what kind of products, employees must re-regulate their behaviors in a set way, which requires top-down promotion from the Enterprise.

3. Data Damage Probability

Encryption requires decryption, and there must be a risk of failed encryption and decryption. The resulting result is data corruption, which greatly affects the daily work of employees, resulting in the system being unable to be launched. In this regard, the overall protection products are far better than document encryption, because document encryption directly and frequently performs encryption and decryption on data, resulting in a high data damage rate, encryption of the overall protection products is at the data transmission boundary

The data itself is not processed, and the damage rate is very small. From past project experience, damaged data has almost become synonymous with document encryption products and insurmountable bottlenecks (especially in R & D and manufacturing enterprises with complex terminal environments ), this is not the case for overall protection products.

4. Application System Upgrade risks

As mentioned above, document encryption is encrypted by control software, which will inevitably involve software versions. For example, a document encryption software can now support word2010 and Microsoft will launch word2012 in the future, at this time, developers must add word2012 as a controlled software to implement encryption, and users may need to increase a series of fees for this upgrade. However, environmental encryption does not pose such risks.

5. Management System Change risks

Management System Change Risk Index after the launch of the data confidentiality system, the enterprise's management systems and processes have changed. At this time, the data confidentiality system must be adjusted accordingly. If the adjustment cannot be completed quickly and methodically, it will cause great interference to the normal management and production order of the enterprise. Document encryption products can only take "documents" as the main management dimension, and there is no direct correspondence with the management system. When the system changes, the personnel who are familiar with the document encryption system and management process must make adjustments. This adjustment does not involve standard steps and procedures, which poses a high operational risk. The design philosophy of the overall protection product based on the "Data Risk Management System" is closely related to the enterprise's management process. Any data confidentiality policy must correspond to an explicit or invisible management system. For example, the Black/White List Management and encryption control during external mail are exactly the same as the enterprise's external mail management system. When the enterprise management system and process change, you only need to find the corresponding policy and modify it to complete the corresponding adjustment work, which is simple and fast.

6. Product deprecation risks

Deprecation risks are the risks that enterprises face when they need to uninstall the data confidentiality system and restore it to the status before the system goes online.

For document encryption products, encrypted data is scattered on various terminals on the Intranet in the form of a single encrypted file, canceling data encryption will affect the business system and recover data. This is a complex and long process. The deprecation cost is no less than the online cost. This makes the enterprise's application information system completely held by the encryption system "hold", becoming a huge potential risk, may cause the enterprise to pay a heavy price in the near future.

For overall protection products, all data is transmitted and applied in plain text without any controlled policies. administrators can delete the encryption policies at the data egress at any time, quickly eliminate the impact of the encryption system on the original information system, and the risk of deprecation is extremely low.

 

Through the comparison of the above six points, we can draw a conclusion that for large and medium-sized R & D and manufacturing enterprises, the overall concept of protection products is more suitable. In the final analysis, the overall protection products focus more on matching and integrating with existing information systems and management systems, and document encryption products focus more on the impact and changes on operator habits. Therefore, environmental encryption requires enterprises to make certain investments and concessions to ensure the smooth launch of the anti-leak system. However, once launched, the operation will be smoother and later management and maintenance will be easier; file encryption is more in line with customers' general views on encryption products, "No data leakage, no impact on work", but there is a great potential risk. Environmental encryption is more like a system, file encryption is more like software. Environmental encryption is more suitable for the overall management needs of large and medium-sized enterprises, and file encryption is more suitable for the rapid application of small-scale enterprises.

The above analysis is mainly based on the design concepts of the two types of products, but good ideas may not be included in the implementation. Therefore, it is very important to evaluate the manufacturer's strength and cases. Is the specific case true, the application environment requires more field visits and exchanges.

How should enterprises correctly select encryption software?