18

We have certain client data which must be encrypted at all times. The part we have been struggling with is encrypting files on network shares.

Currently we have network folders encrypted using PGP Netshare. This works pretty well for file encryption but it sucks for files which need to be accessed by two or more people simultaneously, i.e. Microsoft Access. If two people access the file the file will become corrupt.

We have tried Microsoft EFS, which is pretty straight forward, but difficult to configure for multiple users. You can't set multiple users to decrypt a file without explicitly adding their cert to the file though Windows Explorer (from what we have discovered).

Bitlocker was suggested as a clean way to encrypt files and configure across the enterprise. From what I read it appears like it will work for us. It states that the system drive needs to be encrypted as well and that is where issues come into play. It is a lot of configuration to setup bitlocker properly and I am not sure if it is a good solution for what I need to do.

So I ask you, security specialists, what is the industry standard for securing, encrypting data files on a windows file server?

Steve
  • 15,155
  • 3
  • 37
  • 66
Brettski
  • 521
  • 3
  • 8
  • 14
  • You may want to consider using BitLocker anyway; if the machines are only for work-related purposes you can re-image them and apply BitLocker pretty easily. Plus, having your work machines' disks fully encrypted is a pretty good idea. – KnightOfNi Dec 15 '14 at 18:07

5 Answers5

8

Ehmn, the 'industry standard' for client-side (laptop/desktop) and server-side (network share) workgroup file encryption in a Microsoft SMB environment is -- you're not going to like this -- don't do it. Seriously, very very few people do this, for many good reasons.

OK, you said "requirement", so the next best solution is Microsoft Encrypting File System together with Active Directory for management.

The good properties of EFS are:

  • The encryption is almost completely transparent to end users. EFS files are used just as plain un-encrypted files are; decryption permissions are inherited from the logged on Windows user account.

  • Pretty good performance, EFS is integrated with NTFS and decently fast.

  • Advanced management capabilities. Via Active Directory you can create multiple layers of admin accounts for unlocking files in an emergency; handle team / group / department permissions, etc.

Bad sides:

  • If you ever loose all keys, then you're in deep deep trouble.

  • Setting up a good, robust & safe EFS infrastructure for a company is a lot of work, and requires very careful risk assessment. You might start by reading this overview, and read the "Recovery" section twice.

  • A few applications, mostly client-server style apps which run on a desktop PC but use user credentials other than the logged in user, will fail to run. Or worse yet, run, but silently fail.

  • A few applications may have strange bugs. For example, with EFS my Google Chrome browser is frequently complaining about an unclean shutdown and looses its settings. Without EFS I do not have this issue.

  • EFS can be counter-intuitive. For example, the default behavior is that if you copy an EFS file to an unencrypted destination via common icon drag'n'drop, then the file is transparently de-crypted. But if you do the exact same via some command line tools, then the file remains encrypted. This has tricked more than one file backup, and caused data loss.

You can't set multiple users to decrypt a file without explicitly adding their cert to the file though Windows Explorer (from what we have discovered)

The solution is Active Directory & Group Policies. Active Directory can be daunting. No offense intended, but if this is new to you, then maybe you should find an experienced Microsoft sysadmin to lend a hand with the design.

Regarding Truecrypt: Personally, I would never use Truecrypt for this. I love Truecrypt, and use it every day on my own PC's. But at heart it is a single-computer solution, with no group management / multi-PC deployment tools / multi-layered key management capabilities. It's not the right tool for workgroups / companies, other than perhaps full-disk laptop harddisk encryption (and even there, Bitkeeper is stronger on management capabilities).

  • 1
    @Jesper - not sure your point about industry standard is absolutely correct:-) For certain industries it is mandated, and for others it is at least desirable. And I have seen TrueCrypt used successfully at enterprise level on this (once!) – Rory Alsop Apr 18 '11 at 21:12
  • @Rory Alsop: You are of course correct. And as a security professional, you're seeing the organizations that are compelled to use encryption. But what is the mix, realistically? Do maybe 2% - 5% of all the worlds companies use wide-scale encryption, and 95%+ do not (excluding government, and excluding simple endpoint encryption like laptop & smartphone devices)? I don't have any statistics to reference, but my guess is the ratio is somewhere in that neighborhood. :-) –  Apr 18 '11 at 21:32
  • @Jesper - very good point. I mostly see the Fortune 350, FTSE 100 etc, however for smaller orgs some industries are good: Financial services companies do a good job with credit card data - this is strongly mandated so most (>75%) comply. In the UK and US personal data are encrypted by the majority of organisations. Database encryption is being successfully implemented at smaller orgs - especially with POSTGreSQL having a robust security implementation for free! – Rory Alsop Apr 18 '11 at 21:38
  • @Rory Alsop: Ahh, I'm sorry. I meant "wide scale file & network share encryption". Updating my answer to make this more clear. Your point about more application-specific systems, such as PCI compliant credit card storage in a database, is of course entirely correct. –  Apr 18 '11 at 21:57
  • 1
    @Jesper - understood, and I agree with you. I think your stats (2%-5%) might even be a tad optimistic in reality :-) – Rory Alsop Apr 18 '11 at 22:06
  • The open source aspect of TruCrypt has shied me away from it. Without 100% understanding of this type of software, we really need a support contract. We have deployed EFS as explained, and it really is a pain to add certificates to files to allow users to access them. – Brettski Apr 19 '11 at 02:49
3

TrueCrypt does offer the option of providing network shares:

Sharing over Network

If there is a need to access a single TrueCrypt volume simultaneously from multiple operating systems, there are two options:

  1. A TrueCrypt volume is mounted only on a single computer (for example, on a server) and only the content of the mounted TrueCrypt volume (i.e., the file system within the TrueCrypt volume) is shared over a network. Users on other computers or systems will not mount the volume (it is already mounted on the server).

    Advantages: All users can write data to the TrueCrypt volume. The shared volume may be both file-hosted and partition/device-hosted.

    Disadvantage: Data sent over the network will not be encrypted. However, it is still possible to encrypt them using e.g. SSL, TLS, VPN, or other technologies.

    Remarks: Note that, when you restart the system, the network share will be automatically restored only if the volume is a system favorite volume or an encrypted system partition/drive (for more information on how to configure a volume as a system favorite volume, see the chapter System Favorite Volumes).

  2. A dismounted TrueCrypt file container is stored on a single computer (for example, on a server). This encrypted file is shared over a network. Users on other computers or systems will locally mount the shared file. Thus, the volume will be mounted simultaneously under multiple operating systems.

    Advantage: Data sent over the network will be encrypted (however, it is still recommended to encrypt them using e.g. SSL, TLS, VPN, or other appropriate technologies to make traffic analysis more difficult and to preserve the integrity of the data).

    Disadvantages: The shared volume may be only file-hosted (not partition/device-hosted). The volume must be mounted in read-only mode under each of the systems (see the section Mount Options for information on how to mount a volume in read-only mode). Note that this requirement applies to unencrypted volumes too. One of the reasons is, for example, the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent (which could result in data corruption).

Although used widely there is still an amount of stigma associated with the use of TrueCrypt in the enterprise, mainly based on the anonymity of the developers (which some may see as a good thing!), see this write up

Truecrypt’s source code has never been the subject of a thorough review, nor is there any reason to rely on the credentials of the developers, since they remain anonymous.

So part of the question would have to be, can I deploy this within my organisation rather than does it do what we need.

Hope this helps.

David Stubley
  • 2,886
  • 1
  • 17
  • 28
3

The only one i have experience with is CREDANT. It should be able to provide all the services that you need. It is not open source, which seems not to be a problem from how your question reads.

I know that CheckPoint (the sec appliance company) has a product that has been called Pointsec. I'm not too familiar with it, but it's also something to investigate.

On a side note, TrueCrypt is by no means an enterprise grade tool. It lacks basic administration options. I am not saying that TrueCrypt is not a good tool, i use it at home all the time, but it's not built to serve even a small business.

If CREDANT or CheckPoint doesn't have what you're looking for,use them as a place to start your research. Also, please let us know what you came up with, I'm interested if there are any more applicable options on the market.

Another idea is to contact any current security appliance vendor you have (assuming that you like their products). Talk to your PaloAlto people, CheckPoint people, Cisco people, Juniper people, etc... and see what they have to say.

Ormis
  • 1,940
  • 13
  • 18
  • True, it does not require to be open source. Plus with the headaches I have had with PGP Netshare I would want some type of support contract. I plan to try out CREDANT based out your suggestion, thank you. – Brettski Apr 19 '11 at 02:30
  • No problem. If you don't mind telling me, is this for a SMB or a larger company? – Ormis Apr 19 '11 at 13:22
  • Small, < 250 Employees. – Brettski Apr 20 '11 at 02:51
2

Have you tried using True Crypt?

It wont do any networking but it will behave just like a normal drive. But you can use true crypt to secure the files on the HDD and the use any other secure network delivery system that supplies data from a folder.

KilledKenny
  • 1,662
  • 4
  • 19
  • 28
2

Pointsec can do this really well, and it ties in simply with Active Directory. It is the most common solution I have seen in global corporates where they had to encrypt volumes.

Where it is just data that needs to be encrypted, most of the solutions I have seen store the data in either a database which supports encryption, or encrypted SANs.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • Yours is the second recommendation for Pointsec and I plan to review it along with CREDANT. I appreciate your feedback. – Brettski Apr 19 '11 at 02:32