Best encryption software for business in 2020: BitLocker, FileVault, Guardium, and more - ZDNet


Posted: 08 May 2020 12:00 AM PDT

When mass data collection and big data analysis exploded on the technology scene, security and encryption, unfortunately, took a back seat. 

In a world where data breaches are commonplace -- involving everything from device theft to vulnerability exploitation and open AWS buckets exposed to the world -- businesses both large and small must now educate themselves and employ encryption software to protect the data they have become controllers of. 

Encryption can help protect information stored, received, and sent. Readable information is scrambled by an encryption algorithm under a secret key; only someone holding the right key can run the algorithm in reverse and return the text to a readable form. Today, the Advanced Encryption Standard (AES), the successor to DES, is in common use worldwide with 128- and 256-bit key lengths. 

If strong encryption and security practices are not in place, businesses are not only opening themselves up to potential cyberattacks, but also the loss of corporate and customer information, fines for non-compliance with laws including HIPAA and GDPR, financial damage, and the loss of reputation. 

Below, we list our favorite encryption solutions, suitable for users, SMBs, and enterprise players. 

Disclosure: ZDNet may earn an affiliate commission from some of the products featured on this page. ZDNet and the author were not compensated for this independent review. 

Microsoft BitLocker

Free

Best suited for: Windows users who need onboard device encryption
 
Microsoft's BitLocker, available on business editions of the OS and server software, is the name given to a set of encryption tools providing either AES 128-bit or AES 256-bit device encryption.
 
The Redmond giant's solution is focused on the encryption of drives on a device out of the box and can also be used to protect removable drives through BitLocker To Go. Recovery keys can also be set to retrieve data should firmware issues or errors prevent IT administrators from accessing encrypted drives. 
 
A set of administration tools, including features such as enabling the encryption of full drives and other media, as well as domain or Microsoft account linking, are included. 
 
BitLocker's hardware specifications require an onboard Trusted Platform Module (TPM) chip and Modern Standby support, two elements generally supported on modern Windows PCs.  
 
BitLocker is built into Windows, but Home editions, which ship on many consumer PCs, include only a limited set of its tools. To take full advantage of Microsoft's encryption, users must upgrade to Windows 10 Pro or Windows 10 Enterprise. 
 
Interested in BitLocker? You can check out our user guide here.


IBM Guardium

Subscription

Best suited for: Enterprise users who need flexible encryption across multiple environments

IBM Guardium is a data protection platform that pulls together a suite of security tools in an effort to streamline data management and reduce vendor product disparity. 
 
Encryption services are included for corporate data, alongside data discovery and classification, vulnerability scans, data activity monitoring, analytics, and compliance reports, among other features.
 
IBM Guardium for File and Database Encryption can be used to encrypt on-premises files and databases by leveraging the hardware encryption capabilities of host CPUs, including Intel and AMD AES-NI, POWER8 AES, and SPARC. 
 
Data can be encrypted on-the-go without taking business applications offline, levels of encryption can be enabled to match user access rights, and keys can be managed from a central platform.  
 
A useful accompaniment to IBM encryption is access policies that can be set to identify anomalous behavior such as mass copy and deletion of files and directories. Compliance reports can also be generated to adhere to legal requirements set by GDPR, CCPA, HIPAA, PCI-DSS, and SOX.
 
The solution requires a data security module (DSM) virtual appliance deployed on a VMware hypervisor. IBM says some clients achieve an ROI of up to 343%.
 
IBM Guardium is a subscription-based service provided on request and is most suitable for enterprise companies willing to invest in a one-stop-shop solution for data management and protection. 


Apple FileVault

Free

Best suited for: Mac users who want on-device encryption.
 
Apple's FileVault is built into the macOS operating system. Apple first introduced FileVault in 2013, later upgrading to FileVault 2 on macOS Lion and later versions. The onboard system can be enabled to encrypt all information stored on disk to prevent the theft of data by anyone without access or account credentials. Users of the iMac Pro and of other devices with Apple's T2 chip will have their information encrypted automatically. 
 
Modern CPU power is leveraged to provide AES 128/256-bit encryption. Users can choose to leverage their iCloud account credentials or generate a recovery key to unlock disks if they forget their standard device password. 
 
However, businesses should not consider FileVault to be a full, robust solution for data security; rather, it is a useful addition for ensuring a basic level of encryption and protection. 


AxCrypt

Subscription

Best suited for: Protecting information on machines used by multiple individuals, collaboration
 
AxCrypt is an encryption solution that has been widely adopted and should be considered if more than one individual is using the same machine on a regular basis. 
 
Files are secured with AES 128/256-bit encryption on Mac and Windows machines through simple one-click functionality. Once files and directories are secured, they can be opened with a password, and more than one AxCrypt user can open them if given permission to do so. In addition, information can be locked down across mobile devices and encryption can be extended to cloud services such as Google Drive or Dropbox.
 
Business users can manage passwords through a central platform. 
 
A free, limited version of AxCrypt is available. Yearly subscriptions for premium and business versions, including extended features and licensing for more than one machine, are also on offer. 


Kruptos 2

Subscription

Best suited for: Users who need strong encryption across multiple operating systems and the cloud
 
Kruptos 2 is a professional encryption suite for Windows, Mac, and Android. The strength of the software lies in its versatility, with encryption for content including files and financial data across operating systems, mobile, portable storage, and cloud services including Dropbox, Microsoft OneDrive, Apple iCloud, and Google Drive. 
 
Information is protected with AES 256-bit encryption and files can be shared across compatible platforms. You can also use Kruptos 2 as a strong password generator as well as a sensitive information vault by taking advantage of the secure note editor. 
 
The software also includes a file shredder for securely wiping data. 
 
Kruptos 2 operates on a license model in which you only need to purchase the software once. The cheapest option is a single license for macOS and Windows machines at $39.95. 
 
A cross-platform bundle is on offer for $64.95 and an additional solution, the Kruptos 2 to Go USB vault, can be purchased as a bolt-on for $24.95 -- or together with the cross-platform option for a total of $79.95.  


Trend Micro Endpoint Encryption

Subscription

Best suited for: Users who need enterprise-wide encryption 
 
Trend Micro's Endpoint Encryption software, part of the Smart Protection Suites range, can be used across Macs, Windows machines, and removable media to encrypt either full disks or individual files and folders. 
 
AES 128/256-bit encryption is on offer through passwords and multi-factor authentication across endpoints. Multiple user and administrator accounts can be set for individual devices. 
 
Other functionality includes the release of one-time passwords to access endpoint data, the remote wipe or lock of stolen devices, lockouts automatically enabled in response to failed authentication attempts, and the support of consumer-grade encryption services including BitLocker and FileVault. 
 
The management console for the software and keys can be integrated with other Trend Micro software. In addition, the suite is FIPS certified. 
 
Trend Micro's Endpoint Encryption solution is priced based on request. 


Boxcryptor

Subscription

Best suited for: Those who need end-to-end encryption for cloud storage services
 
Businesses that mainly use cloud storage rather than on-premises services should investigate Boxcryptor as a possible encryption solution. 
 
Boxcryptor is a cloud-focused encryption software supporting a total of 30 cloud services including Dropbox, Google Drive, and Microsoft OneDrive. A combination of AES 256-bit encryption and RSA encryption is utilized. 
 
Boxcryptor calls itself a "zero-knowledge provider" and aims to make spreading encryption across multiple services and mobile devices as easy as possible. 
 
Passwords, password keys, and file keys are kept on user devices, while business user keys, group keys, and company keys are encrypted and stored on the Boxcryptor server. 
 
The vendor uses a data center in Germany that is ISO/IEC 27001:2013 certified.
 
Boxcryptor has a limited, free option available for up to two devices. A personal subscription costs $48 per year, whereas an account for business use is priced at $96 for a yearly subscription. 


Sophos SafeGuard Encryption

Subscription

Best suited for: Users who require real-time management of encryption and applications
 
Sophos SafeGuard Encryption should be considered by enterprise users who want to ensure content is encrypted the moment it is created. 
 
The SafeGuard Management Center connects to BitLocker and FileVault for the control of access credentials and keys and the AES 128/256-bit encryption of either full disks or individual files. Users and applications are verified in real-time to protect data, and passwords can be created on the fly for sharing content. 
 
Mac, Windows, and Android are supported.
 
Sophos SafeGuard Encryption is on offer through different licensing models depending on whether a client requires web, on-premises, disk encryption, or a central management platform.


TokenEx

Subscription

Best suited for: Financial data holders

TokenEx is an encryption offering that specializes in the management and security of financial data. 
 
This data protection suite offers tokenization as a data steward -- the substitution of sensitive information, such as card numbers and PII, with surrogate "tokens" that carry no intrinsic value -- to enhance the security of customer records. 
 
Batch processing of customer financial data takes place through browser platforms and mobile software without the need to store customer information on-premises. AES 256-bit encryption is overlaid across the tokenized data. 
 
TokenEx, which is PCI compliant, is available as a licensed product with a range of payment options.


What we look for in encryption software

ZDNet's recommendations are based on three major themes: strength, flexibility of use, and multi-device and OS support. 
 
While some users and SMBs may need no more than simple, standalone encryption offerings to protect content on PCs, today's encryption solutions in the enterprise space -- especially important for larger firms -- must also keep hybrid environments and remote working in mind. 
 
COVID-19 has made this even more crucial: there is high demand for encryption solutions able to protect sensitive corporate data that workers access remotely and that is hosted either in the cloud or on company networks. Strong encryption is now necessary whenever files must be shared with others, not only to maintain your privacy but also to ensure data does not end up in the wrong hands. 


How Android 10 is making your phone more private and secure - The Next Web

Posted: 04 Sep 2019 12:00 AM PDT

Google released Android 10 last night to all Pixel phones. The update brings some nifty features like system-wide dark mode, a new gesture navigation system, and smart replies in notifications. But the release is actually focused on privacy and security upgrades; let's take a closer look at what's under the hood.

Location restrictions

Prior to Android 10, you could only allow an app to track your location either all the time or never. Starting with this version, you can allow an app to track your location only while it is in use. An app will also have to ask explicitly if it needs background location access.


Google has followed Apple's implementation, and for good reason. The iPhone maker upped the ante by introducing the "Allow once" option this year with iOS 13 for apps that need location access for a one-time authentication. I really hope Android implements this as an update or includes it in the next version.

New changes indicate apps that scan for networks using location data will have better protection from snooping.

Protection from device tracking

With Android 10, apps can't access sensitive device information such as device IMEI and serial number. Plus, the new Android version randomizes your MAC address by default when a device is connected to Wi-Fi. 

This effectively prevents apps from relaying sensitive identifying information about your device to remote servers, and reduces the chances of bad actors spying on you.

Limiting app access to external storage

Google is also limiting apps' access to their own folders in your device storage. That means an app can't access other folders on your SD card. It can still access media resources such as photos and videos through a secured shared implementation.

Android 10 also prevents apps from starting foreground activities and jumping in front of the queue. Instead, it'll force the app to run in the background or display only relevant notifications.

There are a bunch of new privacy changes that restrict access to camera metadata and turning Wi-Fi on or off. You can check out all the changes here.

Android 10 also offers a dedicated privacy screen in settings where you can manage your permissions, activity controls, and ad settings.

Enterprise security

On the enterprise side, Android 10 will allow IT managers to freeze updates for 90 days and push them manually in the form of a consolidated file if some customization is needed. Plus, admins can prevent the installation of apps from unknown sources when an employee is using a work profile. To increase security, apps can prompt users to create a stronger screen lock password if the requirements are not met.

Device-specific security measures

Starting with Android 10, phone makers have to encrypt data on the device using Google's new Adiantum encryption method. That'll ensure that hackers can't read the data stored on your device. The update also implements stronger security protocols such as TLS 1.3 for increased security while accessing the internet.

The search giant has also made changes to the Biometric API that allows apps and services to use face and fingerprint authentication to make it more robust and secure.

Google's security team says it's working on a system to integrate electronic ID in a device, so you can use your phone as an ID, just as you would your driver's license. However, we might see that in a later version of Android.

You can check out Android 10's security features here.

In the past year, we've seen various security incidents involving Android devices. While these changes might not make them the most secure devices around, they'll make things harder for hackers looking to break into your devices.

What if the FBI tried to crack an Android phone? We attacked one to find out - The Conversation US

Posted: 29 Mar 2016 12:00 AM PDT

The Justice Department has managed to unlock an iPhone 5c used by the gunman Syed Rizwan Farook, who with his wife killed 14 people in San Bernardino, California, last December. The high-profile case has pitted federal law enforcement agencies against Apple, which fought a legal order to work around its passcode security feature to give law enforcement access to the phone's data. The FBI said it relied on a third party to crack the phone's encrypted data, raising questions about iPhone security and whether federal agencies should disclose their method.

But what if the device had been running Android? Would the same technical and legal drama have played out?

We are Android users and researchers, and the first thing we did when the FBI-Apple dispute hit popular media was read Android's Full Disk Encryption documentation.

We attempted to replicate what the FBI had wanted to do on an Android phone and found some useful results. Beyond the fact the Android ecosystem involves more companies, we discovered some technical differences, including a way to remotely update and therefore unlock encryption keys, something the FBI was not able to do for the iPhone 5c on its own.

The easy ways in

Data encryption on smartphones involves a key that the phone creates by combining 1) a user's unlock code, if any (often a four- to six-digit passcode), and 2) a long, complicated number specific to the individual device being used. Attackers can try to crack either the key directly – which is very hard – or combinations of the passcode and device-specific number, which is hidden and roughly equally difficult to guess.

Decoding this strong encryption can be very difficult. But sometimes getting access to encrypted data from a phone doesn't involve any code-breaking at all. Here's how:

  • A custom app could be installed on a target phone to extract information. In March 2011, Google remotely installed a program that cleaned up phones infected by malicious software. It is unclear if Android still allows this.
  • Many applications use Android's Backup API. The information that is backed up, and thereby accessible from the backup site directly, depends on which applications are installed on the phone.
  • If the target data are stored on a removable SD card, it may be unencrypted. Only the most recent versions of Android allow the user to encrypt an entire removable SD card; not all apps encrypt data stored on an SD card.
  • Some phones have fingerprint readers, which can be unlocked with an image of the phone owner's fingerprint.
  • Some people have modified their phones' operating systems to give them "root" privileges – access to the device's data beyond what is allowed during normal operations – potentially weakening security.

But if these options are not available, code-breaking is the remaining way in. In what is called a "brute force" attack, a phone can be unlocked by trying every possible encryption key (i.e., all character combinations possible) until the right one is reached and the device (or data) unlocks.

Starting the attack

A very abstract representation of the derivation of the encryption keys on Android. William Enck and Adwait Nadkarni, CC BY-ND

There are two types of brute-force attacks: offline and online. In some ways an offline attack is easier – by copying the data off the device and onto a more powerful computer, specialized software and other techniques can be used to try all different passcode combinations.

But offline attacks can also be much harder, because they require either trying every single possible encryption key, or figuring out the user's passcode and the device-specific key (the unique ID on Apple, and the hardware-bound key on newer versions of Android).

To try every potential solution to a fairly standard 128-bit AES key means trying all 100 undecillion (10^38) potential solutions – enough to take a supercomputer more than a billion billion years.

Guessing the passcode could be relatively quick: for a six-digit PIN with only numbers, that's just a million options. If letters and special symbols like "$" and "#" are allowed, there would be more options, but still only in the hundreds of billions. However, guessing the device-specific key would likely be just as hard as guessing the encryption key.

Considering an online attack

That leaves the online attack, which happens directly on the phone. With the device-specific key readily available to the operating system, this reduces the task to the much smaller burden of trying only all potential passcodes.

However, the phone itself can be configured to resist online attacks. For example, the phone can insert a time delay between a failed passcode guess and allowing another attempt, or even delete the data after a certain number of failed attempts.

Apple's iOS has both of these capabilities, automatically introducing increasingly long delays after each failure, and, at a user's option, wiping the device after 10 passcode failures.

Attacking an Android phone

What happens when one tries to crack into a locked Android phone? Different manufacturers set up their Android devices differently; Nexus phones run Google's standard Android configuration. We used a Nexus 4 device running stock Android 5.1.1 with full disk encryption enabled.

Android adds 30-second delays after every five failed attempts; snapshot of the 40th attempt. William Enck and Adwait Nadkarni, CC BY-ND

We started with a phone that was already running but had a locked screen. Android allows PINs, passwords and pattern-based locking, in which a user must connect a series of dots in the correct sequence to unlock the phone; we conducted this test with each type. We had manually assigned the actual passcode on the phone, but our unlocking attempts were randomly generated.

After five failed passcode attempts, Android imposed a 30-second delay before allowing another try. Unlike the iPhone, the delays did not get longer with subsequent failures; over 40 attempts, we encountered only a 30-second delay after every five failures. The phone kept count of how many successive attempts had failed, but did not wipe the data. (Android phones from other manufacturers may insert increasing delays similar to iOS.)

These delays impose a significant time penalty on an attacker. Brute-forcing a six-digit PIN (one million combinations) could incur a worst-case delay of just more than 69 days. If the passcode were six characters, even using only lowercase letters, the worst-case delay would be more than 58 years.

When we repeated the attack on a phone that had been turned off and was just starting up, we were asked to reboot the device after 10 failed attempts. After 20 failed attempts and two reboots, Android started a countdown of the failed attempts that would trigger a device wipe. We continued our attack, and at the 30th attempt – as warned on the screen and in the Android documentation – the device performed a "factory reset," wiping all user data.

Just one attempt remaining before the device wipes its data. William Enck and Adwait Nadkarni, CC BY-ND

In contrast to offline attacks, there is a difference between Android and iOS for online brute force attacks. In iOS, both the lock screen and boot process can wipe the user data after a fixed number of failed attempts, but only if the user explicitly enables this. In Android, the boot process always wipes the user data after a fixed number of failed attempts. However, our Nexus 4 device did not allow us to set a limit for lock screen failures. That said, both Android and iOS have options for remote management, which, if enabled, can wipe data after a certain number of failed attempts.
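The throttling and wipe figures above, as an added worked model that is not from the article: it computes the worst-case time to exhaust a passcode space under the fixed 30-second-per-five-failures schedule observed on the Nexus 4, the same under an assumed iOS-style doubling schedule, and the chance a guesser succeeds before an attempt limit wipes the device. The passcode spaces and the Android schedule come from the article; the `every`, `delay_s`, `base_s` and `cap_s` parameters are assumptions added so the model generalises.

```python
import math

# Passcode spaces the article discusses (constructed constants for the model).
SIX_DIGIT_PIN = 10 ** 6    # digits only: "just a million options"
SIX_LOWERCASE = 26 ** 6    # a-z only
SIX_PRINTABLE = 95 ** 6    # any printable ASCII character: "hundreds of billions"


def worst_case_seconds(space, delay_s=30, every=5):
    """Seconds of enforced delay to exhaust `space` guesses when the lock screen
    pauses `delay_s` seconds after every `every` consecutive failures (the
    Nexus 4 on Android 5.1.1: 30 s after every 5 failures). The time to type
    each guess is ignored, so this is a lower bound on the attacker's cost."""
    return (space // every) * delay_s


def escalating_worst_case_seconds(space, base_s=1, cap_s=3600):
    """Same question under an assumed schedule where the delay doubles after
    every failure, starting at `base_s` and capped at `cap_s` (the article only
    says iOS delays get 'increasingly long'; the doubling is an assumption).
    Uses the closed form for the geometric part so large spaces need no loop."""
    uncapped = math.floor(math.log2(cap_s / base_s)) + 1  # failures below the cap
    if space <= uncapped:
        return base_s * (2 ** space - 1)
    return base_s * (2 ** uncapped - 1) + (space - uncapped) * cap_s


def wipe_limit_success_probability(space, limit):
    """Chance that a guesser who must succeed within `limit` attempts (30 at
    boot on the test device before the factory reset) hits a uniformly chosen
    passcode. Real users pick skewed PINs, so treat this as the best case for
    the defender, not a guarantee."""
    return min(1.0, limit / space)


def days(seconds):
    return seconds / 86400


def years(seconds):
    return seconds / (365.25 * 86400)


def summary():
    """Reproduce the article's figures and the wipe-limit odds in one table."""
    return {
        "six_digit_pin_days": days(worst_case_seconds(SIX_DIGIT_PIN)),
        "six_lowercase_years": years(worst_case_seconds(SIX_LOWERCASE)),
        "six_printable_years": years(worst_case_seconds(SIX_PRINTABLE)),
        "six_digit_pin_doubling_years": years(escalating_worst_case_seconds(SIX_DIGIT_PIN)),
        "boot_wipe_odds_six_digit": wipe_limit_success_probability(SIX_DIGIT_PIN, 30),
        "boot_wipe_odds_four_digit": wipe_limit_success_probability(10 ** 4, 30),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:32s} {value:,.4f}")
```

The two Android numbers match the article's "just more than 69 days" and "more than 58 years"; the wipe-limit line shows why a fixed attempt cap is a far stronger control than delay alone.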

Using special tools

The iPhone 5c in the San Bernardino case is owned by the employer of one of the shooters, and has mobile device management (MDM) software installed that lets the company track it and perform other functions on the phone by remote control. Such an MDM app is usually installed as a "Device Administrator" application on an Android phone, and set up using the "Apple Configurator" tool for iOS.

Our test MDM successfully resets the password. Then, the scrypt key derivation function (KDF) is used to generate the new key encryption key (KEK). William Enck and Adwait Nadkarni, CC BY-ND

We built our own MDM application for our Android phone, and verified that the passcode can be reset without the user's explicit consent; this also updated the phone's encryption keys. We could then use the new passcode to unlock the phone from the lock screen and at boot time. (For this attack to work remotely, the phone must be on and have Internet connectivity, and the MDM application must already be programmed to reset the passcode on command from a remote MDM server.)
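The key hierarchy sketched in the caption above, as an added simplified model that is neither the article's nor Android's own code: the key encryption key is derived with scrypt from the passcode together with a hardware-bound device key, the master key is stored wrapped under that KEK, and a passcode reset on a running phone re-wraps the unchanged master key. Assumptions: one scrypt pass, XOR as a stand-in for AES key wrap, and an 8-byte HMAC check value; the real Android 5.x scheme has more steps than this.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed scrypt cost (about 8 MiB); not Android's actual parameters.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 13, 8, 1


@dataclass
class EncryptedDisk:
    salt: bytes            # per-passcode salt, replaced on every reset
    wrapped_master: bytes  # 32-byte master key wrapped under the KEK
    key_check: bytes       # lets unlock() distinguish a correct unwrap from garbage


def derive_kek(passcode: str, device_key: bytes, salt: bytes) -> bytes:
    # The hardware-bound device key is mixed into the derivation, so a disk
    # image alone does not let an offline guesser derive candidate KEKs.
    return hashlib.scrypt(passcode.encode(), salt=device_key + salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _wrap(data: bytes, kek: bytes) -> bytes:
    # XOR is an involution, so the same call wraps and unwraps. Stand-in only:
    # a real design uses an authenticated AES key wrap here.
    return bytes(a ^ b for a, b in zip(data, kek))


def _check_value(master: bytes) -> bytes:
    return hmac.new(master, b"key-check", hashlib.sha256).digest()[:8]


def provision(passcode: str, device_key: bytes):
    """Create a fresh 256-bit master key and store it wrapped under the KEK."""
    master = os.urandom(32)
    salt = os.urandom(16)
    kek = derive_kek(passcode, device_key, salt)
    return master, EncryptedDisk(salt, _wrap(master, kek), _check_value(master))


def unlock(passcode: str, device_key: bytes, disk: EncryptedDisk):
    """Return the master key, or None when the passcode/device pair is wrong."""
    candidate = _wrap(disk.wrapped_master, derive_kek(passcode, device_key, disk.salt))
    if hmac.compare_digest(_check_value(candidate), disk.key_check):
        return candidate
    return None


def rewrap(master: bytes, new_passcode: str, device_key: bytes, disk: EncryptedDisk) -> None:
    """Wrap the unchanged master key under a new passcode; no data is re-encrypted.
    On a running, unlocked phone the master key is already in memory, so no old
    passcode is needed: this is the operation a device-admin MDM's passcode
    reset performs, and why the phone had to be powered on for it. Auditing
    which apps hold that right is the corresponding defensive control."""
    disk.salt = os.urandom(16)
    disk.wrapped_master = _wrap(master, derive_kek(new_passcode, device_key, disk.salt))


if __name__ == "__main__":
    device_key = os.urandom(32)            # constructed stand-in for the hardware key
    master, disk = provision("123456", device_key)
    assert unlock("123456", device_key, disk) == master
    rewrap(master, "correct-horse", device_key, disk)
    assert unlock("123456", device_key, disk) is None
    print("master key unchanged after reset:", unlock("correct-horse", device_key, disk) == master)
```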

Figuring out where to get additional help

If an attacker needed help from a phone manufacturer or software company, Android presents a more diverse landscape.

Generally, operating system software is signed with a digital code that proves it is genuine, and which the phone requires before actually installing it. Only the company with the correct digital code can create an update to the operating system software – which might include a "back door" or other entry point for an attacker who had secured the company's assistance. For any iPhone, that's Apple. But many companies build and sell Android phones.

Google, the primary developer of the Android operating system, signs the updates for its flagship Nexus devices. Samsung signs for its devices. Cellular carriers (such as AT&T or Verizon) may also sign. And many users install a custom version of Android (such as CyanogenMod). The company or companies that sign the software would be the ones the FBI needed to persuade – or compel – to write software allowing a way in.

Comparing iOS and Android

Overall, devices running the most recent versions of iOS and Android are comparably protected against offline attacks, when configured correctly by both the phone manufacturer and the end user. Older versions may be more vulnerable; one system could be cracked in less than 10 seconds. Additionally, configuration and software flaws by phone manufacturers may also compromise security of both Android and iOS devices.

But we found differences for online attacks, based on user and remote management configuration: Android has a more secure default for online attacks at start-up, but our Nexus 4 did not allow the user to set a maximum number of failed attempts from the lock screen (other devices may vary). Devices running iOS have both of these capabilities, but a user must enable them manually in advance.

Android security may also be weakened by remote control software, depending on the software used. Though the FBI was unable to gain access to the iPhone 5c by resetting the password this way, we were successful with a similar attack on our Android device.

This article was updated April 8, 2016, to add a missing word "not" in the sentence beginning "The phone kept count…"
