Echoworx Corp. has launched a new file and folder-based encryption platform, which integrates public key infrastructure (PKI) encryption into Windows Explorer. And while the company is hoping the security tool catches on amongst public and government organizations, one analyst says large enterprises might need to look elsewhere.
The Toronto-based Echoworx said Secure DOX was developed to address the growing problem of data loss and theft in many enterprises. To avoid becoming the next TJX, the company said, Secure DOX can play a crucial role in data encryption and in every organization’s data loss and leakage prevention strategy.
“It’s about saving people’s information from being released to the public, in an encrypted way,” Chris Erickson, executive vice-president of Echoworx, said. “And if there is a breach, administratively you won’t have to notify people. California data breach laws, for example, say that you have to notify everybody affected by a breach – unless you encrypted your information.”
Secure DOX can encrypt information that’s sitting on hard drives, laptops, thumbnail drives and even memory sticks, using the industry standard PKI encryption technology. Erickson also said that the software was designed to work inside Windows XP and Vista operating systems and uses the identity of the individual users to ensure the encryption.
“This is not a separate application,” he said. “It’s actually built right into Windows Explorer, so it’s very native and very familiar to the user. You can right click a file or simply drag-and-drop a group of files into a folder and automatically encrypt them.”
Echoworx said Secure DOX would cost “a few dollars” per user, per month and is a fully hosted solution that does not require additional IT investments.
But ease-of-use aside, one analyst said the security software was only moderately effective in protecting against data breaches. James Quin, senior research analyst at London, Ont. Info-Tech Research Group, said that a file or folder-based encryption system can mean that some documents slip through the cracks, especially compared with a full-disk encryption tool.
“If a document doesn’t get saved into the appropriate folder, no encryption is going to happen,” he said. “And while you can set up rules, such that all documents get saved to the My Documents folder, it becomes difficult to ensure the swap space and temporary files are encrypted properly, because invariably, they’re not part of the My Documents folder.”
One critical point to consider, according to Quin, is that Microsoft’s Encrypting File System (EFS) freely offers a similar file-based encryption platform in its Windows OS. And with the changes coming with Windows Vista and Windows Server 2008, he said, the EFS now has a lot of built-in manageability that it didn’t have before.
“The Secure DOX platform adds an ease-of-management layer that EFS hasn’t had in the past, but once enterprises have fully deployed Vista and Server 2008, I don’t see the play for this product,” Quin said. “This is something that might appeal to the small and medium enterprises looking to establish some sort of encryption infrastructure. They’re pitching themselves as a less expensive proposition from some of the disk-based solutions out there.”
But whatever encryption tool companies use, both Echoworx and industry analysts agree, integrating security technology along with corporate data security policies is crucial in sniffing out potential data breaches.
“The problem with policies alone is that they rely on individuals to enforce them, whereas technologies can do things automatically,” Erickson said. “With Secure DOX, if your policy is to ensure corporate information is always saved in your encrypted folders, it’s very easy to simply drag things in there. The technology automatically enforces those policies because it’s easy to use, as opposed to saying you always have to lock your filing cabinets at night.”
Quin agreed, saying that having a policy without encryption technology can lead to some potentially dangerous consequences.
“Invariably, the biggest vector to which information is lost internally is employee error,” he said. “You can train people until the cows come home, but unfortunately, people are always going to make mistakes. Encryption covers up those mistakes, so if I inadvertently attempt to send something out that is in an encrypted format, the leak is not going to occur.”
Echoworx also develops an encryption e-mail service and offers its security products through providers such Telus Corp., AT&T Inc. and British Telecom.