Ongoing revelations from the Edward Snowden leaks have put data security in the spotlight, particularly the security of data that resides in the cloud. It is imperative that cloud providers and IT vendors are able to offer potential customers the assurance that their data is safe. To respond to this need, Afore Systems has created a new set of applications (a management console and clients) called Cypher-X that provides an end-to-end security solution.
How does Cypher-X work?
The management console runs as a virtual machine (or on a physical server) and holds the policies that determine which applications are controlled. A controlled application is referred to as a certified application, meaning that control policies can be applied to it. When a client PC checks in with the management console, only certified applications run by users who meet the policy criteria are able to read the secured information. Figure A below shows the management console and the client running on different PCs.
Figure A: Cypher-X console and client
For example, suppose that my organization has confidential Word documents that need to be secured. Cypher-X would be configured to certify Word, using policies to determine which users, groups, and computers (through Active Directory) should be allowed to access this information. When Word data is created on a managed machine, the data stored in the document is encrypted. If my system has the Cypher-X client installed and I am in the correct groups, I will be able to see that data. If I am not in the right groups, the data will appear as an unreadable mess of encrypted text. Likewise, if I attempt to open the Word document with WordPad, the information remains encrypted.
Figure B shows the same file open in Word (the certified application) and in WordPad (a non-certified application). In Word the data is readable; in WordPad it is not.
Figure B: Certified applications vs. non-certified applications
Note: If your environment runs more than one version of an application, like Word, a separate policy will be needed for each version at this time.
If my computer does not have the Cypher-X client on it, I can still use Word, however my data will not be encrypted and I will be unable to open previously encrypted files from that station.
The Cypher-X client sits between the managed applications and Windows and is capable of capturing all I/O generated by an application. For certified applications this does two things: first, it allows Cypher-X to stay out of the way and remain mostly invisible to the user. Second, it allows data produced within a certified application to be encrypted as soon as it is produced. The benefit is that I can create data in Word, our example application, and even if I copy information to the clipboard, the data sent to the clipboard is encrypted. When it is pasted into another application, what appears there is encrypted text and no confidential information is displayed.
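The gating model described above (encrypt on write, release the key only to a certified application whose user satisfies the policy, and otherwise let the reader see only ciphertext) can be sketched as a small simulation. The block below is an added example written for this article, not Cypher-X code, and it does not reproduce the product's file format, its interception mechanism, or its cipher (the article does not name one); the `Policy`, `Console`, `app_write` and `app_read` names, the `CX01` header, and the HMAC-SHA256 counter-mode keystream are constructed stand-ins. The console here models the online check-in the article mentions: an unreachable console releases no key, so the document stays opaque.

```python
"""Toy model of policy-gated, encrypt-on-write document protection (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAGIC = b"CX01"  # constructed header marking a sealed blob; not the product's real format


@dataclass
class Policy:
    # Constructed policy: AD groups allowed to read, and applications certified
    # for this data class (the article's Word example).
    allowed_groups: frozenset
    certified_apps: frozenset


@dataclass
class Console:
    """Stand-in for the management console: it holds the key and releases it
    only to a client whose check-in satisfies the policy. When the console is
    unreachable the client gets nothing, which models the online requirement."""
    policy: Policy
    reachable: bool = True
    _key: bytes = field(default_factory=lambda: os.urandom(32), repr=False)

    def check_in(self, user_groups, app):
        if not self.reachable:
            return None
        if app not in self.policy.certified_apps:
            return None
        if not (frozenset(user_groups) & self.policy.allowed_groups):
            return None
        return self._key


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode is used here only for illustration;
    # a real product would use a standard AEAD such as AES-GCM.
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: MAGIC || nonce(16) || ciphertext || tag(32)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + ct + tag


def unseal(key, blob):
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 16 + 32:
        raise ValueError("not a sealed blob")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[4:20], blob[20:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("sealed blob has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def app_write(console, client_installed, app, user_groups, text):
    """Bytes that reach the disk or clipboard when `app` saves `text`."""
    data = text.encode()
    if client_installed and app in console.policy.certified_apps:
        key = console.check_in(user_groups, app)
        if key is None:
            raise PermissionError("certified app cannot save secured data without a check-in")
        return seal(key, data)   # intercepted on the way out of the application
    return data                  # no client, or non-certified app: stored in the clear


def app_read(console, client_installed, app, user_groups, stored):
    """What the user sees when `app` opens `stored`."""
    if not stored.startswith(MAGIC):
        return stored.decode()   # never sealed
    key = console.check_in(user_groups, app) if client_installed else None
    if key is None:
        return stored.hex()      # rendered as an unreadable blob
    return unseal(key, stored).decode()


def demo():
    policy = Policy(allowed_groups=frozenset({"Finance"}), certified_apps=frozenset({"Word"}))
    console = Console(policy)
    on_disk = app_write(console, True, "Word", ["Finance"], "Q3 numbers: confidential")
    results = {
        "word_finance": app_read(console, True, "Word", ["Finance"], on_disk),
        "word_sales": app_read(console, True, "Word", ["Sales"], on_disk),
        "wordpad_finance": app_read(console, True, "WordPad", ["Finance"], on_disk),
        "no_client": app_read(console, False, "Word", ["Finance"], on_disk),
    }
    console.reachable = False
    results["offline"] = app_read(console, True, "Word", ["Finance"], on_disk)
    console.reachable = True
    clip = app_write(console, True, "Word", ["Finance"], "pasted secret")   # copy from Word
    results["paste_into_notepad"] = app_read(console, True, "Notepad", ["Finance"], clip)
    return on_disk, results


if __name__ == "__main__":
    _, r = demo()
    for who, seen in r.items():
        print(f"{who:>18}: {seen[:40]}")
```

Only the `word_finance` case yields the plaintext; a wrong group, a non-certified application, a machine without the client, an unreachable console, and a paste into a non-certified application all see the sealed bytes. Note that in this model a certified application with a released key necessarily holds plaintext in memory, which is why the policy around which applications get certified matters as much as the cipher.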
Does it only work for client applications?
As useful as this is from a client or data-creation perspective, it is not the only place Cypher-X can help. If you decide that SQL Server or SharePoint needs to be a certified application, those services will not function for clients that do not meet the policy criteria. Any application that needs to access them (Internet Explorer in the case of SharePoint) must also be certified by Cypher-X. When both sides are certified, the connection is made and things work as expected. If, in the SharePoint case, Internet Explorer is not certified, access to the SharePoint environment is denied with an error message saying it is unavailable.
Remember: Errors can be redirected by IIS to show a page with a fuller explanation than the error provides, which can be helpful for your colleagues and reduce helpdesk calls.
How does Cypher-X prevent leaks?
Because data is encrypted as it is written and the client sits in the I/O stream, once the data leaves the secure environment it appears as encrypted data. This holds whether it leaves via SkyDrive, Dropbox, a USB drive, or a disconnected laptop.
Currently, the client needs to be online to check in with the management server for the decryption to be performed. Afore mentioned that they are considering features in the future to address the travelling CEO who might need to create or work with secured data offline.
Encourage cloud use… your data will stay secure
Even when documents created in certified applications are saved out to services like SkyDrive, the contents are encrypted before the save completes. This ensures that the file stored in the cloud is the encrypted file. Anyone accessing it sees secured data rather than the contents unless they meet the policy requirements: the right user or group, the right environment, and a certified application.
The encryption keys are managed by the management console and can be stored in Active Directory; they are not managed by or known to any cloud provider. Since the provider only ever stores ciphertext, neither the provider nor other tenants on its platform have any way to read your information.
Licensing and pricing
Cypher-X is licensed at $150 per user for perpetual licensing and $15 per user/month for subscription based licensing.
With all of the data leaks and worry about outside parties accessing information, the encryption approach in the Cypher-X product is genuinely innovative. Many solutions only encrypt data at rest; because this one encrypts data as it is created or edited by the application, it could help prevent both leaks and snooping. Certainly, this is something organizations today might want to consider to ensure the security of their data.
For organizations investing in technologies like DirectAccess, Cypher-X might be a good complementary deployment. With domain resources available over the Internet, securing information end to end with managed encryption could be a very complete solution for organizations in need of advanced data security.
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.