Independent Reviews of Network Hardware and Software

 

NETWORK TESTING LABS REVIEW

Secure Islands’ IQProtector


IQProtector Suite 5.0 was highly configurable, and it successfully secured our documents from prying eyes. However, it slows document access and is a bit pricey.
By Barry Nance


Executive Summary

IQProtector uses Microsoft's Active Directory Rights Management Services (AD RMS, called RMS throughout this review) to encrypt and decrypt individual documents.

  • IQProtector offers several privacy levels
  • It enforces excellent document security
  • It's quite slow, especially for larger documents
  • It requires a modicum of administrative effort
  • IQProtector is not cheap


The small, camera-equipped drone hovers unobtrusively outside your office window, quietly photographing the confidential documents on your desk and on your computer screen. A dumpster diver retrieves your shredded printouts, scans them into a computer and uses jigsaw-puzzle-solving software to reassemble the shreds into legible documents. An innocent-looking but virus-infected computer uses nothing more than heat signatures to glean data from your air-gapped (non-networked), “off-the-grid” machines that you thought were perfectly safe from prying eyes. And an industrial spy has tapped into your network links to make copies of private documents as they flow around your company.

You’re on your own with the drone, the dumpster diver and the heat-signature-reading computer (good luck!). However, you can use encryption to thwart the industrial spy who wants to steal your digital documents.

Full disk encryption (FDE) – think Microsoft BitLocker – is a particularly effective way to render data illegible and useless to a thief who has stolen a physical computer, but it protects data only at rest: once the machine is booted and unlocked, every process on it, and every copy that leaves it over the network, sees plaintext. In contrast, file encryption (à la Microsoft Rights Management Services, or RMS) protects the data itself, document by document, on any computer and across any network link. RMS technology, whose client Microsoft includes in many versions of Windows, can encrypt individual files at the time of creation; it allows decryption only by the Active Directory users or groups named in the document's publishing license, and it can also restrict what those users may do afterwards (print, copy, forward). Microsoft Office applications are RMS-aware.

But how do you administer and manage RMS? What about file types and applications beyond those of Microsoft Office? Can you force certain users or groups (e.g., the Finance Department’s Mergers and Acquisitions Research Team) to encrypt their files? When a user creates a document containing sensitive information, how can you remind that user to encrypt or otherwise classify the file? How can you monitor encrypted file usage across the enterprise? How do you authorize document access for some people and deny it to others? What about the documents that already exist at the time you decide to begin using digital encryption?

Guarding access to your private digital documents is not a simple or cheap affair. Plan to do a risk assessment before your organization decides to embrace file encryption. Be aware that digital document privacy adds significant costs in the form of administrative effort and user training. These costs are worthwhile expenditures if exposure or disclosure of sensitive information would likely result in even greater costs.

A handful of vendors offer products to help you achieve a high level of digital document confidentiality and privacy. Unfortunately, most of these vendors are quite coy about having anyone evaluate their products. For this review, we invited EMC, Secure Islands, GigaTrust, Seclore and Watchful Software to send us software that we could test in our Alabama laboratory. Only Watchful Software and Secure Islands responded. Watchful Software declined to participate upon learning the vendor could not help us install its server component – a difficult process that is apparently fraught with peril. Secure Islands sent us IQProtector Suite 5.0.

Secure Islands’ IQProtector (in conjunction with Microsoft’s RMS technology) encrypts and decrypts more than 1,000 file types. It secured our files based on a variety of criteria that included content, user ID, user group and user choice. It gave us four security levels from Top Secret through Public and was simple and painless to administer. It monitored access to secure files and produced useful, informative reports. IQProtector even scanned and classified documents we downloaded from (or uploaded to) Web sites.

On the other hand, IQProtector is highly Windows-centric (because it relies on RMS technology), it’s pricey and it slows document access noticeably. IQProtector “paused” the opening or creation of encrypted files by a few seconds even for small documents. For larger files, access was annoyingly slow. We concluded that IQProtector is inappropriate for files of about 25 MB or greater. However, the slower performance is doubtless part of the price we paid for privacy. Overall, IQProtector is an effective privacy tool that we recommend you take a close look at.


IQProtector architecture

IQProtector has two server components, a Management Server and a Classification & Protection Server. It stores policies (rules for what and when to encrypt) and event logs in a Microsoft SQL Server database server. It requires that Microsoft RMS be enabled on all the computers that create, store or process encrypted files, and each of these computers also needs an IQProtector agent (an Interceptor). These agents run on client (user) computers, terminal server computers, file servers and application servers (such as Microsoft Exchange, Microsoft SharePoint and OpenText Enterprise Content Management [ECM] servers).

For specialized, customer-unique file types and content, IQProtector has a well-documented, easy-to-use API, described in its Developer’s Guide, for building Custom Interceptors. Additionally, IQProtector has a Data Scanner component that “crawls” through file systems. It looks for files that, according to administrator-configured policies, should be encrypted but are not.

Administrators use IQProtector’s Web-based interface to create and manage policies, set up file system discovery parameters for the Data Scanner, audit for compliance with corporate privacy goals and analyze IQProtector’s ongoing operations.

At each file access, an IQProtector endpoint Interceptor sends data to the IQProtector Classification and Protection (C&P) Server. The C&P Server uses policies, data content and other factors to decide whether the data should be encrypted, performs the encryption and returns the result to the Interceptor. A Server Interceptor can additionally take on the role of C&P Server. In a cloud-based environment, the Interceptors are local while both the C&P Server and Management Server reside in the cloud. Because this exchange happens on every file access, the C&P Server’s reachability and response time sit directly on the path of every open and save; plan its placement and capacity accordingly.



The Management Server provides the Web-based user interface. It sends policies to Interceptors and the C&P Server and, in return, gets activity logs, which it stores in the database. The Management Server analyzes and summarizes the encryption activity, and it also displays the results of the Data Scanner’s search for files that should be encrypted.

Installation was simpler than this description of IQProtector’s architecture implies. The Management Server and the C&P Servers required just a few minutes each. After IQProtector instantiated its SQL Server database, we set up each endpoint Interceptor on our client computers and used the Management Server’s browser-based interface to configure a dozen initial policies. We installed and fired up the Data Scanner, which gave us a report that accurately identified the test files we expected it to find. IQProtector’s documentation is comprehensive, but it lacks a clear, intuitive explanation of IQProtector’s concepts and terminology. Fortunately, IQProtector is easier to use than it is to explain.

IQProtector supports several versions of Windows: XP Pro, Windows 7, Windows 8, Server 2003, Server 2008 and Server 2012. (Windows XP and Server 2003 passed Microsoft’s end of support in April 2014 and July 2015 respectively; an RMS client on an unpatched platform undercuts the protection.) It works with Microsoft Office 2003, Office 2007, Office 2010, Office 2013 and Office 365, and it requires SQL Server 2008 or SQL Server 2012. Secure Islands’ IQProtector Mobile component provides access to secured email messages and attachments on iOS, Android and BlackBerry mobile devices.


Files, emails, clouds and security levels

As directed by policies configured by an administrator, IQProtector secures files, email messages, Web pages and cloud data. These policies use content types (file extensions and MIME types), Web and file folder names (e.g., a directory named TopSecret), specified sender or recipient email addresses, email subject line tags (such as _Top_Secret_), a named application, patterns or phrases in the data itself, Active Directory attributes (such as a department ID), IP addresses and storage device identities (such as a USB drive) to classify a file’s privacy level.

IQProtector gave us complete flexibility regarding the classification and encryption of our documents. For our simulated Audit Department, we configured IQProtector to automatically restrict access to files created by anyone in that department. We used IQProtector to make sure that only people with the appropriate credentials could view our Mergers and Acquisitions plans. IQProtector’s Data Scanner examined the contents of our files and told us which pre-existing documents needed a security classification. It warned us before we sent a secured email message to someone outside the company (in order to access confidential documents or email messages, an external user must be using Microsoft RMS and must be able to authenticate him or herself). In all our tests, IQProtector was always able to secure our files exactly as we wished.

IQProtector understands the file formats of over 1,000 file types and can examine their contents for sensitive data, such as credit card numbers or references to financial information. These are the same 1,000-plus file types that HP’s KeyView file-viewer engine supports. Secure Islands says that IQProtector has special support for the OpenText company’s Enterprise Content Management (ECM) Suite, but we did not test this. For other, specialized file types, an organization can use Secure Islands’ .NET SDK or Web Services REST API to customize and extend IQProtector’s ability to examine file contents. We found the process of programming a Custom IQProtector Interceptor to be quite straightforward and simple in our simulated automatic document processing system (see “Beyond spreadsheets, email and word processing”).



IQProtector has four default data sensitivity levels: Public, Internal, Secret and Top Secret. A person creating a document, if directed by an administrator’s policy configuration, chooses one of these four levels. Or, during (possibly unattended) file creation, IQProtector assigns each file a data sensitivity level according to a rule set up by an administrator. In the form of metadata, IQProtector attaches to each file or email message the data sensitivity level, the data security type (such as Customer Information, Personal Identification Information, Financial Information, or Personal Credit Card Information) and other security-related characteristics.

IQProtector’s ability to identify sensitive data content was impressive. We could flag documents based on words, phrases, regular expressions, credit card data and other criteria, and IQProtector contains special logic to identify Payment Card Industry (PCI) card data.

Note that, while administrators do not see the data content you designate as confidential, they do necessarily see the words and phrases that they insert into rules and policies. A rule that flags documents mentioning a merger target leaks that target’s name to everyone who can read the policy. Accordingly, administrators will know the names of companies involved in a merger or acquisition and thus need a security clearance appropriate to that knowledge.

IQProtector’s security was top-notch in our tests. We tried various hacking methods to decrypt files, alter a file’s metadata and otherwise defeat IQProtector’s security – to no avail. Bear in mind what RMS-based protection can and cannot do: it keeps an unauthorized party from decrypting the file, but a user who is authorized to view a document can still photograph the screen or retype its contents, so the classification rules must be paired with careful decisions about who is authorized in the first place.


Administering and using IQProtector

IQProtector selectively encrypts files and email messages based on what Secure Islands calls Information Profiles, Data Classes and Classification Rules. An Information Profile specifies an information category, such as “new product sales forecast spreadsheets” or “merger/acquisition plans.” An Information Profile can be defined by metadata such as file type, data source or data contents, and it can contain references to other Information Profiles. A Data Class is an administrator-supplied label that describes a security characteristic, such as Data Sensitivity. A Data Class can have multiple values (such as Public, Internal, Secret and Top Secret), and an administrator can put Data Classes into named groups.

A Classification Rule tells IQProtector the circumstances in which it should apply its privacy protections. The Rule specifies how to use Information Profiles and Data Classes to decide whether to mark a file or email message for private consumption. For example, a Classification Rule might automatically (no user intervention required) add a particular Data Class value, such as Top Secret, to documents created by someone in the Audit Department. The associated Information Profile specifies a data source of the Audit Department, which IQProtector recognizes because the user logon ID’s Active Directory group is “Audit.”

If the administrator so specifies, a Classification Rule might instead cause a user, at file creation or file save time, to see a pop-up window in which he or she gives the document a particular Data Class. The administrator chooses the list of Data Classes from which the user selects and whether the user must assign a data classification before proceeding further. A Classification Rule might also insert configurable content (such as “Confidential – For Finance Dept. Use Only”) into the header or footer area of selected documents.

 

Classification Rules can work in combination. For example, one rule might automatically designate all documents created in the Audit Department as “Internal,” while another rule allows an auditor to raise the privacy level of a particular document to “Top Secret”; that document then carries the higher level.
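To make the Information Profile / Data Class / Classification Rule model, the four sensitivity levels and the card-number detection described above concrete, here is an added example written for this page; it is not Secure Islands’ code, and IQProtector’s real rule syntax and API are not shown here. It implements a miniature classifier over the same concepts: each rule pairs a profile predicate (file extension, folder name, Active Directory group, content pattern, or the user’s pop-up choice) with the Data Class values it assigns; rules combine by keeping the most restrictive level, so a user can raise but never lower an automatic classification; and a Luhn-checked number finder stands in for the PCI logic. The rule names, the “Audit” group, the folder name and the sample documents are constructed for illustration.

```python
"""Miniature classification engine modelled on the Information Profile /
Data Class / Classification Rule concepts in the review.  Added illustration
only: not Secure Islands code; rule names, groups and documents are made up."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# The "Data Sensitivity" Data Class, ordered from least to most restrictive.
SENSITIVITY = ["Public", "Internal", "Secret", "Top Secret"]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real card numbers satisfy; it weeds out most
    13-19 digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Document:
    path: str
    text: str
    owner_groups: frozenset = frozenset()   # AD groups of the creating user
    user_choice: Optional[str] = None       # level picked in the pop-up, if any


@dataclass
class Classification:
    sensitivity: str = "Public"
    data_types: set = field(default_factory=set)     # e.g. "Financial Information"
    matched_rules: list = field(default_factory=list)


@dataclass
class Rule:
    """A Classification Rule: an Information Profile (the predicate) plus the
    Data Class values it assigns.  from_user=True takes the level from the
    user's pop-up choice instead of a fixed value."""
    name: str
    profile: Callable[[Document], bool]
    sensitivity: Optional[str] = None
    data_type: Optional[str] = None
    from_user: bool = False


def rank(level: str) -> int:
    return SENSITIVITY.index(level)


def classify(doc: Document, rules: list) -> Classification:
    """Apply every rule whose profile matches.  Rules combine by keeping the
    most restrictive level, so a user can raise but never lower what an
    automatic rule assigned."""
    result = Classification()
    for rule in rules:
        if not rule.profile(doc):
            continue
        result.matched_rules.append(rule.name)
        if rule.data_type:
            result.data_types.add(rule.data_type)
        level = doc.user_choice if rule.from_user else rule.sensitivity
        if level in SENSITIVITY and rank(level) > rank(result.sensitivity):
            result.sensitivity = level
    return result


def must_encrypt(c: Classification) -> bool:
    """Anything above Public goes to the C&P server for encryption."""
    return c.sensitivity != "Public"


def in_folder(doc: Document, name: str) -> bool:
    """Folder-name profile; splits on both Windows and POSIX separators."""
    return name.lower() in (p.lower() for p in re.split(r"[\\/]", doc.path))


# Constructed rule set.  The selectors themselves (the merger pattern, the
# folder and group names) are readable by every policy administrator.
RULES = [
    Rule("audit-auto-internal",
         profile=lambda d: "Audit" in d.owner_groups,
         sensitivity="Internal"),
    Rule("audit-user-upgrade",
         profile=lambda d: "Audit" in d.owner_groups and d.user_choice is not None,
         from_user=True),
    Rule("topsecret-folder",
         profile=lambda d: in_folder(d, "TopSecret"),
         sensitivity="Top Secret"),
    Rule("pci-card-data",
         profile=lambda d: bool(find_pans(d.text)),
         sensitivity="Secret", data_type="Personal Credit Card Information"),
    Rule("m-and-a-plans",
         profile=lambda d: d.path.lower().endswith((".docx", ".xlsx", ".pdf"))
         and re.search(r"\b(merger|acquisition)\b", d.text, re.I) is not None,
         sensitivity="Top Secret", data_type="Financial Information"),
]


if __name__ == "__main__":
    memo = Document(r"\\fs1\audit\q3-notes.docx", "Internal audit notes.",
                    frozenset({"Audit"}), user_choice="Top Secret")
    c = classify(memo, RULES)
    print(c.sensitivity, sorted(c.data_types), c.matched_rules, must_encrypt(c))
```

Run the file directly to classify a constructed Audit Department memo whose author chose Top Secret in the pop-up: the automatic rule gives it Internal and the user rule raises it to Top Secret. The same author choosing Public leaves it at Internal, which is the behaviour the combination example above calls for. The Luhn check is what keeps a spreadsheet full of order numbers from being swept into the PCI class; a 16-digit string that fails the checksum is ignored.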

To get you started, Secure Islands includes a number of basic, pre-configured Information Profiles, Data Classes and Classification Rules with IQProtector.

As we found in testing, designating these encryption criteria is the most important step in administering IQProtector. Doing it well (i.e., comprehensively but not in too much detail) requires a good deal of forethought and careful analysis. In some of our tests, we defined absolutely every possible privacy situation we could think of. As a result, we had myriads of IQProtector criteria to maintain and we quickly found the effort labor-intensive and even a bit confusing. We think your success with using IQProtector (or any privacy scheme, for that matter) will depend mostly on two considerations … your company’s whole-hearted, serious embracing of the new environment and your analysis of your documents and their flow through the organization.


Beyond spreadsheets, email and word processing

To evaluate IQProtector outside the mundane environment of Microsoft Office, we developed an automatic document processing system that, among other functions, inspected the contents of various files: PDF reports, DOCX and XLSX Office documents, accounting system files, VSD Visio drawings and a range of internal custom application files. The result was a batch processing system with which we could fairly quickly look for patterns (or for the absence of patterns that ought to be present) across myriads of files.

We ran two sets of tests. One used unencrypted, unprotected files. The other put IQProtector in control of the secure, private data.






We used Visual Prolog, an AI programming language, to create software that looked through these files for anomalies, discrepancies and contradictions. Most but not all the files contained confidential data. Our Prolog software made use of the IQProtector Custom Interceptor .NET API and the Microsoft RMS API to both gain access to the unencrypted contents of each file and also change the privacy classification levels of selected files.

The IQProtector and RMS interfaces unlocked our confidential files and let us manipulate the files’ security settings, but we paid a high price for access to the private data. Run times more than doubled in the IQProtector environment.

Conclusion

IQProtector is an excellent guardian environment for keeping designated documents private. It’s easy to administer, once you master its concepts. IQProtector is highly configurable … you can tailor it to automatically secure one type of document while at the same time you specify that users must manually classify another type of document.

 

IQProtector does slow access to confidential files and is somewhat pricey. However, if you need to keep industrial spies from stealing your private data, we think IQProtector is worth a close look.

Scorecard

Secure Islands IQProtector Suite 5.0

Category (weight)                           Score
File types and security levels (20%)        10
Platforms (20%)                             5
Administration (20%)                        8
Ease of use (20%)                           8
Reports (10%)                               8
Installation and documentation (10%)        8
Total score                                 8.0

Scores can range from 1 to 10, with 10 the highest. (The listed weights and category scores work out to a weighted average of 7.8; the 8.0 total is the review’s published figure.)


Vendor data

IQProtector Suite 5.0

Starts at $65 per user
Secure Islands, Inc.
646-313-3798

www.secureislands.com

 




Copyright 2016 Network Testing Labs

