Removable Storage Frequently Asked Questions
This page contains answers to the most commonly asked questions about Removable Storage
Removable Storage Encryption
- Does GuardianEdge Removable Storage use a file-based or volume-based approach to protect data?
- How does GuardianEdge Removable Storage encrypt and decrypt data?
- What algorithms does GuardianEdge Removable Storage use to protect data?
- What certifications does GuardianEdge Removable Storage possess?
- What options do users have for deciding how they are going to encrypt data?
- Do users notice a change in performance when using GuardianEdge Removable Storage?
- How does GuardianEdge Removable Storage treat existing unencrypted files that are already on a device?
- Can GuardianEdge Hard Disk and GuardianEdge Removable Storage run on the same endpoint?
Enterprise Manageability
- Is GuardianEdge Removable Storage integrated with Active Directory?
- How does GuardianEdge support Novell eDirectory?
- How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?
- How do administrators deploy GuardianEdge Removable Storage to endpoints?
- When new releases or upgrades come out, how do administrators upgrade the endpoints?
- How are policies set and pushed out to endpoints?
- Can GuardianEdge Removable Storage force data saved to removable storage devices to be encrypted?
- How are users authenticated in order to access encrypted data?
- Can GuardianEdge Removable Storage be used on multi-user computers, such as those used at kiosks, hospitals, and police stations?
- How scalable is GuardianEdge Removable Storage?
- Is GuardianEdge Hard Disk Encryption Integrated with Altiris?
Key Management
- How are files encrypted?
- Is there a means to access encrypted files if a user forgets their password?
- How are encryption keys protected in order to ensure that encrypted data remains secure?
- Does GuardianEdge Removable Storage offer an easy way for users who are part of the same workgroup to protect and share data?
- Is a PKI infrastructure required to use GuardianEdge Removable Storage?
Data Portability
- Can data encrypted by GuardianEdge Removable Storage be accessed on computers that are not running the software?
- When encrypted data is accessed on machines not running GuardianEdge Removable Storage can it be re-encrypted?
- Can GuardianEdge Removable Storage protect email attachments?
- Can GuardianEdge Removable Storage protect CDs/DVDs?
Supported Platforms/Devices
- What storage devices does GuardianEdge Removable Storage support?
- What physical media does GuardianEdge Removable Storage support?
- What operating systems does GuardianEdge Removable Storage support?
End User Experience
- What methods are available for users to authenticate to encrypted data?
- Do users have to go through any sign-up or registration process before they can start using GuardianEdge Removable Storage?
- Does encryption interfere with normal usage of the machine?
- Does the user need to perform any additional steps to access encrypted data?
- How does a user share encrypted data with co-workers? How about with suppliers, partners, and other external parties?
- Does the encryption and decryption cause degradation in performance?
- Does GuardianEdge Removable Storage create any application compatibility issues?
Reporting
- Does GuardianEdge Removable Storage enable administrators to validate that the proper policies are in place?
- Does GuardianEdge Removable Storage provide logging of endpoint events and activities?
- Does the reporting include details for users and computers?
Removable Storage Encryption
1) Does GuardianEdge Removable Storage use a file-based or volume-based approach to protect data?
GuardianEdge Removable Storage uses a file-based approach to encrypt data. Files are individually encrypted with their own randomly generated file encryption key. This is in contrast to a volume-based approach whereby all of the files on a device are encrypted as a single unit. Advantages of a file-based approach include the following:
- Flexibility for users to use a device for personal and work. File-based encryption allows employees to have their personal data that is saved from their home computers unencrypted on the same device as the data that is saved from their work computer that is forced to be encrypted.
- Enhanced security when devices are shared with one or more people – File-based encryption provides users the ability to set different passwords for different files, thereby providing others access only to the files that are intended for them. With volume-based encryption, on the other hand, there is only one password, and anyone that knows that password can access all of the files on a device.
2) How does GuardianEdge Removable Storage encrypt and decrypt data?
GuardianEdge Removable Storage intercepts files read from and written to storage devices. For file reads, GuardianEdge Removable Storage allows unencrypted files to be opened exactly as they would be if GuardianEdge Removable Storage were not installed on the computer (provided there is no "No Access" policy in place). For encrypted files, GuardianEdge Removable Storage first tries to decrypt the file with the workgroup key (if there is one), then with passwords the user entered earlier in the session. Only if neither of these succeeds does it prompt the user to enter a password or, when combined with GuardianEdge Advanced Authentication, to insert a smart card or token to decrypt the file.
When users write data to storage devices, GuardianEdge Removable Storage will intercept the write and, if a forced encryption policy is in place, will encrypt the file. Users will be prompted to enter a password and/or certificate(s) that will be used to protect the file encryption key, if they have not already set these.
3) What algorithms does GuardianEdge Removable Storage use to protect data?
GuardianEdge Removable Storage uses AES-128 and AES-256 algorithms to protect encrypted data.
4) What certifications does GuardianEdge Removable Storage possess?
- The cryptographic module that implements GuardianEdge Removable Storage's encryption algorithms is FIPS 140-2 validated (FIPS 140-2 validation applies to a cryptographic module, not to an algorithm on its own).
- GuardianEdge Removable Storage is designed to meet Common Criteria EAL4 requirements and is in evaluation for EAL4 certification; until the certificate is issued, EAL4 compliance is a vendor statement rather than a certified result.
5) What options do users have for deciding how they are going to encrypt data?
Users can encrypt data using standard encryption or can create self-extracting encrypted archives.
Files encrypted with standard encryption can be accessed on computers that have GuardianEdge Removable Storage installed and, using the Removable Storage Access utility, on computers that do not. Users do not have to do anything to select this method of encryption; it occurs automatically when users save data to devices/media.
Self-extracting encrypted archives are intended for one-way distribution to recipients, such as attorneys, accountants, partners, and vendors that do not have GuardianEdge Removable Storage installed on their computers, although the files can also be accessed from computers that do have GuardianEdge Removable Storage installed. Self-extracting archives can be saved to storage devices, sent by email, or placed on a network share or FTP server.
6) Do users notice a change in performance when using GuardianEdge Removable Storage?
There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).
7) How does GuardianEdge Removable Storage treat existing unencrypted files that are already on a device?
Administrators can decide how plaintext files already on a device are dealt with. Plaintext files can either be allowed to remain unencrypted or can be forced to be encrypted.
8) Can GuardianEdge Hard Disk and GuardianEdge Removable Storage run on the same endpoint?
Yes. GuardianEdge Hard Disk and GuardianEdge Removable Storage complement each other. GuardianEdge Hard Disk protects data on the hard drive, while GuardianEdge Removable Storage protects data on storage devices.
When users save data from a disk that GuardianEdge Hard Disk has encrypted to a storage device, GuardianEdge Hard Disk decrypts the data on the fly as it is being read from the hard drive into RAM. At this point, this data is indistinguishable from data that is being read from a disk that is not encrypted. The data then gets copied to the storage device, and GuardianEdge Removable Storage encrypts the data as it is being written to the storage device.
If a user copies or drags-and-drops an encrypted file from a storage device to the hard drive, GuardianEdge Removable Storage will first decrypt the file so that the computer can read it into RAM. Then, the computer will write the data to the hard drive, at which point, GuardianEdge Hard Disk will encrypt it.
Enterprise Manageability
1) Is GuardianEdge Removable Storage integrated with Active Directory?
GuardianEdge Removable Storage is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:
- MMC interface - The GuardianEdge Management Console uses a native MMC interface, already familiar to administrators for managing email and systems and allowing them to be immediately effective with minimal training.
- Microsoft GPO policy control - Policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available through GuardianEdge Manager, and no periodic LDAP sync is required to keep it up to date.
- Active Directory role-based administration - The GuardianEdge Data Protection Platform uses Active Directory's role-based capabilities. Administrators can be limited to specific functions within the GuardianEdge Management Console, such as creating MSI files or viewing monitored data. Additionally, administrators can be restricted to deploying GuardianEdge policies only to a specific domain, site, OU, or group.
- Active Directory’s Resultant Set of Policies (RSoP) can be used to determine the winning GuardianEdge policy on an endpoint.
- Structure and policy deployment - GuardianEdge Platform policies use Active Directory’s replication, forest / domain structures and policy deployment mechanisms.
2) How does GuardianEdge support Novell eDirectory?
GuardianEdge provides support for Novell eDirectory via automatic synchronization. The Novell eDirectory full hierarchy and computer objects are imported and can be managed from the same single management console with Active Directory endpoints and endpoints not part of any network domain. Policy deployment is via GuardianEdge’s native policy control mechanism or via MSI package deployment to the Novell endpoints.
In addition, machines can be moved to Active Directory management from eDirectory management without loss of protection or reporting.
3) How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?
Non-domain endpoints—such as computers that are connected via VPN from home users and also contractors’ machines that connect to the network—are supported from the GuardianEdge Management Console. Once software is deployed to these endpoints, they begin reporting into the console and are managed with GuardianEdge’s native policy control and reporting mechanisms.
In addition, these non-domain machines can be moved to Active Directory management without loss of protection or reporting.
4) How do administrators deploy GuardianEdge Removable Storage to endpoints?
Administrators deploy GuardianEdge Removable Storage to endpoints using their existing deployment tools and methodologies. GuardianEdge Removable Storage supports deployment using any standard software deployment tool that can distribute .msi packages. These include third party software deployment tools, such as SMS and Tivoli, and Microsoft GPOs.
5) When new releases or upgrades come out, how do administrators upgrade the endpoints?
Administrators upgrade the endpoints by pushing out an MSI package with the new version using their existing deployment methodologies and tools. If using a third party deployment tool, the administrator will need to inform the tool that the MSI package will be upgrading an installation in place, as opposed to creating a fresh install. If using GPOs, the administrator can right-click on the GPO and indicate that the MSI package upgrades a previously pushed out MSI package.
6) How are policies set and pushed out to endpoints?
For Active Directory, GuardianEdge Removable Storage policies are set in the same way as other Group Policy settings. To deploy a new GPO, the administrator right-clicks the GPO container and selects "New", then right-clicks the new GPO, selects "Edit", and chooses the GuardianEdge Removable Storage setting to modify, for example "Encrypt All Files". After saving the setting, the administrator closes the GPO editor and links the GPO to an Active Directory container (domain, site, or OU). As the final step, the administrator must ensure that this GPO has higher precedence than any other GPO containing the same settings; Resultant Set of Policy (RSoP) shows which value wins on a given endpoint.
For Novell eDirectory and for non-domain computers, the operation is similar, but the policies are deployed using GuardianEdge’s native policy deployment mechanism.
7) Can GuardianEdge Removable Storage force data saved to removable storage devices to be encrypted?
Yes. All files that are saved to a storage device are forced to be encrypted if there is an administrator-defined policy in place to force encryption.
8) How are users authenticated in order to access encrypted data?
Users authenticate with whichever credential protects the file encryption key. If a workgroup key is present on the endpoint and matches the file, the file opens with no prompt. If the file is protected with a password, the user enters that password (passwords already entered in the session are retried automatically before prompting). When GuardianEdge Advanced Authentication is installed and the file is protected with a certificate, the user inserts a smart card or token holding the private key that matches that certificate. Each user's GuardianEdge account is created automatically when the user logs on to Windows, so no separate sign-up step is required before authenticating.
9) Can GuardianEdge Removable Storage be used on multi-user computers, such as those used at kiosks, hospitals, and police stations?
Yes. Each user has his/her own GuardianEdge account that is created automatically and behind the scenes when the user logs on to Windows. The user can use this to encrypt data that he/she writes to storage devices, and the administrator can be assured that all data that users write is encrypted.
10) How scalable is GuardianEdge Removable Storage?
The server management infrastructure leverages both Active Directory and SQL Server from Microsoft, ensuring robust management and reporting capability that scale to virtually all enterprise deployment requirements. Data is stored in Microsoft SQL Server, thereby taking advantage of this high-capacity, highly scalable database environment. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with removable storage encryption.
11) Is GuardianEdge Hard Disk Encryption Integrated with Altiris?
Yes. The GuardianEdge Altiris Connector integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server. This allows organizations to:
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment alongside asset, configuration, patch and update management
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
Key Management
1) How are files encrypted?
Files are encrypted with "file encryption keys" generated by GuardianEdge's FIPS 140-2 validated pseudo-random number generator. Each file encryption key is then itself encrypted (wrapped) under one or more keys that correspond to user and administrator credentials, as controlled by administrator policy: a key derived from the user's password, and/or the public key of one or more certificates. Additionally, if the computer from which the data is being saved is part of an administrator-defined workgroup, the file encryption key is also wrapped with the workgroup key for common workgroup access.
2) Is there a means to access encrypted files if a user forgets their password?
Yes, GuardianEdge Removable Storage provides a recovery method whereby administrators can access files for which users forgot their passwords.
3) How are encryption keys protected in order to ensure that encrypted data remains secure?
GuardianEdge Removable Storage protects each file encryption key with other encryption keys as defined by the administrator. These keys permit access to the encryption key, and may include: a workgroup key, a password, a recovery key, or, when combined with GuardianEdge Advanced Authentication, may also include one or more certificates.
4) Does GuardianEdge Removable Storage offer an easy way for users who are part of the same workgroup to protect and share data?
Yes. Administrators can enable a workgroup key. This allows seamless encryption and decryption of data for members of the same workgroup.
5) Is a PKI infrastructure required to use GuardianEdge Removable Storage?
No. Users can protect files with passwords. However, if users must be able to use certificates to encrypt data, then GuardianEdge Advanced Authentication and PKI are required.
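The key hierarchy this section describes (a random per-file key, wrapped separately under a workgroup key, a password-derived key and a recovery key, with the first matching credential unwrapping it; Key Management Q1, Q3 and Q4, and the per-file design from Removable Storage Encryption Q1) as an added example in Go. This is illustration code, not GuardianEdge's implementation or on-disk format: AES-256-GCM as the wrapping and data cipher, PBKDF2-HMAC-SHA256 with 100,000 iterations, the wrap labels, and the Creds/Wrap/Envelope types are all assumptions made here. Certificate-based wrapping (GuardianEdge Advanced Authentication) is left out.

```go
// Added example, not GuardianEdge code: one random key per file, wrapped under every credential that may open it.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIter = 100000 // assumed PBKDF2 work factor; the FAQ does not state one

// Creds holds whichever key-encryption keys (KEKs) the endpoint or user can supply.
type Creds struct {
	Password string            // stretched into a KEK with PBKDF2-HMAC-SHA256 and a per-file salt
	Keys     map[string][]byte // "workgroup" (shared by an admin-defined workgroup) and/or "recovery" (held by admins); 32 bytes each
}

// Wrap is one copy of the file key under a labelled KEK; the label is bound as GCM associated data.
type Wrap struct {
	Label           string // "workgroup", "password" or "recovery"
	Salt, Nonce, CT []byte // Salt is set only on the password wrap
}

// Envelope is the stored form of one file: its ciphertext plus every wrapped copy of its key.
type Envelope struct {
	Nonce, CT []byte
	Wraps     []Wrap
}

// pbkdf2SHA256 derives one 32-byte block of RFC 8018 PBKDF2-HMAC-SHA256 (an AES-256 KEK) with only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for i := range t {
			t[i] ^= u[i]
		}
	}
	return t
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; callers validate the length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// kekFor resolves the KEK a wrap needs from the supplied credentials, or nil if that credential is absent.
func kekFor(w Wrap, c Creds) []byte {
	if w.Label != "password" {
		return c.Keys[w.Label]
	}
	if c.Password == "" {
		return nil
	}
	return pbkdf2SHA256([]byte(c.Password), w.Salt, kdfIter)
}

// Encrypt draws a fresh random file key and wraps it once per credential supplied, in the
// order Decrypt will try them: workgroup key, then password, then recovery key.
func Encrypt(plaintext []byte, c Creds) (*Envelope, error) {
	fileKey, nonce := mustRandom(32), mustRandom(12)
	env := &Envelope{Nonce: nonce, CT: gcm(fileKey).Seal(nil, nonce, plaintext, nil)}
	for _, w := range []Wrap{{Label: "workgroup"}, {Label: "password", Salt: mustRandom(16)}, {Label: "recovery"}} {
		kek := kekFor(w, c)
		if kek == nil {
			continue // credential not supplied: no wrap for it
		} else if len(kek) != 32 {
			return nil, fmt.Errorf("%s key must be 32 bytes, got %d", w.Label, len(kek))
		}
		w.Nonce = mustRandom(12)
		w.CT = gcm(kek).Seal(nil, w.Nonce, fileKey, []byte(w.Label))
		env.Wraps = append(env.Wraps, w)
	}
	if len(env.Wraps) == 0 {
		return nil, errors.New("refusing to encrypt: no credential could ever open this file")
	}
	return env, nil
}

// Decrypt returns the plaintext from the first wrap whose KEK is both supplied and correct;
// a wrong password or a foreign workgroup key fails the GCM tag check and is skipped.
func Decrypt(env *Envelope, c Creds) ([]byte, error) {
	for _, w := range env.Wraps {
		if kek := kekFor(w, c); len(kek) == 32 {
			if fileKey, err := gcm(kek).Open(nil, w.Nonce, w.CT, []byte(w.Label)); err == nil {
				return gcm(fileKey).Open(nil, env.Nonce, env.CT, nil) // fails if the ciphertext was tampered with
			}
		}
	}
	return nil, errors.New("no supplied credential unwraps the file key")
}
```

Two things the code makes visible that the prose does not: the wrap order is what gives the "no prompt for workgroup members, then remembered passwords, then prompt" behaviour, and an authenticated wrap (the GCM tag) is what turns a wrong password into a clean failure instead of a garbage file key. Because every copy of the file key is only as strong as the weakest KEK that wraps it, the practitioner's question to ask of any such product is how the workgroup key and the recovery key are themselves stored and protected on the endpoint and the management server.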
Data Portability
1) Can data encrypted by GuardianEdge Removable Storage be accessed on computers that are not running the software?
Yes. GuardianEdge provides the Removable Storage Access utility. This utility can reside on storage devices and be used to decrypt and encrypt data from computers that do not have GuardianEdge Removable Storage installed. Administrators can set a policy to automatically copy this utility onto devices that users connect to computers that have GuardianEdge Removable Storage installed. The utility can also be configured as an option which can appear and be run when the device is inserted into a PC without Removable Storage Encryption.
2) When encrypted data is accessed on machines not running GuardianEdge Removable Storage can it be re-encrypted?
Yes. The GuardianEdge Removable Storage Access utility enables data to be encrypted from computers that do not have GuardianEdge Removable Storage installed.
3) Can GuardianEdge Removable Storage protect email attachments?
Yes. Users can create self-extracting archives that include a complete nested set of folders and files, which can also be sent via email. The recipient is then required to enter a password and/or other credentials to access the data.
4) Can GuardianEdge Removable Storage protect CDs/DVDs?
Yes. GuardianEdge Removable Storage encrypts data being saved to CDs / DVDs with a native CD / DVD burning capability to provide maximum protection when encrypting data for use on CD / DVD media.
Supported Platforms/Devices
1) What storage devices does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports devices that connect through USB, FireWire, or Secure Digital (SD) ports and that present a file system. This includes devices such as USB flash drives, external hard drives, SD readers, Compact Flash (CF) readers, and Apple iPods.
2) What physical media does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports CDs/DVDs, Secure Digital (SD) cards, Compact Flash (CF) cards, and floppy disks.
3) What operating systems does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports the following operating systems:
- Microsoft Windows XP Professional and Tablet PC Edition, SP2 and SP3
- Windows 2000 SP4
- Windows Vista Business, Enterprise and Ultimate
- Windows Server 2003 SP1 and SP2
End User Experience
1) What methods are available for users to authenticate to encrypted data?
Users authenticate in different ways, depending upon how the data is protected:
- If there is a workgroup key on the GuardianEdge Removable Storage computer—and it matches that of the file—then no user authentication is required.
- If the data is protected with a password, then users will authenticate with their password.
- When GuardianEdge Advanced Authentication is present, data may also be protected with certificates. If the data is protected with a certificate, then users will authenticate with a token or smart card that has a private key matching a certificate with which the data is protected.
2) Do users have to go through any sign-up or registration process before they can start using GuardianEdge Removable Storage?
No. Administrators can enable auto-registration, which allows users who log on to Windows to automatically have a GuardianEdge account through a process that is transparent to them.
3) Does encryption interfere with normal usage of the machine?
No. Users continue to work as they always have. The only difference in the user's workflow is that GuardianEdge Removable Storage prompts for credentials only when it needs them to encrypt or decrypt a file; workgroup keys and passwords remembered from earlier in the session keep such prompts to a minimum.
4) Does the user need to perform any additional steps to access encrypted data?
Although GuardianEdge has taken steps to minimize the prompts associated with providing credentials to access encrypted data, there will be instances where the user will receive prompts. In these cases, to access encrypted data the user will be required to enter a password or (when GuardianEdge Advanced Authentication is present and data is protected with certificates) insert a token/smart card. Other than this, there are no changes to the way users work when using encrypted data from devices.
5) How does a user share encrypted data with co-workers? How about with suppliers, partners, and other external parties?
GuardianEdge Removable Storage is very flexible in how it allows users to share encrypted data. Following are among the ways it allows users to share data:
- Encrypted files can be provided to a co-worker on a USB flash drive
- Encrypted files can be provided to a co-worker on a CD/DVD
- A self-extracting encrypted archive can be sent by email to a co-worker
- A self-extracting encrypted archive can be put on an FTP site or network share
These same methods are available for sharing data with external parties, such as suppliers and partners, except that for files protected with standard GuardianEdge Removable Storage encryption, external parties must use the Removable Storage Access utility that resides on the device/media. For self-extracting archives, no special software is required; the recipient simply enters the correct password and/or uses the appropriate certificate.
6) Does the encryption and decryption cause degradation in performance?
There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).
7) Does GuardianEdge Removable Storage create any application compatibility issues?
GuardianEdge Removable Storage is a standard Windows application and does not cause problems with other applications.
Reporting
1) Does GuardianEdge Removable Storage enable administrators to validate that the proper policies are in place?
Yes. The status that GuardianEdge Removable Storage reports for each user includes:
- Computer name
- User name
- Date and time of last status update
- Encryption policy
- Encryption method (password/certificate)
- Workgroup key
- Recovery
- Automatic copying of Access utility to devices
2) Does GuardianEdge Removable Storage provide logging of endpoint events and activities?
Yes. There are a number of events that are logged, including the following:
- Successful receipt of a policy
- Successful encryption of a file, together with the file name
- Successful decryption of a file, together with the file name
- Unsuccessful decryption of a file, together with the file name
- Delay imposed after consecutive unsuccessful authentication attempts exceed the administrator-defined threshold
- Expiry of that delay
3) Does the reporting include details for users and computers?
Yes. Users and computers are included in the reporting, as detailed above.

