Do Windows Encryption Tools Suit Enterprises and Government?
Stop and think about your daily work routine. You sit down at your desk, log in to your laptop, and read your emails. Perhaps human resources sent you a new employee’s contact information. You open it and save it to your hard drive. Another email from an industry contact includes unpublished statistics one of your analysts requested. You forward these trade secrets to the analyst and place them on a shared drive where everyone in the project team can access them.
Standard procedure, right?
You focus on the information coming in—saving it, passing it on to the right people, and analyzing it. For data-driven workers, including thousands of attorneys, defense contractors, and governmental employees, how you use the available information and data defines how you work.
With all the attention on the data and its meaning, one question often slides under the radar. How protected is it?
When this question inevitably rears its head, someone—maybe you—points to your organization’s encryption policies.
Encryption, the time-honored art of encoding sensitive information to protect it from unauthorized eyes, is a requirement for data security.
Recognizing the need for file, folder, and drive encryption, Microsoft added two encryption utilities. Introduced as part of Windows 2000, the Encrypting File System (EFS) encrypts individual files and folders. Vista brought us BitLocker, which encrypts volumes. Each version of Windows builds on the previous one, offering additional cryptographic algorithms, certificates, keys, and supported file systems.
Today, Windows 7’s 2020 retirement date hangs over many organizations like a sword of Damocles. With more than 200 million Windows 10 enterprise users and millions more expected in the coming years, the question is: Do Windows 10’s encryption tools fit how government organizations and enterprises work?
Encrypting File System (EFS)
EFS is the oldest encryption utility in Windows 10’s arsenal and is available on Windows 10 Professional, Enterprise, and Education editions as well as on Windows Server 2016 and Windows Server 2019. With new features, including cryptographic algorithms, added with each major release and some updates, EFS applies modern and secure cryptographic algorithms to files and folders.
- EFS includes military grade AES-256 Encryption. For more about why you need this, see “Communication Security: What Military Grade Encryption Means.”
- As a built-in utility, EFS offers the ultimate convenience for your IT shop. No need to install it. Just turn it on and pass out instructions.
- It encrypts both files and folders.
- It’s complicated. Encrypt and decrypt are not listed on the context menu. Encrypting a file or folder via EFS requires right-clicking on the item, going to Properties, clicking “Advanced”, and then checking “Encrypt contents to secure data”. Making EFS accessible from the context menu requires editing the registry.
- Opening EFS files or folders on another computer requires exporting the EFS certificate and key and installing them on that computer.
- EFS encrypted files are automatically decrypted when they’re shared via an application like Dropbox. Since EFS is transparent to both the user and their applications, file sharing apps like Dropbox automatically decrypt the file before uploading to the server.
- File sharing requires VPN tunneling.
- No mobile file access.
For rarely accessed data and documents, including medical records and legal documents, EFS is an excellent solution, provided all certificates and keys are backed up. It also works for individuals who don’t need cloud storage or file sharing.
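Because EFS files can only be opened where the matching certificate and private key are installed, it helps to know which files are encrypted and which certificate protects them before relying on a backup. The following PowerShell sketch is an added example, not part of the original article; the $Root path is an assumed default and should be changed to the folder being audited.

```powershell
# Added example: inventory EFS-encrypted files and the EFS certificates
# available to decrypt them in the current user's profile.
# $Root is an assumed path, not one taken from the article.
param([string]$Root = "$env:USERPROFILE\Documents")

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

# Files carrying the NTFS "Encrypted" attribute are the ones EFS protects.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Attributes Encrypted `
                             -ErrorAction SilentlyContinue)
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root

# EFS certificates in the current user's personal certificate store.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })

$certs | Select-Object Thumbprint, NotAfter, HasPrivateKey,
    @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# Without a private key in this profile the files cannot be opened here,
# and there is nothing to export for a backup or for a second computer.
if ($encrypted.Count -gt 0 -and -not ($certs | Where-Object HasPrivateKey)) {
    Write-Warning 'Encrypted files found, but no EFS certificate with a private key in this profile.'
}
```

The built-in command cipher /x exports the current user's EFS certificate and key to a password-protected PFX file, which is the backup the paragraph above depends on.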
AxCrypt, the Popular Alternative to EFS
For small business owners and organizations on a tight budget, AxCrypt is an attractive alternative to EFS. Like EFS, AxCrypt boasts AES-256 encryption for files and folders.
AxCrypt also features:
- smartphone access for both iOS and Android,
- an invitation system that lets users share files and collaborate, and
- encrypted cloud storage via either Dropbox or Google Drive.
Unfortunately, AxCrypt follows a freemium model and has monetized their software with the adware module OpenCandy. Among other things, OpenCandy installs web browser extensions, plugins, and toolbars that monitor and report the user’s browser activity to third parties. Some antivirus and anti-malware suites label OpenCandy as malware.
Although AxCrypt will protect select files with encryption, it may also compromise your employees’ privacy.
Microsoft’s flagship disk volume encryption, BitLocker, was first included in their Microsoft Vista Ultimate and Enterprise editions. Originally, BitLocker helped verify the system integrity. They designed it to protect the operating system and later extended its protection to other logical drives.
BitLocker was not included in Windows 7 Professional but is included in Windows 10 Professional, Enterprise, and Education editions. If you need BitLocker-like features on Windows 7 Pro, see VeraCrypt below.
- BitLocker offers AES-256 encryption.
- It works on individual hard drives as well as on storage area networks and network-attached storage.
- BitLocker helps you implement an organization-wide cryptography policy by mounting unencrypted drives as read-only.
- Implementing BitLocker may require upgrading existing hardware and software.
- Administering networked drives is difficult. According to Microsoft, the preferred management method for BitLocker-protected network drives on Windows Server 2016 is Windows PowerShell.
- Shared BitLocker drives are decrypted on the server. All files are transmitted over the network unencrypted.
- Additional disadvantages include:
  - No mobile drive access.
  - No version control.
  - No change notifications.
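Since PowerShell is the management route named above, a short audit can show whether each volume actually meets an AES-256 encryption policy. This is an added example, not code from the original article or from Microsoft; the accepted-methods list and the recovery-password requirement are assumed policy choices.

```powershell
#Requires -RunAsAdministrator
# Added example: report volumes that miss an assumed BitLocker baseline.
$accepted = 'Aes256', 'XtsAes256'   # assumed policy: AES-256 only

$report = Get-BitLockerVolume | ForEach-Object {
    $issues = @()

    # A volume still encrypting, paused, or decrypted is not yet protected.
    if ($_.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "status is $($_.VolumeStatus)"
    }
    # Protection can be off or suspended even on an encrypted volume.
    if ($_.ProtectionStatus -ne 'On') {
        $issues += 'protection is off or suspended'
    }
    # Older or default deployments may use a 128-bit method.
    if ($_.VolumeStatus -ne 'FullyDecrypted' -and
        $accepted -notcontains "$($_.EncryptionMethod)") {
        $issues += "method is $($_.EncryptionMethod)"
    }
    # Assumed requirement: a recovery password exists for key recovery.
    if (-not ($_.KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $issues += 'no recovery password protector'
    }

    [pscustomobject]@{
        MountPoint = $_.MountPoint
        VolumeType = $_.VolumeType
        Compliant  = ($issues.Count -eq 0)
        Issues     = $issues -join '; '
    }
}

$report | Format-Table -AutoSize
```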
VeraCrypt, a non-Microsoft BitLocker Alternative
Forked from TrueCrypt in 2013, VeraCrypt is an open-source alternative to BitLocker for Windows, Windows Server, macOS, and Linux systems. Like BitLocker, it supports AES-256 and applies encryption to logical volumes. It also creates encrypted file containers.
Sharing VeraCrypt volumes with read/write access requires mounting and decrypting them on the server. Accessing an encrypted container over a network is possible. However, in this instance, the encrypted file container is read-only.
Secure Collaborative File Sharing for Enterprises and Government Agencies
Although VeraCrypt offers some sharing capabilities, neither it nor EFS is designed for multiple users. BitLocker integrates with other Microsoft products and provides more robust collaboration options via shared drives. However, it is difficult to administer and lacks version control and other features needed for collaborative editing.
While AxCrypt has an almost cult following and offers the collaborative features small to medium-sized organizations need, its adware module may introduce other unforeseen security risks.
For enterprises and government agencies, secure collaborative file sharing must be invisible. The system guided by your cryptography policies should choose what needs encryption, not your employees. Encryption and decryption should both happen in the background, unseen and seamless.
It must work on all your enterprise’s devices, including mobile phones. Sending an investigator to Thailand shouldn’t mean they lose access to critical documents.
Encryption is not limited to a single device or server. Protect your sensitive data on the server with end-to-end encryption, in transit, and at rest. Any device someone can pick up with a hand needs at-rest encryption. At a minimum, encrypt all cell phones and tablets, and turn on BitLocker on laptops.
At Adeya, we have another item on our must-protect list. Communications, including voice calls, video calls, SMS, and messaging, represent a treasure trove of highly sensitive data. With more governments developing offensive cyber attack capabilities than ever before, protecting these secrets alongside more traditional document-based intelligence is a crucial and often overlooked part of a sound data protection strategy. Give us a call at (+41) 22 566 14 80 and find out how our secure collaboration and communication platform can help your organization.