Vormetric's agent-based approach provides strong key management across all apps
The Vormetric Data Security Expert Security Server is not a direct competitor to the Thales and Venafi systems. Rather than managing keys used by other certificate authorities or encryption solutions, it manages its own encryption solution across multiple systems. It provides encryption services for file systems and for IBM DB2 or IDS database backups.
The system involves two components, an agent that runs on each server to be managed, and the appliance. The appliance must be set up first, using a serial terminal for network configuration, then the serial terminal or an SSH session for the rest of the initial configuration. After setting up the network interfaces and generating a security certificate, the rest of the configuration can be done via browser.
When first logging in, you'll be prompted to change the password. By default the password must be at least eight characters and contain upper and lower case, numbers and punctuation, with no repeated letters. These requirements aren't stated anywhere; you simply have to use trial and error, reading each error message until you satisfy them all. When creating additional administrative users, the password requirements must be met when setting the initial password, which then must be changed at the first login. The password policy can be changed to eliminate the requirement for uppercase, numbers and punctuation, but the minimum length of eight can't be changed, nor can the prohibition of repeated characters.
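Because the appliance reveals its password rules one error message at a time, an administrator can save the trial-and-error round trips by pre-checking candidate passwords against the rules the review describes. The following is an added example written for this page, not Vormetric's own code. It assumes "no repeated letters" means no character may occur more than once anywhere in the password (the article does not say whether adjacent or any repeats are meant), and it reports every unmet requirement at once. The keyword flags model the relaxations the review says are possible; length and the no-repeat rule stay fixed, as on the appliance.

```python
import string

MIN_LENGTH = 8  # fixed on the appliance according to the review

def password_violations(password: str, *,
                        require_upper: bool = True,
                        require_lower: bool = True,
                        require_digit: bool = True,
                        require_punct: bool = True) -> list:
    """Return a list of every unmet requirement (empty list means acceptable).

    Unlike the appliance, which reports one failure per attempt, this reports
    all of them so the password can be fixed in a single pass.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if require_upper and not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if require_lower and not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if require_digit and not any(c.isdigit() for c in password):
        violations.append("no digit")
    if require_punct and not any(c in string.punctuation for c in password):
        violations.append("no punctuation")
    # Assumption: "no repeated letters" = no character appears more than once.
    repeated = sorted({c for c in password if password.count(c) > 1})
    if repeated:
        violations.append("repeated characters: " + ", ".join(repr(c) for c in repeated))
    return violations

def is_acceptable(password: str, **policy) -> bool:
    """True when the password satisfies the (possibly relaxed) policy."""
    return not password_violations(password, **policy)

if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ("password", "Tr0ub4dor&3", "Ab3$efgh"):
        problems = password_violations(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    # Relaxed policy (uppercase, digits and punctuation no longer required).
    print(is_acceptable("abcdefgh", require_upper=False,
                        require_digit=False, require_punct=False))
```

One caveat worth noting when keeping the no-repeat rule: it means a password of length n must consist of n distinct characters, which shrinks the set of permitted passwords at every length rather than enlarging it, so the rule costs some entropy even though it forbids weak patterns like "aaaaaaaa".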
After you configure a domain, you can begin setting up policies and hosts that will have agents deployed. The software on each managed system must be able to resolve the hostname of the Vormetric appliance in order to connect to it – there's no provision for using an IP address. If the agent can't resolve the hostname of the appliance, the registration process fails, and the only way I found to get the agent to retry registration was to reboot the system.
Once the agent is registered, you can set up policies that control how keys are deployed and how encryption is managed on the specified servers. The policy editor is very flexible, though not terribly user friendly. Creating policies is more like scripting than the drop-down menus of the other products. This approach is more flexible, but requires more study to understand how to create policies, as well as testing to ensure that the policy is doing what you think it is. Setting up policies is well documented, and most people will need to refer to the documentation regularly.
The next software release, 4.3.4, which should be available before this article goes to print, makes creating policies much easier, with the ability to browse to users, applications to be controlled and resources to be protected.
The Vormetric appliance encrypts data in place, intercepting system calls and ensuring that any request for data comes from an authorized user, and that both data and backups are safely encrypted. The hardware is FIPS compliant, and has failover capability to handle the demands of a large enterprise.
In addition to encryption, the Vormetric appliance and agents allow you to control access to specific data and applications, controlling which users can see or access data and applications, and which rights they have to specific files. While some of this can be accomplished using the standard user rights systems in Windows or Linux, the Vormetric system establishes an audit trail, showing which users attempted to access protected data.
The appliance can also ensure that applications are only run by authorized users, so that a guest, for example, would not be allowed to run the del command, or that users would not be allowed to use notepad to read configuration files. This technology isn't perfect, because the limitations are imposed on specific executables, and if you limited notepad but not other text editors, users could circumvent the prohibition. While you can prohibit everything that isn't explicitly allowed, this is likely to cause problems because many applications make calls to other applications.
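The gap the review describes follows from how the rules are scoped, and it is easiest to see by running a few intercepted operations through a policy evaluator. The block below is an added example written for this page; it is a simplified model of a user/process/resource policy with first-match-wins ordering and a configurable default, not Vormetric's actual policy language. The executable names, the `C:\app\conf\` path, the `svc_app` account and the sample events are all constructed. It contrasts the article's executable-scoped deny (which misses a second editor) with a resource-scoped rule that allow-lists the one process that legitimately needs the files, and it shows the default-deny side effect the review warns about when an application launches a helper.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class AccessEvent:
    """One intercepted file operation, as an agent on the I/O path would see it."""
    user: str
    process: str   # executable that issued the call
    resource: str  # path being touched
    action: str    # "read", "write" or "exec"

@dataclass(frozen=True)
class Rule:
    users: Optional[FrozenSet[str]]      # None matches any user
    processes: Optional[FrozenSet[str]]  # None matches any process
    resources: Optional[FrozenSet[str]]  # directory prefixes; None matches any path
    actions: FrozenSet[str]
    effect: str                          # "permit" or "deny"

def _matches(rule: Rule, ev: AccessEvent) -> bool:
    return (
        (rule.users is None or ev.user in rule.users)
        and (rule.processes is None or ev.process in rule.processes)
        and (rule.resources is None
             or any(ev.resource.startswith(prefix) for prefix in rule.resources))
        and ev.action in rule.actions
    )

def evaluate(policy: List[Rule], ev: AccessEvent, default: str = "permit") -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in policy:
        if _matches(rule, ev):
            return rule.effect
    return default

def audit(policy: List[Rule], events: List[AccessEvent],
          default: str = "permit") -> List[Tuple[str, str]]:
    """(process, decision) pairs: the shape an audit trail of attempts takes."""
    return [(ev.process, evaluate(policy, ev, default)) for ev in events]

# Constructed protected directory (hypothetical path).
CONF = frozenset({"C:\\app\\conf\\"})

# Policy A: deny one named executable, as in the article's notepad example.
EXECUTABLE_DENY = [
    Rule(None, frozenset({"notepad.exe"}), CONF, frozenset({"read"}), "deny"),
]

# Policy B: scope the rule to the resource and allow-list the one process that
# legitimately needs it; every other process, editor or not, is denied.
RESOURCE_SCOPED = [
    Rule(frozenset({"svc_app"}), frozenset({"appserver.exe"}), CONF,
         frozenset({"read", "write"}), "permit"),
    Rule(None, None, CONF, frozenset({"read", "write"}), "deny"),
]

# Constructed sample events.
NOTEPAD_READ = AccessEvent("alice", "notepad.exe", "C:\\app\\conf\\db.ini", "read")
WORDPAD_READ = AccessEvent("alice", "wordpad.exe", "C:\\app\\conf\\db.ini", "read")
SERVICE_READ = AccessEvent("svc_app", "appserver.exe", "C:\\app\\conf\\db.ini", "read")
HELPER_EXEC = AccessEvent("svc_app", "appserver.exe",
                          "C:\\Windows\\System32\\cmd.exe", "exec")

if __name__ == "__main__":
    reads = [NOTEPAD_READ, WORDPAD_READ, SERVICE_READ]
    print("executable-deny :", audit(EXECUTABLE_DENY, reads))
    print("resource-scoped :", audit(RESOURCE_SCOPED, reads))
    # Under a default-deny stance the service's own helper launch is blocked
    # unless it is listed too, which is the breakage the review anticipates.
    print("helper launch, default deny:", evaluate(RESOURCE_SCOPED, HELPER_EXEC, "deny"))
```

The audit output for the executable-scoped policy shows notepad denied and wordpad permitted against the same file, which is exactly the circumvention the text describes; the resource-scoped policy denies both while still letting the service account's own process read its configuration. Switching the default to deny closes the remaining gaps but immediately blocks the helper launch, so each legitimate child process would need its own permit rule.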
The Vormetric appliance is more of a general security system than a key management system. It does provide encryption across multiple platforms, but isn't intended to manage keys used by other applications, or to manage certificates. What it does, it does well, and administrators might decide to replace the plethora of different encryption technologies with the single Vormetric one, gaining the ability to restrict access to files and applications as well.
Publication date:
Author: Keylogger.Org Team