Policy-Driven File Encryption Explorer is a technology that addresses security needs in file-based storage solutions and secure desktop needs. It enables protection of data-at-rest as well as data-in-flight, by providing policy-governed granular file based encryption.

Since the technology is file-based, it suits file-based storage solutions like Network Attached Storage (NAS) where the storage is accessed by the end client nodes using distributed filesystem or remote data access tools and where securing data at the client node by the owner of the data is a preferred approach.

The utility is policy-based which helps meet the security needs in Information Lifecycle Management (ILM) by facilitating granular management of data security. It allows end users and administrators to define policies over type, age, size, access and related attributes associated with the data and security requirement that needs to surround it.

Policy-Driven File Encryption Explorer allows you to identify files with specific content and secure them using different encryption algorithms. It supports user interactive mode as well as batch processing mode, which is vital for storage administrators securing large sets of files. The technology also features with report generation which can be used for security audits and compliance.

Policy-Driven File Encryption Explorer empowers the data owner to play a more active role in implementing the organizations security policies. Administrator/owner can generate policy based reports periodically or at will to check whether the data present is compliant to organization’s data security policies.

Highlights

• Ensures securing of data-at-rest as well as data-in-flight by leveraging OpenPGP for file protection, including file encryption, decryption, signing , verifying and optional file compression.
• Policy based. Allows administrators and owner of files to classify data and likewise enable data encryption polices. Provisions with interfaces to set generic polices which define which kind of file needs to be protected by which level of encryption, which kind of file needs to be signed, which kind of file needs to be compressed, and more.
• Enables user-defined constraints in each policy such as location, extension, hidden, read-only, size, age for the files and respective algorithms to be used for the encryption and digest -- thus meeting some of the ILM requirements. Allows various files attributes to be used for defining policies.
• Remote-location-aware. The tool indicates to the user to choose tighter security algorithm in such cases. The tool identifies files residing on mapped remote drives (generally exported by Network Attached Storage appliances) to facilitate higher level of encryption over remotely residing files, thus protecting data over insecure network.
• Provides facilitates to secure documents and files based on its actual content.
• Supports batch processing suitable for mass execution.
• Offers a reporting facility which can be used for security audits and compliance. Supports importing reports to Microsoft Excel.
• Integrated with auditing and logging facility to record all relevant file operation executed using the utility.
• User-friendly user interface. The user interface of the utility is explicitly designed as an explorer GUI which makes it consumable and highly user friendly. The UI has been designed with novice end users as well as storage administrators in mind. Securing files can be as easy as dragging and dropping them in the explorer.
• Based on open standards: Plugs-in open source OpenPGP library from Bouncy Castle Crypto APIs for exercising OpenPGP functionality. OpenPGP compliance ensures interoperability and facilitates securely sharing of data with trusted partners.
• Built on the Eclipse Rich Client Platform.

How does it work?

The technology is designed to work over OpenPGP standards. This helps interoperability across platforms and facilitates secure sharing of data with trusted partners -- which is a pragmatic requirement in the industry.

The current version of the technology plugs-in an opensource OpenPGP library from Bouncy Castle Crypto APIs to exercise the OpenPGP related modules.

OpenPGP is a widely used standard in the industry to meet privacy, integrity, and non-reputation goals. It supports digital signatures to ensure the ownership of the data as well as to help validate tamper attempts over the data. It further helps ensure that only owner controlled users can have access to the encrypted data making it independent of device level encryption facility. The utility derives all these OpenPGP benefits as it is built over it.

See a video demonstration on YouTube.

Acknowledgement: The authors sincerely acknowledge and thank Nataraj (Raj) Nagaratnam, IBM Distinguished Engineer, Chief Architect, Identity and SOA Security, for his valuable advice and core insights.

Also, thanks to Vikram Sanap for his assistance with Java technology.

Sandeep Ramesh Patil is an Advisory Software Engineer for the IBM India System and Technology Lab and is an IBM developerWorks Professional Author. He has worked for IBM for nine years, focusing on distributed technology including DCE, SARPC, and security products such as the IBM Network Authentication Services (IBM Kerberos). He was one of the prime architects for the above technology. Sandeep holds a BE degree in computer science and engineering from the University of Pune, India. You can contact him at sandeep.patil@in.ibm.com.

Sachin Punadikar is a Principal Software Engineer for the IBM India System and Technology Lab. He has worked for IBM for eight years. He has experience in file systems (DFS), transaction processing monitors (TXSeries Encina), and security products such as NAS. He is currently developing and performing product support for new features for the IBM NAS. Sachin holds a bachelor's degree in computer science and engineering from the Shivaji University, Kolhapur, India. You can contact him at psachin@in.ibm.com.

Vipin Rathor has been with IBM India System and Technology Lab for three years. He works for IBM Network Authentication Service Development and Support activities. His areas of interest include network security, particularly Kerberos and other authentication protocols. You can contact him at vrathor1@in.ibm.com.

Sandeep Singh works at the IBM India System and Technology Lab. Currently he is engaged in IBM Network authentication service development and L3 activities. Network security and UNIX internals are his areas of interest. He holds a Bachelor of Technology degree in information technology from Pune University, India.You can contact him at ssingh11@in.ibm.com.

Bhushan Pradip Jain is a Final Year Student of B.Tech., Computer Science, at the College of Engineering, Pune (COEP), doing his internship with IBM India. His areas of interest include algorithms, system programming and processor simulation. He has also worked for developing Intrusion Detection System and implementation of part of the opperating system for a multi-antenna telescope. You can contact him at bhushan1988@gmail.com.