Advantages and disadvantages of ambient encryption and transparent encryption

Data security products have been under development for almost 10 years, yet the market is still in a stage of open competition, with no vendor holding a dominant position in the industry. Roughly speaking, data leakage prevention products fall into two categories: document encryption products (also called transparent encryption) and overall protection products (also called environmental or ambient encryption). The two differ greatly in design concept and function, and both keep evolving and borrowing from each other. It should be pointed out that most customers do not pay enough attention to the selection of data leakage prevention products and treat them like ordinary software. In fact, a data leakage prevention project is tightly coupled with the enterprise's existing information systems; it is not simply a matter of encrypting some files or hard disks. Judging from deployments over the past few years, a successful implementation requires not only a suitable product but also the attention and cooperation of the customer, and the difficulty is no less than that of an ERP project. When a product is selected and rolled out hastily with little understanding, the failure rate is almost 100%. Negative cases of this kind are numerous.

Based on actual usage, the advantages and disadvantages of the two types of products when deployed in large and medium-sized enterprises are analyzed below from the perspective of project risk, for reference.

The project risks are divided into the following categories:

1. The risk of data being cracked after encryption

Document encryption works by controlling the application software: when a document is saved it is encrypted with the key, and the ciphertext is stored on a computer with the encryption client installed. When the file is opened, the encryption software automatically decrypts the ciphertext so that the file can be opened normally. In other words, the encrypted file still exists in plaintext in memory, and that plaintext can be extracted directly by "reading the memory", bypassing the encryption; the security level is low. Environmental encryption adopts overall protection: any file that leaves the environment illegitimately is encrypted, and the only way to crack it is brute force, which is very difficult, so the security level is high.

2. Changes in personnel usage habits

The smaller the change in usage habits, the less resistance the project meets as it moves forward. Whatever the product, once it goes live it will inevitably restrict some of the employees' previous behavior: for example, files that used to be sent out over QQ can no longer be sent, or only ciphertext can be sent. On this point, document encryption products change personnel usage habits very little, since employees can still freely send unencrypted files, which is better than overall protection products; at the same time, however, it brings greater risk, because an employee may disguise sensitive data as an unencrypted file. With either type of product, employees must re-regulate their own behavior according to the configured rules, which requires top-down promotion within the enterprise.

3. Probability of data damage

Encryption implies decryption, and there is always a risk that encryption or decryption fails. The result is data damage, which seriously affects the daily work of employees and can prevent the system from going live. In this respect, overall protection products are far superior to document encryption, because document encryption performs direct and frequent encryption and decryption on the data itself, and its data damage rate is very high. Overall protection products perform encryption at the data transmission boundary; the data itself is not processed, so the damage rate is very small. Based on past project experience, damaged data has almost become synonymous with document encryption products and an insurmountable bottleneck (especially in R&D and manufacturing enterprises with complex terminal environments), whereas overall protection products do not have this problem.

4. Application system upgrade risk

As mentioned above, document encryption is implemented by controlling the application software, which inevitably involves software version issues. For example, a document encryption product may currently support WORD2015; when Microsoft later releases WORD2016, the vendor must add WORD2016 as a controlled application before encryption works with it, and users may incur a series of costs for this continuous upgrading. Environmental encryption has no such risk.

5. Management system change risk

Management system change risk refers to the situation in which the enterprise's management system and processes change after the data security system has gone live. The data security system must then be adjusted accordingly, and if the adjustment cannot be completed quickly and in an orderly manner, it will greatly disrupt the enterprise's normal management and production order. Document encryption products can only take the "document" as their main management dimension, which has no direct correspondence to the management system. When the system changes, personnel familiar with both the document encryption system and the management process must make the adjustments; there are no standard steps or procedures for this, and the operational risk is great. Overall protection products are built on the design concept of a "data risk management system" and are closely tied to the enterprise's management processes: every data privacy policy corresponds to an explicit or implicit management rule. For example, the black and white list management and encryption control of outgoing emails match the enterprise's outgoing-mail management rules exactly. When the enterprise's management system and processes change, one only needs to find the corresponding policy and modify it to complete the adjustment, which is simple and fast.

6. Product downline risk

Downline risk refers to the risk an enterprise faces when, driven by certain factors, it needs to uninstall the data security system and restore the state that existed before the system went live.

For document encryption products, encrypted data is scattered across every terminal on the intranet in the form of individual encrypted files. Undoing the interference that data encryption has caused to the business systems and restoring the data is an extremely complicated and lengthy process, and the cost of taking the system offline is no less than the cost of bringing it online. This leaves the enterprise's application information systems completely "hijacked" by the encryption system, a potentially huge risk that may make the enterprise pay a heavy price in the near future.

For overall protection products, all data is transmitted and used in clear text wherever no control policy applies. Administrators can delete the encryption policy at the "data exit" at any time to quickly eliminate the impact of the encryption system on the original information system, so the downline risk is extremely low.

From the comparison of the above 6 points, it can basically be concluded that for large and medium-sized R&D and manufacturing enterprises, the overall protection concept is more applicable. In the final analysis, overall protection products focus on matching and integrating with the existing information systems and management systems, while document encryption products focus on influencing and changing the operator's usage habits. The former therefore requires the enterprise to make a certain investment and certain concessions to ensure a smooth launch of the anti-leakage system, but once launched it runs more smoothly and later management and maintenance are easier. The latter is more in line with customers' current general expectation of encryption products, "does not leak data, does not affect work", but its potential risks are very large. The former is more like a system and the latter more like a piece of software; the former is more suitable for the overall management needs of large and medium-sized enterprises, and the latter for rapid deployment in small-scale enterprises.

The above analysis is based mainly on the design concepts of the two types of products, but a good concept is not necessarily realized in practice. It is therefore very important to examine the strength and case history of the vendors. Whether specific cases are genuine, and what their application environments are, requires more on-site inspection and communication.
