Encryption – How the encryption software works

On protected devices, for example laptops or PCs, the client side of Endpoint Encryption, in simple terms, takes control of the user's hard disk away from the operating system. Endpoint Encryption's driver encrypts every piece of data written to the disk and decrypts every piece of data read from it. If any application managed to bypass the Endpoint Encryption driver and read the disk directly, it would find only encrypted data, even in the Windows swap file and temporary file areas.

Even if a data recovery agency tries to retrieve information from an Endpoint Encryption-protected hard drive, there is no way to access the data without the passwords or recovery information that unlock the Endpoint Encryption system: total security.

Endpoint Encryption installs a mini operating system on the user's hard drive; this is what the user sees when they turn on the PC. It looks and feels like Microsoft Windows, with mouse and keyboard support, moveable windows and so on. This Endpoint Encryption OS is completely self-contained, needs no access to any other files or programs on the hard disk, and is responsible for letting the user authenticate with their password.

Once the user has entered the correct authentication information, the Endpoint Encryption operating system starts the crypt driver in memory and boots the protected machine's original operating system. From this point on the machine looks and behaves as if Endpoint Encryption were not installed. The security is invisible to the user. Because the only readable data on the hard disk is the Endpoint Encryption operating system, and the encryption key for the hard drive is itself protected with the user's authentication key, the only possible ways to defeat Endpoint Encryption are to guess the hard disk encryption key (a one in 2^256 chance with the AES-256 algorithm) or to guess the user's password.

Every time an Endpoint Encryption-protected device boots, and again after a set period of time, Endpoint Encryption tries to contact its "Object Directory". This is a central store of configuration information for both machines and users, managed by Endpoint Encryption administrators. The Object Directory could be on the user's local hard disk (if the user is working completely stand-alone), or in some remote location accessed over TCP/IP via a secure Endpoint Encryption Server (in the case of a centrally managed enterprise).

The Endpoint Encryption-protected machine queries the directory for any updates to its configuration and, if needed, downloads and applies them. Typical updates could be a new user assigned to the machine by an administrator, a change in password policy, an upgrade to the Endpoint Encryption operating system, or a new file specified by the administrator. At the same time Endpoint Encryption uploads details such as the latest audit information, any user password changes, and security breaches to the Object Directory. In this way, transparent synchronization across the enterprise becomes possible.

 

Reviewed – 02/02/2015
