This topic contains 6 replies, has 1 voice, and was last updated by Devin 11 months, 4 weeks ago.
March 1, 2017 at 00:29 #5656
Just curious if anyone uses this in a domain environment. My ideal would be to be able to specify folders that should be always encrypted (such as C:\Users\ or \\server\share\) and make all users by default be able to open all files. Hopefully, I would therefore be able to encrypt all files on file shares and all domain users would be able to open them without any fuss, but when sending the file to anyone external to the company, they would have to encrypt to exe.
I suppose that would only be accomplished by not using a password and using a keyfile only instead and then installing that to all domain computers? Probably not possible, but I like this idea.
March 1, 2017 at 00:59 #5657
I think the problem with your idea is that AxCrypt wouldn’t play nicely with Windows Active Directory.
Microsoft have developed their own sharing solution which means that files are normally locked as read-only if multiple people try to access them simultaneously in order that data isn’t lost and to prevent the file being damaged. Software like Microsoft Office tracks revisions and then updates the master document afterwards. Sometimes it’s done in real-time but this requires complex platform interoperability and doesn’t always work as expected.
AxCrypt would probably not integrate well with your AD because of this sensible feature Microsoft have designed.
My advice would be to use BitLocker in your scenario as this is fully transparent and part of Windows – it’ll protect your files if your computer is stolen.
If you want to protect files in transit (e.g. cloud sharing) then BitLocker won’t protect you and you need AxCrypt.
BitLocker – protects files at rest
AxCrypt – protects files at rest* and in transit
*in an active directory I wouldn’t recommend using AxCrypt for protecting files at rest
*for home users who don’t have BitLocker, they can use AxCrypt for both functions (in transit and at rest).
March 1, 2017 at 01:24 #5658
Ya, we already use BitLocker. I’m looking for something that requires minimal user interaction. I’m looking at using Sophos SafeGuard Encryption if I can’t find a better solution.
March 1, 2017 at 01:46 #5659
I’m only a customer and AxCrypt’s support may be along to provide further information. You could always email them and see if they can accommodate your requirements.
What I will say is that if you’re using BitLocker then there’s no need for third-party solutions for data at rest, whether it be AxCrypt or Sophos.
Most third-party software leverages BitLocker in any event. You really don’t want to start “double encrypting” things because the potential for data loss increases.
I don’t understand what you hope to achieve by using two layers of encryption – it doesn’t make your data any more secure when at rest. If you want to share files outside your organisation then AxCrypt is ideal. Sophos is extravagantly expensive and if you’re never sharing files externally then it’s totally unnecessary.
Microsoft have many DLP solutions if that’s your concern. I’m interested to know what you believe the benefit to be by using two layers of encryption?
March 1, 2017 at 18:08 #5663
Yes, this use case provides nothing extra for data at rest. The idea is to minimize the impact of encryption on my users. Right now, they are having to remember to encrypt a document when they email it to an outside address. File encryption before emailing should always happen and I don’t like the idea of unencrypted files (they could be very bad for our company if someone happened to scan and skim an unencrypted document).
My thinking is that if all files are encrypted by default, then the users will decrypt to exe when they need to send a file to an external entity. This makes it so that users can’t accidentally forget to send the file encrypted. That’s what I’m really trying to solve currently. Data at rest is OK for us currently.
March 1, 2017 at 18:31 #5666
For your scenario, I agree, separate ad-hoc encryption is required (e.g. external addresses).
The systems I administer use Microsoft DLP which uses our existing Office 365 cloud infrastructure. You can set up certain trigger words, sensitive information categories, external address activation, encrypt only if a specific sender, manual activation etc.
There’s a good video which explains Microsoft’s solution but it also explains the general principles of all vendors’ DLP solutions in case you’re not familiar.
March 1, 2017 at 18:41 #5668
Yes, we leverage DLP rules on outbound email, but it’s still not quite perfect. We also have our web filtering proxy service do attachment scanning before an email is accepted and sent, so the user can know immediately if the attachment is flagged. We also use Zix as another way to encrypt outgoing emails.
We don’t totally love the Zix portal since it requires recipients to create an account just to view the email and download the attachment, so this would potentially allow us to get rid of Zix.
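The outbound check the thread circles around (a file must already be encrypted before it goes to an external address, and the sender should be told immediately when it is not), as an added example that is not code from the thread, from AxCrypt or from any DLP product. It decides by file name only, treating an AxCrypt .axx container or a self-decrypting .exe as encrypted; the internal domain, message records and attachment names are constructed for the example.

```python
# Added example, not from the thread or from AxCrypt: a minimal model of the rule
# "an attachment leaving the organisation must already be encrypted". The check is
# by file name only (a real gateway should also inspect content); the tenant
# domain and the sample messages below are constructed.
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}       # assumed tenant domain(s)
ENCRYPTED_SUFFIXES = (".axx", ".exe")    # AxCrypt container / self-decrypting exe


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def external_recipients(msg: OutboundMessage, internal=INTERNAL_DOMAINS) -> list:
    return [r for r in msg.recipients if domain_of(r) not in internal]


def looks_encrypted(filename: str) -> bool:
    return filename.lower().endswith(ENCRYPTED_SUFFIXES)


def check_message(msg: OutboundMessage, internal=INTERNAL_DOMAINS) -> dict:
    """Verdict for one message: allow, or block naming the offending attachments."""
    if not external_recipients(msg, internal):
        # Internal-only mail: the file never leaves, encryption at rest covers it.
        return {"action": "allow", "reason": "internal recipients only", "attachments": []}
    unencrypted = [a for a in msg.attachments if not looks_encrypted(a)]
    if unencrypted:
        return {"action": "block",
                "reason": "unencrypted attachment to external recipient",
                "attachments": unencrypted}
    return {"action": "allow", "reason": "external, attachments encrypted", "attachments": []}


# Constructed sample traffic: an internal mail, a forgotten encryption, a correct send.
SAMPLE_MESSAGES = [
    OutboundMessage("alice@example.com", ["bob@example.com"], ["budget.xlsx"]),
    OutboundMessage("alice@example.com", ["partner@other.example"], ["budget.xlsx"]),
    OutboundMessage("alice@example.com", ["partner@other.example"], ["budget.xlsx.axx"]),
]


def audit(messages=SAMPLE_MESSAGES) -> list:
    """Return (sender, attachments) for every message the rule would have blocked."""
    return [(m.sender, v["attachments"]) for m in messages
            if (v := check_message(m))["action"] == "block"]
```

Only the second sample is blocked; a mixed internal-plus-external recipient list is treated as external, since the file still leaves the organisation.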