Zip It Shut: New Enterprise-level Encryption Tools
PKWare's new cross-platform encryption products protect everything from e-mails to sensitive HIPAA information, proving Zip suitable for more than just PCs
IT managers craving a simple way to trade compressed and encrypted files usable on almost any platform, take note. PKWare Inc. recently announced a range of compression products that can trade “zipped” files with 256-bit AES (Advanced Encryption Standard)—an encryption algorithm—across a range of operating systems, including Windows, Unix, MVS and AS/400.
The Brown Deer, Wis.-based company also released the first compression tool with a graphical user interface (GUI) for Linux. Like most Linux software, previous compression programs were command-line based, meaning users had to dig through manuals to figure out all the features.
Files compressed with PKZip’s strong encryption, however, will only work between users that have PKZip software—in particular, software with PKWare’s Secure Desktop module. The free PKZip Reader will also decrypt the files. The module uses BSAFE encryption software, developed by Bedford, Mass.-based RSA Security Inc., to tap digital certificates or add passwords to zip files. In order to read PKZip files secured with certificates or passwords, however, the recipient must also own a copy of the Secure Desktop software, or download the free reader.
On Windows, the $69.95 PKZip Professional Edition 6.0 now integrates with Microsoft Outlook as well as Lotus Notes. Users can toggle buttons in either program to automatically compress and encrypt all file attachments. IT managers in Outlook or Notes shops can also release the software company-wide to make sure all e-mail attachments get compressed, reducing network congestion.
The new range of PKZip products fits into an untapped midrange in the encryption and compression market, which to date has involved either full-blown PKI (public key infrastructure) at the high end or nothing at all, notes Stamford, Conn.-based research firm Meta Group Inc. analyst David Thompson. “It is in some senses a stopgap. The addition that PKWare provides is this intermediate part of security, where it can default down to a password,” he says.
PKZip is not a secure e-mail provider. “They're not in the key business—they're providing another place for you to utilize keys and encryption,” says Thompson. But making encryption easier is something users desperately need today. “While the promise of the nirvana is that your e-mail and mine will be able to communicate securely using PKI and S/MIME,” that day is not here, he says. Instead of waiting for full-blown, cross-enterprise key infrastructures, many people have more mundane goals. “People are interested in doing things like getting files across networks in an efficient manner, and they want to secure it.” That’s where PKWare comes in, he notes.
Steve Crawford, Chief Marketing Officer of PKWare, also articulates the need many people have for simply securing their file attachments. “Security is still one of the top spending priorities for IT,” he says. Yet many companies still don’t have an automated way to send secure e-mails to each other. Though there has been a lot of buzz about digital certificates since 1998, PKI is not pervasive, which Crawford chalks up to it not being easy to use. “On the desktop, S/MIME was too complex. Issuing certificates to everyone you might ever want to send a file to is difficult. And there's no bridge between those with certificates, and those without.”
So why not have something simpler?
“For IT, data security and encryption are natural bedfellows,” says Crawford. Zipped files take up less network bandwidth, and encrypted files stay encrypted if they’re archived. Regular zip files also are not secure. Free programs such as PKZip Crack, which anyone can download from the Internet (in case they forget their password, naturally), will open almost any regular zip file saved with a password.
Meta’s Thompson says that having a product such as PKZip can be an efficient way to trade sensitive information between small numbers of companies, because users can just call each other to relay the passwords, for instance. “That can be feasible if this is 20 servers and one administrator who knows what they're doing [when it comes to security].”
Password-based security is not ideal because it doesn’t scale well. How do you communicate passwords to people and change them with enough frequency? Also, many people choose poor passwords. “If your password is ‘Lucky,’ a brute force dictionary attack will defeat it,” says Thompson. But for small-scale use, passwords are simply the easiest way to go, he says. “Passwords can be secure if they're longer than eight characters and alphanumeric.”
Sending encrypted files between companies is a mandate in many industries. “HIPAA and Gramm-Leach-Bliley apply equally to every [information] transfer—it doesn't matter if you're wrapping 5 or 500 files in a batch and shipping them off,” says Thompson. Regulations such as those stipulate that companies must protect and safeguard consumers’ sensitive financial and medical data, so the easier and more automatic, the better.
The Zip format isn’t just for PCs, notes Thompson. “I think it's a little more interesting on the server side—AS/400 and Linux,” because currently the only way to zip and encrypt files is with E-Business Server from Santa Clara, Calif.-based McAfee Associates Inc. “That's a very expensive product, and it doesn't do much for you—it's a command line interface.” On the other hand, because E-Business Server has APIs for interoperating with other programs, in the future it could be more useful than a standalone zip-and-encrypt tool. Pricing for server versions of PKWare varies according to the number of processors, although a single-user license for the professional version is available for the same cost as the Windows version.
Daniel Stewart, a marketing analyst for PSC Wireless Inc. (a wholly-owned subsidiary of Public Service Communications) in Reynolds, GA, uses PKZip to secure sensitive information, such as the reports he generates on company trends, or information he shuttles between the database and marketing groups, communicating with them about new rate plans. “The data I provide is sensitive information—we are a privately owned company by one family, so we don't share our data with anybody. We recently got a new advertising agency in Atlanta and we needed a secure way to send data, because we'd have sales figures [and] statistics that we wouldn't want anyone else knowing,” he says.
Originally, Stewart tried to use Acrobat, from Adobe Systems Inc., to secure documents, but the ad agency didn’t own the full version, and in the course of his research he found PKZip. “I stumbled across the fact that they have a Linux/Unix version. Up until that point there hadn't been a GUI-based Linux product,” for zipping files, he says.
Given PSC Wireless’s array of operating systems, Stewart envisioned a match. “I have a Linux box at home, and the general manager of the company loves Linux too.” The company is a wireless provider, and its main switch is Unix-based, an industry norm, but “strangely enough our billing system is on AS/400,” says Stewart.
Stewart likes the fact that now he can encrypt any of his files with one product and unlock the files on any other machine. “I send files to my Linux box at home. PKWare offered a really good approach—a multi-platform way to share files, so I have no problems sharing Windows NT files here or Linux at home, or the advertising agency,” which is a Windows shop. He can also break large files into multiple zips to get them through the advertising agency’s 10 MB e-mail attachment size limit. The agency also didn’t balk at the price, he says.
The learning curve was nonexistent for the product, especially the Linux version, where the GUI interface just “makes everything accessible,” he says, as opposed to the normal command-line interface. Installation was also easy. “When I was installing PKZip at home, I needed some library files I didn't have so had to download those. It was surprisingly simple,” he says.
About the Author
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.