PCS Managed Encryption

By: Scott Hawkey, Technical Manager

Quite some time ago, in an effort to enhance our service offerings, PCS Business Systems decided to add an encryption solution product to the existing managed services portfolio.

Unfortunately for me, being the Technical Manager, this meant that the responsibility of finding, testing, and implementing this solution was going to fall on my doorstep. Despite the challenge, I embraced the task.

With this in mind, I thought I’d put a little blog post together detailing my experience of on-premises and cloud-based products, along with the pros and cons of both.

In our day-to-day operations at PCS, we look after about 450-odd managed service customers. These range from one-man-band type companies with a single server and workstation, right through to large enterprise-level organisations with hundreds of servers and thousands of workstations, and everything in between. This diversity presents its own set of unique challenges and opportunities.

So, when it came to finding an encryption solution to fit our offerings I knew it was going to be a tricky one.

The market offers a plethora of encryption solutions. Most of them require the installation of the encryption management console on-premises on one of the customer’s servers…

Now, picture this – you need to remote into hundreds of servers every day to manage the encryption. It wouldn’t just be soul-destroying, but almost impossible to manage as well. Despite this, we decided to test the products to evaluate their performance and potential benefits for our customers.

Therefore, we established a test environment in our demo lab at PCS and began testing various products.

Just for clarity, I won’t criticize any vendors. I believe that’s only fair, as many of their products are excellent and designed for non-managed service use. So, there won’t be any naming or shaming at any point.

Once the lab was set up, we started to roll out our first test product, which offered full disk encryption, to our various test laptops. At this point it became apparent that this was going to be a nightmare.

In short, the first test didn’t go well for the following reasons:

  • Complicated management console installation
  • Client software deployment disruptive to the end user
  • Windows feature updates meant the disk had to be decrypted and re-encrypted 4 times a year?

To be fair, once I’d got to this point I was out with this product. I’ve only listed 3 things I don’t like about it, but I can assure you that there were going to be many more. Either way, this wasn’t the product for us.


So on to the next encryption solution.

The next one was a cloud-based encryption product which managed the native device encryption on Windows and Mac devices.

My first impressions were good: it was very easy to set up and the deployment was straightforward. I completed a sync with the test Active Directory I had created to pull the test user accounts into the cloud portal. I then created the deployment packages relevant to each operating system and we were ready to deploy.

Ah… This is where the stumbling blocks came in. The product was fine if you just wanted to ensure the native encryption (BitLocker and FileVault) was enabled; that’s pretty much all it did.

That being said, not all Windows operating systems include BitLocker. For example, Windows 7 Professional doesn’t, which meant that we were unable to offer this solution to our customer base, because, believe it or not, lots of customers still run Windows 7.

Not only that, the product didn’t offer any back-end functionality. You couldn’t wipe the data from the device if it was lost or stolen. All it pretty much did was report on the encryption status and manage the BitLocker/FileVault keys, so, again, this wasn’t the one for us.

Although the two product tests we completed had not given us a solution, they had given us a whole list of things that we would require if we were going to offer this solution as “managed” to our customers.

The research began again. We did trial another two products, but we came up against almost identical issues to those above.

We were almost at the point where we felt that there just wasn’t a product out there that would enable us to add this service to our portfolio.

Then, out of the blue, we found the encryption solution we were looking for. After months of research we found ourselves a product that did pretty much everything we needed and could be fully tailored to our offering and to how we work as an MSP.

The product ticked a lot of the boxes for us.

  • Cloud-based centralised management console
  • Simple to deploy and manage
  • Enabled use of sub-accounts for our customers
  • Provided encryption for pretty much all Windows/Mac operating systems
  • Offered back-end remote management tools
  • Mobile device management
  • External storage management

So, we set about running a trial in our lab. As mentioned above, there is nothing to install on-site; it’s all cloud-based, which makes for a very simple setup. Device agents are created automatically and can be deployed via Group Policy or similar, and navigation through the menus was clear and easy.

The product itself, and the way it manages encryption, was very similar to a previous product we had tested, but this one offered lots more functionality.

We were able to manage the native encryption on Windows and Mac devices and also provide encryption to Windows devices that didn’t natively have BitLocker enabled. The back-end functionality was awesome; it gave us the ability to:

  • Deactivate devices
  • Mark devices as lost or stolen, which removed the encryption keys, effectively making the data on the device useless
  • Check the encryption status of the device
  • Apply back-end policies
  • Full device reporting
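The two things every product above reported on, whether BitLocker is available on the edition at all and whether each volume is encrypted, protected and has an escrowable recovery key, are easy to see for yourself on a single endpoint. The script below is an added example written for this post; it is not code from the post or from any of the products it describes. It assumes Windows 8/Server 2012 or later with the BitLocker PowerShell module (Get-BitLockerVolume) and PowerShell 3 or later; on an edition that does not ship BitLocker, such as Windows 7 Professional, the module is absent and the report says so instead of failing.

```powershell
# Added example (not part of the original post or any vendor product).
# Builds the kind of per-endpoint report a managed-encryption console
# collects: BitLocker availability, and for each volume its encryption
# status, protection status and which key protectors are present.
# Assumes: Windows 8 / Server 2012+, PowerShell 3+, run elevated.

function Get-EndpointEncryptionReport {
    $report = New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        BitLockerAvailable = $false
        Volumes            = @()
    }

    # The BitLocker module is absent on editions without BitLocker
    # (e.g. Windows 7 Professional), so native encryption cannot be
    # managed there without a third-party agent.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return $report
    }
    $report.BitLockerAvailable = $true

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $report.Volumes += New-Object PSObject -Property @{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType         # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = $vol.ProtectionStatus   # On or Off
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($protectors -join ',')
            # A RecoveryPassword protector is what a console escrows so the
            # key can be retrieved, or deleted, centrally.
            HasRecoveryPassword = [bool]($protectors -contains 'RecoveryPassword')
        }
    }
    return $report
}

# Usage: flag what a managed console would treat as non-compliant.
$r = Get-EndpointEncryptionReport
if (-not $r.BitLockerAvailable) {
    Write-Warning "$($r.ComputerName): BitLocker is not available on this Windows edition"
}
foreach ($v in $r.Volumes | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    if ($v.ProtectionStatus -ne 'On' -or -not $v.HasRecoveryPassword) {
        Write-Warning ("{0} {1}: status={2}, protection={3}, recovery password present={4}" -f
            $r.ComputerName, $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus, $v.HasRecoveryPassword)
    }
}
$r.Volumes | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, KeyProtectors -AutoSize
```

The "mark as lost or stolen" action in the list above is the console-side counterpart of the last column: once the escrowed recovery password is deleted and the device's own protectors are removed, nothing can unlock the volume, which is why the data becomes useless without any wipe having taken place.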

This, coupled with the fact that we were also able to provide full encryption and remote management for removable storage and mobile devices (phones, tablets, etc.), meant that we had found our product.

After many months of testing in the lab, and eventually rolling the product out to the live PCS network, we were ready to take the product to market.

With GDPR (General Data Protection Regulation) on the horizon, we couldn’t have timed it better. If you’re not aware of the new regulation that comes into effect on the 24th of May, then you must have been on another planet for the last 18 months.

In short, GDPR is being brought in to protect personally identifiable information. I won’t go into the full details around it; you can read all about it on the ICO website if you want to find out more.

The protection of data is key under the GDPR, and devices that contain personally identifiable information are mentioned a few times as an example.

Encryption is mentioned in Article 32 of the GDPR, “Security of Processing”.

The initial response to our managed encryption product has been great. We have rolled it out to laptops, desktops, mobile phones and tablet devices en masse and have had some really good feedback from our customers on it.

If you want to find out a little bit more about our encryption product, please take a look here; alternatively, get in touch and I’ll be happy to run through it with you.