Venafi Encryption Director was the easiest of the three products to deploy. There was no fiddling with server applications to apply standards-based connectors, or to install add-on encryption modules.
Because Venafi works in partnership with application and OS vendors, getting Encryption Director to work with any supported application is generally very straightforward.
Encryption Director also supports a variety of devices, such as IBM storage systems, where encryption keys for on-drive whole-drive encryption and for tape encryption are stored in the Venafi system and provided on demand to the storage subsystem.
The Venafi software is installed on a Windows 2003 server, and uses Microsoft SQL Server. Installation was straightforward, and fast. There are three versions: a monitoring version, an enrollment version, and a provisioning version.
Each subsequent version adds more functionality. The base version offers discovery, reporting and logging, escalation, policy-based management and self-service portal. The enrollment version adds network validation, certificate authority enrollment, and workflow. The provisioning edition adds automated key generation, platform life-cycle management, application configuration, distributed key generation, base application modules and onboard validation.
The discovery engine looks for applications on systems accessible to the scanner and reports on known applications that use certificates or keys. It won't find unsupported applications or find all routers that have SSL enabled, but given the often chaotic state of enterprise networks and the plethora of keys and certificates in use throughout the network, it works very well.
Once applications are discovered, the Systems Management for Encryption (SEM) engine allows the administrator to take over administration of the keys and certificates of those applications (assuming that the administrator has the appropriate permissions, of course). Existing certificates or keys can be imported into the system, or new ones can be generated and policies set as to how often they need to be renewed.
Venafi can automate the process of installing certificates on supported systems, which is a great benefit in itself. Suppose, for instance, that a decision has been made to move from 1,024-bit certificates to 4,096-bit certificates. Normally this would entail generating new certificates for each system, copying the file to the system and installing it through the application. This entire process is automated, resulting in a huge time savings to the admin. This same automation also applies to renewals of certificates, allowing the admin to regularly update certificates to lessen the possibility of compromised keys.
The policy engine works as one would expect, providing the ability to respond to changes in the system dynamically, notifying the administrator if policies are violated, issuing keys of the appropriate strength for a given application, and ensuring that keys are issued, renewed or revoked as needed.
Administrators can be given granular rights to administer a particular application, group, domain or the entire enterprise. Reporting and auditing functions work well, and are extremely useful, making security audits much easier in these days of PCI and lawsuits over data loss. Admins can be given three increasing levels of authentication, from strong passwords to hardware-based certificates.
Venafi offers a wide range of monitoring and auditing features, including testing of certificates to ensure proper functioning, tracking of expiration of certificates, auditing for appropriate encryption strength and notifying admins of breaches or errors. Workflow capabilities allow a sign-off process to be enabled within the software for items that should have approval from purchasing authorities, such as adding certificates from trusted authorities.
The Venafi server can be configured for automated encrypted backup of the critical data stores, and can be configured in a failover dual-server setup.
With relatively low pricing that runs $75 to $275 per managed system, Venafi Encryption Director is easy to get started with and very effective. It doesn't have the hardened FIPS certification that Thales offers, but is easier to install and use.
