Review: McAfee Endpoint Encryption Locks Down Endpoints
McAfee has established itself as a serious contender in the media encryption market since acquiring SafeBoot in 2008. Its latest offering in the space, Endpoint Encryption Suite 7.0, is the company’s most ambitious effort to date. The suite supports Active Directory integration and allows for the encryption of PCs and Macs, mobile devices and removable storage, all with a number of features that go above and beyond what’s provided by Windows’ BitLocker.
Administrators handle policy management, client deployment and reporting through ePolicy Orchestrator, the software’s central management console. Navigating this console, with its customizable presets that cater to most common IT environments, is straightforward.
Built-in failure prevention helps stop trouble before it begins. Endpoint Encryption employs McAfee’s EEGo technology (what it likes to call “pre-flight inspection”), which enables a client computer to check a drive multiple times prior to encryption. These checks include:
- Inspecting a drive’s health by polling its Self-Monitoring, Analysis and Reporting Technology (SMART) status (a nonvolatile test that helps ensure compromised drives are not encrypted)
- Making sure that communication can occur between a client machine and its parent server
- Verifying that no other encryption services are running on the client machine (a common mistake that too often causes problems)
- Making certain the master boot record of a given drive can be written to prior to encryption
Why It Works for IT
Though pleased with the relative ease of use of the software’s management console, I was most impressed with the diligence shown by McAfee in mitigating the drawbacks common in some other encryption solutions. The system takes speed, human error and even hardware failure into account in an effort to reliably protect data as painlessly as possible.
McAfee goes to great lengths to expedite encryption deployment. For example, using the company’s proprietary Fast Initial Encryption technology, the client software encrypts only used sectors of a target drive. In addition, McAfee Endpoint Encryption supports retention of drive encryption even when the drive is re-imaged with a new operating system. This reduces the need for IT labor and intervention while hastening the OS refresh process.
System management relies on a graphical user interface, shortening the learning curve for administrators, but still allowing for granular control of systems and policies. While it is possible to further customize settings by editing the software’s XML files, few admins will find this necessary.
The generic agent, just over 2 megabytes in size, works in conjunction with ePolicy Orchestrator to allow bandwidth throttling when the client is pushed to target machines. This ensures that client distribution has a minimal impact on the company network, thereby avoiding the slowdowns typical of most security product deployments.
McAfee Endpoint Encryption is fully compatible with Intel AMT, which allows for real-time password resets by way of a secure, pre-boot network stack when client computers are locked out.
The biggest challenge with McAfee Endpoint Encryption isn’t with the product itself, which is feature-rich and rock-solid, but quite possibly lies in selling the concept of paying for a third-party encryption solution — something Windows already does pretty well. Decision-makers need to keep this in mind when evaluating whether the added features available in this solution are worth the cost.