What is the difference between SEE and PGP?

Symantec Enterprise Division offers two encryption solutions\products to help you secure your sensitive data in many different scenarios.  Each of these two solutions have some of the same functionality and some overlap, however, the two operate and behave in significant ways so it's useful to know how the two encryption solutions differ, which this article will go over to help you choose the best solution for your encryption needs.

The two encryption solutions Symantec Enterprise Division offers are the PGP Encryption Solutions (SED\SEMS), and the Symantec Endpoint Encryption product line (SEE):

Solution 1: PGP Encryption Solutions

Symantec Encryption Management Server (SEMS - AKA PGP Universal Server) - This is the management server piece that will manage the encryption desktop clients on the PGP side.  It can also perform automatic email encryption when deployed in "Gateway Mode", which has many additional features for secure email delivery.
Features: Helpdesk Recovery Portal for Drive Encryption, Gateway Email Encryption, Web Email Protection Secure Email Delivery, PDF Email Secure Email Delivery, Client\Policy Management

Symantec Encryption Desktop (SED - AKA PGP Desktop)
Features: Drive Encryption, File Share Encryption (Secure NTFS Folders\Shares), Email Encryption (POP/IMAP/MAPI), Virtual Disk Encryption, File Encryption (PGPZip), Secure File Shredding

Solution 2: Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS) - Manages the SEE Clients and policy for the deployed endpoints
SEE Client (Managed by SEEMS)

Features: Helpdesk Recovery Portal for Drive Encryption, Drive Encryption, Removable Media Encryption

Both of the above encryption solutions that Symantec Enterprise Division offers will allow client management, but the management functionality is different here. 

With the PGP product, the client is managed on a "per user" basis.  This means that when the client is installed, a user is enrolled (either by the end user themselves, or invisibly depending on which option is chosen) and once enrollment is completed, the drive encryption process will start.  The user exists on the server and the machine is associated with the user.  When a Drive Encryption recovery key is needed, the Encryption Administrator will locate the user, and display the recovery key for the machine in question.  The policy for the PGP clients is applicable to the user, and not the machine.

With Symantec Endpoint Encryption, the client is managed on a "per machine" basis.  This means that when the client is installed, the machine itself can automatically start encrypting without any user intervention--in fact, once the SEE Client is installed, upon reboot, even if the user does not login to the system, encryption will start.  Once the user logs in, the user is registered to the drive encryption piece and associated to the machine.  When a Drive Encryption recovery key is needed, the Encryption Administrator will search for the machine (rather than the user), and display the recovery key for the machine.  The SEE Client will always have a recovery key even if the SEE Client never connects to the server.  All policy applied to the machine itself, not the user.

PGP Encryption Solutions
Symantec Encryption Management Server (SEMS) - This is the management server piece that will manage the encryption desktop clients on the PGP side.
Symantec Encryption Desktop (SED) - This is the client component that is installed on each endpoint and can perform all the features mentioned above in the introduction and will go over in more detail later on in this article.

PGP can run as a "standalone" product and all the features available can be used as a standalone client and does not require configuring a server to use this product.  Although it is possible to manage the PGP client (SED) by the server, it is not necessary in order to obtain the installer and get started with encryption.  In this way, if you need to encrypt only a few machines and do not need to manage any of the components with a server, PGP is likely the best choice.  The standalone MSI file can be downloaded directly from the Broadcom Support Portal.

For the Drive Encryption component, if you install as a standalone client, the end user is in full control of their recovery key and will not be managed by the server.  If you do need a server to manage the recovery key, you will use Symantec Encryption Management Server to manage this client, which provides you with limitless configuration possibilities, so using the client in a managed setting is typically the preferred option for enterprises.  

All PGP Encryption products interop with any other encryption solution that uses OpenPGP.  With Symantec Encryption, we invented the standard, so as long as other solutions that use OpenPGP do so using standard methods, PGP can interop with many other encryption solutions just fine. 

Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS)
SEE Client (Managed by SEEMS)

Symantec Endpoint Encryption requires the SEE Management Server as the SEE Client must be generated by the server itself.  The reason for this is SEE embeds encryption keys into the client and is a completely unique installer for each deployment.  Due to this unique client creation, SEE enjoys "Connectionless Recovery".  Connectionless Recovery allows a system to be encrypted and even if the client never contacts the server, a recovery key can be generated for he clients. This makes the SEE client a very attractive option when it comes to Drive Encryption, something few encryption solutions offer.

The table below displays the major feature differences at a glance between the two encryption solutions, and we will explain in more detail the different features for each solution:

Server Management

Both products support a server-client architecture. This enables server administrators to update policies, which the clients will receive when checking in with the server. PGP\SED fully supports standalone installations while SEE does not.

Encryption Desktop: Symantec Encryption Management Server (SEMS)

• OS: CentOS 7x64
• Supported Clients: Windows, Mac, Linux
• System Requirements

Endpoint Encryption: Symantec Endpoint Encryption (SEE)

• OS: Windows Server
• Supported Clients: Windows, Mac
• System Requirements

Disk Encryption

• Both products support the encryption of boot disks as well as additional internal or external disks.
  • This encryption can be started automatically or manually depending on how policies are configured.
    SEE will start encryption automatically without the need to enroll a user and has connectionless recovery.
    PGP will start encryption after the user enrolls to the Management server.
    
    
• When a boot disk is encrypted, it will brings the user to a pre-boot authentication screen when the computer is turned on after a shutdown or restart.
  • The images and text on this screen can be modified on both products
  • Both products have an "autologon" or "bypass" feature to allow seamless Windows 10 major updates without the need to run special scripts.
    
    
• After successfully authenticating, the operating system (OS) starts and the user is brought to the log in screen for the OS
  • Both products include Single Sign-On (SSO) functionality, which uses the credentials provided at the pre-boot screen to log the user into the OS

Encryption Desktop: Whole Disk Encryption

• Supports Additional Decryption Keys (ADKs) to be used to decrypt drives. This enables administrators to decrypt drives in the event users lose their password and whole disk recovery tokens
• Enrolls and manages individual users
• SED uses "user-based" policy.
• Recovery Keys are sent to the server upon user enrollment.
• Client Administrator Password is available per policy.

Endpoint Encryption: Disk Encryption

• Encryption begins automatically without user interaction by default (Even without the need to login to the system).
• "Connectionless Recovery" - No server connectivity needed in order to remotely recovery in case of a forgotten password
  Recovery keys are immediately available even w/out ever contacting the management server.
• Includes BitLocker Recovery support
• Includes FileVault Recovery support
• Windows 10 can be updated between major releases (such as 1709 and 1803) without the need to decrypt the drive or use special scripts.
• SEE Client Administrators with granular permission control
• SEE users "machine-based" policy.

External Device Encryption

Encryption Desktop: Disk Encryption

• Supports Additional Decryption Keys (ADKs) to be used to decrypt drives. This enables administrators to decrypt drives in the event users lose their password and whole disk recovery tokens
• Encrypts entire drives sector-by-sector rather than files specifically
• Supports boot drives, additional hard drives, external drives, and USB drives

Endpoint Encryption: Removable Media Encryption (RME)

• Controls access policy on removable media (no access, read-only access, and read and write access)
• Supports automatic encryption
• SEE RME encrypts files rather than entire drives
• Allows for exemption of specific file types of devices
• Files can be encrypted with a recovery certificate to enable decryption in the even the user is unable to decrypt the drive
• A Removable Media Access Utility for Windows or MacOS can be included on the removable media
  • This allows users not using SEE to access to encrypted files
• Supports USB drives as well as Bluray, CD, DVD discs

Policy Management

• Both clients can receive the initial policy from the client install. SED typically receives policy during enrollment, although "offline" policy can be manually configured. 
  SEE will always use a local policy w/out having to contact the server.  PGP can be configured to have offline policy.
• Both clients can receive policy updates by communicating with their respective server
• The policies are managed on the SEMS for SED\PGP and the SEEMS for SEE
• Both servers can connect with Active Directory (AD) to set policies based on AD groups

Encryption Desktop: Active Directory and Native Policy

• Standalone SED installation allow policies to be set locally
• SEE can be configured to use a "standalone" policy.  Contact support for more information on this.

Endpoint Encryption: Active Directory and Native Policy

• SEEMS has native policy management which is an alternative to Active Directory management.
• SEE Native policy management allows computers to have different policies applied by adding them to groups without using AD.
• SEE Native policy is simple to use while allowing highly granular control.

Server-Client Communication

Encryption Desktop: Built-in Website

• The communication between server and client occurs between the Symantec Encryption Management Server (SEMS) and the client directly
• This website is configured during the installation of the SEMS

Endpoint Encryption: IIS Web Server

• A prerequisite to the installation of the Endpoint Encryption Suite is configuring an Internet Information Services (IIS) website
• All communication between the server and client takes place on this website via secure TLS methods.

Database Configuration

Encryption Desktop: Built-in Database

• The SEMS has a built-in database which manages all necessary information

Endpoint Encryption: SQL Server Database

• A prerequisite to the installation of the Endpoint Encryption Suite is installing a supported SQL Server version

Help Desk Recovery

• In the event that a SEE user forgets their login credentials, they are able to use Help Desk Recovery at the preboot screen to log into their computer
• This feature works by storing information in the database that can be used to unlock encrypted hard drives
• SEE makes recovery keys available immediately w/out having to contact the management server. 
• SED requires an initial enrollment to complete to send a recovery key to the management server.

FileVault Management

• Both SEE and SED\PGP Allow for File Vault Management

Virtual Disks

• SED can create encrypted containers to store files/folders inside.
• SEE RME is used to encrypt individual files and folders.

Key Management

• SED supports private and public key management for use in email encryption for PGP or S/MIME encryption.
• These keys can be stored on the server, client, or on dedicated keyservers
• SEE does not offer Key management capabilities.

Email Encryption

• SED supports email encryption in standalone or server-managed mode
• An Outlook plug-in makes encrypting and signing emails simple
• Encrypted emails can be stored on the server for users without SED to access, while maintaining security
• SEE does not offer Email Encryption capabilities.

File and Folder Encryption

• SED\PGP is able to encrypt specific files or folders
• NTFS\CIFS\SMB shares are all supported and can be encrypted with File Share Encryption.
  These files/folders can be encrypted and decrypted by user keys or passphrases.
  HTTPS forms will not work with File Share Encryption. 
• SED\PGP offers Secure Shredding of files/folders.
• SED\PGP can create a "Self-Decrypting Archive" which allows users without SED to decrypt the files
• SEE RME can be used to create Self Decrypting Archives.

File Share Encryption

• File Share Encryption can be used to encrypt NTFS/CIFS shares.
• SEE does not offer File Share Encryption for NTFS/CIFS shares.

PGP Command Line

• PGP Command Line can be used to be able automate the encryption process.  Files and Folders are able to be automated via scripting to encrypt large quantities of file content.
• PGP Command Line can be used with Symantec Encryption Management Server so that all keys are stored on the server securely and no keys are stored on the local machine.

Keywords:

Difference between SEE and PGP
Difference between PGP and SEE
Difference between endpoint encryption and PGP

201122 - How Symantec Encryption Products stand out above the competition