Lumension Device Control

Overview:

Data leakage caused by the accidental or sometimes malicious use of removable devices and/or removable media has reached alarming levels. In fact, over 85% of privacy and security professionals reported at least one breach and almost 64% reported multiple breaches that required notification.*

Lumension Device Control
Online Flash Overview (Pop-up Window will open)

Organization-wide Device Management

To enhance productivity, organizations need to provide employees and partners access to data. With more employees working remotely, access is required from outside the network. But the potential impact of data loss, be it accidental or malicious, is a very real concern. And today, removable media / devices are the most common data leakage routes -- no file copy limits, no encryption, no audit trails and no central management.

The information contained in customer and corporate data, such as personally identifiable information (PII) and intellectual property (IP), is worth billions to some. And the costs for recovery of data and lost business are rapidly rising as well: the total average cost of a data breach incident is estimated to be $6.6 million or $202 per compromised record, with the cost of lost business averaging $4.6 million or $139 per record.**

Lumension Device Control provides:

• Enforcement of removable device usage and data encryption policies
• Central management of devices and data using a whitelist / “default deny” approach
• Enablement of productivity-enhancing tools while limiting the potential for data leakage and its impact

Key Features

• Whitelist / “Default Deny”
• Policy Enforced Encryption for Removable StorageData Copy Restriction
• File Type Filtering
• Temporary / Scheduled Access
• Context-Sensitive Permissions
• Centralized Management / Administrators’ Roles
• Role Based Access Control
• Tamper-proof Agent
• Flexible / Scalable Architecture

Key Benefits

• Protects Data from Loss / Theft
• Enables Secure Use of Productivity Tools, Like USB Stick
• Enhances Security Policy Enforcement
• Delivers Precise Control with Access Limits
• Available for both stand-alone and Microsoft System Center Configuration Manager (SCCM) platform implementations

How It Works

1. Discover: Identify all removable devices that are now or have ever been connected to your endpoints through the use of a “learning” mode that allows you to collect information without disrupting business.

2. Assess: Define rules at both default and machine-specific levels for groups and individual users with regards to device access by class, model and/or specific ID and uniquely identify and authorize specific media. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory.

3. Implement: Enforce device and data usage policies by: file copy limitations (amount per day, time of day) and file type filtering. You can also enforce the encryption of data moved onto removable devices / media and apply permissions to specific and/or groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access.

4. Monitor: Continuously monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.

5. Report: Create both standard and customized reports on all device and data activity showing allowed and blocked events, which can be saved into a repository, shared via email, and/or imported into 3rd party applications. Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with internal security policies and external government and industry regulations such as SOX, NERC, HIPAA or PCI DSS.

*Deloitte & Touche and Ponemon Institute, Enterprise@Risk: 2007 Privacy & Data Protection Survey, December 2007
**Ponemon Institute, 2008 Annual Study: Cost of Data Breach Study, February 2009

Key Features:

 

User-Defined and Plug and Play Devices: Manage non-standard device types (such as iPAQ, OTEC, HTC or webcams) in the same manner as standard devices, by characterizing them and adding them to the system; also, detect Plug and Play devices "on the fly."	Improves Network Security Provides flexibility needed to handle unique needs and environments. Ensures user productivity is not disrupted by applying permissions for Plug and Play devices when detected.
Per-Device Permissions: Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even specific ID levels; for instance, restrict access rights to a specific device of a company-approved model.	Delivers Granular Permissions Control Provides greater control at lower levels for effective access management.
Uniquely Identify and Authorize Specific Media: Authorize DVD/CD collections, grant access to users or user groups, and encrypt removable media with unique IDs.	Secures Data Limits DVD/CD access to your company’s standard discs, to avoid use of unauthorized content and/or encrypts removable media to prevent unauthorized viewing.
Whitelist / “Default Deny”: Assign permissions for authorized removable devices (such as USB sticks) and media (such as DVDs/CDs) to individual users or user groups; by default, those devices / media / people not explicitly authorized are denied access.	Secures Data from Data Leakage/Theft Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage / data loss. Limits uploading of unknown or unwanted files (i.e., malware or other unauthorized files).
Data Copy Restriction: Restrict the daily amount of data copied to a removable devices (such as USB flash drives) and media (such as DVDs/CDs) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 during weekdays).	Secures Data from Data Leakage/Theft Removes risk of large amounts of data leaving your network.
File Type : Control and encrypt file types that are moved to and from removable devices (such as USB sticks) and media (such as DVDs/CDs).	Blocks Malware Attacks and Protects Data Reduces risk of sensitive files leaving your network, and unwanted files (i.e., malware or other unauthorized files) entering your network. Enables the filtering of data that is copied to removable devices and the enforcement of encryption for deeper granularity and better control.
Read-Only Access: Define any file-system based device (e.g., a floppy drive, DVD/CD writer, PCMCIA hard drive, and so on) as read-only; other device permissions include: write, encrypt, and decrypt restrictions.	Secures Data from Data Leakage Limits potential leakage paths of sensitive data.
Temporary / Scheduled Access: Grant users temporary access to removable devices / media, which can be used to grant access “in the future” for a limited period; also, grant or deny permissions to use a device during a specific time period, which permits development of sophisticated security policies where certain devices can only be used at certain times (for example, from 9 A.M. to 5 P.M., Monday to Friday).	Enhances Security Policy Enforcement Switches access on without having to remember to switch it off again later. Provides another method to manage access to sensitive data.
Context-Sensitive Permissions: Apply different permissions when the endpoint is connected to the network, when it is not, and regardless of connection status. For example, disable WiFi cards when laptops are connected to the network, but enable them when the machine does not have a wired connection to the network.	Increases Endpoint Security Provides deeper, finer-grained control over access to endpoints, reducing possible problem areas in all anticipated environments.
Offline Updates: Update permissions of remote endpoints that cannot establish a network connection; new permissions are saved to a file that is imported and installed onto the client computer.	Enhances Security Policy Enforcement Permits permission updates no matter the status of the endpoint to ensure uniform security policy enforcement.
Policy Controlled Encryption for Removable Media and CD/DVD: Administrators may centrally encrypt removable devices (such as USB sticks) and media (such as DVDs/CDs) with 256 AES, as well as forcing users to encrypt devices / media, and limiting when these devices / media can be accessed.	Increases Security Compliance Ensures that data cannot be accessed if removable devices or media are lost or stolen. Reduces the risk of data leakage / data loss. Strongest levels of encryption (256 AES) to protect data from unauthorized access.
Decentralized Encryption: Administrators can enforce policies which require users to encrypt their devices locally, freeing the users to encrypt “on the fly” and not have to wait for admin availability.	Balances Productivity and Protection Reduces your workload while still ensuring that sensitive data is not inadvertently exposed.
Easy Exchange Encryption: Data on removable media is encrypted, and can be accessed with a password using the Secure Volume Browser which is added to the media during encryption. Allows encryption onto devices as large as 128GB in storage.	Secures Data Self-contained portable encryption of large removable devices which allows authorized users access to the data while obscuring it from others.
Enforce “Strong” Password Requirements: Use existing password length and complexity rules in compliance with MS standards.	Ensures Password Consistency Reduces administrative burden and end user confusion by maintaining consistency with organization-wide policies. Increases security of password protected data saved onto removable devices / media.
Password Lockout: Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or user leaves company.	Increases Data Protection Reduces risk of hackers breaking into lost or stolen removable devices (such as USB memory drives) and media (such as DVDs/CDs) using brute force methods (e.g., “dictionary attacks”).
Syslog Support: All event, audit and diagnostic logs are compliant with Syslog protocols.	Enables Integrated Event Management Allows for event correlation to other system logs for centralized forensics. Adds more options for administrator alerts and reporting to reduce the cost of compliance.
PGP Aware: For managed PGP environments, PGP instrumented devices are recognized by Device Control. Policies controlling PGP encrypted devices can be enforced by Device Control.	PGP Encryption Perfect complementary solution to an existing or planned PGP Universal managed environment.
Filename Tracking / Full File Shadowing: Patented bi-directional shadowing technology keeps a copy of all files (i.e., entire file contents) that are read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs/CDs) on a per user (or user group) basis; can also track just file types & names; all events captured in logs and accessible by admin at any time for compliance auditing / forensics.	Delivers Audit Readiness Captures the flow of information into and out of your network. Enables you to quantify the risk and report for compliance purposes. Enables audits of filename and/or full file content for forensic purposes.
Centralized Management / Administrators’ Roles: Centrally define and manage user, user groups, computers and computer groups access to removable devices / media on the network; control precisely who can access the different components of the Management Console (for example, restrict the access to the shadowing information to only the organization’s auditors).	Delivers Precise Control with Access Limits One administrator can manage a large installation (over continents); optionally, have multiple administrators managing appropriate portions of installation. Limits access to appropriate, authorized personnel (e.g., allow auditors to audit but not change policies), and distributes workload among administrators as needed.
Role Based Access Control: Assign permissions to individual users or user groups based on their Windows Active Directory or Novell eDirectory identity, both of which are fully supported.	Reduces IT Workload and Improves Productivity Provides granular user permissions that remain with user login regardless of machine. Leverages existing directory information when enforcing policies. Reduces workload and improves productivity while enforcing security policy. Reduces setup / startup / ramp up time.
Tamper-proof Agent: Agents are installed on every endpoint on the network, and are protected against unauthorized removal – even by authorized (local) administrators. Only (enterprise) Administrators may deactivate this protection.	Secures Data from Data Leakage/Theft Protects endpoints from unintentional and/or malicious tampering; maintains security posture even in dire events.
Flexible / Scalable Architecture: Organization-wide control and enforcement using scalable client-server architecture with a central database that is optimized to reduce the database footprint. The system can be installed on a single machine for smaller organizations, and expanded to include multiple servers to support complex networks. Compatible with virtual servers, including VMware ESX and Windows 2008 Hyper-V. Endpoints can connect to one or more servers to facilitate load-balancing. A separate Management Console provides Administrative control from anywhere in the organization.	Adapts to Your Growing Business Supports entire range of organizations, from small, local startups to large, global corporations, from hundreds of endpoints to hundreds of thousand endpoints; fast growing organizations can scale installation as needs dictate. Decreases administrative costs by reducing the database footprint and increasing database query and maintenance speed. Supports server-side cost reduction in capital expenses and enables full utilization of existing infrastructure.

Requirements :

Supported Operating Systems:

	Agent	Admin	Server	Database
Windows 2000 Professional
Windows 2000 Server
Windows XP Professional
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows XP Embedded (XPe)
Windows Embedded Point of Service
Windows XP Tablet PC Edition
Windows 2008 Hyper-V
VMware Infrastructure 3

Hardware and Software Requirements:

Component
Database	Hardware	512 MB (4 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 3 GB minimum hard disk drive 100 MBits/s NIC
	Software	One of the following: Microsoft SQL Server 2005 Microsoft SQL Server 2005 Express Edition Microsoft SQL Server 2008 Microsoft SQL Server 2008 Express Edition
Application Server	Hardware	512 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 3 GB minimum hard disk drive 100 MBits/s NIC
	Software	No additional software requirements
Management Console	Hardware	512 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 15 MB hard disk drive for installation, and 150 MB additional for application files 100 MBits/s NIC 1024 by 768 pixels for display
	Software	No additional software requirements
Client	Hardware	256 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 10 MB hard disk drive for installation, and several additional GB for full shadowing (if enabled) 100 MBits/s NIC
	Software	No additional software requirements

Multi-Language Support:

Supports 12 languages on client machines; this includes Traditional Chinese, Simplified Chinese, Dutch, English, French, German, Italian, Japanese, Portuguese, Russian, Spanish and Swedish.

Documentation:

Download the Lumension Device Control Datasheet (PDF).