The rapidly growing issue of data leakage due to the
accidental or sometimes malicious use of removable media
devices (such as USB sticks, CDs, DVDs, etc.) has reached
alarming levels. In fact, over 85 percent of privacy and
security professionals reported at least one breach and
almost 64 percent reported multiple breaches that
required notification. ¹ Information such as customer
data, personally identifiable information (PII),
corporate data such as financials, and intellectual
property such as product specs are worth billions to
some. And the costs for recovery of data, customer
notification, loss of brand equity and ultimately lost
business are rapidly rising as well with the average
yearly cost up to $6.3 million².
Sanctuary Device Control from Lumension Security prevents
data loss and theft by enforcing removable device use
policies to control the flow of inbound and outbound data
from your endpoints. Ensuring the protection of data-at-rest
or data-in-motion, Sanctuary Device Control can:
- Identify all the devices that are currently connected or have ever been connected to network assets
- Protect against data theft and data loss
- Enforce the encryption of information transferred to removable media, including USB sticks, CDs, DVDs and more
- Control and manage any removable devices through any ports including USB, FireWire, WiFi, Bluetooth, etc.
- Deliver detailed forensics of device usage and data transfer
- Prevent malware introduction via removable media
1. Deloitte & Touche and Ponemon Institute, Enterprise@Risk: 2007 Privacy & Data Protection Survey, December 2007
2. Ponemon Institute, 2007 Cost of Data Breach Study, November 2007
Sanctuary Device Control Overview:
Sanctuary Device Control from Lumension Security
enforces enterprise-wide usage policies for removable
devices and data (such as read/write, encryption). Using
a whitelist / “default deny” approach, administrators
can centrally:
- Manage and control access of any “plug and play” device by class, model and/or specific ID;
- Uniquely identify and authorize specific media;
- Implement file copy limitations (amount per day, time of day) and file type filtering;
- Enforce encryption policies for data moved onto removable devices / media;
- Apply permissions to specific and/or groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access;
- Create role-based Admin accounts (e.g., for regional sites);
- Save a copy of the entire file being moved using the patented bi-directional shadowing technology, or just log the file name; and
- Create both standard and customized reports on all system activity, which can be saved into a repository, shared via email, and/or imported into 3rd party applications.
Sanctuary Device Control from Lumension Security
enables organizations to embrace productivity-enhancing
tools while limiting the potential for data leakage (and
the impacts thereof).
Device Control and USB Security for the Enterprise
USB memory drives, FireWire external hard-drives,
CD/DVD burner drives, PDAs / smartphones, scanners, MP3
players / iPods, and digital cameras are scattered
throughout offices around the world. While these devices
enable increased collaboration and productivity, they
also create risk of data being lost, misused or stolen.
Sanctuary Device Control from Lumension Security
provides organizations centralized “on-the-fly”
management of removable devices / media without impeding
productivity. Furthermore, automated agent installation
on endpoints minimizes administrative and end-user
training costs.
Proactive Approach to Data Protection
Sanctuary Device Control from Lumension Security
provides proactive data protection using a whitelisting
or “default deny” approach: endpoints (e.g., desktops,
laptops) can only be accessed by explicitly authorized
devices, while all other devices are prohibited by
default. Not only does this provide the flexibility
required to promote new productivity tools while
enforcing policies which reduce risk, it eliminates the
need to keep up with the ever-changing landscape (new
devices, new people, new threats) that organizations
face daily. This reduces the security workload, allowing
organizations to focus on more strategic activities such
as developing more robust security policies.
Complete Control over Data Transfer and Port Access
Sanctuary Device Control from Lumension Security
enables administrators to quickly establish and
enforce data protection policies by rapidly
identifying all devices that are now or have ever
been connected to the network, and via which
endpoints and ports. Permissions can be assigned to
specific users and/or groups of users (both on- and
off-line), devices (including class, manufacturer or
even specific ID), ports and endpoints. These
permissions can be linked to the user and user group
information stored in Microsoft Active Directory or
Novell eDirectory. Data usage restrictions can
include file copy limitations (amount per day, time
of day), file type filtering and forced encryption.
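The permission model described above (whitelist by device class, model or specific ID, granted to directory groups, with scheduled access, file type filtering, daily copy limits and forced encryption) as a worked example. This is added illustration code, not Sanctuary's own code or policy format; every rule and request field name is hypothetical, and the sample policy in the comments is constructed.

```python
# Added example (not Sanctuary's own code or policy format): a minimal
# whitelist / default-deny evaluator for removable-device requests, modelled
# on the permission dimensions the datasheet lists. All names are hypothetical.
from dataclasses import dataclass

@dataclass
class Rule:
    group: str                      # directory group the rule is granted to
    device_class: str               # e.g. "removable_storage", "dvd"
    model: str = "*"                # "*" = any model
    device_id: str = "*"            # "*" = any unique media/device ID
    access: str = "read"            # "read" or "readwrite"
    encrypt: bool = False           # force encryption of data written
    hours: tuple = (0, 24)          # scheduled access window [start, end)
    daily_quota: int = 0            # bytes per user per day, 0 = unlimited
    blocked_ext: frozenset = frozenset()   # file types never written

@dataclass
class Request:
    groups: frozenset               # the requesting user's directory groups
    device_class: str
    model: str
    device_id: str
    op: str                         # "read" or "write"
    hour: int                       # hour of day, 0-23
    filename: str = ""
    size: int = 0
    used_today: int = 0             # bytes this user already copied today

def evaluate(rules, req):
    """Most specific matching rule decides; no match at all means deny.
    Writes are additionally checked for file type, daily quota and encryption."""
    ordered = sorted(rules, key=lambda r: (r.device_id != "*", r.model != "*"),
                     reverse=True)
    for r in ordered:
        if r.group not in req.groups or r.device_class != req.device_class:
            continue
        if r.model not in ("*", req.model) or r.device_id not in ("*", req.device_id):
            continue
        if not r.hours[0] <= req.hour < r.hours[1]:
            return "deny", "outside scheduled access window"
        if req.op == "read":
            return "allow", "matched whitelist rule"
        if r.access != "readwrite":
            return "deny", "read-only permission"
        ext = req.filename.rsplit(".", 1)[-1].lower() if "." in req.filename else ""
        if ext in r.blocked_ext:
            return "deny", f"file type .{ext} filtered"
        if r.daily_quota and req.used_today + req.size > r.daily_quota:
            return "deny", "daily copy limit exceeded"
        return ("allow-encrypted" if r.encrypt else "allow"), "matched whitelist rule"
    return "deny", "no whitelist rule matched (default deny)"
```

Each decision tuple is also the natural input to the audit log the datasheet describes: who, which device, which operation, and why it was allowed or refused.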
Comprehensive USB Security and Auditing Capabilities
A comprehensive log of every event (e.g., attempts
to connect what device to which endpoint via what
port), whether allowed or not, is generated.
Optionally, Lumension Security’s bi-directional
shadowing technology can capture and retain a full
copy of all data written to and/or read from
removable devices (e.g., USB flash drives,
CDs/DVDs).
This detailed information is valuable in quantifying
risk to the organization. In addition, it helps
demonstrate compliance with data protection
regulations and standards such as SOX, HIPAA or PCI
DSS. Finally, it is invaluable for forensic,
after-the-fact event re-creation.
Features & Benefits:
| Feature | Function | Benefit |
| --- | --- | --- |
| Whitelist | Assign permissions for authorized applications to users or user groups; by default, those not authorized are not allowed | Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage |
| Policy Controlled Encryption for Removable Media and CD/DVD | Administrators may centrally encrypt removable media and CD/DVDs, or force users to encrypt media and CD/DVDs at the time of use | Ensures that sensitive data is not inadvertently exposed to those without authorized access |
| Uniquely Identify and Authorize Specific Media | Authorize DVD/CD-ROM collections, grant access to users or user groups, and encrypt removable media with unique IDs | Limits DVD/CD-ROM access to company standard discs to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing |
| Flexible Policy with Granular Control | Permission settings include read/write, scheduled access, temporary access, online/offline, I/O bus type, HDD/non-HDD devices and much more | Eliminates risk of unauthorized devices connecting to the network while providing the flexibility users demand |
| Plug and Play Devices | Detect Plug and Play devices "on the fly" | Ensures user productivity is not disrupted by applying permissions for Plug and Play devices when detected |
| Patented Bi-Directional Shadowing Option | Shadowing technology records data that is read from and/or written to a removable device | Captures the flow of information into and out of your network, reducing risk and containing data leakage |
| Data Copy Restriction | Restrict the daily amount of data copied from an endpoint to a device on a per-user basis | Removes risk of large pieces of confidential information leaving the network |
| Role Based Access Control | Assign permissions to a user/user group based on their Active Directory or eDirectory identity | Provides granular user permissions that remain with the user login regardless of machine |
| PGP Whole Disk Encryption | Administrators may optionally enforce standard FIPS-compliant encryption technology with centralized encryption key management and support for large secondary hard drives, provided by PGP Whole Disk Encryption | Ensures that data on external devices can be protected with FIPS-validated encryption |
| File Type Filtering | Control the type of files that are moved to and from removable devices | Reduces the risk of unwanted files (or malware) entering and sensitive files leaving the network |
| Password Lockout | Lock out users after three failed password attempts | Reduces the risk of hackers breaking into lost or stolen devices |
| Password Recovery | Recover access to devices when passwords are forgotten or a user leaves the company | Enables recovery of encrypted data on devices |
| Multi-Language Support | Supports 12 languages on Sanctuary client machines | Improves user experience in international organizations |
| 64-bit Platform Support | Utilize and protect powerful 64-bit business infrastructure with Sanctuary, including agent support for 64-bit Windows Server 2003, Windows XP and Windows Vista as well as 64-bit support for SQL Server 2005 | Delivers device control capabilities for both 32- and 64-bit platforms |
Requirements:
Supported Device Types:
- Biometric devices
- COM/serial ports
- DVD/CD drives
- Floppy disk drives
- Imaging devices/Scanners
- LPT/parallel ports
- Modems/Secondary network access devices
- Palm handheld devices
- Plug and Play devices
- Printers (USB/Bluetooth)
- PS/2 ports
- Removable storage devices
- RIM BlackBerry handhelds
- Smart Card readers
- Tape drives
- User Defined devices
- Windows CE handheld devices
- Wireless network interface cards
Supported Connectivity:
- USB
- FireWire
- Bluetooth
- WiFi
- PCMCIA
- PS/2
- LPT
- IrDA
- IDE
- COM
- S-ATA
- SCSI
Supported Platforms (agent, console, server and database; 32 = 32-bit only, 32 and 64 = both):
| Platform | Version | Agent | Console | Server | Database |
| --- | --- | --- | --- | --- | --- |
| Windows 2000 Professional | SP4+ | 32 | 32 | - | 32 |
| Windows 2000 Server | SP4+ | 32 | 32 | 32 | 32 |
| Windows XP Professional | SP2+ | 32 and 64 | 32 | - | 32 |
| Windows Server 2003 | SP1/SR2+ | 32 and 64 | 32 | 32 | 32 and 64 |
| Windows Vista | | 32 and 64 | - | - | - |
| Windows XP Embedded (XPe) | SP2+ | 32 | n/a | n/a | n/a |
| Windows Embedded Point of Service (WEPOS) | SP2+ | 32 | n/a | n/a | n/a |
| Windows XP Tablet PC Edition | SP2+ | 32 | n/a | n/a | n/a |
| Citrix Access Gateway 4.2 | | Yes | n/a | n/a | n/a |
| Citrix Access Gateway 4.5 | | Yes | n/a | n/a | n/a |
| Citrix Presentation Server 4.0 for Windows Server 2003 (SP1/SR2+) | | 32 | n/a | n/a | n/a |
| Citrix Presentation Server 4.5 for Windows Server 2003 (SP1/SR2+) | | 32 and 64 | n/a | n/a | n/a |
| SQL 2005 Express Edition | SP2+ | n/a | n/a | n/a | 32 |
| SQL Server 2000 | SP4+ | n/a | n/a | n/a | 32 |
| SQL Server 2005 | SP2+ | n/a | n/a | n/a | 32 and 64 |
Hardware Requirements:
| Component | Disk space | Memory | Other |
| --- | --- | --- | --- |
| Agent | 8 MB free disk space for program files; 15 MB for the installation. With Shadowing enabled, disk space requirements could grow up to several GB (depending on intervals between logging onto the network) | 256 MB (512 MB recommended) | |
| Management Console | 150 MB free disk space for program files; 15 MB for the installation | 128 MB (512 MB recommended) | Display: 1024x768 |
| Application Server | 4 MB free disk space for program files; 15 MB for the installation | 128 MB (512 MB recommended) | MDAC v2.6 SP1 or later, if you are using Windows 2000 Server |
| Database | 1 MB free disk space for program files; 40 MB for the installation. From 10 MB up to several GB for data (depending on the number of users) | 512 MB (2.0 GB recommended) | Microsoft SQL Server 2000 SP4; Microsoft SQL 2005 SP1; Microsoft SQL 2005 SP1 64-bit; SQL Server 2005 Express Edition (requires Microsoft .NET Framework 2.0). MDAC v2.6 SP1, if using Windows 2000 Server |