The Encryption Anywhere Data Protection Platform

Transcription

1 The Encryption Anywhere Data Protection Platform A Technical White Paper 5 December Brannan Street, Suite 400, San Francisco CA Fax

2 For more information, contact GuardianEdge Technologies Inc ( ) 475 Brannan Street, Suite 400, San Francisco CA Fax

3 Introduction The explosive growth of mobile computing devices has created a new set of challenges and opportunities for the enterprise. On one hand, mobile devices such as laptop computers, PDAs, smart phones and removable storage devices enable enterprise organizations to operate in real time by reducing the duration and latency of business processes and activities. 1 On the other hand, these devices represent a growing source of vulnerability because they are highly susceptible to theft and misuse. Without proper protection, the advantages these devices bring to the enterprise are offset by risks associated with loss or theft of sensitive information. Encryption is a powerful technology for securing data on mobile computing devices, but there are significant obstacles to implementing encryption services for mobile devices throughout the enterprise. It is extremely difficult to identify all the personal and corporate-issued devices that exist within the corporate IT environment, much less to manage the heterogeneous mixture of operating systems and access ports that exist on these devices. Traditional encryption software solutions do not possess the integrated and interoperable device/platform management capabilities that are necessary for managing vulnerability at the enterprise level. As a consequence, most IT security managers use encryption on a limited basis for a select number of devices. This White Paper explains how GuardianEdge Technologies is working to remove the obstacles to enterprise-wide encryption with the Encryption Anywhere data protection platform, a modular framework that unifies all encryption services under a unified architecture while harnessing existing native network services and management tools. 1 Monica Basso, Real-Time Enterprise: The Mobility Dimension. Gartner Research Page 1 of 15

4 Protecting Enterprise Data with Intelligent Technology GuardianEdge Technologies has developed the Encryption Anywhere platform with the vision of reducing the cost and complexity of enterprise data protection. As a framework, the Encryption Anywhere platform realizes this vision by delivering the following primary features: A modular architecture that enables organizations to add additional services to an integrated system as new devices are introduced into the corporate network A single point of control through which to manage encryption-related services such as policy management and key recovery for a distributed, heterogeneous network of target devices such as hard disks and removable storage devices Seamless integration with native network services such as Active Directory and standard management interfaces such as the Microsoft Management Console After defining the functional, architectural and interface components of the Encryption Anywhere platform, this paper will provide detailed descriptions of how these features enable organizations to reduce the cost and complexity of protecting data across the enterprise. Encryption Anywhere: Functional Components The Encryption Anywhere platform is based on a modular design that contains two main functional components. These components operate across the Encryption Anywhere platform and are integral to understanding the Encryption Anywhere architecture. Framework module This module defines shared installation settings and policies that apply to more than one Encryption Anywhere application. The Framework module is required for all Encryption Anywhere applications and enables functions that are common to multiple applications to be factored out and defined in one place, thus avoiding redundancies and potential inconsistencies between the applications. Application module The Encryption Anywhere platform supports multiple application modules which can be added to the Encryption Anywhere platform as the security requirements of the organization change over time. In general, each application module contains applicationspecific functionality. This document describes the Application Module for Encryption Anywhere Hard Disk, the first application delivered through the Encryption Anywhere platform. Page 2 of 15

5 Encryption Anywhere: Interface Components In general, the Encryption Anywhere platform contains two main user interfaces; the Management Console and the Client Console. The Management Console The Encryption Anywhere Management Console provides a centralized interface for controlling framework and application settings, enabling administrators to perform the following actions: Organize domains into functional groups of users and computers, and manage those groups from a central location Define Encryption Anywhere installation settings, which establish the behavior of computers and the rights of users in a targeted group Push out installation settings and software to create client modules, including the Client Console, on distributed computers Define and push out policies that override the installation settings Monitor compliance and status of the client computers and users The Client Console The Encryption Anywhere Client Console is installed through the Management Console onto target devices such as laptops and PDAs, providing a common user interface for client-based controls. The Client Console contains panels that reflect the installation settings and displays the policies chosen by policy administrators. The Client Console also provides the user interface for encrypting and decrypting data and reports important data about user accounts and disk encryption characteristics. In addition to the framework interface components, Encryption Anywhere Application Modules may also include their own application-specific interfaces. In the case of the Encryption Anywhere Hard Disk application module, there is a pre-windows Hard Disk authentication interface that prevents Windows from starting until an Encryption Anywhere user authenticates with a password or Smart Card. This interface can also lock out non-administrative users if required time-sensitive network connections (a check-in performed for security reasons) do not take place. Page 3 of 15

6 Encryption Anywhere: Architectural Overview Encryption Anywhere: Overall Architecture The Encryption Anywhere architecture encapsulates four elements of the IT infrastructure, as illustrated in Figure Figure 2: Overview of Encryption Anywhere 1. Encryption Anywhere Client: The client is where the encrypted data resides. Encryption Anywhere s Framework Module provides a common interface (the Client Console) on each client for common services ( account settings ) such as user authentication and password recovery. Meanwhile, the Application Module in each client contains encryption capabilities and application-specific components. In the case of Hard Disk, the Application Module supplies a pre-windows authentication component that prevents Windows from loading until an Encryption Anywhere user authenticates. 2. Active Directory: Active Directory is a central component of Windows and a proven method for enabling centralized management of distributed clients. To control Active Directory environments, Microsoft has supplied a modular interface called Microsoft Page 4 of 15

7 Management Console (MMC). The Framework and Application Modules exist in Active Directory as a set of snap-ins for MMC, through which Encryption Anywhere inherits capabilities such as deployment of MSI installation packages and Group Policy Objects (GPOs). 2 Figure 3: Microsoft Management Console with Encryption Anywhere In Encryption Anywhere, policy administrators are given instruction on how to place MSI files into the Initial Settings area of the Group Policy Object Editor and to use this interface to distribute the MSI files. However, MSI files give a customer the option of distributing the installation settings as they would any normal Microsoft installation file, using any distribution method they choose. 3. Active Directory Application Mode (ADAM) ADAM provides a hierarchy that functions very much like Active Directory, while being a separate data tree where Encryption Anywhere can store its own data without affecting the AD schema of an organization. ADAM comes with built-in support for backup, replication, and mobility. Encryption Anywhere uses ADAM as a robust management and recovery system for framework-level and application-specific encryption keys. 2 For organizations that do not use Active Directory, Encryption Anywhere can operate as a standalone directory server. In such instances, data is made accessible via LDAP and deployment can be supported by Tivoli, SMS, Zenworks, Marimba and similar technologies. Page 5 of 15

8 4. Help Desk When a user forgets his password, an organization s Help Desk can use ADAM to provide the secure and controlled access to the user s data encryption key. The technician can use either Encryption Anywhere s One Time Password program or the program s emergency data recovery program to regain access to encrypted data on the computer. Additionally, individual users can recover lost passwords without Help Desk assistance using Encryption Anywhere s built-in Authenti-Check self-service password recovery methodology. Encryption Anywhere: Client Architecture The Encryption Anywhere Client Framework delivers the following shared services through the Client Console interface: a. A user authentication interface: Users can authenticate themselves for all Encryption Anywhere applications using a single interface that supports authentication from passwords and PKI smart cards 3. b. Single Sign-On authentication interface: Encryption Anywhere supports Single Sign-On with the Windows login. When Single Sign-On is activated, a user only needs to login once to launch Windows and Encryption Anywhere s applications. c. Password recovery services: When users forget their passwords, the Client Framework provides a user interface and logic that will enable users to activate Encryption Anywhere s Authenti-Check self-service password recovery methodology, or to enter a One Time Password, generated remotely and provided by the Help Desk. d. Lost Smart Card one-time access services: When users lose their smart cards, they can contact the Help Desk for a One-Time Password that will allow them to access their encrypted data until a replacement smart card is provided. 3 Encryption Anywhere integrates directly into a company s existing PKI environment and supports tokens (smart cards and USB tokens) that utilize PKCS #11 access and X509 certificates. Encryption Anywhere does not change or alter the PKI card and key management system. Nor does it provide PKI key management, key recovery, certificate issuance or certificate revocation. Also, Axalto smart cards and Safenet USB tokens are supported by Encryption Anywhere. For additional support, contact your GuardianEdge Technologies representative. Page 6 of 15

9 e. User Management interface: Adding new Encryption Anywhere users is performed through a single user interface. Once users are added, they have access to all installed Encryption Anywhere applications. f. Authenti-Check setup interface: Encryption Anywhere includes a single user interface for creating Authenti-Check question-and-answer pairs for each user. These question-and-answer pairs are used to recover and reset passwords without intervention by the help desk. The client element of Encryption Anywhere (Figure 3)is the most significant component of the overall architecture and is where the actual encryption of data takes place Figure 3: Overview of the Encryption Anywhere Client Page 7 of 15

10 1. Client Application Module Encryption Anywhere Hard disk provides the easiest and most comprehensive method for protecting data stored on a computer hard disk. This application module encrypts the entire hard drive, including the Windows operating system, swap files, hibernation files, paging files, executables and all data stored on the hard drive. Before users can access their hard drives, they must authenticate to the Encryption Anywhere Hard Disk application; once authenticated, users gain access to the Windows operating system and all applications and data. The Hard Disk encryption engine operates dynamically so that encrypted sectors are decrypted only when accessing and loading data from those sectors into memory. Furthermore, all data is always written to the hard disk in an encrypted state. 2. Common components The Encryption Anywhere Common Component subsystem provides a range of services that are used by the encryption application and the framework subsystem, all of which are invisible to a user. For example, when the Framework subsystem wants to authenticate a user, it will display (or intercept the Windows login when Single Sign-On is active) a user interface where the user will enter a user name, domain and password. The Framework will pass the user name, domain and password to the Common Component Authentication module. The Common Component Authentication module will determine if this is a valid user and notify the Framework subsystem of the results. 3. Client database The Encryption Anywhere Client Database is the repository for user policies, computer policies and encryption application data. The Client Database is comprised of two parts: the Windows registry and the Encryption Anywhere file system (EAFS). The Windows registry is where Active Directory stores the data and policies that are pushed to the client, and this registry data is considered part of the Client Database. The Windows registry data is automatically updated by Active Directory while the computer is connected to the network at an interval set by domain administrators. EAFS, on the other hand, is specific to the Encryption Anywhere Hard Disk application module. The Client Database Encryption keys are encrypted and stored securely in the Client Database, and these encrypted keys are also automatically transmitted to the Active Directory Application Mode (ADAM). If the Client Database is Page 8 of 15

11 damaged or lost, encrypted data can be recovered using the keys stored in ADAM. Now that the structure and function of Encryption Anywhere have been explained, this paper shall describe how Encryption Anywhere technology can simplify the use and management of data encryption at the enterprise level. Page 9 of 15

12 Optimizing Encryption Services for the Enterprise Deployment In a managed enterprise environment, software must be installed rapidly and in great quantities with minimal interruption of normal user activity. Some traditional encryption technologies support this capability, but they require separate installation procedures for each application. It is unlikely that an organization could run installation procedures for all client types (hard disks, files and folders, PDAs, smart phones, removable storage devices, etc.) in rapid succession without putting a drain on administrator resources and user productivity. Encryption Anywhere solves this problem through seamless integration with Active Directory. Using the Management Console, a policy administrator defines Framework installation settings, and then pushes them out together with the Framework client software in the form of a Microsoft Installation (MSI) package. When this Framework MSI runs on a client, it installs the Framework client software and stores the Framework installation settings in the registry. The Framework client software includes the Client Console populated with non-application-specific panels, and a number of modules without UIs that perform shared functions. The same process must then take place for each application. Again in Encryption Anywhere 1.0, the only application is Hard Disk. Using the Management Console, a policy administrator defines Hard Disk installation settings, and then pushes them out together with the Hard Disk client software in the form of an MSI package. When this Hard Disk MSI runs on a client, it installs the Hard Disk client software and stores the Hard Disk installation settings in the registry. The Hard Disk client software includes additional Client Console panels, the pre-windows authentication module, and a lowlevel disk driver that performs encryption and decryption in the background. By using MSIs for installation settings, Encryption Anywhere creates an extra guarantee of reliability by giving users a standard way to load settings and begin using Encryption Anywhere even if they are not able to access Active Directory for some reason. Policy Management Policy administrators may, from time to time, define and push out policies that reflect changes in the Encryption Anywhere environment, such as the addition of client administrators. These policies are in the form of Active Directory Group Policy Objects (GPOs). A user or computer may or may not have a GPO. If no GPO has been issued, the baseline or default policy originally installed in the form of an MSI package continues to apply; if a GPO exists, the GPO provides the active policy. Note: Even when Page 10 of 15

13 GPOs are pushed out, the installation settings are never overwritten; they remain on the client computers with their original values and can be restored. An advantage of GPOs is that various policy administrators can create them at different levels of an organization and Active Directory takes care of resolving any overlaps according to well-defined rules of precedence. Administrators can check the results of this process by using Microsoft tools like the Resultant Set of Policy (RSoP). Key Management Whenever encryption technology is used in an organization, it is important to have a robust key management system. Traditional encryption technologies are not integrated to the point where they can consistently share common keys among multiple applications, and do not scale well in enterprise environments. The Encryption Anywhere framework uses ADAM as a means of delivering a shared key management system for all Encryption Anywhere applications. When Encryption Anywhere is installed on a client, the common components onboard the client automatically upload encryption keys for each user to the ADAM server, which encrypts 4 and stores all keys. This method simplifies key management for administrators and streamlines the authentication procedure for each user. ADAM can be thought of Active Directory light and it contains a well defined schema reflecting the Encryption Anywhere key management and recovery and user status data. The Client Console and the Management Console use the Lightweight Directory Access Protocol (LDAP) when accessing the ADAM database. Policy administrators use the Management Console s Client Monitor snap-in, which displays the status data stored in ADAM, to track client compliance. Password and Data Recovery Password recovery is often a time-consuming procedure for Help Desk technicians, and GuardianEdge customers report that one-third to one-half of their users forget or lose their passwords at least once a year. At the enterprise level, where there may be thousands of users distributed across various geographic locations, organizations need an automated, systematic method for managing password recovery systems. 4 These encryption keys are protected using the organization s master 233-bit Elliptical Curve Cryptography public key (a 233 bit ECC public private key is equivalent to 2048 bit RSA PPK) before leaving the client. This master is generated when Encryption Anywhere Management Console snap-in is created. Page 11 of 15

14 Encryption Anywhere allows individual users can recover lost passwords without Help Desk assistance using Encryption Anywhere s built-in Authenti-Check self-service password recovery methodology. If the loss is more serious, authorized Help Desk technicians can use the ADAM server to provide the secure and controlled access to that user s data encryption key. The technician can use Encryption Anywhere s One-Time Password program to regain access to encrypted data on the computer. Using ADAM to store backup keys enables Encryption Anywhere to guarantee that encrypted data can always be recovered. What s more, Encryption Anywhere includes a toolbox of utilities technicians can use, in combination with the encryption keys stored in ADAM, to gain access to damaged drives and decrypt data. even in cases when the drive is damaged. Auditing Auditing is a major requirement for enterprise operations, thanks to Sarbanes-Oxley and other corporate governance regulations. Encryption Anywhere integrates the storage of its audit data into the Windows system event log. The existing tools in Active Directory can access, view and retrieve the Windows system event log data. The Encryption Anywhere integration leverages what already exists and eliminates the need to learn another process or install another tool. An organization can use the Active Directory audit tool to retrieve Encryption Anywhere audit trail information. Page 12 of 15

15 Conclusion Encryption Anywhere takes full advantage of Microsoft s existing Management Console and Active Directory to deliver easy to deploy and manage encryption solutions that precisely match the needs of an enterprise. Providing seamless integration with an enterprise s existing network framework, Encryption Anywhere brings under control the total cost of scaling and enforcing encryption policies. By snapping directly into the Microsoft Management Console, Encryption Anywhere will provide a standardized platform for the administration of enterprise encryption policies, leveraging Microsoft Windows existing technology, rather than requiring the installation of a new server or having to learn another custom interface. By integrating management and administrative functions for all Encryption Anywhere Applications into a single, commonly shared framework, Encryption Anywhere simplifies the distribution and administration of data encryption. When the first instance of any Encryption Anywhere application is installed such as Encryption Anywhere Hard Disk the common components for all other Encryption Anywhere Applications are in place and available for immediate activation. For more information on the new Encryption Anywhere platform, contact your GuardianEdge Sales Manager or visit us on the Web at Copyright GuardianEdge Technologies Inc. All rights reserved. GuardianEdge Technologies Inc. 475 Brannan Street, Suite 400, San Francisco CA Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form of by any means, electronic or mechanical, for any purpose, without the express written permission of GuardianEdge Technologies. GuardianEdge and Encryption Anywhere are trademarks of GuardianEdge Technologies Inc. Active Directory is a trademark of Microsoft Corporation. All product names mentioned in this white paper may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. Revised on 12/05/2005 Page 13 of 15