
The Encryption Anywhere Data Protection Platform
A Technical White Paper
5 December 2005

GuardianEdge Technologies Inc.
475 Brannan Street, Suite 400, San Francisco CA 94107-5421
800-440-0419 / 415-683-2200, Fax 415-683-2349


Introduction

The explosive growth of mobile computing devices has created a new set of challenges and opportunities for the enterprise. On one hand, mobile devices such as laptop computers, PDAs, smart phones and removable storage devices enable enterprise organizations to operate in real time by reducing the duration and latency of business processes and activities.[1] On the other hand, these devices represent a growing source of vulnerability because they are highly susceptible to theft and misuse. Without proper protection, the advantages these devices bring to the enterprise are offset by the risks associated with loss or theft of sensitive information.

Encryption is a powerful technology for securing data on mobile computing devices, but there are significant obstacles to implementing encryption services for mobile devices throughout the enterprise. It is extremely difficult to identify all the personal and corporate-issued devices that exist within the corporate IT environment, much less to manage the heterogeneous mixture of operating systems and access ports that exist on these devices. Traditional encryption software solutions do not possess the integrated and interoperable device/platform management capabilities necessary for managing this vulnerability at the enterprise level. As a consequence, most IT security managers use encryption on a limited basis for a select number of devices.

This White Paper explains how GuardianEdge Technologies is working to remove the obstacles to enterprise-wide encryption with the Encryption Anywhere data protection platform, a modular framework that unifies all encryption services under a single architecture while harnessing existing native network services and management tools.

[1] Monica Basso, Real-Time Enterprise: The Mobility Dimension. Gartner Research.

Protecting Enterprise Data with Intelligent Technology

GuardianEdge Technologies has developed the Encryption Anywhere platform with the vision of reducing the cost and complexity of enterprise data protection. As a framework, the Encryption Anywhere platform realizes this vision by delivering the following primary features:

- A modular architecture that enables organizations to add services to an integrated system as new devices are introduced into the corporate network
- A single point of control through which to manage encryption-related services such as policy management and key recovery for a distributed, heterogeneous network of target devices such as hard disks and removable storage devices
- Seamless integration with native network services such as Active Directory and standard management interfaces such as the Microsoft Management Console

After defining the functional, architectural and interface components of the Encryption Anywhere platform, this paper provides detailed descriptions of how these features enable organizations to reduce the cost and complexity of protecting data across the enterprise.

Encryption Anywhere: Functional Components

The Encryption Anywhere platform is based on a modular design with two main functional components. These components operate across the Encryption Anywhere platform and are integral to understanding the Encryption Anywhere architecture.

Framework module. This module defines shared installation settings and policies that apply to more than one Encryption Anywhere application. The Framework module is required for all Encryption Anywhere applications and enables functions common to multiple applications to be factored out and defined in one place, avoiding redundancies and potential inconsistencies between the applications.

Application module. The Encryption Anywhere platform supports multiple application modules, which can be added to the platform as the security requirements of the organization change over time. In general, each application module contains application-specific functionality. This document describes the Application Module for Encryption Anywhere Hard Disk, the first application delivered through the Encryption Anywhere platform.

Encryption Anywhere: Interface Components

The Encryption Anywhere platform contains two main user interfaces: the Management Console and the Client Console.

The Management Console

The Encryption Anywhere Management Console provides a centralized interface for controlling framework and application settings, enabling administrators to perform the following actions:

- Organize domains into functional groups of users and computers, and manage those groups from a central location
- Define Encryption Anywhere installation settings, which establish the behavior of computers and the rights of users in a targeted group
- Push out installation settings and software to create client modules, including the Client Console, on distributed computers
- Define and push out policies that override the installation settings
- Monitor compliance and status of the client computers and users

The Client Console

The Encryption Anywhere Client Console is installed through the Management Console onto target devices such as laptops and PDAs, providing a common user interface for client-based controls. The Client Console contains panels that reflect the installation settings and displays the policies chosen by policy administrators. The Client Console also provides the user interface for encrypting and decrypting data, and reports important data about user accounts and disk encryption characteristics.

In addition to the framework interface components, Encryption Anywhere Application Modules may also include their own application-specific interfaces. In the case of the Encryption Anywhere Hard Disk application module, there is a pre-Windows Hard Disk authentication interface that prevents Windows from starting until an Encryption Anywhere user authenticates with a password or smart card. This interface can also lock out non-administrative users if a required, time-sensitive network check-in (performed for security reasons) does not take place.

Encryption Anywhere: Architectural Overview

Encryption Anywhere: Overall Architecture

The Encryption Anywhere architecture encapsulates four elements of the IT infrastructure, as illustrated in Figure 2.

Figure 2: Overview of Encryption Anywhere

1. Encryption Anywhere Client: The client is where the encrypted data resides. Encryption Anywhere's Framework Module provides a common interface (the Client Console) on each client for common services ("account settings") such as user authentication and password recovery. Meanwhile, the Application Module in each client contains encryption capabilities and application-specific components. In the case of Hard Disk, the Application Module supplies a pre-Windows authentication component that prevents Windows from loading until an Encryption Anywhere user authenticates.

2. Active Directory: Active Directory is a central component of Windows and a proven method for enabling centralized management of distributed clients. To control Active Directory environments, Microsoft supplies a modular interface called the Microsoft Management Console (MMC). The Framework and Application Modules exist in Active Directory as a set of snap-ins for MMC, through which Encryption Anywhere inherits capabilities such as deployment of MSI installation packages and Group Policy Objects (GPOs).[2]

Figure 3: Microsoft Management Console with Encryption Anywhere

In Encryption Anywhere, policy administrators are given instructions on how to place MSI files into the Initial Settings area of the Group Policy Object Editor and to use this interface to distribute the MSI files. However, MSI files also give a customer the option of distributing the installation settings as they would any normal Windows Installer package, using any distribution method they choose.

3. Active Directory Application Mode (ADAM): ADAM provides a hierarchy that functions very much like Active Directory, while being a separate data tree in which Encryption Anywhere can store its own data without affecting the organization's AD schema. ADAM comes with built-in support for backup, replication, and mobility. Encryption Anywhere uses ADAM as a robust management and recovery system for framework-level and application-specific encryption keys.

[2] For organizations that do not use Active Directory, Encryption Anywhere can operate as a standalone directory server. In such instances, data is made accessible via LDAP, and deployment can be supported by Tivoli, SMS, ZENworks, Marimba and similar technologies.

4. Help Desk: When a user forgets his password, an organization's Help Desk can use ADAM to provide secure and controlled access to the user's data encryption key. The technician can use either Encryption Anywhere's One-Time Password program or its emergency data recovery program to regain access to encrypted data on the computer. Additionally, individual users can recover lost passwords without Help Desk assistance using Encryption Anywhere's built-in Authenti-Check self-service password recovery methodology.

Encryption Anywhere: Client Architecture

The Encryption Anywhere Client Framework delivers the following shared services through the Client Console interface:

a. A user authentication interface: Users can authenticate themselves to all Encryption Anywhere applications through a single interface that supports authentication with passwords and PKI smart cards.[3]

b. Single Sign-On authentication interface: Encryption Anywhere supports Single Sign-On with the Windows login. When Single Sign-On is activated, a user only needs to log in once to launch Windows and Encryption Anywhere's applications.

c. Password recovery services: When users forget their passwords, the Client Framework provides a user interface and logic that enable users to activate Encryption Anywhere's Authenti-Check self-service password recovery methodology, or to enter a One-Time Password generated remotely and provided by the Help Desk.

d. Lost smart card one-time access services: When users lose their smart cards, they can contact the Help Desk for a One-Time Password that will allow them to access their encrypted data until a replacement smart card is provided.

[3] Encryption Anywhere integrates directly into a company's existing PKI environment and supports tokens (smart cards and USB tokens) that use PKCS #11 access and X.509 certificates. Encryption Anywhere does not change or alter the PKI card and key management system, nor does it provide PKI key management, key recovery, certificate issuance or certificate revocation. Axalto smart cards and SafeNet USB tokens are supported by Encryption Anywhere. For additional support, contact your GuardianEdge Technologies representative.

e. User Management interface: Adding new Encryption Anywhere users is performed through a single user interface. Once users are added, they have access to all installed Encryption Anywhere applications.

f. Authenti-Check setup interface: Encryption Anywhere includes a single user interface for creating Authenti-Check question-and-answer pairs for each user. These question-and-answer pairs are used to recover and reset passwords without intervention by the Help Desk.

The client element of Encryption Anywhere (Figure 3) is the most significant component of the overall architecture and is where the actual encryption of data takes place.

Figure 3: Overview of the Encryption Anywhere Client

1. Client Application Module: Encryption Anywhere Hard Disk provides the easiest and most comprehensive method for protecting data stored on a computer hard disk. This application module encrypts the entire hard drive, including the Windows operating system, swap (paging) files, hibernation files, executables and all data stored on the hard drive. Before users can access their hard drives, they must authenticate to the Encryption Anywhere Hard Disk application; once authenticated, users gain access to the Windows operating system and all applications and data. The Hard Disk encryption engine operates dynamically, so that encrypted sectors are decrypted only when data from those sectors is accessed and loaded into memory. Furthermore, all data is always written to the hard disk in an encrypted state.

2. Common components: The Encryption Anywhere Common Component subsystem provides a range of services used by the encryption application and the Framework subsystem, all of which are invisible to the user. For example, when the Framework subsystem wants to authenticate a user, it displays a user interface (or intercepts the Windows login when Single Sign-On is active) where the user enters a user name, domain and password. The Framework passes the user name, domain and password to the Common Component Authentication module, which determines whether this is a valid user and notifies the Framework subsystem of the result.

3. Client database: The Encryption Anywhere Client Database is the repository for user policies, computer policies and encryption application data. The Client Database is comprised of two parts: the Windows registry and the Encryption Anywhere file system (EAFS). The Windows registry is where Active Directory stores the data and policies pushed to the client, and this registry data is considered part of the Client Database. The Windows registry data is automatically updated by Active Directory while the computer is connected to the network, at an interval set by domain administrators. EAFS, on the other hand, is specific to the Encryption Anywhere Hard Disk application module. The Client Database encryption keys are encrypted and stored securely in the Client Database, and these encrypted keys are also automatically transmitted to the Active Directory Application Mode (ADAM) server. If the Client Database is damaged or lost, encrypted data can be recovered using the keys stored in ADAM.

Now that the structure and function of Encryption Anywhere have been explained, this paper describes how Encryption Anywhere technology can simplify the use and management of data encryption at the enterprise level.
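The transparent "decrypt only on read, always encrypted on write" behaviour described in item 1 above, as an added illustration. This is not the Encryption Anywhere disk driver, whose cipher and mode the paper does not name: the "cipher" here is an HMAC-SHA256 keystream, chosen only so the example runs on Python's standard library, and the sector number serves as the tweak. The last function shows the failure mode that a real full-disk engine must avoid, and which is why production disk encryption uses a tweakable block-cipher mode such as AES-XTS rather than a per-sector stream cipher.

```python
"""Toy model of a transparent sector-level encryption layer.

Constructed for this page; it is not the Encryption Anywhere disk driver, whose
cipher and mode the paper does not name. The "cipher" here is an HMAC-SHA256
keystream so the example runs on the standard library alone. Real full-disk
encryption uses a tweakable block-cipher mode (e.g. AES-XTS) precisely because
of the failure shown in keystream_reuse_leak().
"""
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDisk:
    """The backing store only ever holds ciphertext; callers see plaintext sectors."""

    def __init__(self, dek: bytes, sectors: int):
        self._dek = dek                                  # in memory only after pre-boot authentication
        self._store = [bytes(SECTOR_SIZE) for _ in range(sectors)]

    def _keystream(self, sector: int) -> bytes:
        # Keystream = PRF(DEK, sector || counter): the sector number is the "tweak",
        # so identical plaintext in two different sectors encrypts differently.
        out, counter = b"", 0
        while len(out) < SECTOR_SIZE:
            msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
            out += hmac.new(self._dek, msg, hashlib.sha256).digest()
            counter += 1
        return out[:SECTOR_SIZE]

    def write_sector(self, sector: int, plaintext: bytes) -> None:
        """Encrypt on the way down: plaintext never reaches the backing store."""
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly SECTOR_SIZE bytes")
        self._store[sector] = _xor(plaintext, self._keystream(sector))

    def read_sector(self, sector: int) -> bytes:
        """Decrypt on the way up, only when the sector is actually read into memory."""
        return _xor(self._store[sector], self._keystream(sector))

    def raw_sector(self, sector: int) -> bytes:
        """What an attacker sees after pulling the drive and imaging it offline."""
        return self._store[sector]


def round_trip_ok(dek: bytes) -> bool:
    disk = EncryptedDisk(dek, sectors=4)
    page = b"pagefile.sys: cached user secret".ljust(SECTOR_SIZE, b"\x00")
    disk.write_sector(2, page)
    return disk.read_sector(2) == page and disk.raw_sector(2) != page


def tweak_separates_sectors(dek: bytes) -> bool:
    """Two all-zero sectors (common on a real disk) must not look alike on the platter."""
    disk = EncryptedDisk(dek, sectors=2)
    disk.write_sector(0, bytes(SECTOR_SIZE))
    disk.write_sector(1, bytes(SECTOR_SIZE))
    return disk.raw_sector(0) != disk.raw_sector(1)


def keystream_reuse_leak(dek: bytes) -> bool:
    """The failure mode: keyed only by (DEK, sector), the keystream repeats when a
    sector is rewritten, so two offline images (before/after) reveal old XOR new."""
    disk = EncryptedDisk(dek, sectors=1)
    old = b"old password: hunter2".ljust(SECTOR_SIZE, b"\x00")
    new = b"new password: correct horse".ljust(SECTOR_SIZE, b"\x00")
    disk.write_sector(0, old)
    image_before = disk.raw_sector(0)
    disk.write_sector(0, new)
    image_after = disk.raw_sector(0)
    return _xor(image_before, image_after) == _xor(old, new)


if __name__ == "__main__":
    dek = os.urandom(32)
    print("round trip:", round_trip_ok(dek))
    print("sector tweak:", tweak_separates_sectors(dek))
    print("rewrite leaks old XOR new:", keystream_reuse_leak(dek))
```

The first two functions are the properties the paper describes (data on the platter is never plaintext, and the sector position keeps equal sectors from looking equal). The third is the reason a disk driver cannot store a fresh nonce per 512-byte sector and therefore needs a mode whose security does not depend on one; when evaluating any full-disk product, the cipher mode is the detail to ask for.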

Optimizing Encryption Services for the Enterprise

Deployment

In a managed enterprise environment, software must be installed rapidly and in great quantities with minimal interruption of normal user activity. Some traditional encryption technologies support this capability, but they require separate installation procedures for each application. It is unlikely that an organization could run installation procedures for all client types (hard disks, files and folders, PDAs, smart phones, removable storage devices, etc.) in rapid succession without putting a drain on administrator resources and user productivity.

Encryption Anywhere solves this problem through seamless integration with Active Directory. Using the Management Console, a policy administrator defines Framework installation settings, and then pushes them out together with the Framework client software in the form of a Windows Installer (MSI) package. When this Framework MSI runs on a client, it installs the Framework client software and stores the Framework installation settings in the registry. The Framework client software includes the Client Console populated with non-application-specific panels, and a number of modules without UIs that perform shared functions.

The same process must then take place for each application. In Encryption Anywhere 1.0, the only application is Hard Disk. Using the Management Console, a policy administrator defines Hard Disk installation settings, and then pushes them out together with the Hard Disk client software in the form of an MSI package. When this Hard Disk MSI runs on a client, it installs the Hard Disk client software and stores the Hard Disk installation settings in the registry. The Hard Disk client software includes additional Client Console panels, the pre-Windows authentication module, and a low-level disk driver that performs encryption and decryption in the background.

By using MSIs for installation settings, Encryption Anywhere creates an extra guarantee of reliability: users have a standard way to load settings and begin using Encryption Anywhere even if they are unable to reach Active Directory for some reason.

Policy Management

Policy administrators may, from time to time, define and push out policies that reflect changes in the Encryption Anywhere environment, such as the addition of client administrators. These policies take the form of Active Directory Group Policy Objects (GPOs). A user or computer may or may not have a GPO. If no GPO has been issued, the baseline or default policy originally installed in the form of an MSI package continues to apply; if a GPO exists, the GPO provides the active policy. Note: even when GPOs are pushed out, the installation settings are never overwritten; they remain on the client computers with their original values and can be restored.

An advantage of GPOs is that policy administrators can create them at different levels of an organization, and Active Directory resolves any overlaps according to well-defined rules of precedence. Administrators can check the results of this process by using Microsoft tools such as the Resultant Set of Policy (RSoP).

Key Management

Whenever encryption technology is used in an organization, it is important to have a robust key management system. Traditional encryption technologies are not integrated to the point where they can consistently share common keys among multiple applications, and they do not scale well in enterprise environments. The Encryption Anywhere framework uses ADAM to deliver a shared key management system for all Encryption Anywhere applications. When Encryption Anywhere is installed on a client, the common components on the client automatically upload each user's encryption keys, encrypted before they leave the client,[4] to the ADAM server, which stores them. This method simplifies key management for administrators and streamlines the authentication procedure for each user.

ADAM can be thought of as a lightweight Active Directory; it contains a well-defined schema reflecting the Encryption Anywhere key management, recovery and user status data. The Client Console and the Management Console use the Lightweight Directory Access Protocol (LDAP) when accessing the ADAM database. Policy administrators use the Management Console's Client Monitor snap-in, which displays the status data stored in ADAM, to track client compliance.

Password and Data Recovery

Password recovery is often a time-consuming procedure for Help Desk technicians, and GuardianEdge customers report that one-third to one-half of their users forget or lose their passwords at least once a year. At the enterprise level, where there may be thousands of users distributed across various geographic locations, organizations need an automated, systematic method for managing password recovery.

[4] These encryption keys are protected with the organization's master 233-bit Elliptic Curve Cryptography public key before they leave the client (a 233-bit ECC key pair offers security comparable to a 2048-bit RSA key pair). This master key pair is generated when the Encryption Anywhere Management Console snap-in is created.
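The key escrow described under Key Management and in footnote 4 (the client wraps each user's data encryption key under the organization's master ECC public key before upload; the Help Desk, holding the master private key, unwraps it during recovery), as an added illustration. This is not GuardianEdge's implementation, which the paper does not detail; it is the standard ECIES shape that such a design takes. Assumptions not taken from the paper: NIST P-256 stands in for the 233-bit curve the paper names (the standard library has no binary-field curves), the KDF is HKDF-style HMAC-SHA256, and the DEK is 32 bytes. The curve arithmetic is hand-rolled and not constant-time, purely so the example runs without third-party packages; production code must use a vetted library.

```python
"""DEK escrow under the organization's master ECC public key (ECIES-style).

Added illustration, not GuardianEdge code. Assumptions not from the paper: NIST
P-256 stands in for the 233-bit curve it names, the KDF is HKDF-style HMAC-SHA256,
the DEK is 32 bytes. Curve arithmetic is hand-rolled and NOT constant-time, only so
the example runs on the standard library; production code must use a vetted library.
"""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(pt) -> bool:
    """Validate a received point before ECDH (blocks the invalid-curve attack)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (timing leaks; illustration only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def point_bytes(pt) -> bytes:
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def generate_master_keypair():
    """Made once with the Management Console snap-in; the private half stays with
    the Help Desk recovery tooling and never reaches a client."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def derive_keys(shared_x: int, eph_pub):
    """HKDF-style extract/expand bound to the ephemeral key: (wrap key, MAC key)."""
    prk = hmac.new(point_bytes(eph_pub), shared_x.to_bytes(32, "big"), hashlib.sha256).digest()
    t1 = hmac.new(prk, b"EA DEK escrow\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + b"EA DEK escrow\x02", hashlib.sha256).digest()
    return t1, t2

def wrap_dek(dek: bytes, master_pub) -> dict:
    """Client side: this record, not the bare DEK, is what gets uploaded to ADAM."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    if not on_curve(master_pub):
        raise ValueError("master public key is not on P-256")
    r = secrets.randbelow(N - 1) + 1               # fresh per wrap, so the pad is never reused
    eph_pub = ec_mul(r, G)
    wrap_key, mac_key = derive_keys(ec_mul(r, master_pub)[0], eph_pub)
    wrapped = bytes(a ^ b for a, b in zip(dek, wrap_key))   # 32-byte one-time pad
    tag = hmac.new(mac_key, point_bytes(eph_pub) + wrapped, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "wrapped": wrapped, "tag": tag}

def unwrap_dek(record: dict, master_priv: int) -> bytes:
    """Help Desk side: open the escrow record with the master private key."""
    eph_pub = record["eph_pub"]
    if not on_curve(eph_pub):
        raise ValueError("ephemeral public key is not on P-256")
    wrap_key, mac_key = derive_keys(ec_mul(master_priv, eph_pub)[0], eph_pub)
    expected = hmac.new(mac_key, point_bytes(eph_pub) + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):        # verify before decrypting
        raise ValueError("escrow record tampered with, or wrong master key")
    return bytes(a ^ b for a, b in zip(record["wrapped"], wrap_key))

if __name__ == "__main__":
    master_priv, master_pub = generate_master_keypair()   # once, at snap-in creation
    user_dek = secrets.token_bytes(32)                    # on the client, at install time
    escrow = wrap_dek(user_dek, master_pub)
    print("Help Desk recovered DEK:", unwrap_dek(escrow, master_priv) == user_dek)
```

Two points worth carrying into a deployment review of any product built this way. First, the client only ever holds the master public key, so nothing on a stolen laptop, and nothing in ADAM, lets anyone open the records without the master private key; the whole recovery scheme therefore reduces to how that one private key is generated, stored and who can invoke it. Second, both sides validate the point they receive before using it in ECDH, and the Help Desk side checks the MAC before decrypting; a recovery tool that skips either step can be fed a crafted record to leak information about the master key.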

Encryption Anywhere allows individual users to recover lost passwords without Help Desk assistance using Encryption Anywhere's built-in Authenti-Check self-service password recovery methodology. If the loss is more serious, authorized Help Desk technicians can use the ADAM server to gain secure and controlled access to that user's data encryption key. The technician can then use Encryption Anywhere's One-Time Password program to regain access to encrypted data on the computer. Using ADAM to store backup keys enables Encryption Anywhere to ensure that encrypted data can always be recovered. What's more, Encryption Anywhere includes a toolbox of utilities that technicians can use, in combination with the encryption keys stored in ADAM, to gain access to damaged drives and decrypt data.

Auditing

Auditing is a major requirement for enterprise operations, thanks to Sarbanes-Oxley and other corporate governance regulations. Encryption Anywhere writes its audit data to the Windows system event log. The standard Windows event log tools can access, view and retrieve this data. The Encryption Anywhere integration leverages what already exists and eliminates the need to learn another process or install another tool. An organization can use its existing Windows audit tooling to retrieve Encryption Anywhere audit trail information.
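Returning to the Policy Management section above: the rules it relies on (the MSI installation settings are a baseline that is never overwritten; GPOs linked along the computer's Site, Domain and OU path override it under Active Directory's precedence, where the nearest OU wins, Block Inheritance drops non-enforced links from above, and Enforced links ignore the block with the higher level winning between enforced links) are easy to state and surprisingly easy to get wrong, which is what RSoP exists to show. The model below is an added illustration, not GuardianEdge or Microsoft code; the setting names, container names and GPO names are constructed for the example and are not Encryption Anywhere policy names.

```python
"""How a client's effective Encryption Anywhere policy is resolved.

Added illustration, not GuardianEdge or Microsoft code. Models the rules the
paper relies on: the MSI installation settings are a baseline that is never
overwritten, and GPOs linked along the computer's Site -> Domain -> OU path
override it under Active Directory precedence (nearest OU wins; Block
Inheritance drops non-enforced links from above; Enforced links ignore the
block and, between enforced links, the higher level wins). Setting names,
container names and GPO names are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GpoLink:
    name: str
    settings: dict
    enforced: bool = False


@dataclass(frozen=True)
class Container:
    """A site, domain or OU on the path from the site down to the computer object."""
    name: str
    links: tuple                 # link order: links[0] has the highest precedence in this container
    block_inheritance: bool = False


def effective_policy(baseline: dict, path: tuple) -> dict:
    """Return {setting: (value, source)} the way an RSoP report attributes winners.

    `path` runs from site to the computer's immediate OU. The baseline dict is
    copied, never mutated: restoring the installation settings is just using it again.
    """
    # Block Inheritance at the deepest container that sets it discards every
    # non-enforced link above that container.
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)

    normal, enforced = [], []
    for level, container in enumerate(path):
        # Within a container, link order 1 is applied last so that it wins.
        for link in reversed(container.links):
            if link.enforced:
                enforced.append((level, link))
            elif level >= start:
                normal.append(link)

    # Enforced links apply after all normal ones; lower levels first, so the
    # highest-level enforced link is applied last and therefore wins.
    order = normal + [link for _, link in sorted(enforced, key=lambda t: -t[0])]

    result = {k: (v, "installation settings (MSI baseline)") for k, v in baseline.items()}
    for link in order:
        for setting, value in link.settings.items():
            result[setting] = (value, link.name)
    return result


# Constructed scenario: a Finance laptop in OU Laptops/Finance under corp.example, site SF.
BASELINE = {
    "preboot_auth_required": True,
    "client_admins": ("LocalAdmin",),
    "checkin_lockout_days": 30,
}

PATH = (
    Container("Site SF", (GpoLink("Site-EA-Defaults", {"checkin_lockout_days": 45}),)),
    Container("corp.example", (GpoLink("Domain-EA-Baseline",
                                        {"checkin_lockout_days": 14, "smartcard_required": False},
                                        enforced=True),)),
    Container("OU=Laptops", (GpoLink("Laptops-EA",
                                      {"checkin_lockout_days": 7, "client_admins": ("HelpDesk",)}),),
              block_inheritance=True),
    Container("OU=Finance", (GpoLink("Finance-SmartCard", {"smartcard_required": True}),)),
)


def resolve_sample() -> dict:
    return effective_policy(BASELINE, PATH)


if __name__ == "__main__":
    for setting, (value, source) in resolve_sample().items():
        print(f"{setting:24} = {value!s:16} <- {source}")
```

In the constructed scenario the Laptops OU blocks inheritance, so the site-level 45-day check-in lockout never reaches the client, and the Laptops link's 7-day value would win except that the domain link is enforced and pins it to 14. The same enforced link also overrides the Finance OU's `smartcard_required: True` with `False`: the OU administrator's stricter setting silently loses, and only an RSoP query (or a model like this one) reveals why. The practical rule it illustrates is to enforce only settings that are meant to be floors, never permissive defaults.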

Conclusion

Encryption Anywhere takes full advantage of Microsoft's existing Management Console and Active Directory to deliver easy-to-deploy and easy-to-manage encryption solutions that precisely match the needs of an enterprise. Providing seamless integration with an enterprise's existing network framework, Encryption Anywhere brings under control the total cost of scaling and enforcing encryption policies.

By snapping directly into the Microsoft Management Console, Encryption Anywhere provides a standardized platform for the administration of enterprise encryption policies, leveraging existing Microsoft Windows technology rather than requiring the installation of a new server or the learning of another custom interface. By integrating management and administrative functions for all Encryption Anywhere applications into a single, commonly shared framework, Encryption Anywhere simplifies the distribution and administration of data encryption. When the first instance of any Encryption Anywhere application is installed, such as Encryption Anywhere Hard Disk, the common components for all other Encryption Anywhere applications are in place and available for immediate activation.

For more information on the new Encryption Anywhere platform, contact your GuardianEdge Sales Manager or visit us on the Web at http:///

Copyright 2005 GuardianEdge Technologies Inc. All rights reserved. GuardianEdge Technologies Inc., 475 Brannan Street, Suite 400, San Francisco CA 94107-5421, 415-683-2200. Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of GuardianEdge Technologies. GuardianEdge and Encryption Anywhere are trademarks of GuardianEdge Technologies Inc. Active Directory is a trademark of Microsoft Corporation. All product names mentioned in this white paper may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. Revised on 12/05/2005.