CREDANT Mobile Guardian - Enterprise Edition




September 2007
CREDANT Technologies Security Solutions White Paper
CREDANT Technologies, 15303 Dallas Parkway, Suite 1420, Addison, Texas 75001
www.credant.com

Table of Contents

THE MOBILE DATA SECURITY CHALLENGE
CREDANT MOBILE GUARDIAN ARCHITECTURE: INTEGRATED SOLUTION FOR EASY DEPLOYMENT
    CREDANT Mobile Guardian Enterprise Server
    CREDANT Mobile Guardian Policy Proxy
    CREDANT Mobile Guardian Local Gatekeeper
    CREDANT Mobile Guardian Shield
        CMG Shield for Notebooks, Tablet PCs or Desktops, and External Media
        CMG Shield for PDAs, Smartphones and External Media
    Optional Over-The-Air (OTA) Sync Control for PDAs, Smart Phones
    Negligible Network Impact of CMG Installation
CMG FUNCTIONALITY
ENTERPRISE LDAP DIRECTORY INTEGRATION
ENTERPRISE DATABASE INTEGRATION
BROWSER-BASED CENTRALIZED ADMINISTRATION
    Separation of Administrative Duties
    Audit Logs and Reporting
    Mobile Device Inventory Management
SECURITY POLICY DISTRIBUTION
    Over-The-Air Policy Updates for Pocket PC, Smartphone
    User Authentication
    Multi-Factor Authentication Support
    Self-Service PIN/Password Reset and Remote Device Recovery
POLICY-BASED INTELLIGENT ENCRYPTION
    Five Layers of Defense
    Windows Desktops, Notebooks and Tablet PCs
    FIPS Validation
ENCRYPTED DATA RECOVERY
    Automatic Key Escrow for Immediate Recovery
USER AUTHORIZATION AND CONTROL FOR PDAS AND SMARTPHONES
    User Status and Device Access Controls
    User and Device Mutual Authentication
    On-Device Application Controls
    Communication Port Controls
    Always On, Instant Access
    Bluetooth Proximity Access
CISCO NAC SUPPORT FOR WINDOWS-BASED DEVICES
ADDITIONAL USABILITY FEATURES OF CREDANT MOBILE GUARDIAN, EDITION 5.3 *
CREDANT MOBILE GUARDIAN SOFTWARE UPDATES
SUMMARY
CONTACT US

THE MOBILE DATA SECURITY CHALLENGE

In an enterprise-wide mobile computing environment, the use of disparate mobile devices, such as cell phones, personal digital assistants (PDAs), notebook computers, tablet PCs, smart phones (converged PDA/cell phone devices) and various types of removable media, makes it extremely difficult to control user behavior. You can no longer be sure who has access to your data or where it resides. Most enterprises find it impossible to even know how many devices are used by their employees, let alone what data resides on those devices. Employees often purchase their own device and synchronize email and other corporate data to their computers at work and at home, placing sensitive data outside the reach of IT and security. Furthermore, driven by productivity and enhanced customer relationship benefits, the use of diverse types of mobile devices will continue to grow rapidly, making it increasingly more difficult for organizations to detect, protect, manage and support them.

The large and growing memory capacity of mobile devices, combined with the plummeting price of memory cards, makes it more likely that users will store even more critical information on their devices or on their device's removable media, making it imperative that this information be encrypted for privacy. Gartner [1] predicted that by year-end 2007, 80 percent of Fortune 1000 enterprises will encrypt most critical "data at rest," including data at rest (stored) in mobile devices. Information previously secured within the physical confines of corporate networks is now unsecured, untethered, and mobile.

CREDANT Mobile Guardian (CMG) Enterprise Edition helps organizations regain control of their sensitive data, regardless of where it resides. This mobile data security solution provides centrally managed, policy-based security for a broad range of mobile devices. The CMG solution was developed using industry standards to provide the security, flexibility, compatibility and scalability needed to meet a wide variety of mobile enterprise data security requirements. CREDANT Mobile Guardian is the only enterprise-scale security solution to protect all mobile data with enforced security that follows the data across all endpoints.

CREDANT MOBILE GUARDIAN ARCHITECTURE: INTEGRATED SOLUTION FOR EASY DEPLOYMENT

The CREDANT Mobile Guardian (CMG) Enterprise Edition integrated components interoperate seamlessly, allowing for easy deployment (Figure 1). Through a single management interface, administrators can control and secure a broad range of mobile device platforms (external media; Microsoft Windows-based desktop, tablet and notebook PCs; Windows Mobile devices; and Palm-, RIM-, and Symbian-based smart phones and PDAs) and any sensitive data that resides on them.

[1] Gartner, Recommendations for Infrastructure Protection, 2006, G00137697, Ray Wagner, Peter Firstbrook, Neil MacDonald, Vic Wheatman, John Girard, Avivah Litan, Rich Mogull, Amrit T. Williams, Lawrence Orans, John Pescatore, Mark Nicollett, Jay Heiser, Paul Proctor, Greg Young, p. 5, February 10, 2006

Figure 1. CREDANT Mobile Guardian Architecture

- CMG Enterprise Server integrates with enterprise directories to provide a central, web-based interface for security policy definition and management, real-time mobile device inventory, and continuous reporting of mobile device security status for policy compliance.
- CMG Policy Proxy resides on the corporate network or DMZ to provide secure distribution of policies and policy updates from the CMG Enterprise Server to the CMG Shield. It also collects device inventory and reports it back to the CMG server for auditing and reporting.
- CMG Shield resides on mobile devices and external media to enforce mobile security policies even if the device is disconnected from the network. It enforces strong authentication, Policy-based Intelligent Encryption, and device and end-user controls.
- CMG Local Gatekeeper resides on desktops and notebooks to automatically detect, protect and control mobile devices that synchronize locally to the PC. It provides secure, distributed communications between CMG Shield and CMG Enterprise Server for transparent delivery and management of policy and software updates.
- (Optional) CMG Over-the-Air (OTA) Sync Control enhances Microsoft Exchange ActiveSync to enforce Shielding before allowing handhelds to synchronize email, contacts and other corporate data wirelessly with Exchange.

CMG Enterprise Edition is configurable to address a wide range of mobile data security needs, and its flexible deployment options fit unique enterprise environments without disrupting networks or detracting from the user experience.

CREDANT MOBILE GUARDIAN ENTERPRISE SERVER

The CREDANT Mobile Guardian Enterprise Server is a modularized, web-based application that provides a variety of benefits including:

- A single, secure administration interface to manage security across disparate mobile devices
- Default security policies that can be easily adjusted to align mobile data security to the type of user, device and location
- Automated and transparent archiving of encryption keys to enable Day Zero data recovery
- Read-only integration with enterprise LDAP directories to enable global, group, or individual user level security policies
- Inventory management and reporting
- Self-service and administrator-assisted device recovery in case of authentication failure
- Enterprise database integration for a scalable and reliable solution

Flexibility for Different Enterprise Environments

CREDANT Technologies believes that security solutions should be flexible enough to fit a variety of enterprise environments, thus minimizing the impact on IT and end users. Through the CMG interface, security administrators can monitor the real-time state of mobile device discovery and policy compliance. Default global policies, based on security best practices, help enterprises begin securing their mobile data quickly. A common policy editor across all mobile devices significantly reduces the learning curve to ensure lower implementation costs. Five administrator roles provide separation of administrative duties, further protecting the enterprise with a solution that's flexible enough to fit existing IT and security procedures. Mobile device inventory management, policy management, auditing, and reporting are all supported through an ODBC-compliant database to help manage regulatory compliance.

The CMG Enterprise Server consists of multiple components that can be installed on a single server or distributed across multiple servers, depending on the size of your environment and your deployment needs: Enterprise Server, Web Interface, Device Server, Directory Connector, Gatekeeper Connector, Wireless Deployment Server and the optional Over-the-Air Sync Control. These components should be installed in a physically secured environment, behind a firewall within the corporate network. The CMG server must have network connectivity to the LDAP directory server, database, the CMG Policy Proxy and Local Gatekeepers, and any PCs with CMG Shield for Windows installed; however, continuous network connectivity is only required with the database.

The CMG Enterprise Server components can reside on one or more dedicated servers running:

- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2003 Server SP1 or SP2 (including R2)

CREDANT MOBILE GUARDIAN POLICY PROXY

CREDANT Mobile Guardian's Policy Proxy is a software agent that resides on systems in the corporate network or DMZ to provide a variety of benefits including:

- Automatic, secure distribution of mobile users' security policies
- Trusted, scalable, reliable paths for communication between CMG components
- Web-based installation and activation of the CMG Shield
- Grouping options for scalability and redundancy
- Communication of device status and inventory to the CMG Server

The CMG Policy Proxy distributes policy updates to Windows notebooks, desktops, and handheld devices that do not synchronize to a PC. The Policy Proxy helps organizations manage security policies for Windows, Pocket PC, Smartphone, BlackBerry, and Symbian devices. Deploying Policy Proxies in groups allows devices to get policy from any Policy Proxy in the group, for reliable policy updates even in case of network outages or hardware failure. The CMG Policy Proxy also collects device inventory and reports this back to the CMG Enterprise Server for auditing and reporting.

The CMG Policy Proxy software runs on:

- Microsoft Windows 2000 Professional SP4
- Microsoft Windows XP Professional SP1 or SP2
- Microsoft Windows XP Tablet PC Edition SP2
- Microsoft Windows 2000 Server SP4
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2003 Server SP1 or SP2 (including R2)

CREDANT MOBILE GUARDIAN LOCAL GATEKEEPER

CREDANT Mobile Guardian Local Gatekeeper is a software agent that resides on desktops and notebook computers to provide a variety of benefits including:

- Automatic discovery and reporting of handheld mobile devices
- Enforcement of supported and unsupported mobile device lists
- Policy-based installation of the CMG Shield software on diverse mobile devices
- Automatic, secure distribution of handheld mobile users' security policies and encryption keys
- Control over which PCs a mobile device can synchronize to
- Trusted, scalable, reliable paths for communication between CMG components

The Local Gatekeeper is the key to gaining control of your mobile device population and reducing the leakage of sensitive corporate data without your knowledge. The Local Gatekeeper can automatically detect synchronization software and identify the type of PDA or Smartphone being used. When deployed in Report Only mode, it can silently gather extensive mobile device inventory information without the end user's knowledge. Once collected, this inventory is passed to the CMG Enterprise Server for auditing and reporting.

The Local Gatekeeper eliminates the need for IT to manually provision mobile devices by automating the distribution of CMG Shield and a mobile user's security policies and encryption keys. The Local Gatekeeper also enforces mutual authentication between the mobile device and the companion PC, reducing the risk of unauthorized access to business information. This mutual authentication can ensure that the mobile device only synchronizes to protected, corporate systems, a critical feature for organizations trying to keep their sensitive data on devices they can secure and control.

The Local Gatekeeper works with a variety of 3rd-party synchronization applications, including Sony Ericsson PC Suite, Palm HotSync, Microsoft ActiveSync, and other compatible products. The Local Gatekeeper installation can be automated via scripts, batch files or industry-standard software distribution tools such as SMS and Tivoli. It runs on any desktop, notebook or tablet PC running:

- Microsoft Windows 2000 SP4
- Microsoft Windows XP Professional SP1 or SP2
- Microsoft Windows XP Tablet PC Edition SP2

The CMG Local Gatekeeper can be configured to operate in one of three modes to accommodate security, phased deployment, internal billing, or chargeback requirements for PDAs and smart phones.

- Report Only mode: the CMG Local Gatekeeper does not prevent a user from synchronizing, but reports the presence of synchronization software on the companion PC, the synchronization software version, and the models and operating systems of all devices that synchronize with the companion PC. In this mode the user is completely unaware of any action by CMG, while organizations gather the information they need to understand how many devices are carrying their sensitive corporate data outside the organization.
- Report and Disable mode: the CMG Local Gatekeeper blocks the use of synchronization software on the companion PC and does not allow any device to synchronize. This mode also reports the information detailed in the Report Only mode when a user attempts to synchronize.
- Auto Install mode: the CMG Local Gatekeeper automatically prompts the user to Shield any unsecured mobile device that attempts to synchronize with the companion PC. If the user refuses, the device is not allowed to sync to that PC. If the user accepts, the Gatekeeper installs the CMG Shield software on the device and allows the user to synchronize. After the initial installation of CMG Shield, all subsequent policy updates are automatically pushed to the device by the CMG Local Gatekeeper. The Auto Install mode also reports the information detailed in the Report Only mode each time a user synchronizes a device to the PC.

The CMG Local Gatekeeper can also be configured to communicate with the CMG Shield (with the exception of BlackBerry devices, which are managed by the CMG Policy Proxy) in either a one-to-many or many-to-many arrangement. The one-to-many configuration ensures that each occurrence of CMG Local Gatekeeper can only communicate with specific occurrences of CMG Shield. This supports situations where a single mobile user with one or more mobile devices can synchronize with only one specific CMG-enabled companion PC. The many-to-many configuration ensures that any occurrence of CMG Shield can communicate with any occurrence of CMG Local Gatekeeper as defined by the administrator. This configuration supports implementations such as distribution facilities and hospitals where multiple mobile users need to synchronize with multiple, geographically dispersed workstations.

CREDANT MOBILE GUARDIAN SHIELD

CREDANT Mobile Guardian Shield is the on-device component that enforces security policies whether a mobile device is connected to the network or not, to protect the device and its external media, even if they are lost or stolen. The Shield supports a variety of platforms and helps organizations extend their trusted environment to ensure protection of sensitive mobile data. CMG Shield is tightly integrated with the mobile device operating system to provide consistently enforced access control, encryption and authorization. CMG Shields communicate with CMG Enterprise Server via either CMG Local Gatekeeper or CMG Policy Proxy, depending on how CMG Shield is configured during installation. For organizations that support a combination of over-the-air and local PC synchronization, CMG Local Gatekeepers and the CMG Policy Proxy can be combined to enable simple CMG Shield deployment and policy updates for both types of synchronization.
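The three Local Gatekeeper modes and the one-to-many / many-to-many Shield pairing described in the Local Gatekeeper section, modelled as a small decision engine in Python. This is an added example and not CREDANT's code: the Mode, Pairing, Device, SyncAttempt and GatekeeperPolicy names, the outcome strings and the sample device values are constructed for illustration, and the supported-device list is assumed to be enforced only where the Gatekeeper blocks.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    REPORT_ONLY = "report_only"
    REPORT_AND_DISABLE = "report_and_disable"
    AUTO_INSTALL = "auto_install"


class Pairing(Enum):
    ONE_TO_MANY = "one_to_many"    # a Gatekeeper talks only to the Shields bound to it
    MANY_TO_MANY = "many_to_many"  # any Shield may talk to any Gatekeeper


@dataclass
class Device:
    device_id: str
    model: str
    os: str
    shielded: bool = False


@dataclass
class SyncAttempt:
    sync_software: str                 # constructed sample value, e.g. "HotSync"
    sync_version: str
    device: Device
    user_accepts_shield: bool = False  # the user's answer to the Auto Install prompt


@dataclass
class GatekeeperPolicy:
    gatekeeper_id: str
    mode: Mode
    pairing: Pairing
    supported_models: frozenset             # supported-device list from the server
    bound_devices: frozenset = frozenset()  # Shields bound to this Gatekeeper (one-to-many)


@dataclass
class Decision:
    allow_sync: bool
    install_shield: bool
    reason: str
    inventory: dict = field(default_factory=dict)  # reported to the Enterprise Server


def inventory_record(policy: GatekeeperPolicy, attempt: SyncAttempt) -> dict:
    """All three modes report the same inventory facts about the sync attempt."""
    dev = attempt.device
    return {
        "gatekeeper": policy.gatekeeper_id,
        "sync_software": attempt.sync_software,
        "sync_version": attempt.sync_version,
        "device_model": dev.model,
        "device_os": dev.os,
        "shielded": dev.shielded,
    }


def pairing_allows(policy: GatekeeperPolicy, device: Device) -> bool:
    """One-to-many: only Shields bound to this Gatekeeper; many-to-many: any Shield."""
    if policy.pairing is Pairing.MANY_TO_MANY:
        return True
    return device.device_id in policy.bound_devices


def evaluate(policy: GatekeeperPolicy, attempt: SyncAttempt) -> Decision:
    """Decide whether the companion PC lets this device synchronize."""
    inv = inventory_record(policy, attempt)
    if policy.mode is Mode.REPORT_ONLY:
        # Never blocks; the user sees nothing, but the attempt is inventoried.
        return Decision(True, False, "report only", inv)
    if policy.mode is Mode.REPORT_AND_DISABLE:
        # Sync software is blocked on this PC; the attempt is still inventoried.
        return Decision(False, False, "synchronization disabled on this PC", inv)
    # Auto Install mode: enforce the device list, then the pairing, then the Shield.
    dev = attempt.device
    if dev.model not in policy.supported_models:
        return Decision(False, False, "unsupported device model", inv)
    if dev.shielded:
        if not pairing_allows(policy, dev):
            return Decision(False, False, "shield not bound to this gatekeeper", inv)
        return Decision(True, False, "already shielded; policy update pushed", inv)
    if not attempt.user_accepts_shield:
        return Decision(False, False, "user declined shield install", inv)
    dev.shielded = True  # the Gatekeeper installs CMG Shield, then permits the sync
    inv["shielded"] = True
    return Decision(True, True, "shield installed; sync allowed", inv)
```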

CMG Shield for Notebooks, Tablet PCs or Desktops, and External Media

CREDANT Mobile Guardian Shield for Windows-based devices provides a variety of benefits including:

- Policy-based Intelligent Encryption protects critical data anywhere on the disk or on removable media to help your organization ensure compliance with government legislation
- On-device mobile security policy enforcement (works in both connected and disconnected mode)
- Integration with Cisco NAC protects against enterprise threats on two different fronts: the mobile platform and the network
- GINA replacement option that can be enabled or disabled for superior flexibility, interoperability with the Windows login, and transparency for the user
- FIPS 140-2 validated encryption algorithms
- Restrict the use of external storage devices, or allow an authenticated user to securely place files onto the external device for storage or transfer of the data
- Automatically and transparently encrypt any data as it is written to external media; allow the user to transfer encrypted external media data to a computer not protected by CMG, and still be able to securely read and write encrypted data to the external media
- Flexible and secure recovery of encrypted data
- Self-service PIN/password reset to reduce the helpdesk burden
- Seamless, standards-based integration with multi-factor authentication technologies like RSA, biometrics, and smartcards
- Administrator-assisted recovery to restore access to the device in case of forgotten authentication credentials, even when disconnected from the corporate network
- Automatic fail-safe actions if the device is lost or stolen

CMG Shield has been tested with a wide range of notebooks and tablets from many manufacturers, including HP, Dell, IBM, Toshiba and others. CMG Shield for Windows is compatible with systems running:

- Microsoft Windows 2000 SP4
- Microsoft Windows XP Professional SP1 or SP2
- Microsoft Windows XP Tablet PC Edition SP2

CMG Shield for PDAs, Smartphones and External Media

CREDANT Mobile Guardian Shield for PDAs and Smartphones, and their external media, provides a variety of benefits including:

- Policy-based Intelligent Encryption protects critical data anywhere on the disk or on removable media to help your organization ensure compliance with government legislation
- On-device mobile security policy enforcement (works in both connected and disconnected mode)
- Enforced mandatory access control, including support for biometric two-factor authentication
- Restrict the use of external storage devices, or allow an authenticated user to securely place files onto the external device for storage or transfer of the data
- Automatically and transparently encrypt any data as it is written to external media; allow the user to transfer encrypted external media data to a computer not protected by CMG, and still be able to securely read and write encrypted data to the external media
- FIPS 140-2 validated encryption algorithms for Palm, PPC and Smartphone
- Self-service PIN/password reset to reduce the helpdesk burden
- Administrator-assisted recovery to restore access in case of forgotten authentication credentials, even when disconnected
- Automatic fail-safe actions if the device is lost or stolen
- Automatic, transparent mutual authentication between the mobile device and the companion PC to control leakage of your data from your corporate network
- Device application remains always on and the user remains always authenticated while a trusted Bluetooth device (headset, GPS unit, even the car itself) is within range
- Policy options to restrict application access and use (allows for white list and black list control)
- Centrally managed control of infrared port, Bluetooth, camera and microphone function and network connectivity
- Allows organizations to take full advantage of Microsoft Security Features Pack (MSFP) and Exchange ActiveSync for Windows Mobile 5 devices

CMG Shield for PDAs, Smartphones and External Media offers a variety of options to secure access to these mobile devices, including PIN, Password, and Question/Answer authentication. Administrators can set policy around how many attempts users are allowed before they fail over from one authentication method to the next. Flexible policies offer a balance between security and user comfort via a variety of options that enforce the length and type of characters required in the credentials, as well as control over the history and aging of credentials.
The self-service PIN/Password/Question and Answer reset lets you define multiple types of authentication so users can reset their own forgotten authentication credentials without having to call the helpdesk. If the user fails all authentication options, they can call the helpdesk for secure, remote recovery. Fail-safe actions like incremental cool down, deletion of encrypted data or hard reset can be set in case all four authentication options are failed.

A wide range of synchronization mechanisms are supported, including USB, serial, infrared (IR) and network, as well as 3rd-party network-based synchronization and management solutions. CMG Shield has been tested with a wide range of mobile devices from many manufacturers.

CMG Shield for PDAs, Pocket PCs and Smartphones is compatible with:

- Palm OS 5.x
- Windows Mobile 2003 Pocket PC and Smartphone
- Windows Mobile 5.0 Pocket PC and Smartphone
- Windows Mobile 6.0 Pocket PC and Smartphone
- RIM Java OS 4.0 BlackBerry devices
- Symbian OS 7.x devices (Nokia Series 80)

CMG External Media Shield (USB sticks, iPods/MP3 players, memory cards, compact flash drives) is compatible with portable storage devices accessing data from:

- Microsoft Windows 2000 Professional
- Microsoft Windows XP (32-bit) Professional, Home, Media Center and Tablet PC
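The per-method attempt limits, the fail-over from PIN to Password to Question/Answer to helpdesk recovery, and the fail-safe actions (incremental cool down, deletion of encrypted data, hard reset) described above, modelled as a state machine in Python. This is an added example, not CREDANT's implementation: the Method, AuthPolicy, Credential and DeviceAuth names, the outcome codes, the PBKDF2 credential storage and the attempt limits used are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class FailSafe(Enum):
    COOL_DOWN = "incremental_cool_down"
    DELETE_DATA = "delete_encrypted_data"
    HARD_RESET = "hard_reset"


@dataclass(frozen=True)
class Method:
    name: str          # "pin", "password", "qa" or "helpdesk" (remote recovery code)
    max_attempts: int  # failures allowed before failing over to the next method


@dataclass(frozen=True)
class AuthPolicy:
    chain: tuple                # ordered fail-over chain, helpdesk recovery last
    fail_safe: FailSafe         # action once every option in the chain is exhausted
    base_cool_down_s: int = 60  # first cool-down; doubles on each further exhaustion


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Credential:
    """Salted, iterated hash of one credential with constant-time comparison."""

    def __init__(self, secret: str):
        self.salt = secrets.token_bytes(16)
        self.digest = _derive(secret, self.salt)

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(candidate, self.salt))


class DeviceAuth:
    def __init__(self, policy: AuthPolicy, credentials: dict):
        self.policy = policy
        self.creds = credentials   # method name -> Credential
        self.stage = 0             # index into policy.chain
        self.failures = 0          # failed attempts at the current stage
        self.cool_downs = 0        # how many times the whole chain was exhausted
        self.locked_until = 0.0    # clock value before which attempts are refused
        self.data_wiped = False
        self.unlocked = False

    def expected_method(self) -> str:
        return self.policy.chain[self.stage].name

    def attempt(self, method: str, secret: str, now: float = 0.0) -> str:
        """Process one authentication attempt and return a short outcome code."""
        if self.data_wiped:
            return "device_wiped"
        if now < self.locked_until:
            return "cooling_down"
        current = self.policy.chain[self.stage]
        if method != current.name:
            return "wrong_method"   # the device only prompts for the current stage
        if self.creds[current.name].verify(secret):
            self.unlocked, self.stage, self.failures = True, 0, 0
            return "unlocked"
        self.failures += 1
        if self.failures < current.max_attempts:
            return "retry"
        self.stage, self.failures = self.stage + 1, 0   # fail over to the next method
        if self.stage < len(self.policy.chain):
            return "failover_to_" + self.expected_method()
        return self._fail_safe(now)

    def _fail_safe(self, now: float) -> str:
        """Every option, helpdesk recovery included, has been exhausted."""
        self.stage = 0
        if self.policy.fail_safe is FailSafe.COOL_DOWN:
            delay = self.policy.base_cool_down_s * 2 ** self.cool_downs
            self.cool_downs += 1
            self.locked_until = now + delay
            return f"cool_down_{delay}s"
        self.data_wiped = True   # encrypted data deleted, or the device hard reset
        return self.policy.fail_safe.value
```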

OPTIONAL OVER-THE-AIR (OTA) SYNC CONTROL FOR PDAS, SMART PHONES

CREDANT Mobile Guardian's Over-The-Air (OTA) Sync Control feature for Microsoft Exchange Server enables organizations to detect any Windows Mobile, Palm and Symbian device that attempts connection via Exchange ActiveSync (EAS) and blocks the connection if the device does not have CMG Shield installed. Once CMG detects the installed Shield on the device, the device is allowed to synchronize e-mail, contacts, etc. Synchronization can also be restricted by user or device type. This optional addition to the CMG standard architecture also integrates with the Microsoft Security Feature Pack (MSFP) so that organizations can take full advantage of push e-mail to all Windows Mobile 5 devices protected by MSFP.

NEGLIGIBLE NETWORK IMPACT OF CMG INSTALLATION

Communication between the CMG system components has negligible impact on network traffic and bandwidth. For example, each policy package communication from the CMG Enterprise Server to the CMG Local Gatekeeper and Policy Proxy is typically less than 10KB in size, much less than opening an average browser page on the Internet. From an initial installation perspective, the CMG Local Gatekeeper install and the CMG Shield for Windows install are each approximately 7MB, so impact is minimal, even if installed via logon scripts over the network. The CMG Shield for PDAs and Smartphones is generally downloaded and deployed locally by the companion PC's CMG Local Gatekeeper, so there is virtually no impact to the network when it is installed.

CMG FUNCTIONALITY

CREDANT Mobile Guardian Enterprise Edition was designed as a standards-based management system with an integrated web interface to ensure portability and reliability. The CMG Enterprise Server's core functions are security policy management, key management, inventory management, access control management, directory management, audit and reporting. These functions are implemented with industry standards including XML, SOAP, SSL, LDAP, JDBC, SQL and Java. All CMG Enterprise Server components can reside on a single dedicated hardware server, though most production deployments require a minimum of two servers. As organizations grow, the core functions can be distributed across multiple hardware servers, resulting in a highly scalable, flexible and well-balanced solution that addresses a wide range of configuration requirements and preferences.

ENTERPRISE DIRECTORY INTEGRATION

CREDANT Mobile Guardian integrates quickly and easily with enterprise LDAP v3 compliant directories. A variety of directories are supported, including Microsoft Active Directory, Sun ONE Directory Server, and Novell eDirectory. The CMG Enterprise Server can use LDAP or LDAPS v3 to communicate with the directory via a read-only user account. Users, groups and the relationships between them are imported and stored in the enterprise database so security policies can be applied at the global, group, or individual user level (Figure 2). LDAP username and password information is used by CMG for administrator authentication, first-time mobile user authentication and device activation, but CMG never stores the user's authentication credentials.

Figure 2. CREDANT Directory Browser (Group View)

The CMG Enterprise Server requires read-only access to the directory, so there's no risk to your directory schema. Directory synchronization can be scheduled and automated, thus ensuring that security policies are built on the most current organizational structure without any manual action by the CMG administrator. When companies make changes to their directory structure or personnel, CMG automatically captures the modifications and makes the appropriate changes to ensure that security policies are always consistent with user and group roles. The CMG Server leverages LDAP integration to allow organizations to use already established organizational structures to manage mobile data security policies, speeding mobile data security implementation and reducing ongoing maintenance.

ENTERPRISE DATABASE INTEGRATION

CMG uses an ODBC compliant relational database management system as its repository for mobile security infrastructure and attribute information. The database can be backed up and queried using industry standard tools and techniques for reliability and recoverability. The CMG database can reside in an existing database or database instance, or customers can choose a CMG installation package that includes Microsoft SQL Server 2005 Express Edition. Supported databases include:

- Microsoft SQL Server 2000
- Microsoft SQL Server 2005
- Microsoft SQL Server 2005 Express Edition

BROWSER-BASED CENTRALIZED ADMINISTRATION

Using Internet Explorer 6.0 and above, CMG's browser-based administrator interface lets administrators securely manage their mobile data security from any system with a web browser and network access to the CMG Enterprise Server. Administrators log in to the SSL-secured CMG Enterprise Server Web UI with their standard LDAP directory username and password. In a Windows networking environment, this is the Windows domain login.

SEPARATION OF ADMINISTRATIVE DUTIES

CREDANT understands that organizations have different requirements for differing administrative duties. To support these varied needs, CMG provides five flexible administrator roles that can be assigned in any combination to any valid user. Users assigned one or more administrative roles, or types, log in to the CMG web interface with their standard LDAP credentials so they don't have to remember another username and password or create and maintain a separate set of CMG-specific usernames and passwords. The CMG server authenticates administrators against the organization's existing LDAP server or domain controller when they access the management interface to ensure secure access at all times, even when the user is outside the corporate network. CREDANT suggests having only one overseeing administrator, which is a user who has been assigned all five administrative roles (Figure 3). Multiple CMG administrators can be logged in concurrently, with the exception of an overseeing administrator, of which only one can be logged in at a time. CMG Administrator roles and responsibilities are as follows:

- Security Administrators can search for and view users and groups and change and publish mobile data security policies. Users assigned this role can also access the remote device recovery system to help shielded users regain access to their mobile devices in case they fail their PIN, password, and Question/Answer authentication.
- System Administrators can search for and view users, groups, Gatekeepers and mobile devices. Users assigned this role can also synchronize the CMG Enterprise Server with the LDAP directory, work with Server tools, approve Gatekeeper messages, and view device support status.
- Help Desk Administrators can search for and view users, groups, Gatekeepers and mobile devices. Users assigned this role can also access the remote device recovery system to help shielded users regain access to their mobile devices in case they fail their PIN, password, and Question/Answer authentication.
- Account Administrators can view and search for users and groups and manage CMG administrator roles.
- Log Administrators can only work with CMG audit logs.

Figure 3. CREDANT Mobile Guardian Administrative Roles

AUDIT LOGS AND REPORTING

CMG's powerful security assessment tool allows properly authorized administrators to search logs based on a variety of criteria, including priority, date, time, user ID and machine name. Administrators access the CMG Enterprise Server via a web browser to see their LDAP and mobile security infrastructures combined into a single view. In addition, they can view information and create reports on mobile device inventory and CMG policies and infrastructure. This enterprise-wide view of mobile device security helps simplify device security management and compliance.

CMG provides robust audit logs that track administrator activity and system events. CMG audit logs are stored in the CMG Enterprise Server database so administrators can view the information from the CMG interface or create custom reports using a variety of reporting tools already in use by the organization. To ensure traceability and accountability, the time, date and user responsible for the following actions are available in the Administrative Actions logs (Figure 4):

- Logging in to and logging out of the CMG interface
- Adding, changing, or deleting administrators
- Retrieving system logs
- Directory synchronization activity
- Changing and publishing mobile data security policies

System logs include:

- All calls to run a service, such as contact with a Gatekeeper
- Inventory updates
- Database synchronization

Figure 4. Administrator Action Logs

MOBILE DEVICE INVENTORY MANAGEMENT

The CMG Enterprise Server, the CMG Policy Proxy and CMG Local Gatekeepers work together to track and maintain mobile device inventories so that organizations can see how many and what types of devices are connecting to their networks. Installed on a PC, the CMG Local Gatekeeper is aware of synchronization software and CMG Shield installations. It gathers a wide range of information about the Shielded Windows PCs, and the Shielded PDAs and smart phones associated with each PC. Inventory is updated every time the PDA or smart phone synchronizes with the companion PC or when a user logs into a Windows account protected by CMG Shield for Windows. CMG Local Gatekeeper then securely sends the inventory information to the CMG Enterprise Server for further reporting. Inventory information from any CMG-protected Blackberry, Pocket PC, smart phone, and Windows Notebooks, Tablets, or Desktops that use the CMG Policy Proxy for policy updates is also securely sent to the CMG Enterprise Server.

Device inventory includes detail about installed CMG components as well as device hardware, firmware, software, and protected users. As shown in Figure 5, inventory detail provides a wide range of useful information on your mobile device population like the host name, IP address, last poll time, mobile user ID, device type, Operating System (OS), and OS version. Specific device inventory information including available memory, total memory, and battery life (if applicable) is also collected.

Figure 5. Mobile Device Inventory Details (Windows System)

SECURITY POLICY DISTRIBUTION

CMG supports many types of security policies to protect your mobile data, including CMG Local Gatekeeper monitoring and installation policies that help you gain control over your mobile device environment. CMG's mobile security policies define the on-device access control, encryption and authorization rules as well as the CMG Local Gatekeeper monitoring policies. CMG administrators specify the security policies via the administrative interface of the CMG Enterprise Server. Structural changes or security policy updates can easily be made by simply having an authorized security administrator select the group, role or individual from the CMG Enterprise Server console, change the policies and publish them. No special user or administrative activity is required to ensure that policy updates are enforced on devices protected by the CMG Shield.

The policies are then encrypted and stored, awaiting the next polling request. Upon the next polling interval, the encrypted policy updates are retrieved by the CMG Local Gatekeeper or CMG Policy Proxy, where they are stored in an encrypted bundle until the next mobile device synchronization request. The next time the user authenticates and synchronizes the mobile device, the CMG Shield checks the Gatekeeper or Policy Proxy for policy updates. If updates exist, the CMG Shield retrieves, decrypts, verifies data integrity and applies the new policies to the mobile device.

CMG uses SSL (HTTPS) to secure communications between the CMG Enterprise Server and the CMG Local Gatekeeper and Policy Proxy. The CMG Enterprise Server and these two components work together to automatically and securely deliver encryption keys and mobile security policies to the CMG Shield running on the mobile device. The encryption keys and mobile security policies are always encrypted by the CMG Enterprise Server for a specific CMG Shield and are transmitted in an encrypted format. The CMG Local Gatekeeper and CMG Policy Proxy never have access to the encryption keys and so are unable to decrypt the security policy files. Only a properly authenticated CMG Shield has access to this information.
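The delivery path just described, as an added Python example that is not CREDANT's code: the Enterprise Server wraps a policy for one named Shield, the Gatekeeper or Policy Proxy stores the blob without being able to read it, and the Shield checks integrity (and that the bundle was addressed to it) before decrypting. The HMAC-based stream cipher, the key-derivation labels and the "shield-001" identifier are assumptions standing in for the AES kernel and real device identifiers.

```python
"""Model of the CMG policy-distribution path (added illustration, not
CREDANT code). Three parties: the Enterprise Server wraps a policy for one
specific Shield, the Gatekeeper/Policy Proxy relays the blob without any
key, and only that Shield can verify and unwrap it. The cipher (HMAC-SHA256
keystream), derivation labels and identifiers are assumptions."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def derive_subkeys(device_key: bytes) -> Tuple[bytes, bytes]:
    """Split one per-device key into an encryption key and a MAC key."""
    enc_key = hmac.new(device_key, b"cmg-policy-enc", hashlib.sha256).digest()
    mac_key = hmac.new(device_key, b"cmg-policy-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF (stdlib only;
    stands in for the AES kernel the paper names). XOR is its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class PolicyBundle:
    shield_id: str     # the one Shield this bundle was wrapped for
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # HMAC over shield_id || nonce || ciphertext


def _tag(mac_key: bytes, shield_id: str, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, shield_id.encode() + nonce + ct, hashlib.sha256).digest()


def server_publish(device_key: bytes, shield_id: str, policy: dict) -> PolicyBundle:
    """Enterprise Server side: encrypt-then-MAC the policy for one Shield."""
    enc_key, mac_key = derive_subkeys(device_key)
    nonce = os.urandom(16)
    ct = keystream_xor(enc_key, nonce, json.dumps(policy, sort_keys=True).encode())
    return PolicyBundle(shield_id, nonce, ct, _tag(mac_key, shield_id, nonce, ct))


class Gatekeeper:
    """Local Gatekeeper / Policy Proxy: holds bundles until the device polls.
    It has no device keys, so the policy content is opaque to it."""

    def __init__(self) -> None:
        self._pending: Dict[str, PolicyBundle] = {}

    def receive(self, bundle: PolicyBundle) -> None:
        self._pending[bundle.shield_id] = bundle

    def poll(self, shield_id: str) -> Optional[PolicyBundle]:
        return self._pending.get(shield_id)


def shield_apply(device_key: bytes, shield_id: str, bundle: PolicyBundle) -> dict:
    """Shield side: verify integrity and addressing first, then decrypt."""
    enc_key, mac_key = derive_subkeys(device_key)
    expected = _tag(mac_key, shield_id, bundle.nonce, bundle.ciphertext)
    if not hmac.compare_digest(expected, bundle.tag):
        raise ValueError("policy bundle rejected: integrity check failed")
    return json.loads(keystream_xor(enc_key, bundle.nonce, bundle.ciphertext))


def tampered(bundle: PolicyBundle) -> PolicyBundle:
    """Constructed failure case: a relay flips one ciphertext bit in transit."""
    ct = bytearray(bundle.ciphertext)
    ct[0] ^= 0x01
    return PolicyBundle(bundle.shield_id, bundle.nonce, bytes(ct), bundle.tag)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo device key").digest()
    policy = {"pin_required": True, "min_pin_length": 6, "idle_lock_minutes": 10}
    gk = Gatekeeper()
    gk.receive(server_publish(key, "shield-001", policy))
    print(shield_apply(key, "shield-001", gk.poll("shield-001")))
```

A bundle altered in transit, presented to a Shield holding a different key, or addressed to another Shield all fail the tag check and are never applied.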

OVER-THE-AIR POLICY UPDATES FOR POCKET PC, SMARTPHONE

CREDANT's over-the-air (OTA) option allows organizations to protect their mobile devices even if they never or rarely cradle sync to a PC. Once the CMG Shield is installed on a device, policy updates can be sent OTA, a process that begins just as it does for passing policies via cradle sync, with the CMG administrator modifying mobile device security policy and publishing those changes on the CMG Server. Figure 6 shows a typical OTA configuration, although there are other configuration options available to ensure a solution that fits virtually any enterprise environment. During regularly scheduled polling intervals the CMG Policy Proxy checks for policy updates that apply to devices it manages and pulls them down, as encrypted bundles, from the CMG Server. The CMG Shield automatically polls the CMG Policy Proxy for policy updates at configurable intervals. If policy updates are available, the CMG Shield automatically retrieves the policy updates and applies them to the device to ensure that security policy is always up to date and properly enforced.

Figure 6. Typical CMG Enterprise Edition OTA Configuration (diagram: Mobile Device with CredActivate Client on the Internet; External Firewall; Remote Gatekeeper on a Windows 2000 or 2003 Server in the DMZ; Internal Firewall; Active Directory Server and CMG Enterprise Server on the Intranet; flows labelled Policy Updates, CredActivate Communications and Server Communications)

USER AUTHENTICATION

The CREDANT Mobile Guardian Shield for Windows supports the native Microsoft GINA and also provides an optional GINA replacement. In either scenario the CREDANT Mobile Guardian Shield integrates with the existing Windows login mechanism. It allows the user to have a single password for logging into Windows and for unlocking access to encrypted information protected by CMG Shield. Challenge/response parameters are established to reduce user logins and provide administrator-assisted device recovery, even when the PC is disconnected from the network, ensuring that traveling employees can always gain access to their PC. For more details on the CMG Shield Access Control Policies for Windows devices, including the CMG GINA replacement option, refer to the CMG Enterprise Edition for Windows Devices whitepaper.

When installed across disparate mobile devices, such as PDAs and smart phones, CREDANT Mobile Guardian enables organizations to enforce multiple levels of mandatory access control including PIN, password, and question/answer authentication. Rules governing the number of minutes a device can be idle before automatic lock down and challenge/response parameters are also established to reduce user logins and provide secure, remote administrator-assisted device recovery. CMG also enforces a range of automated, fail-safe actions to protect PDA data, regardless of whether the device is connected to or disconnected from the corporate network. For phone-enabled devices, CMG Shield allows users to make and receive phone calls without having to authenticate beforehand.

PIN and Password - CMG supports flexible PIN and password security parameters that address factors like whether these credentials are required, when they are required and the number of authentication attempts allowed. CMG's policies also include settings that control the number of characters required, case sensitivity, mixed character usage (alpha, numeric, and special) and use of sequential numbers. In addition, CMG lets administrators control timing and history rules such as the amount of time a PIN/password is valid, the number of previous values the user will not be allowed to reuse, and the number of days that a user is not allowed to reuse a previous value.

Question and Answer Authentication - End users who are new to security may frequently forget PINs and passwords, resulting in large numbers of unproductive credential reset calls to the help desk. CMG's self-service reset policies allow an authenticated mobile user to reset their own PIN or password based on a question they are automatically prompted to answer if they enter their PIN and password incorrectly. The questions can be created by an administrator as part of the policy settings or by the mobile user. The questions and answers are then encrypted and stored locally on the mobile device. CMG administrators can control policy settings such as the number of characters required in the answer, the number of allowed question/answer attempts, and whether to force a mandatory question/answer reset upon the next login.
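The PIN/password parameters above, worked as an added Python example (not CREDANT code): a policy object carrying the length, character-class, sequential-number, history, validity and attempt-count settings, a validator that reports every rule a new value breaks, and an attempt counter that applies the cool-down lockout described under Fail-Safe Actions once the allowed attempts are used up. Field names, default values and the walk-through scenario are assumptions.

```python
"""Added illustration (not CREDANT code) of PIN/password policy enforcement:
length and mixed-character rules, sequential digits, reuse history, validity
period, allowed attempts and the cool-down applied when the limit is hit.
Field names, defaults and the scenario values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_mixed: bool = True      # alpha, numeric and special characters
    case_sensitive: bool = True
    forbid_sequential: bool = True  # runs such as 1234 or 4321
    history_depth: int = 5          # previous values that may not be reused
    max_age_days: int = 90          # how long a value stays valid
    max_attempts: int = 5           # failures before the fail-safe action
    lockout_minutes: int = 15       # cool-down applied by that action

def secret_digest(policy: PasswordPolicy, value: str) -> str:
    """Keep only a hash of the credential; fold case when policy allows."""
    normalized = value if policy.case_sensitive else value.lower()
    return sha256(normalized.encode()).hexdigest()

def has_sequential_digits(value: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are digits stepping by +1 or -1."""
    for i in range(len(value) - run + 1):
        window = value[i:i + run]
        if window.isdigit():
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def validate_new_secret(policy: PasswordPolicy, candidate: str,
                        history: List[str]) -> List[str]:
    """Return every rule the candidate violates (empty list means accepted).
    `history` holds digests of earlier values, oldest first."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed and not (any(c.isalpha() for c in candidate)
                                     and any(c.isdigit() for c in candidate)
                                     and any(not c.isalnum() for c in candidate)):
        problems.append("must mix alpha, numeric and special characters")
    if policy.forbid_sequential and has_sequential_digits(candidate):
        problems.append("contains a run of sequential digits")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if secret_digest(policy, candidate) in recent:
        problems.append(f"reuses one of the last {policy.history_depth} values")
    return problems

@dataclass
class DeviceAuthState:
    secret: str                     # digest of the current PIN/password
    changed_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None

def authenticate(policy: PasswordPolicy, state: DeviceAuthState,
                 attempt: str, now: datetime) -> str:
    """One attempt. Returns 'ok', 'expired' (correct but past max age, reset
    due), 'failed', 'failsafe' (limit hit, cool-down applied) or 'locked'."""
    if state.locked_until is not None and now < state.locked_until:
        return "locked"
    if secret_digest(policy, attempt) == state.secret:
        state.failures, state.locked_until = 0, None
        expired = now - state.changed_at > timedelta(days=policy.max_age_days)
        return "expired" if expired else "ok"
    state.failures += 1
    if state.failures >= policy.max_attempts:
        # Modelled fail-safe step: cool-down lockout. A policy may instead
        # escalate to deleting encrypted data or a hard reset.
        state.failures = 0
        state.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        return "failsafe"
    return "failed"

def lockout_scenario() -> List[str]:
    """Constructed walk-through: four wrong entries, a fifth that trips the
    fail-safe, a sixth refused during cool-down, then the right one later."""
    policy = PasswordPolicy()
    t0 = datetime(2024, 1, 1, 9, 0)
    state = DeviceAuthState(secret_digest(policy, "Summer2024!"), t0 - timedelta(days=10))
    outcomes = [authenticate(policy, state, "wrong-pin", t0) for _ in range(5)]
    outcomes.append(authenticate(policy, state, "Summer2024!", t0 + timedelta(minutes=1)))
    outcomes.append(authenticate(policy, state, "Summer2024!", t0 + timedelta(minutes=16)))
    return outcomes
```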
Auto-lock Timers - CMG's auto-lock timer policies determine the number of minutes a device can be idle or powered off before CMG Shield automatically locks down the device. In order for the mobile user to begin work without re-authenticating, the user must deactivate and re-activate the device using the power button within a specified time period. CMG can also be configured to re-authenticate after every power off. These policies allow an organization to balance security with ease of use by not forcing a user to re-authenticate every time they use the device.

Secure, Remote Access Recovery - CMG's secure remote access recovery policy allows authorized CMG administrators to manually authenticate and restore access to a device that has been locked because the user failed the PIN, password, and Question/Answer authentication options. This also allows recovery of encrypted data in the event an employee leaves the company or is unsuccessful in gaining access. CMG's access policies provide a challenge and response mechanism to recover access to mobile devices.

Fail-Safe Actions - CMG also enforces a range of automated, fail-safe actions to protect PDA and external media data, regardless of whether the device is connected to or disconnected from the corporate network. CMG's access recovery policies define the number of unsuccessful access attempts allowed before it automatically invokes fail-safe actions. Fail-safe actions can include locking out the user for a specified cool-down period, deleting encrypted data from the device or performing a hard reset to remove all data and applications.

MULTI-FACTOR AUTHENTICATION SUPPORT

Unlike competitive host encryption products that force pre-boot authentication and require special integration with an SDK to support multi-factor authentication, CREDANT Mobile Guardian works within the authentication framework provided by Microsoft Windows and the PKCS #11 Cryptographic Token Interface Standard.
CREDANT Mobile Guardian uses a patent-pending authentication method to integrate with the strong authentication mechanisms supported by these standards. This approach provides immediate interoperability with any strong authentication system that works within the Microsoft Windows or PKCS #11 standards (Biometric, Smartcard, RSA, or whatever else is invented) and requires the end user to sign in only once. After the user successfully authenticates using the strong authentication mechanism of choice, they have immediate access to all encrypted data on the disk. There is no requirement to sign in again to the CMG Shield. Because the CMG Shield works with Windows, customers and 3rd parties do not have to develop new versions of their products with special SDKs (like other host encryption products). Integration with the CMG Shield is immediate. CREDANT customers have leveraged this technology to provide out-of-the-box integration with RSA SecurID for Windows, IBM Biometric authentication, and Axalto smartcards. In all cases, the customer is able to utilize their existing authentication framework and simply add the CMG Shield into the mix to provide total data protection through encryption. The end user will not notice any changes in the authentication process.

SELF-SERVICE PIN/PASSWORD RESET AND REMOTE DEVICE RECOVERY

CREDANT customers have reported significant savings in time and money thanks to the self-service PIN/Password reset and remote administrator-assisted recovery options. A tedious process that negatively impacts productivity, resetting of devices in-house can now be accomplished by the end user in seconds with CMG's self-service PIN/Password reset, a set of pre-established security questions and answers, with no call to the help desk required (Figure 7). If authentication is successful, the user is asked to reset the PIN and/or password without requiring Help Desk involvement.

Figure 7. Self-Service PIN/Password Recovery for Smart Phone

If the end user fails CMG's Question and Answer authentication (Figure 8), a simple phone call to the help desk and a quick validation by the administrator are all that is needed, and the user receives a new access code to unlock the device. Once the device is unlocked, the user is prompted to reset their password/PIN via questions and answers so they can continue to access their device securely.
This remote, administrator-assisted challenge and recovery mechanism is much easier and more cost-effective than requiring the device to be manually unlocked, reset and redeployed at the office. Remote helpdesk recovery is also available for removable media.

Figure 8. Remote Helpdesk Device Recovery

POLICY-BASED INTELLIGENT ENCRYPTION

Unlike older encryption point products, CREDANT's patent-pending Policy-based Intelligent Encryption, with a multi-layered defense approach, provides critical business controls that ensure data is always within compliance. Data files are encrypted and decrypted transparently so there's no change in how users work. CREDANT's on-the-fly process decrypts files as they are accessed so data always remains encrypted on the drive and is only decrypted in memory, when in use.

FOUR LAYERS OF DEFENSE

CREDANT's defense-in-depth, or four layers of defense, Intelligent Encryption strategy extends compliance controls to mobile endpoints by ensuring that data-at-rest is protected at all times. CREDANT's unique layered approach not only provides a comprehensive data protection solution, but it also fits nicely into a phased security implementation. This can be especially helpful for enterprises that prefer to roll out security slowly or for those who have different security policy requirements by user role or department.

1. The first layer of defense applies to the volume level, enabling organizations to set policies that force the encryption of any data generated by the end user and written to any volume on the drive while eliminating the need to encrypt the operating system. Sensitive data is encrypted no matter where it resides on the local hard drive.

2. The second layer of defense, File type encryption (Common & User level), automatically encrypts previously created and new files of a specified type (or multiple types) regardless of where they are stored on the hard drive. This layer is primarily configured to ensure that all application-independent files such as .ini, .temp, .txt, .html, etc. are encrypted. When implemented via Common encryption policies, any authorized user can access these files once they are logged into the system. When implemented via User encryption policies, only the data owner can access these files.

3. The third layer of defense applies to application data, enabling organizations to set policies that force the encryption of any data written by heavily-used business applications to protect against user error or malicious renaming of a file type that would leave data exposed. This patent-pending technology applies to any application that handles sensitive data without requiring any modification to the application code base. Administrators simply define a list of application executables in security policy and the CMG Shield automatically monitors for any files created by these applications and saved to disk. Independent of the application, the CMG Shield automatically encrypts the data as it is written to disk.

4. The fourth layer of defense applies to the user level, enabling organizations to set policies that force the encryption of data for individual users who share a notebook computer or workstation. The administrator can also specify common encrypted locations that are accessible to all authorized users on the machine. This allows administrators to enforce the protection of shared, sensitive data and ensures that the data can be accessed by multiple authorized users on the same machine while user-specific data remains protected. Local administrators never have access to encrypted data so IT can manage systems without exposing sensitive data.

Because mobile device operating systems differ across varying device platforms, there are some functional differences in how CREDANT Policy-based Intelligent Encryption technology operates, as described below.

Windows Desktops, Notebooks and Tablet PCs

CREDANT Intelligent Encryption technology for Windows-based devices fills the security gaps left by file-folder based encryption products and avoids the management, data recovery, security and productivity issues associated with full, or hard disk, encryption methods. The CMG Shield for Windows provides a single security policy that defines any/all of the five levels of encryption, both user and shared information, and allows all the data files to be encrypted automatically, wherever the data files are saved on the disk, and whatever their name. Shared data can be encrypted and shared between multiple users on a machine, or encrypted for an individual user. The CMG Shield utilizes two separate encryption keys to accomplish this flexibility: a common encryption key and a user encryption key. Temporary and Windows Paging, or Swap, files are also automatically encrypted. The Windows password hash is stored securely in an encrypted location, dramatically improving the security of the Windows password mechanism and ensuring that the encrypted information stored on the PC cannot be compromised.

Windows Mobile Pocket PCs

These devices come with built-in Calendar, Contacts, Inbox/Mail, and Tasks, also known as Personal Information Management (PIM) applications. CMG can be configured to encrypt any or all PIM databases, third party application databases, email attachments, media files, and information stored in My Documents. CMG Shield for Pocket PC also allows the administrator to create a secured folder on the device or on removable media. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. When the user requests a specific database or file, the CMG Shield decrypts that information on-the-fly so information remains encrypted at all times, except when actually in use by an authorized user.

Windows Mobile Smart Phones

CMG can be configured to encrypt any or all PIM databases as well as third party application databases and email attachments. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. The CMG Shield decrypts that information on the fly so information remains encrypted at all times, except when actually in use by an authorized user.

Palm OS Devices

For Palm devices, where all files are stored in databases, CMG supports administrator-definable policies that encrypt and decrypt each database independently as access is requested. The CMG administrator specifies which databases will be encrypted. When the mobile user turns on the device and authenticates to CMG Shield, none of the databases are decrypted. When the user requests a specific database (e.g. hits his Notes or Calendar icon), CMG Shield decrypts that specific database on the fly, incrementally on a record-by-record basis as needed, so data is only decrypted while in use by an authorized user.

Symbian Smartphones

CMG can be configured to encrypt the calendar, contacts and tasks databases for these devices. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. When the user requests a specific database or file, the CMG Shield decrypts that information on the fly so information remains encrypted at all times, except when actually in use by an authorized user.

RIM OS Devices

CMG can be configured to encrypt any or all PIM databases for RIM Blackberry devices. Encryption for these databases only occurs when the user fails to enter the correct authentication credentials.

External Media

When the administrator enables CMG External Media Shield for a user, the system places the EMS client onto every piece of removable media inserted into a CMG-protected computer or handheld device. An installer is also copied to the media, allowing the user to work with encrypted external media data from another computer not protected by CMG, and still be able to securely read and write encrypted data to the external media.

FIPS VALIDATION

CMG supports a variety of industry standard encryption algorithms including AES 128, AES 256, 3DES, Blowfish and Lite so organizations can balance security and performance. CREDANT has achieved FIPS 140-2 Level 1 validation for the CREDANT Cryptographic Kernel (CCK). The same CCK is used across all CREDANT supported platforms by the CMG Shield. The CREDANT implementations of the AES, 3DES, SHA-1, HMAC-SHA-1, and RNG algorithms are all FIPS approved. The certificate is available online at http://csrc.nist.gov/cryptval/140-1/1401val2004.htm#452.

ENCRYPTED DATA RECOVERY

One of the challenges with any type of data security solution is how to recover data if the encryption keys are lost. The simple answer is that if the keys are lost, then the data is lost too. It is therefore imperative that every precaution is taken to securely archive and protect the keys.

AUTOMATIC KEY ESCROW FOR IMMEDIATE RECOVERY

Unlike competitive products, CREDANT's key escrow process is completely automated and transparent. All encryption keys are generated and securely archived by the CMG Enterprise Server before being passed down to the device, thereby ensuring that they can never be lost. Other solutions generate the