Lumension Device Control™
Say Goodbye to Data Leakage! Device Control allows you to regain control of the peripheral storage devices that your user community attempts to connect to your network assets. Through granular policy-based controls, Device Control reduces risk of data theft, data leakage and malware introduction via unauthorised removable media and assures compliance with the landslide of regulations governing privacy and accountability.
The proliferation of data loss due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels. According to recent security reports, 75 percent of Fortune 1000 companies fell victim to data leakage in 2006, with an average cost of recovery that exceeded $5,000,000. Device Control eliminates data loss from removable devices through the policy-based enforcement of device use to control the flow of inbound and outbound data from your endpoints.
Positive Approach to USB Security
Hardware such as USB memory sticks, FireWire external hard drives, scanners, music players, digital cameras, PDAs and CD/DVD burner drives is scattered throughout offices around the world. Their proliferation amplifies the threats posed by outsiders, or by users who plug in devices that could compromise system policies on storage management.
By employing a whitelist approach, Sanctuary enables only authorised devices to connect to a network, laptop or PC, facilitating security and systems management while providing the necessary flexibility to the organisation.
Simple, Fast, Flexible Administration and Management
Device Control enables administrators to quickly establish and enforce device control policies by rapidly identifying devices and then assigning permissions at a high level or all the way down to a specific application, per user, user group or even a particular computer. Policies can also be enforced by time constraints, encryption, volume of data, data transfer and many more criteria. Device Control links device policies to user and user group information stored in Microsoft Active Directory or Novell eDirectory, and has also been ported to Windows Embedded platforms in addition to traditional Windows Server and Desktop operating systems, dramatically simplifying the management of endpoint security application resources. Device Control controls the use of a vast range of devices that are key sources of breaches, and monitors and audits device usage according to device type rather than how the device is connected. If needed, Device Control can be set to completely block USB ports or any other port (Bluetooth, FireWire, IrDA, WiFi, etc.), providing USB security and data protection, or to prevent access to any device category independently of how users attempt to connect it. Granular policies also allow access rights (R/W) to be set down to a unique device model or identifiable unit, per user or user group.
USB Security Built to Scale
With a three-tier architecture and load-balancing capability, Device Control is designed to provide USB security to organizations ranging in size from 50 to 100,000 endpoints. Through integration with Active Directory or eDirectory, Sanctuary fits into your existing technical infrastructure and logical organization. Device Control has also been ported to Windows Embedded platforms to protect the growing number of exposed embedded devices.
Comprehensive Security and Auditing Capabilities for USB Devices
Patented Bi-directional Shadowing technology tracks information as it is read from or written to floppy, CD/DVD and removable devices, and provides a comprehensive audit log of every event, whether allowed or merely attempted, including those by unauthorized code and all writes to removable media and specific ports. Optionally, a full copy of the data written to or read from a device can be captured and retained as well.
Not only is an audit log invaluable in measuring and enforcing policy compliance, it also bundles the information you need as proof of compliance with a number of governmental regulations such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
To accommodate organisations' different endpoint policy, auditing and enforcement requirements, Lumension Device Control is available as a set of modules:
Lumension Device Control - Audit Only
Focusing on audit and reporting requirements to comply with regulatory requirements or internal policies, Sanctuary Device Control - Audit Only provides extensive auditing and reporting features:
- Logging of user actions: keeps track of access denied (read/write), new devices entered, by whom, when, on what host, etc.
- Patented Bi-Directional Shadowing of all copied data: tracks all data read from and/or copied to removable devices. The first level provides file name, type, size, by whom, when, etc., while the second level captures and retains a full copy of all data written to / from removable devices for administrators' audit needs.
- Reporting to third-party systems: allows the export of CSV files to any compliant third-party reporting system for further processing (e.g., statistics on device usage, denied access, etc.). A flexible and intuitive query builder generates the export files to be re-imported into MS Excel, Crystal Reports, Intellitactics and others.
- Use of Sanctuary Device Scanner to create an inventory of all devices that have ever been plugged into the hosts connected to the corporate network.
Lumension Device Control - Base
Lumension Device Control - Base includes the audit and reporting features of Sanctuary Device Control - Audit Only and adds all enforcement features of our award-winning policy enforcement product, including access attributes; device management; enforcement by class, sub-class, device level, etc.; administrative roles, etc.
*Note that this module does not include removable media encryption features.
Lumension Device Control - Enterprise
For organisations that need the entire set of the above-mentioned modules, Lumension Device Control Enterprise provides, in a single bundle, the full feature set enabling the auditing, reporting, enforcement and encryption features of our product.
Lumension Device Control - Encryption Add-On
This is an add-on module to Lumension Device Control - Base (which is therefore a prerequisite for this add-on). Management of unique and encrypted devices makes it possible to encrypt memory keys (AES-256) and thereby uniquely identify them. The media authoriser module can authorise a specific removable device to a particular user. The module specifically allows the encryption and protection of data stored on removable media.

| Feature | Benefit |
|---|---|
| Per-Device Permissions: Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels; for instance, restrict access rights to a specific device of a company-approved model. | Delivers Granular Permissions Control: Provides greater control at lower levels for effective access management. |
| Device Whitelist / "Default Deny": Assign permissions for authorized removable devices (such as USB sticks) and media (such as DVDs / CDs) to individual users or user groups; by default, devices, media and users not explicitly authorized are denied access. | Allows Only Authorized Devices onto Your Network: Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage / data loss. Limits uploading of unknown or unwanted files (i.e., malware or other unauthorized files). Eliminates the need to keep up with every new device brought into your environment; new devices are denied access until you have vetted them and permitted access. |
| Flexible Policy with Granular Control: Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and more; they can be set for individual and/or groups of users, machines, ports and devices. | Provides Comprehensive Policy-Driven Protection: Eliminates the risk of unauthorized devices connecting to the network while providing the flexibility users need. Allows business needs to drive security implementation, not technology limitations. Permits blanket policies to be fine-tuned via exception management. |
| Read-Only Access: Define any device (e.g., a floppy drive, DVD / CD writer, USB external hard drive, and so on) as read-only; other device permissions include write and encrypt / decrypt restrictions. | Prevents Data Leakage: Limits potential leakage paths of sensitive data. |
| Temporary / Scheduled Access: Grant users temporary access to removable devices / media, which can be used to grant access "in the future" for a limited period. Also limit device usage to a specific time period; this allows sophisticated security policies where certain devices can only be used at certain times (e.g., from 9 A.M. to 5 P.M., Monday to Friday). | Enhances Security Policy Enforcement: Switches access on without having to remember to switch it off again later. Limits unauthorized device usage during off-hours. Provides another method to manage access to sensitive data. |
| Offline Enforcement: Permissions / restrictions remain effective even when the endpoint is offline; these can be the same as when online or different (see Context-Sensitive Permissions). | Protects Beyond Your Network: Maintains security posture even when the endpoint is not connected to the network (e.g., laptops on travel), including all device usage and encryption rules. Provides the enforcement flexibility required to support business productivity without sacrificing security. |
| Uniquely Identify and Authorize Specific Media: Authorize and manage DVD / CD collections by granting access to specific users or user groups and encrypting removable media with unique IDs. | Secures Data from Loss / Theft: Limits DVD / CD access to your organization's standard discs, to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing. |
| Context-Sensitive Permissions: Apply different permissions / restrictions depending on network connectivity status. For example, disable WiFi cards when laptops are connected to the network, but enable them when the machine has no wired connection to the network. | Increases Endpoint Security: Provides deeper, finer-grained control over access to endpoints, reducing possible problem areas in all anticipated environments. |
| Offline Updates: Update permissions of remote endpoints that cannot establish a network connection; new permissions are saved to a file that is imported and installed on the client computer. | Maintains Security & Access Outside Your Network: Permits permission updates regardless of the endpoint's status, ensuring uniform security policy enforcement. |
| Device Management: Detect and manage all devices, including Plug-and-Play and non-standard / user-defined devices, "on the fly" within the system. | Improves Network Security: Provides the flexibility needed to handle unique needs and environments. Ensures user productivity is not disrupted by applying permissions to Plug-and-Play devices when they are detected. |
| File Type Filtering: Restrict and manage the types of files that are moved to and from removable devices (such as USB sticks) and media (such as DVDs / CDs); combine with forced encryption for added protection. | Blocks Malware Attacks and Protects Data: Reduces the risk of sensitive files leaving your network and of unwanted files (i.e., malware or other unauthorized files) entering it. Filters data being copied to removable devices and enforces encryption for deeper granularity and better control. |
| Data Copy Restriction: Restrict the daily amount of data copied to removable devices (such as USB flash drives) and media (such as DVDs / CDs) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 on weekdays). | Limits Data at Risk: Removes the risk of large amounts of data leaving your network at any given time. |
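The whitelist / default-deny model, the class-to-model-to-unique-ID permission scopes, scheduled and context-sensitive access and the daily copy quota described in the table above, as an added illustrative policy evaluator: this is example code, not Lumension's implementation, and the rule fields, the precedence order (unique ID over model over class), the subject names and the quota handling are assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Rule:
    """One permission entry (illustrative model; fields and precedence are assumptions)."""
    subject: str                       # user, user group or computer group
    device_class: str                  # coarse scope, e.g. "usb_storage"
    model: Optional[str] = None        # narrower scope: vendor/model string
    unique_id: Optional[str] = None    # narrowest scope: one identifiable unit
    access: str = "read"               # "read" (read-only) or "read_write"
    context: Optional[str] = None      # "online", "offline" or None for both
    hours: Optional[tuple] = None      # scheduled access as (start_hour, end_hour)
    daily_quota: Optional[int] = None  # max bytes written per user per day
    def specificity(self) -> int:
        return 2 if self.unique_id else 1 if self.model else 0
    def matches(self, dev: dict, online: bool, when: datetime) -> bool:
        if self.device_class != dev["class"]:
            return False
        if (self.model and self.model != dev.get("model")) or \
           (self.unique_id and self.unique_id != dev.get("unique_id")):
            return False
        if (self.context == "online" and not online) or (self.context == "offline" and online):
            return False
        return not self.hours or self.hours[0] <= when.hour < self.hours[1]

class DevicePolicy:
    def __init__(self, rules):
        self.rules = rules
        self.copied = {}  # (user, date) -> bytes written so far that day
    def decide(self, user, groups, dev, op, when, online=True, nbytes=0):
        """Default deny: no matching rule means deny; the most specific scope wins."""
        subjects = {user, *groups}
        cands = [r for r in self.rules if r.subject in subjects and r.matches(dev, online, when)]
        if not cands:
            return "deny", "no matching rule: default deny"
        rule = max(cands, key=Rule.specificity)  # unique ID > model > class
        if op == "write":
            if rule.access != "read_write":
                return "deny", "read-only"
            key = (user, when.date())
            used = self.copied.get(key, 0)
            if rule.daily_quota is not None and used + nbytes > rule.daily_quota:
                return "deny", "daily copy quota exceeded"
            self.copied[key] = used + nbytes
        return "allow", f"{rule.access} via {('class', 'model', 'unique id')[rule.specificity()]} rule"

def demo() -> dict:
    """Constructed scenario: staff are read-only on any USB storage, alice may write to one
    vetted model in working hours under a 50 MB/day quota, laptop WiFi is usable only offline."""
    policy = DevicePolicy([
        Rule("staff", "usb_storage"),
        Rule("alice", "usb_storage", model="ACME SecureKey", access="read_write",
             hours=(9, 17), daily_quota=50_000_000),
        Rule("laptops", "wifi_nic", access="read_write", context="offline"),
    ])
    stick = {"class": "usb_storage", "model": "Generic Flash", "unique_id": "GF-0001"}
    vetted = {"class": "usb_storage", "model": "ACME SecureKey", "unique_id": "AK-4242"}
    wifi, day, night = {"class": "wifi_nic"}, datetime(2010, 3, 1, 10, 0), datetime(2010, 3, 1, 20, 0)
    return {
        "unknown_class": policy.decide("bob", ["staff"], {"class": "scanner"}, "read", day),
        "staff_write": policy.decide("bob", ["staff"], stick, "write", day, nbytes=1000),
        "vetted_write": policy.decide("alice", ["staff"], vetted, "write", day, nbytes=30_000_000),
        "after_hours": policy.decide("alice", ["staff"], vetted, "write", night, nbytes=1000),
        "over_quota": policy.decide("alice", ["staff"], vetted, "write", day, nbytes=30_000_000),
        "wifi_online": policy.decide("lap07", ["laptops"], wifi, "read", day),
        "wifi_offline": policy.decide("lap07", ["laptops"], wifi, "read", day, online=False),
    }
```

Note that the after-hours write falls back to the broader staff rule and is denied as read-only, while a device class with no rule at all is denied before any access attribute is consulted.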
256-bit AES Encryption

| Feature | Benefit |
|---|---|
| Policy Controlled Encryption for Removable Storage: Use central security policy to force 256-bit AES encryption of all removable devices (e.g., USB sticks) and media (e.g., DVDs / CDs) across all endpoints on the network; options include centralized (by admin only) vs. decentralized (by end-user), and non-portable (network accessible only) vs. portable (accessible outside the network). | Increases Security Compliance: Ensures that data cannot be accessed if removable devices or media are lost or stolen. Reduces the risk of data leakage / data loss. Strongest levels of ciphering (256-bit AES encryption) to protect data from unauthorized access. |
| Decentralized vs. Centralized Encryption: Require users to encrypt removable devices / media locally, freeing them to encrypt "on the fly" without waiting for admin availability. Alternatively, restrict encryption to a centralized, admin-only process (e.g., limit users to authorized encrypted devices only). | Balances Productivity and Protection: Ensures that sensitive data is not inadvertently exposed while providing flexibility in encryption approaches. |
| Portable vs. Non-Portable Encryption: Enforce policies that enable users to access encrypted devices outside the organizational network, or limit access to network-attached endpoints only. | Secures Data Inside & Outside Your Network: Self-contained portable encryption of large removable devices allows authorized users access to the data while obscuring it from others. |
| PGP® PKI Support: Allow use of existing PGP keys to encrypt / access devices and media in managed PGP environments. Enforce policies controlling PGP-encrypted devices using Device Control. | Extends Encryption Compatibility: A complementary solution to an existing or planned PGP Universal managed environment. |
| Enforce "Strong" Password Requirements: Use existing password length and complexity rules in compliance with Microsoft® standards. | Ensures Password Consistency: Reduces administrative burden and end-user confusion by maintaining consistency with organization-wide policies. Increases the security of password-protected data saved onto removable devices / media. |
| Password Lockout / Recovery: Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or a user leaves the organization. | Increases Data Protection: Reduces the risk of attackers breaking into lost or stolen removable devices (such as USB memory drives) and media (such as DVDs / CDs) using brute-force methods (e.g., "dictionary attacks"). |
Administration

| Feature | Benefit |
|---|---|
| Filename Tracking / Full File Shadowing: Patented bi-directional shadowing technology keeps a copy of all files (i.e., entire file contents) read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs / CDs) on a per-user (or user group) basis; it can also track just file types and names. All events are captured in logs accessible to administrators at any time for compliance auditing / forensics. | Delivers Audit Readiness: Captures the flow of information into and out of your network. Enables you to quantify the risk and report for compliance purposes. Enables audits of filename and/or full file content for forensic purposes. |
| Integrated Reporting: Fully flexible, customizable reporting can be saved into a repository, shared via email, and/or imported into 3rd-party applications. | Provides Organization-wide Visibility: Log and create standard and customized reports on all device and data activity, showing all (allowed/blocked) events; all policy changes and administrator activities; and all file transfers by file name and content type. |
| Syslog Support: All event, audit and diagnostic logs are compliant with Syslog protocols. | Enables Integrated Event Management: Allows event correlation with other system logs for centralized forensics. Adds more options for administrator alerts and reporting to reduce the cost of compliance. |
| Centralized Management / Administrators' Roles: Centrally define and manage the access of users, user groups, computers and computer groups to removable devices / media on the network. Use role-based access control (RBAC) to customize and control access to different components of the Management Console (for example, restrict access to shadowing information to auditors only). | Delivers Precise Control with Access Limits: Allows one administrator to manage a large installation (across continents); optionally, multiple administrators can manage appropriate portions of the installation. Limits access to appropriate, authorized personnel (e.g., allow auditors to audit but not change policies). Delegates and distributes workload among administrators as needed / appropriate. |
Infrastructure

| Feature | Benefit |
|---|---|
| Tamper-proof Agent: Install agents on every endpoint on the network; they are protected against unauthorized removal, even by authorized (local) administrators. Only (enterprise) Administrators may deactivate this protection. | Secures Endpoint at All Times: Protects endpoints from unintentional and/or malicious tampering. Maintains security posture even in dire events. |
| Directory Synchronization: Assign permissions to individual users or user groups based on their Microsoft® Active Directory or Novell® eDirectory identity, both of which are fully supported. | Reduces IT Workload and Improves Productivity: Provides granular user permissions that remain with the user login regardless of machine. Leverages existing directory information when enforcing policies. Reduces workload and improves productivity while enforcing security policy. Reduces set-up / start-up / ramp-up time. |
| Flexible / Scalable Architecture: Organization-wide control and enforcement using a scalable client-server architecture with a central database optimized to reduce its footprint. The system can be installed on a single machine for smaller organizations and expanded to multiple servers to support complex networks. Compatible with virtual servers, including VMware® Infrastructure 3 and Windows® 2008 Hyper-V. Endpoints can connect to one or more servers to facilitate load-balancing. One or more separate Management Consoles provide administrative control from anywhere in the organization. | Adapts to Your Growing Business: Supports the entire range of organizations, from small, local start-ups to large, global corporations, from hundreds to hundreds of thousands of endpoints; fast-growing organizations can scale the installation as needs dictate. Decreases administrative costs by reducing the database footprint and increasing database query and maintenance speed. Supports server-side cost reduction in capital expenses and enables full utilization of existing infrastructure. |
| Windows Infrastructure Support: Install on all currently supported Microsoft 32- and 64-bit platforms, with support for any Windows-recognized ports / devices and multiple end-user languages; for details, see the requirements section below. | Operates Across Your Diverse Network: Provides security policy enforcement for heterogeneous Windows environments and across geographic regions. |
Sources:
- Deloitte & Touche and Ponemon Institute, Enterprise@Risk: 2007 Privacy & Data Protection Survey, December 2007
- Ponemon Institute, 2009 Annual Study: Cost of a Data Breach, February 2010
Assess your endpoint security risk: download the free Device Scanner tool.
Discover all the removable devices that have ever been connected to your endpoints. If left unmanaged, removable devices can jeopardize the security of your data through:
- Data Leakage
- Malware Introduction
Review the System Requirements before downloading.
Supported Operating Systems

| Operating System | Client | Admin | Server | Database |
|---|---|---|---|---|
| Windows® 2000 Professional | YES | | | |
| Windows 2000 Server | YES | | | |
| Windows XP Professional | YES | YES | | YES |
| Windows Vista | YES | YES | | |
| Windows 7 | YES | YES | | |
| Windows Server 2003 | YES | YES | YES | YES |
| Windows Server 2008 | YES | YES | YES | YES |
| Windows Server 2008 R2 | YES | YES | YES | YES |
| Windows XP Embedded (XPe) | YES | | | |
| Windows Embedded Point of Service | YES | | | |
| Windows XP Tablet PC Edition | YES | | | |
| Windows 2008 Hyper-V | | YES | YES | YES |
| VMware® Infrastructure 3 | | YES | YES | YES |
Hardware and Software Requirements

Database
Hardware:
- 512 MB (4 GB recommended) memory
- Pentium® Dual-Core or AMD equivalent CPU
- 3 GB minimum hard disk drive
- 100 Mbit/s NIC
Software, one of the following:
- Microsoft® SQL Server 2005
- Microsoft SQL Server 2005 Express Edition
- Microsoft SQL Server 2008
- Microsoft SQL Server 2008 Express Edition

Application Server
Hardware:
- 512 MB (1 GB recommended) memory
- Pentium® Dual-Core or AMD equivalent CPU
- 3 GB minimum hard disk drive
- 100 Mbit/s NIC
Software:
- Microsoft Certificate Authority (required for encryption)

Management Console
Hardware:
- 512 MB (1 GB recommended) memory
- Pentium® Dual-Core or AMD equivalent CPU
- 15 MB hard disk drive for installation, and 150 MB additional for application files
- 100 Mbit/s NIC
- 1024 by 768 pixels display
Software:
- No additional software requirements

Client
Hardware:
- 256 MB (1 GB recommended) memory
- Pentium® Dual-Core or AMD equivalent CPU
- 10 MB hard disk drive for installation, and several additional GB for full shadowing (if enabled)
- 100 Mbit/s NIC
Software:
- No additional software requirements
Supported Device Types:
- Biometric devices
- COM/serial ports
- DVD/CD drives
- Floppy disk drives
- Imaging devices/Scanners
- LPT/parallel ports
- Modems/Secondary network access devices
- Palm handheld devices
- Plug and Play devices
- Printers (USB/Bluetooth)
- PS/2 ports
- Removable storage devices
- RIM BlackBerry handhelds
- Smart Card readers
- Tape drives
- User Defined devices
- Windows CE handheld devices
- Wireless network interface cards

Supported Connectivity:
- USB
- FireWire
- Bluetooth
- WiFi
- PCMCIA
- PS/2
- LPT
- IrDA
- IDE
- COM
- S-ATA
- SCSI
Testimonials
"Wests Ashfield identified the potential vulnerability that USB devices posed to our network during a regular security audit of our network. The USB devices posed not only risks in terms of theft of sensitive data, but also posed a threat to the general security of our network.
Windows natively was unable to provide a workable solution to ensure that we could lock out the users we did not want to have access to certain devices, but also to easily manage those who we wished to allow access to devices.
Sanctuary provided the solution. It allowed us to control the use of not only USB devices within our network, but also every other device used within our network. Our network is quite complex, with many unusual devices being used in a large computing, security, and Point of Sale environment. Sanctuary was able to handle all of our devices with ease, from CD/DVD drives to USB devices, even to BlackBerrys.
We now enjoy the benefits of a highly secure network environment, which is protected from malicious damage both internal and external to the organisation. Our data is also more secure and we are able to confidently state that we are aware of any data which is transferred from our main systems.
I have no hesitation in recommending Sanctuary to any organisation, and would go one step further to suggest that it is a must for any IT Manager concerned about ensuring the integrity of their network security."
Steven Torresan, IT and Business Solutions Manager, Wests Ashfield