Lumension® Device Control (formerly sanctuary)

Enforce Security Policies for Port Protection, Removable Device Usage, and Data Encryption with Lumension® Device Control

Device Control Business Issues and Challenges

The problem of data leakage due to the accidental or sometimes malicious use of removable devices and/or removable media has reached alarming levels. In fact, over 85% of privacy and security professionals reported at least one breach and almost 64% reported multiple breaches that required notification.¹

Download the Datasheet

To enhance productivity, organizations need to allow employees and partners access to data; and more employees are working remotely, thus requiring access from outside the network. But the potential impact of data loss is a very real concern, be it accidental or malicious. And today, removable devices (such as USB flash drives) and media (such as DVDs/CDs) are the most common data leakage routes – no file copy limits, no encryption, no audit trails and no central management.

The information contained in customer data, corporate data and intellectual property is worth billions to some. And the costs for recovery of data and lost business are rapidly rising as well, with the average per incident cost now estimated to be $6.75 million.²

Lumension® Device Control:

Centrally manages security policies regarding use of removable devices (e.g., USB flash drives) and media (e.g., DVDs/CDs) using a whitelist / "default deny" approach
Enforces encryption policies when copying data to removable devices / media
Prevents malware intrusion via removable devices / media, adding a layer of protection to your network
Provides the visibility, forensics and reporting needed to demonstrate compliance with applicable laws

Overview
Features & Benefits
Requirements
Lumension Solution Packs
Information and Pricing

Overview

Lumension® Device Control, the stand-alone implementation of Lumension® Data Protection solution, enforces organization-wide usage policies for removable devices, removable media, and data (such as read/write, encryption). Using a whitelist / “default deny” approach, administrators can centrally manage your devices and data. Lumension® Device Control enables organizations to embrace productivity-enhancing tools while limiting the potential for data leakage and its impact.

How It Works

1.Discover - Identify all removable devices that are now or have ever been connected to your endpoints through the use of a “learning” mode that allows you to collect information without disrupting business.
2.Assess - Define rules at both default and machine-specific levels for groups and individual users with regards to device access by class, model and/or specific ID, and uniquely identify and authorize specific media. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory.
3.Implement - Enforce device and data usage policies by: file copy limitations (amount per day, time of day) and file type filtering. You can also enforce the encryption of data moved onto removable devices / media and apply permissions to specific and/or groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access.
4.Monitor - Continuously monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities, and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.
5.Report - Create both standard and customized reports on all device and data activity showing allowed and blocked events, which can be saved into a repository, shared via email, and/or imported into 3rd party applications. Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with government statutes (such as SOX, GLBA, HIPAA, HITECH, and others),industry regulations (such as NERC, PCI DSS and others)and especially your internal security policies.

Where It Works

Lumension® Device Control supports any ports and devices recognized by Windows, including all Plug-and-Play and user-defined devices.

Physical Interfaces	Wireless Interfaces	Device Types
USB FireWire PCMCIA ATA / IDE SCSI LPT / Parallel COM / Serial PS/2	WiFi Bluetooth IrDA Wireless NICs	Removable Storage Devices External Hard Drives DVD / CD Drives Floppy Drives Tape Drives Printers Modems / Secondary Network Access Devices PDAs and other handhelds Imaging Devices (Scanners) Biometric Devices Windows Portable Devices Smart Card Readers PS/2 Keyboards User-Defined Devices

Features & Benefits

Device / Port Access Control

Feature	Benefit
Per-Device Permissions Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels; for instance, restrict access rights to a specific device of a company-approved model.	Delivers Granular Permissions Control Provides greater control at lower levels for effective access management.
Device Whitelist / "Default Deny" Assign permissions for authorized removable devices (such as USB sticks) and media (such as DVDs / CDs) to individual users or user groups; by default, those devices / media / users not explicitly authorized are denied access.	Allows Only Authorized Devices onto Your Network Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage / data loss. Limits uploading of unknown or unwanted files (i.e., malware or other unauthorized files). Eliminates need to keep up with every new device being brought into your environment; new devices are denied access until you have vetted them and permitted access.
Flexible Policy with Granular Control Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and much more; can be set for individual and/or groups of users, machines, ports and devices.	Provides Comprehensive Policy-Driven Protection Eliminates risk of unauthorized devices connecting to the network while providing the flexibility users need. Allows business needs to drive security implementation, not technology limitations. Permits blanket policies to be fine-tuned via exception management.
Read-Only Access Define any device (e.g., a floppy drive, DVD / CD writer, USB external hard drive, and so on) as read-only; other device permissions include: write, and encrypt / decrypt restrictions.	Prevents Data Leakage Limits potential leakage paths of sensitive data.
Temporary / Scheduled Access Grant users temporary access to removable devices / media, which can be used to grant access "in the future" for a limited period. Also, limit device usage during a specific time period; allows for development of sophisticated security policies where certain devices can only be used at certain times (e.g., from 9 A.M. to 5 P.M., Monday to Friday).	Enhances Security Policy Enforcement Switches access on without having to remember to switch it off again later. Limit unauthorized device usage during off-hours. Provides another method to manage access to sensitive data.
Offline Enforcement Permissions / Restrictions remain effective even when endpoint is offline; these can be the same as when online or different (see Context-Sensitive Permissions).	Protects Beyond Your Network Maintains security posture even when endpoint is not connected to network (e.g., laptops on travel), including all device usage and encryption rules. Provides enforcement flexibility required to support business productivity without sacrificing security.
Uniquely Identify and Authorize Specific Media Authorize and manage DVD / CD collections, by granting access to specific users or user groups and encrypting removable media with unique IDs.	Secures Data from Loss / Theft Limits DVD / CD access to your organization’s standard discs, to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing.
Context-Sensitive Permissions Apply different permissions / restrictions depending on network connectivity status. For example, disable WiFi cards when laptops are connected to the network, but enable them when the machine does not have a wired connection to the network.	Increases Endpoint Security Provides deeper, finer-grained control over access to endpoints, reducing possible problem areas in all anticipated environments.
Offline Updates Update permissions of remote endpoints that cannot establish a network connection; new permissions are saved to a file that is imported and installed onto the client computer.	Maintains Security & Access Outside Your Network Permits permission updates no matter the status of the endpoint to ensure uniform security policy enforcement.
Device Management Detect and manage all devices – including Plug-and-Play and non-standard / user-defined devices – "on the fly" within the system.	Improves Network Security Provides flexibility needed to handle unique needs and environments. Ensures user productivity is not disrupted by applying permissions for Plug-and-Play devices when detected.
File Type Filtering Restrict and manage the types of files that are moved to and from removable devices (such as USB sticks) and media (such as DVDs / CDs); combine with forced encryption for added protection.	Blocks Malware Attacks and Protects Data Reduces risk of sensitive files leaving your network, and unwanted files (i.e., malware or other unauthorized files) entering your network. Filters data being copied to removable devices and enforces encryption for deeper granularity and better control.
Data Copy Restriction Restrict the daily amount of data copied to removable devices (such as USB flash drives) and media (such as DVDs / CDs) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 during weekdays).	Limits Data at Risk Removes risk of large amounts of data leaving your network at any given time.

256-bit AES Encryption

Feature	Benefit
Policy Controlled Encryption for Removable Storage Use central security policy to force 256-bit AES encryption of all removable devices (e.g., USB sticks) and media (e.g., DVDs / CDs) across all endpoints on network; options include: centralized (by admin only) vs. decentralized (by end-user), and non-portable (network accessible only) vs. portable (accessible outside network).	Increases Security Compliance Ensures that data cannot be accessed if removable devices or media are lost or stolen. Reduces the risk of data leakage / data loss. Strongest levels of ciphering (256-bit AES encryption) to protect data from unauthorized access.
Decentralized vs. Centralized Encryption Require users to encrypt removable devices / media locally, freeing the users to encrypt "on the fly" and not have to wait for admin availability. Alternatively, it can be restricted to a centralized, admin-only process (e.g., limit users to authorized encrypted devices only).	Balances Productivity and Protection Ensures that sensitive data is not inadvertently exposed while providing flexibility in encryption approaches.
Portable vs. Non-Portable Encryption Enforce policies which enable users to access encrypted devices outside the organizational network, or limit it to network-attached endpoints only.	Secures Data Inside & Outside Your Network Self-contained portable encryption of large removable devices which allows authorized users access to the data while obscuring it from others.
PGP® PKI Support Allow use of existing PGP keys to encrypt / access devices and media in managed PGP environments. Enforce policies controlling PGP encrypted devices using Device Control.	Extends Encryption Compatibility Perfect complementary solution to an existing or planned PGP Universal managed environment.
Enforce "Strong" Password Requirements Use existing password length and complexity rules in compliance with Microsoft® standards.	Ensures Password Consistency Reduces administrative burden and end user confusion by maintaining consistency with organization-wide policies. Increases security of password protected data saved onto removable devices / media.
Password Lockout / Recovery Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or user leaves the organization.	Increases Data Protection Reduces risk of hackers breaking into lost or stolen removable devices (such as USB memory drives) and media (such as DVDs / CDs) using brute force methods (e.g., "dictionary attacks").

Administration

Feature	Benefit
Filename Tracking / Full File Shadowing Patented bi-directional shadowing technology keeps a copy of all files (i.e., entire file contents) that are read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs / CDs) on a per user (or user group) basis; can also track just file types & names; all events captured in logs and accessible by admin at any time for compliance auditing / forensics.	Delivers Audit Readiness Captures the flow of information into and out of your network. Enables you to quantify the risk and report for compliance purposes. Enables audits of filename and/or full file content for forensic purposes.
Integrated Reporting Fully flexible, customizable reporting can be saved into a repository, shared via email, and/or imported into 3rd party applications.	Provides Organization-wide Visibility Log and create standard and customized reports on all device and data activity showing … all (allowed/blocked) events; all policy changes and administrator activities; and all file transfers by file name and content type.
Syslog Support All event, audit and diagnostic logs are compliant with Syslog protocols.	Enables Integrated Event Management Allows for event correlation to other system logs for centralized forensics. Adds more options for administrator alerts and reporting to reduce the cost of compliance.
Centralized Management / Administrators’ Roles Centrally define and manage user, user groups, computers and computer groups access to removable devices / media on the network. Use role-based access control (RBAC) to customize and control access to different components of the Management Console (for example, restrict access to shadowing information to auditors only).	Delivers Precise Control with Access Limits Allows one administrator to manage a large installation (over continents); optionally, have multiple administrators managing appropriate portions of installation. Limits access to appropriate, authorized personnel (e.g., allow auditors to audit but not change policies). Delegates and distributes workload among administrators as needed / appropriate.

Infrastructure

Feature	Benefit
Tamper-proof Agent Install agents on every endpoint on the network, which are protected against unauthorized removal – even by authorized (local) administrators. Only (enterprise) Administrators may deactivate this protection.	Secures Endpoint at All Times Protects endpoints from unintentional and/or malicious tampering. Maintains security posture even in dire events.
Directory Synchronization Assign permissions to individual users or user groups based on their Microsoft® Active Directory or Novell® eDirectory identity, both of which are fully supported.	Reduces IT Workload and Improves Productivity Provides granular user permissions that remain with user login regardless of machine. Leverages existing directory information when enforcing policies. Reduces workload and improves productivity while enforcing security policy. Reduces set-up / start-up / ramp-up time.
Flexible / Scalable Architecture Organization-wide control and enforcement using scalable client-server architecture with a central database that is optimized to reduce its footprint. The system can be installed on a single machine for smaller organizations, and expanded to include multiple servers to support complex networks. Compatible with virtual servers, including VMware® Infrastructure 3 and Windows® 2008 Hyper-V. Endpoints can connect to one or more servers to facilitate load-balancing. One or more separate Management Console(s) provide administrative control from anywhere in the organization.	Adapts to Your Growing Business Supports entire range of organizations, from small, local start-ups to large, global corporations, from hundreds of thousands to hundreds of thousand endpoints; fast growing organizations can scale installation as needs dictate. Decreases administrative costs by reducing the database footprint and increasing database query and maintenance speed. Supports server-side cost reduction in capital expenses and enables full utilization of existing infrastructure.
Windows Infrastructure Support Install on all currently supported Microsoft 32- and 64-bit platforms, with support for any Windows-recognized ports / devices and multiple end-user languages; for details - view the Requirements tab.	Operates Across Your Diverse Network Provides security policy enforcement for heterogeneous Windows environments and across geographic regions.

Requirements

Supported Operating Systems

	Client	Admin	Server	Database
Windows® 2000 Professional
Windows 2000 Server
Windows XP Professional
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows XP Embedded (XPe)
Windows Embedded Point of Service
Windows XP Tablet PC Edition
Windows 2008 Hyper-V
VMware® Infrastructure 3

Hardware and Software Requirements

Component
Database	Hardware	512 MB (4 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 3 GB minimum hard disk drive 100 MBits/s NIC
Database	Software	One of the following: Microsoft® SQL Server 2005 Microsoft SQL Server 2005 Express Edition Microsoft SQL Server 2008 Microsoft SQL Server 2008 Express Edition
Application Server	Hardware	512 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 3 GB minimum hard disk drive 100 MBits/s NIC
Application Server	Software	Install Microsoft Certificate Authority for encryption
Management Console	Hardware	512 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 15 MB hard disk drive for installation, and 150 MB additional for application files 100 MBits/s NIC 1024 by 768 pixels for display
Management Console	Software	No additional software requirements
Client	Hardware	256 MB (1 GB recommended) memory Pentium® Dual-Core or AMD equivalent CPU 10 MB hard disk drive for installation, and several additional GB for full shadowing (if enabled) 100 MBits/s NIC
Client	Software	No additional software requirements

Multi-Language Support: Supports 12 languages on client machines, including Traditional Chinese, Simplified Chinese, Dutch, English, French, German, Italian, Japanese, Portuguese, Russian, Spanish and Swedish.

Source:

Deloitte & Touche and Ponemon Institute, Enterprise@Risk: 2007 Privacy & Data Protection Survey, December 2007
Ponemon Institute, 2009 Annual Study: Cost of a Data Breach, February 2010

Next Steps

Newest Resources

Products

Live Chat by LivePerson

Don't Miss This...

Are you a Microsoft System Center User?

Learn how to implement award-winning device / port control and data encryption in your SCCM environment - without requiring new infrastructure and without additional administration overhead.

Learn More »