Data Loss & Theft Prevention
Lumension® Device Control provides organizations with the means to control the use of removable storage devices / media.
Software Demo: Securing Your USB Flash Drives

Protect valuable organization and customer data from loss or theft via removable devices / media

• Provides visibility into who is using what devices on which endpoints to eliminate a common security blindspot.
• Controls how these devices are being used to ensure only legitimate business use.
• Ensures that data transferred onto these devices are encrypted to prevent unauthorized use or dissemination.

Media Encryption
Lumension® Device Control provides organizations with the FIPS 140-2 validated technology needed to protect data on removable storage devices / media.

Require end users to encrypt data being copied to removable devices / media in compliance with policy and regulation

• Enforces encryption policies on all data transfers to USB flash drives or DVDs/CDs to ensure any data on lost or stolen devices are unreadable.
• Limits the amount of data that can be transferred to minimize the harm done by the loss or theft of any single USB stick, be intentional or through accident.
• Provides visibility into what data are being transferred onto devices at the endpoints to prove they were encrypted (providing “safe harbor” protections in many jurisdictions).
• Encrypted devices can be used on Mac OS X machines using the free Encrypted Device Browser utility.

Detailed Forensics
Lumension® Device Control provides the in-depth information required to understand the risk posed by data transfers, to report on it for compliance or forensics purposes, and to update policies as business needs dictate.

Monitor all files being transferred onto / off your network by file metadata or the patented bi-directional full file shadowing capability

• Logging all device usage and data transfer activities on your network to mitigate risk and remain secure.
• Keeping a copy of the metadata (e.g., name, type, size, etc.) or even the entire contents of any files transferred off your network to quantify risk and report for compliance purposes.
• Leveraging all the Lumension® Endpoint Management and Security Suite reporting mechanisms – including dashboard widgets, interactive reports, or email notifications – to stay on top of events.

Malware Protection
Lumension® Device Control provides an added layer of defense against malware, specifically those being distributed via removable devices like USB flash drives.

Add another layer to your defense-in-depth strategy to protect against USB-borne malware introduction / propagation

• Controls use of devices on your endpoints to prevent access by potentially infected devices (e.g., handouts at a tradeshow or found in the parking lot).
• Controls the types of files which can be downloaded to prevent commonly tainted files (e.g., EXE, DLL, OLE) from getting onto the endpoint.
• Shows what files have been downloaded for forensics purposes and to provide feedback needed to close security gaps.

Per-Device Permissions

• Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels; for instance, restrict access rights to a specific device of a company-approved model.
  Software Demo: Practical Policy Implementation

Delivers Granular Permissions Control

• Provides greater control at lower levels for effective access management.

Device Whitelisting

• Assign permissions for authorized removable devices (such as USB sticks) and media (such as DVDs / CDs) to individual users or user groups; once in 'enforcement mode' only explicitly authorized devices / media / users are allowed access by default.
  Software Demo: How to Grant or Deny USB Access in Less than a Minute

Allows Only Authorized Devices onto Your Network

• Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage / data loss.
• Limits uploading of unknown or unwanted files (i.e., malware or other unauthorized files).
• Eliminates need to keep up with every new device being brought into your environment; new devices are denied access until you have vetted them and permitted access.

Flexible Policy with Granular Control

• Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and much more; can be set for individual and/or groups of users, machines, ports and devices.
  Software Demo: Controlling Device Usage

Provides Comprehensive Policy-Driven Protection

• Eliminates risk of unauthorized devices connecting to the network while providing the flexibility users need.
• Allows business needs to drive security implementation, not technology limitations.
• Permits blanket policies to be fine-tuned via exception management.

Read-Only Access

• Define any device (e.g., a floppy drive, DVD / CD writer, USB external hard drive, and so on) as read-only; other device permissions include: write, and encrypt / decrypt restrictions.

Prevents Data Leakage

• Limits potential leakage paths of sensitive data.

Temporary / Scheduled Access

• Grant users temporary access to removable devices / media, which can be used to grant access "in the future" for a limited period. Also, limit device usage during a specific time period; allows for development of sophisticated security policies where certain devices can only be used at certain times (e.g., from 9 A.M. to 5 P.M., Monday to Friday).

Enhances Security Policy Enforcement

• Switches access on without having to remember to switch it off again later.
• Limit unauthorized device usage during off-hours.
• Provides another method to manage access to sensitive data.

Offline Enforcement

• Permissions / Restrictions remain effective even when endpoint is offline; these can be the same as when online or different (see Context-Sensitive Permissions).

Protects Beyond Your Network

• Maintains security posture even when endpoint is not connected to network (e.g., laptops on travel), including all device usage and encryption rules.
• Provides enforcement flexibility required to support business productivity without sacrificing security.

Uniquely Identify and Authorize Specific Media

• Authorize and manage DVD / CD collections, by granting access to specific users or user groups and encrypting removable media with unique IDs.

Secures Data from Loss / Theft

• Limits DVD / CD access to your organization’s standard discs, to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing.

Context-Sensitive Permissions

• Apply different permissions / restrictions depending on network connectivity status. For example, disable WiFi cards when laptops are connected to the network, but enable them when the machine does not have a wired connection to the network.

Increases Endpoint Security

• Provides deeper, finer-grained control over access to endpoints, reducing possible problem areas in all anticipated environments.

Device Management

• Detect and manage all devices – including Plug-and-Play and non-standard / user-defined devices – "on the fly" within the system.
  Software Demo: Avoiding Device Blind Spots

Improves Network Security

• Provides flexibility needed to handle unique needs and environments.
• Ensures user productivity is not disrupted by applying permissions for Plug-and-Play devices when detected.

File Type Filtering

• Restrict and manage the types of files that are moved to and from removable devices (such as USB sticks) and media (such as DVDs / CDs); combine with forced encryption for added protection.

Blocks Malware Attacks and Protects Data

• Reduces risk of sensitive files leaving your network, and unwanted files (i.e., malware or other unauthorized files) entering your network.
• Filters data being copied to removable devices and enforces encryption for deeper granularity and better control.

Data Copy Restriction

• Restrict the daily amount of data copied to removable devices (such as USB flash drives) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 during weekdays).

Limits Data at Risk

• Removes risk of large amounts of data leaving your network at any given time.

FIPS 140-2 level 2 Validated Encryption

• The Lumension® Cryptographic Kernel (LCK), a stand-alone software cryptography module which delivers the core ciphering capabilities, has been FIPS 140-2 Level 2 validated

Highest Level of Software Encryption Available

• Lumension ciphering (incl. AES, SHA, HMAC, RSA and others) meets the highest standards available for software-based cryptography modules.
• The design and implementation of the cryptographic module itself is highly secure.
• It is certified and ready for use by governmental agencies and other organizations requiring the highest level of security and encryption commercially available.

Policy-based Encryption for Removable Storage

• Use central security policy to force FIPS 140-2 level 2 validated encryption of all removable devices (e.g., USB sticks) and media (e.g., DVDs / CDs) across all endpoints on network.

Increases Security Compliance

• Ensures that data cannot be accessed if removable devices or media are lost or stolen.
• Reduces the risk of data leakage / data loss.
• FIPS 140-2 level 2 validated encryption to protect data from unauthorized access.

User-Enabled Encryption

• Allow users to encrypt removable devices / media locally using the strongest commercially-available encryption.

Balances Productivity and Protection

• Ensures that sensitive data is not inadvertently exposed.
• Allows users to encrypt "on the fly" and not have to wait for admin availability.

Portable Encryption

• Enforce policies which enable users to access encrypted devices outside the organizational network, or limit it to network-attached endpoints only.

Secures Data Inside and Outside Your Network

• Self-contained portable encryption of large removable devices allows authorized users access to the data while obscuring it from others.

Encrypted Device Browser

• Enable access to Lumension-encrypted devices / media from Mac OS X machines, enabling users to move data both from and to encrypted devices or media.

Balances Productivity and Protection

• The free Encrypted Device Browser utility allows organizations to support Mac users without compromising data security in case the device / media is lost or stolen.

Enforce "Strong" Password Requirements

• Use existing password length and complexity rules in compliance with Microsoft® standards.

Ensures Password Consistency

• Reduces administrative burden and end user confusion by maintaining consistency with organization-wide policies.
• Increases security of password protected data saved onto removable devices / media.

Password Lockout / Recovery

• Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or user leaves the organization.

Increases Data Protection

• Reduces risk of hackers breaking into lost or stolen removable devices (such as USB memory drives) and media (such as DVDs / CDs) using brute force methods (e.g., "dictionary attacks").

Detailed Event Logging / Reporting

• Log all device usage and data transfer activity, including:
  • all (allowed/blocked) events;
  • all policies by device, machine and/or user; and
  • all file metadata (name, type, etc.) or complete file copy.
• View results via dashboard widgets, interactive reports, or email notifications.

Provides In-Depth Visibility

• Improves insight of all events involving removable storage devices like USB flash drives and DVDs/CDs.
• Supplies the daily operational data needed to update policies as business needs dictate, and drive compliance by user community.
• Leverages core Suite capabilities to reduce gaps in visibility, training time, and time-to-protection

Filename Tracking / Full File Shadowing

• Keep a complete copy (i.e., entire file contents) of all files that are read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs / CDs) on a per user (or user group) basis using the patented bi-directional shadowing technology.
• Alternatively, track just file metadata (name, type, size, etc.).
• Capture all events (e.g., device attached, data transferred, etc.) in logs which are accessible by admin at any time for compliance auditing / forensics.

Delivers Audit Readiness

• Captures the flow of information into and out of your network via removable devices / media.
• Enables you to quantify the risk and report for compliance purposes.
• Enables audits of filename and/or full file content for forensic purposes.

Syslog Support

• All endpoint event logs are compliant with Syslog protocols.

Enables Integrated Event Management

• Allows for event correlation to other system logs for centralized forensics.
• Adds more options for administrator alerts and reporting to reduce the cost of compliance.