Sanctuary Device Control

Control Peripheral Devices to Eliminate Data Leakage

The proliferation of data loss due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels. According to recent security reports, 75 percent of Fortune 1000 companies fell victim to data leakage in 2006¹, with an average cost of recovery that exceeded $5,000,000².

Sanctuary Device Control eliminates data loss from removable devices through policy-based enforcement of device use, controlling the flow of inbound and outbound data at your endpoints. Sanctuary Device Control provides security that:

  • Controls and manages any I/O devices through any ports including USB, Firewire, WIFI, Bluetooth, etc.
  • Prevents data theft / data leakage
  • Prevents malware introduction via removable media
  • Audits I/O Device usage
  • Blocks USB Keyloggers
  • Encrypts removable media
  • Enables Regulatory Compliance


1. 2006 CSI/FBI Computer Crime and Security Survey
2. Ponemon Institute, 2006 Cost of Data Breach Study

WHAT OUR CUSTOMERS SAY
“Sanctuary® Device Control ensures that no device, unless authorized, can ever be used, no matter how it gets plugged in.”
Paul Douglas, ADIR Desktop Build Team Manager, Barclays

Overview

Sanctuary Device Control allows you to regain control of the peripheral storage devices that your user community attempts to connect to your network assets. Through granular policy-based controls, Sanctuary Device Control reduces risk of data theft, data leakage and malware introduction via unauthorized removable media and assures compliance with the landslide of regulations governing privacy and accountability.

Positive Approach to USB Security

Hardware such as USB memory sticks, FireWire external hard-drives, scanners, music players, digital cameras, PDAs, and CD/DVD burner drives are scattered throughout offices around the world. Their proliferation amplifies the threats posed by outsiders or users who plug in devices that could compromise the security of sensitive data.

By employing a whitelist approach, Sanctuary enables only authorized devices to connect to a network, laptop or PC - facilitating security and systems management, while providing the necessary flexibility to the organization.


Simple, Fast, Flexible Administration and Management

Sanctuary enables administrators to quickly establish and enforce device control policies by rapidly identifying devices and then assigning permissions at a high level or all the way down to a specific application, for individual users, user groups or even a particular computer. Policies can also be conditioned on time constraints, encryption, data volume, data transfer and other criteria. Sanctuary links device policies to user and user group information stored in Microsoft Active Directory or Novell eDirectory, and has also been ported to Windows Embedded platforms in addition to traditional Server and Desktop Windows OS, dramatically simplifying the management of endpoint application resources.

Sanctuary controls the use of a vast range of devices that are key sources of security breaches, and manages and audits device usage according to device type rather than the port the device is connected through. If needed, Sanctuary Device Control can be set to completely block USB ports or any other port (Bluetooth, FireWire, IrDA, WiFi, etc.), or to prevent access to any device category regardless of how users attempt to connect it. Granular policies also allow access rights (R/W) to be set down to a unique device model or an individually identifiable unit, per user or user group.


USB Security Built to Scale

With a three-tier architecture and load-balancing capability, Sanctuary is designed to provide USB security to organizations ranging in size from 50 to 100,000 endpoints. Through integration with Active Directory or eDirectory, Sanctuary integrates with your existing technical infrastructure and logical organization. Sanctuary has also been ported to Windows Embedded platforms to protect the growing number of exposed embedded devices.

Comprehensive Security and Auditing Capabilities for USB Devices

Lumension Security's patented bi-directional I/O shadowing technology tracks information as it is read from or written to floppy, CD/DVD and removable devices, and provides a comprehensive audit log of every event, whether allowed or merely attempted, including events generated by unauthorized code and all writes to removable media and specific ports. Optionally, a full copy of the data written to or read from a device can be captured and retained as well.

Not only is an audit log invaluable in measuring and enforcing policy compliance, it also bundles the information you need as proof of compliance with a number of governmental regulations such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).

Features & Benefits

Each feature is listed with its function and the benefit it provides.

Whitelist
  • Function: Assign permissions for authorized devices to a user or user group; by default, devices that are not authorized are not allowed.
  • Benefit: Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage.

Access Control List Based Permissions
  • Function: Assign permissions to a user or user group based on their Active Directory or eDirectory identity.
  • Benefit: Provides granular user permissions that remain with the user login regardless of machine.

Granular Device Control Permission Settings
  • Function: Permission settings include read/write, scheduled access, temporary access, online/offline, I/O bus type, HDD/non-HDD devices and much more.
  • Benefit: Eliminates the risk of unauthorized devices connecting to the network while providing the flexibility users need to conduct business.

Uniquely Identify and Authorize Specific Media
  • Function: Authorize DVD/CD-ROM collections, grant access to users or user groups, and encrypt removable media with unique IDs.
  • Benefit: Limits DVD/CD-ROM access to company standard discs to avoid use of unauthorized content, and/or encrypts removable media to prevent the content from being viewed by unauthorized users.

Silent Unattended Installations
  • Function: Install with any deployment tool that uses MSI Setup (e.g. Microsoft Systems Management Server (SMS), Group Policies, WinInstall, etc.).
  • Benefit: Enables faster and easier deployment.

Plug and Play Devices: Hot Plug Support
  • Function: Detect Plug and Play devices "on the fly".
  • Benefit: Ensures user productivity is not disrupted, by applying permissions for Plug and Play devices as soon as they are detected.

Bi-Directional Shadowing Option
  • Function: Patented shadowing technology records the filename or the complete file that is read from and/or written to a removable device.
  • Benefit: Captures the flow of information into and out of your network, reducing risk and containing the impact of data leakage.

Restrict the Amount of Data Copied
  • Function: Restrict the daily amount of data copied from an endpoint to a device on a per-user basis.
  • Benefit: Removes the risk of large pieces of confidential information leaving the network.

Prevention of PS/2 and USB Hardware Keyloggers
  • Function: Block the PS/2 port, enforce USB keyboard usage, and detect/block popular models of USB keyloggers.
  • Benefit: Reduces the risk of attackers capturing passwords and other confidential information through keyloggers.

Flexible Encryption Options for Removable Media
  • Function: Administrators may centrally encrypt removable media or force users to encrypt media at time of use.
  • Benefit: Ensures that sensitive data is not inadvertently exposed to those without authorized access.

File Type Filtering
  • Function: Control the type of files that are moved to and from removable devices.
  • Benefit: Reduces the risk of unwanted files entering, and sensitive files leaving, the network.

Disconnected/Remote Computer Protected
  • Function: Enables constant protection by keeping a local copy of the last list of permissions on the disconnected machine.
  • Benefit: Secures the computer regardless of network connection, ensuring that remote or disconnected users are also protected.

Highly Scalable Architecture
  • Function: Three-tier architecture with Database, one or more Application Servers, and Client.
  • Benefit: Provides flexible and scalable deployment options in large and complex networks.

Powerful Log Analysis and Reporting
  • Function: Detailed log analysis with flexible filter, sort and display options and stored query templates, as well as central reporting.
  • Benefit: Demonstrates policy compliance and drills down on suspicious behavior for legal or management follow-up.

Active Directory and eDirectory Support
  • Function: Leverages user and user group definitions in existing Active Directory and eDirectory.
  • Benefit: Reduces setup and maintenance of users and user groups.

Multi-Language Support
  • Function: Supports 12 languages on Sanctuary client machines.
  • Benefit: Improves the user experience in international organizations.

Custom Reports
  • Function: Custom query templates can be scheduled to automatically generate reports in HTML, XML or CSV formats and deliver them via email or network file share.
  • Benefit: Produces the data required for compliance audit purposes and management reporting, in a report format or a data format for easy integration into a third-party system.

Password Lockout and Recovery
  • Function: Lock out users after a number of failed attempts; recover access to devices when passwords are forgotten.
  • Benefit: Reduces the risk of hackers breaking into devices; enables recovery of encrypted data on devices.

Offline Temporary Permissions
  • Function: A challenge/response system generates new permissions on disconnected machines, allowing temporary permissions to be granted to users on demand, even when the user is not connected to the network.
  • Benefit: Enables provision of temporary permissions to users on demand, even when not connected.
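The offline temporary permission feature above relies on a challenge/response exchange between a disconnected endpoint and an administrator. The following added example shows one generic way such an exchange can be built: the agent issues a fresh challenge, the help desk returns a short code that is a MAC over the challenge and the exact grant, and the agent verifies it locally and records a time-limited permission. This is an illustration written for this datasheet, not Sanctuary's actual protocol; the per-machine key shared between agent and console, the code format and the grant fields are all assumptions.

```python
"""Offline temporary permissions via a challenge/response code.

Added illustration of how a disconnected agent can be granted a time-limited
device permission without reaching the server. Generic HMAC-based design
written for this datasheet, not Sanctuary's actual protocol; the per-machine
key, the code format and the grant fields are assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple


def response_code(machine_key: bytes, host: str, nonce: str,
                  dev_class: str, access: str, hours: int) -> str:
    """MAC over the challenge and the exact grant, so a code cannot be reused
    for another host, device type, access level or duration."""
    msg = f"{host}|{nonce}|{dev_class}|{access}|{hours}".encode()
    mac = hmac.new(machine_key, msg, hashlib.sha256).digest()
    # 10 bytes -> 16 base32 characters: short enough to read out over the phone
    return base64.b32encode(mac[:10]).decode()


class AdminConsole:
    """Help-desk side: knows every machine's key and issues codes on request."""

    def __init__(self, machine_keys: Dict[str, bytes]):
        self.machine_keys = machine_keys

    def issue(self, challenge: str, dev_class: str, access: str, hours: int) -> str:
        host, nonce = challenge.split(":", 1)
        return response_code(self.machine_keys[host], host, nonce, dev_class, access, hours)


class OfflineAgent:
    """Endpoint side: holds only its own key and the outstanding challenge."""

    def __init__(self, host: str, machine_key: bytes):
        self.host = host
        self.key = machine_key
        self.pending: Optional[str] = None
        self.grants: List[Tuple[str, str, float]] = []   # (dev_class, access, expires)

    def new_challenge(self) -> str:
        self.pending = secrets.token_hex(8)    # fresh nonce for every request
        return f"{self.host}:{self.pending}"

    def redeem(self, dev_class: str, access: str, hours: int, code: str,
               now: Optional[float] = None) -> bool:
        """Verify the code against the grant the user claims it covers."""
        if self.pending is None:
            return False                       # nothing outstanding: stale or replayed code
        expected = response_code(self.key, self.host, self.pending, dev_class, access, hours)
        self.pending = None                    # one-shot: consumed even when verification fails
        if not hmac.compare_digest(expected, code):
            return False
        now = time.time() if now is None else now
        self.grants.append((dev_class, access, now + hours * 3600))
        return True

    def is_allowed(self, dev_class: str, operation: str,
                   now: Optional[float] = None) -> bool:
        """Consult unexpired temporary grants for one access attempt."""
        now = time.time() if now is None else now
        for cls, access, expires in self.grants:
            if cls == dev_class and now < expires:
                if operation == "read" or access == "rw":
                    return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # assumed to be provisioned at install time
    console = AdminConsole({"LAPTOP-42": key})
    agent = OfflineAgent("LAPTOP-42", key)
    challenge = agent.new_challenge()          # the user reads this to the help desk
    code = console.issue(challenge, "removable_storage", "rw", 4)
    print(agent.redeem("removable_storage", "rw", 4, code))   # True
    print(agent.is_allowed("removable_storage", "write"))     # True for the next 4 hours
```

Because the grant parameters are part of the MAC input, a user who was given a four-hour read-only code cannot redeem it as read/write or for a longer period, and because the nonce is consumed on first use the same code cannot be replayed after the grant lapses.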

Requirements

Client (32-bit unless specified)
  • Windows 2000 (SP 4+) Professional, Windows XP Professional, Windows XPe, Windows Embedded Point of Service, Windows XP Tablet PC Edition, Windows Vista (32 and 64 bit)

Database
  • Windows 2000 Server (SP 4 or later) or Professional, Windows XP Professional (SP2 or later), Windows Server 2003 SP1 or SR2 (32-bit) or Vista (32-bit)

Server
  • Windows 2000 Server (SP 4 or later) or Windows Server 2003 SP1 or SR2 (32-bit)

Management Console
  • Windows 2000 Professional (SP 4 or later), Windows XP Professional (SP2 or later), Windows XPe SP2, Windows Embedded for Point of Service (WEPOS) SP2, Windows XP Tablet PC Edition SP2 and Vista (32- and 64-bit versions)

Supported Device Types:
  • Biometric devices
  • COM/serial ports
  • DVD/CD drives
  • Floppy disk drives
  • Imaging devices/Scanners
  • LPT/parallel ports
  • Modems/Secondary network access devices
  • Palm handheld devices
  • Plug and Play devices
  • Printers (USB/Bluetooth )
  • PS/2 ports
  • Removable storage devices
  • RIM BlackBerry handhelds
  • Smart Card readers
  • Tape drives
  • User Defined devices
  • Windows CE handheld devices
  • Wireless network interface cards

Supported Connectivity:
  • USB
  • FireWire
  • Bluetooth
  • WiFi
  • PCMCIA
  • PS/2
  • LPT
  • IrDA
  • IDE
  • COM
  • S-ATA
  • SCSI

Product Modules

To accommodate organizations' differing endpoint policy, auditing and enforcement requirements, Sanctuary Device Control is available as a set of modules:

SANCTUARY DEVICE CONTROL - AUDIT ONLY
Focusing on audit and reporting requirements to comply with regulatory requirements or internal policies, Sanctuary Device Control – Audit Only provides extensive auditing & reporting features:

  • Logging of user actions - Keeps track of access denied (read/write), new device entered, by whom, when, on what host, etc.
  • Patented Bi-Directional Shadowing of all copied data - Tracks all data read from and/or copied to removable devices. First level provides file name, type, size, by whom, when, etc. while second level captures and retains a full copy of all data written to / from removable devices for audit needs by administrators.
  • Reporting to third party systems - Allows the export of CSV files to any compliant third party reporting system for further processing (e.g. statistics on device usage, denied access, etc.). A flexible and intuitive query builder generates the export files to be re-imported to MS Excel, Crystal Reports, Intellitactics and others.
  • Use of Sanctuary Device Scanner in order to create an inventory of all devices that have ever been plugged into the hosts connected to the corporate network.
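The log analysis and CSV export described for the Audit Only module can be illustrated with a small reporting script. The code below is an added example written for this datasheet, not Sanctuary's own tooling; the audit record layout and the sample events are constructed for the illustration and do not reflect the product's real log format.

```python
"""Querying and exporting a device-control audit log.

Added example of the log analysis and CSV export described for the Audit
Only module. Not Sanctuary's code; the log layout and the sample events are
constructed for this illustration.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Optional

FIELDS = ["time", "user", "host", "dev_class", "bus", "operation",
          "decision", "reason", "bytes"]

# Constructed sample audit records (no real users, hosts or devices).
SAMPLE_LOG = """\
2007-03-12T09:14:02Z,alice,WS-FIN-07,removable_storage,usb,write,allowed,rule for finance,4194304
2007-03-12T09:31:45Z,alice,WS-FIN-07,removable_storage,usb,write,denied,daily copy quota exceeded,8388608
2007-03-12T10:02:11Z,bob,WS-ENG-02,removable_storage,usb,write,denied,read-only permission,1024
2007-03-12T10:02:40Z,bob,WS-ENG-02,removable_storage,usb,read,allowed,rule for bob,0
2007-03-12T11:20:09Z,carol,WS-HR-01,removable_storage,usb,read,denied,no whitelist entry,0
2007-03-12T11:21:33Z,carol,WS-HR-01,removable_storage,usb,read,denied,no whitelist entry,0
2007-03-12T11:22:51Z,carol,WS-HR-01,wifi,pcmcia,read,denied,no whitelist entry,0
2007-03-12T13:05:17Z,alice,WS-FIN-07,dvd,firewire,read,allowed,rule for finance,0
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Turn the raw CSV log into one dict per event; the byte count becomes an int."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["bytes"] = int(row["bytes"])
        events.append(row)
    return events


def denied_by_user(events) -> Dict[str, int]:
    """Denied attempts per user, highest first; repeated denials merit follow-up."""
    counts = Counter(e["user"] for e in events if e["decision"] == "denied")
    return dict(counts.most_common())


def bytes_written_by_user(events) -> Dict[str, int]:
    """Volume actually copied out per user (allowed writes only)."""
    totals = defaultdict(int)
    for e in events:
        if e["operation"] == "write" and e["decision"] == "allowed":
            totals[e["user"]] += e["bytes"]
    return dict(totals)


def export_csv(events, decision: Optional[str] = None) -> str:
    """Filtered export with a header row, ready for a third-party reporting tool."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for e in events:
        if decision is None or e["decision"] == decision:
            writer.writerow(e)
    return out.getvalue()


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("denied attempts:", denied_by_user(events))
    print("bytes written:", bytes_written_by_user(events))
    print(export_csv(events, decision="denied"))
```

Splitting the two views (attempts that were refused versus data that actually left) matters in practice: the first feeds the "suspicious behavior" follow-up the datasheet mentions, the second is what a compliance auditor asks for.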

SANCTUARY DEVICE CONTROL – BASE
Sanctuary Device Control – Base includes the audit and reporting features of Sanctuary Device Control – Audit Only and adds all enforcement features of our award-winning policy enforcement product: access attributes, device management, enforcement by class, sub-class, device level, etc., and administrative roles. Note that this module does not include removable media encryption features.

SANCTUARY DEVICE CONTROL – ENCRYPTION ADD-ON
This is an add-on module to Sanctuary Device Control – Base (which is therefore a prerequisite to this add-on). Management of unique and encrypted devices offers the possibility to encrypt memory keys (AES-256) and thereby to uniquely identify them. The media authorizer module provides the capability to authorize a specific removable device to a particular user. The module specifically allows the encryption and protection of data stored on removable media.

SANCTUARY DEVICE CONTROL – ENTERPRISE
For organizations that need the entire set of the modules described above, Sanctuary Device Control – Enterprise provides the full feature set (auditing, reporting, enforcement and encryption) in a single bundle.

For more information on this modular offering, please contact your Lumension Security representative or contact us directly.
