Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security Management

Protection Against Lost or Stolen Data with Novell® ZENworks® Endpoint Security Management

Brent Beachem, Software Consultant Engineer, Novell, Inc.
Merrill Smith, Software Consultant Engineer, Novell, Inc.
Steve McLain, Senior Software Engineer, Novell, Inc.

Description

Laptops and mobile devices—carrying more business-critical data than ever before—are frequently the target of theft or accidental loss. And with a host of removable media devices connecting to networks every day, keeping your data safe has never been more important. In this session we'll discuss the capabilities Novell ZENworks Endpoint Security Management provides to do just that. You'll learn about the product's unique file and folder-based encryption (with advanced data encryption key management), removable storage device controls, USB device controls, and other features designed to protect data residing on lost or stolen devices.

Transcript of Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security Management

Page 1: Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security Management

Protection Against Lost or Stolen Data with Novell® ZENworks® Endpoint Security Management

Brent Beachem, Software Consultant Engineer, Novell, Inc.

Merrill Smith, Software Consultant Engineer, Novell, Inc.

Steve McLain, Senior Software Engineer, Novell, Inc.

Page 2

© Novell, Inc. All rights reserved.

Agenda

• Overview of the current reality of "mobile data"
• Examples of recent and common lost or stolen data scenarios
• Simple examples of ZENworks® Endpoint Security Management (ZESM) features to mitigate these security breaches
• Detailed discussion and examples of using native ZESM features to resolve these security breaches
  – Encryption
  – USB Controls
  – Adapter Controls
• Discussion on unique 3rd party integration options for ZESM

NOTE: PLEASE... Ask questions and interrupt!

Page 3

Mobile Endpoints = Mobile Data

[Figure: Exhibit 2, "The Borderless Enterprise" (Source: Yankee Group, 2009). Your business (front office, back office, employees) and its ERP, CRM and SCM systems, suppliers and customers are linked through desktop video, room-based video, audio conferencing, collaboration software, messaging software, e-mail, voice mail, fax, phones, mobile phones, pagers, PDAs and laptops.]

• "There used to be this thing called the 'Network Perimeter'."

Page 4

Mobile Devices + Mobile Endpoints = Even More Mobile Data

• USB-enabled electronics device annual shipments will double from 1.4 billion in 2005 to 2.8 billion in 2010.
  – Storage devices (flash drives as large as 256 GB today)
  – Networking adapters (rapid rise in Wireless USB)
  – Printers, scanners, webcams (all with storage devices embedded)
  – MP3 players/iPods: over 240 million iPods alone had been sold by January 2010
• Bluetooth: over 12 million Bluetooth-enabled devices are sold every week.
• eSATA, PCMCIA, 1394a/b, USB, etc.: removable storage device interfaces offering up to several terabytes of data storage capacity

Source: In-Stat/MDR

[Chart: annual shipments, USB products versus other devices]

Page 5

Key Areas Of Sensitive Data

Data at Rest
  File shares, servers, laptops: Microsoft file shares; Unix file shares; NAS/SAN storage; Windows 2000, 2003; Windows XP, Vista
  300+ file types: Microsoft Office files; PDFs; PSTs; Zip files
  Databases and repositories: SharePoint, Documentum; Lotus Notes, Exchange; Microsoft Access; Oracle, SQL, DB2; contact management systems

Data in Motion
  E-mail: SMTP e-mail; Exchange, Lotus, etc.; webmail; text and attachments
  Instant messages: Yahoo IM; MSN Messenger; AOL Messenger
  Web traffic: FTP; HTTP; HTTPS; TCP/IP

Data in Use
  Print and burn: local printers; network printers; burn to CDs/DVDs
  USB: external hard drives; memory sticks; removable media
  Copy and Save As: copy to network shares; copy to external drives; Save As to external drives

Page 6

Examples of Recent and Common Lost or Stolen Data Scenarios

• Stanford University
  – Stolen laptop with unencrypted data
• Cal State Los Angeles, CA
  – Employee USB storage device stolen with unencrypted data
• Veterans Administration
  – Stolen laptop with unencrypted data
  – USB storage device used to move data from work to home
• TJ Stores (TJX)
  – "War driving": parking-lot hacking of WEP keys

Page 7

Stanford University

• 72,000 personal records
• Names, SSNs, birth dates, addresses, salary info, etc.
• Questions remain: "Has the information been used?"
• School issued credit monitoring service: $3.6 M
• Breach:
  – Stolen laptop contained unencrypted records

Page 8

Cal State Los Angeles

• 2,500 student and faculty 'personal records'
• CSLA immediately issued 'User Guidelines for Portable Electronic Storage Media':
  – "All confidential, personal, and proprietary information stored on portable electronic storage media must be encrypted."
• Breach:
  – Unencrypted USB drive stolen from car

Page 9

Veterans Administration

• 28.6 M records stolen
• Class-action lawsuits filed on behalf of every veteran
• Breach:
  – Data removed from unencrypted (stolen) laptop
  – Employee removed data from office on a USB storage device to 'work from home'

Page 10

TJ Stores (TJX) - TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, Bob’s Stores

• 47.5 M credit/debit card numbers stolen
• Largest data breach in US history at the time
• $216 M 'breach cost' (estimate)
• Transaction data from 2003 – 2006 compromised
• Data used in an $8 M 'gift card' scheme
• Breach:
  – 'War driving': parking-lot Wi-Fi hacking
  – Wireless transmissions only protected by the 'broken' WEP protocol

Page 11

High Profile Breaches

Source: Privacy Rights Clearinghouse

Page 12

Resolutions for Recent and Common Lost or Stolen Data Scenarios

(RSD = removable storage device)

Data breach                                               Resolution
Lost or stolen laptop with unencrypted, sensitive data    Require fixed-disk data encryption
Lost or stolen RSD with unencrypted, sensitive data       Require encryption of RSDs, or control the use of RSDs
Unauthorized movement of data with a USB device           Control the use of USB devices
Wi-Fi hacking of WEP keys                                 Prevent connections to insecure (or less secure) Wi-Fi networks

Page 13

Details of ZENworks® Endpoint Security Management Fixed Disk Encryption Solution

Encrypt "safe harbors" on fixed disks
– What we do
  > File- and folder-based encryption
  > Policy-defined "safe harbors"
  > User-selectable "safe harbors"
  > Secondary authentication for decryption
  > Simplified encryption key management
– What we don't do
  > Directly compete with Full Disk Encryption (FDE); see the comparison table for the trade-offs
  > Cost as much as FDE

Page 14

Trade-offs of Full Disk Encryption (FDE) versus file/folder encryption

Full Disk Encryption
– Automatically ensures the entire hard drive (or partition) is encrypted; you don't have to force sensitive data into a "safe harbor" location.
– Automatically encrypts the pagefile, hibernation file and other OS files that receive sensitive data from memory during power-state transitions.
– Decryption requires a pre-boot authentication (PBA) login when the machine boots. This is a significant cost for corporations that want to do remote diagnostics, patching, etc.
– Data recovery options can be cumbersome or difficult.
– Some disk encryption implementations are controlled only by username/password (others offer smart card or certificate-based authentication). Simple authentication mechanisms can easily be compromised.

ZENworks® Endpoint Security Management file/folder-based encryption
– Specified "safe harbor" folders are designated for saving sensitive data. Most commercial-grade applications allow files to be forced into specified locations, and Microsoft applications can be controlled by Group Policy Object (GPO) settings. The trade-off cuts the other way too: anything an application writes outside a safe harbor (temporary files, caches, mail stores) stays in clear text on a lost disk.
– The use of the pagefile, hibernation file and other OS files containing sensitive information can be controlled by GPO settings.
– No PBA required; administrators always have the ability to access and decrypt data through normal remote administration tools.
– Data recovery options are built into the policies, and separate, simple tools exist.
– Secondary authentication and strong password requirements exist for file/folder decryption.

Page 15

Details of ZENworks® Endpoint Security Management RSD Encryption Solution

Encrypt Removable Storage Devices (RSD)
– What we do
  > General, simple control (any RSD gets encrypted)
  > Password-based folder encryption (simplifies the workflow when outside customers need access to the data without running ZESM)
  > Simplified encryption key management
  > Seamless use of the encrypted RSD throughout your corporation (decryption within the same "encryption key island" is transparent)
– What we don't do
  > "White-list" RSDs that do not get encrypted while encrypting all others; this is under investigation for a future feature
  > Automatically launch an application to decrypt RSD data after a successful authentication (as U3 devices with encryption do); in the ZENworks® Configuration Management 11 version, we will provide an option to copy a stand-alone decryption tool to the RSD
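The key-management properties listed on the fixed-disk and RSD slides above (secondary authentication for decryption, transparent use within one "encryption key island", password-based access for outside parties, and recovery built into the policy) all reduce to one pattern: each safe harbor or RSD folder gets its own data-encryption key (DEK), and that DEK is wrapped separately under every credential that may unlock it. The following is an added illustration of that pattern, not Novell's implementation or file format. It uses only the Python standard library, with HMAC-SHA256 in counter mode plus an HMAC tag standing in for a real AEAD, and every key, password and document in it is constructed for the example.

```python
"""Per-folder encryption with one data-encryption key (DEK) wrapped under
several key-encryption keys (KEKs): the organisation's "key island" key
(transparent use on managed endpoints), a user password (secondary
authentication; also the path an outside party uses) and an administrative
recovery key.

Added example, not Novell's code. Standard library only: HMAC-SHA256 in
counter mode supplies the keystream and a second HMAC authenticates the
ciphertext (encrypt-then-MAC). Production code should use a standard AEAD
such as AES-256-GCM; the construction here only illustrates key management.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode, expanded to `length` bytes."""
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a modified blob raises ValueError."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def derive_kek(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Password -> key-encryption key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_keyring(island_key: bytes, recovery_key: bytes, password: str) -> Dict[str, bytes]:
    """Generate a fresh DEK for a folder and wrap it under every KEK."""
    dek, salt = os.urandom(32), os.urandom(16)
    return {
        "salt": salt,
        "island": seal(island_key, dek),                    # managed endpoints, transparent
        "password": seal(derive_kek(password, salt), dek),  # secondary auth / outside party
        "recovery": seal(recovery_key, dek),                # administrator recovery
    }


def unwrap_dek(keyring: Dict[str, bytes], island_key: Optional[bytes] = None,
               password: Optional[str] = None, recovery_key: Optional[bytes] = None) -> bytes:
    """Recover the DEK with whichever credential the caller holds."""
    if island_key is not None:
        return unseal(island_key, keyring["island"])
    if password is not None:
        return unseal(derive_kek(password, keyring["salt"]), keyring["password"])
    if recovery_key is not None:
        return unseal(recovery_key, keyring["recovery"])
    raise ValueError("no credential supplied")


def demo_keyring() -> Dict[str, bool]:
    """Encrypt one file, open it by each path, then try a wrong password and a tampered file."""
    island_key, recovery_key = os.urandom(32), os.urandom(32)   # constructed keys
    keyring = create_keyring(island_key, recovery_key, "correct horse battery staple")
    document = b"employee SSN list (constructed sample data)"
    blob = seal(unwrap_dek(keyring, island_key=island_key), document)
    out = {
        "island": unseal(unwrap_dek(keyring, island_key=island_key), blob) == document,
        "password": unseal(unwrap_dek(keyring, password="correct horse battery staple"), blob) == document,
        "recovery": unseal(unwrap_dek(keyring, recovery_key=recovery_key), blob) == document,
    }
    try:
        unwrap_dek(keyring, password="wrong password")
        out["wrong_password_rejected"] = False
    except ValueError:
        out["wrong_password_rejected"] = True
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        unseal(unwrap_dek(keyring, island_key=island_key), tampered)
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out


if __name__ == "__main__":
    for path, ok in demo_keyring().items():
        print("%-24s %s" % (path, "ok" if ok else "FAILED"))
```

Two consequences of this layout are worth noting. A forgotten password does not lose the data as long as the island key or the recovery key survives, and a password change only re-wraps the DEK, so no file is re-encrypted. Conversely, the recovery key unlocks every folder wrapped under it and needs the same custody as an FDE recovery key.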

Page 16

Example ZENworks® Endpoint Security Management Encryption Policy

Page 17

Example ZENworks® Endpoint Security Management RSD Policy

Page 18

Details of ZENworks® Endpoint Security Management USB Controls

• Removable Storage Device (RSD) encryption
  – Mandate that all RSDs are encrypted
  – Password-based folder
• USB general connectivity
  – Stop ALL USB devices
  – Control by USB device groups
  – "White-list" only approved USB peripherals (certificate providers, printers, RIM devices for syncing, 3G/broadband modem devices, etc.)
• USB: integrate with 3rd party USB RSD providers with portable encryption (example: Kingston DataTraveler2 Private)
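The following is an added example, not ZESM code and not Novell's policy format, of how a "control by device groups, white-list only approved peripherals" rule can be evaluated against Windows-style USB device instance IDs. Devices are grouped by their USB interface class; storage and wireless groups are blocked by default; and an allow-list entry for a storage device must pin the serial number, because the vendor and product IDs are reported by the device's own firmware and can be cloned. The policy fields, the group names and every VID/PID/serial in the sample set are constructed assumptions.

```python
"""USB device-group and white-list policy evaluated against Windows-style
device instance IDs ("USB\\VID_xxxx&PID_yyyy\\<serial>").

Added example; this is not ZESM code. The policy format, the group names and
every VID/PID/serial below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# USB-IF interface class codes -> the device group a policy reasons about.
CLASS_GROUPS = {0x03: "hid", 0x07: "printer", 0x08: "storage", 0x0E: "video", 0xE0: "wireless"}

INSTANCE_ID = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:\\(.+))?$", re.I)


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    serial: Optional[str]
    group: str


def parse_device(instance_id: str, interface_class: int) -> Device:
    """Split an instance ID into VID/PID/serial and map the class code to a group."""
    m = INSTANCE_ID.match(instance_id)
    if not m:
        raise ValueError("not a USB instance ID: %r" % instance_id)
    vid, pid, suffix = m.group(1).upper(), m.group(2).upper(), m.group(3)
    # A device that reports no serial gets a Windows-generated suffix containing
    # '&' (e.g. 6&1F2E3D4C&0&2); that encodes the port, not the device's identity.
    serial = suffix if suffix and "&" not in suffix else None
    return Device(vid, pid, serial, CLASS_GROUPS.get(interface_class, "other"))


@dataclass
class UsbPolicy:
    blocked_groups: Set[str] = field(default_factory=lambda: {"storage", "wireless"})
    allow_list: List[Dict[str, str]] = field(default_factory=list)
    # Groups that may only be white-listed by VID+PID+serial, never VID+PID alone.
    serial_required: Set[str] = field(default_factory=lambda: {"storage"})

    def evaluate(self, dev: Device) -> Tuple[str, str]:
        """Return ("allow"|"block", reason); allow-list entries override group blocks."""
        for entry in self.allow_list:
            if (entry["vid"], entry["pid"]) != (dev.vid, dev.pid):
                continue
            if dev.group in self.serial_required:
                # VID/PID come from device firmware and can be cloned; pin the
                # serial so a look-alike stick does not inherit the exemption.
                if not entry.get("serial") or entry["serial"] != dev.serial:
                    continue
            return "allow", "white-listed %s %s:%s" % (dev.group, dev.vid, dev.pid)
        if dev.group in self.blocked_groups:
            return "block", "%s devices are blocked by policy" % dev.group
        return "allow", "%s devices are not restricted" % dev.group


def demo_usb() -> Dict[str, str]:
    """Evaluate a constructed set of plugged-in devices; returns name -> decision."""
    policy = UsbPolicy(allow_list=[
        {"vid": "1A2B", "pid": "0100", "serial": "CORP0000123"},  # one issued, encrypted stick
        {"vid": "3C4D", "pid": "2000"},                            # an approved modem model
    ])
    samples = {  # constructed instance IDs and interface classes
        "keyboard":             ("USB\\VID_046D&PID_C31C\\6&1F2E3D4C&0&2", 0x03),
        "network printer":      ("USB\\VID_03F0&PID_0517\\PRN778899", 0x07),
        "random flash drive":   ("USB\\VID_0951&PID_1624\\0019E02D5A3B", 0x08),
        "issued flash drive":   ("USB\\VID_1A2B&PID_0100\\CORP0000123", 0x08),
        "cloned flash drive":   ("USB\\VID_1A2B&PID_0100\\CORP0000999", 0x08),
        "approved 3G modem":    ("USB\\VID_3C4D&PID_2000\\7&2B3C4D5E&0&1", 0xE0),
        "unknown Wi-Fi dongle": ("USB\\VID_0BDA&PID_8178\\00E04C000001", 0xE0),
    }
    return {name: policy.evaluate(parse_device(iid, cls))[0]
            for name, (iid, cls) in samples.items()}


if __name__ == "__main__":
    for name, decision in demo_usb().items():
        print("%-22s %s" % (name, decision))
```

The "cloned flash drive" case is the one to watch: it carries the approved VID/PID but a different serial and is still blocked. Even serial pinning is only an identity check on data the device supplies, so it belongs alongside the RSD encryption mandate on the same slide, not in place of it.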

Page 19

Example ZENworks® Endpoint Security Management USB Policy

Page 20

Details of ZENworks® Endpoint Security Management Adapter Controls

• Unique network adapter control
  – Wireless Ethernet
    > Disable Wi-Fi when wired (helps prevent dual homing and bridging into corporate connections)
    > Disable ad hoc connections (stops peer-to-peer connections and controls mesh networking)
    > Block Wi-Fi connections (prevents connections but still allows wireless reporting information)
    > "White-list" specific approved Wi-Fi adapters (allow wireless connections only with approved devices having adequate security implementations and/or administrative controls)
    > Network utilization control (through SSID, MAC and key management approaches)
    > Mandate a minimum level of Wi-Fi security for endpoints to connect to

Page 21

Example ZENworks® Endpoint Security Management Wi-Fi Adapter Policy

Page 22

Example ZENworks® Endpoint Security Management Wi-Fi Control Policy

Page 23

Example ZENworks® Endpoint Security Management Wi-Fi Security Policy

Page 24

Details of ZENworks® Endpoint Security Management Adapter Controls (cont.)

• Unique network adapter control (cont.)
  – Wired Ethernet
    > Disable Wi-Fi when wired (helps prevent dual homing and bridging into corporate connections)
    > "White-list" specific approved wired adapters (allow wired connections only with approved devices having adequate security implementations and/or administrative controls)
    > Disable adapter bridging (helps prevent dual homing and bridging into corporate connections)
• Hardware device control (FireWire, serial, parallel, etc.)
• VPN enforcement (simple model with connect/disconnect commands)
• Integrity rules (simple tests and quarantine)
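As an added example (not ZESM code), the following evaluates a proposed Wi-Fi association against the wireless and wired adapter controls listed on the two adapter-control slides: adapter mode (enforce, report-only, off), "disable Wi-Fi when wired", no ad hoc networks, a minimum security level ranked from open through WEP up to WPA2-Enterprise, and SSID/BSSID pinning. The policy fields, the security ranking and the sample scan results are constructed assumptions.

```python
"""Wi-Fi adapter policy: minimum security level, ad hoc control, "disable
Wi-Fi when wired", report-only mode and SSID/BSSID pinning.

Added example; not ZESM code. The policy fields, the security ranking and the
sample scan results are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Ordering behind "minimum Wi-Fi security"; higher is stronger.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa-tkip": 2, "wpa2-aes": 3, "wpa2-enterprise": 4}


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    security: str
    adhoc: bool = False


@dataclass
class WifiPolicy:
    mode: str = "enforce"                         # "enforce" | "report-only" | "off"
    minimum_security: str = "wpa2-aes"
    allow_adhoc: bool = False
    disable_when_wired: bool = True
    approved_ssids: Optional[Set[str]] = None     # None = any SSID that meets the minimum
    approved_bssids: Optional[Set[str]] = None    # None = do not pin access points


def evaluate(policy: WifiPolicy, net: Network, wired_link_up: bool) -> Tuple[str, str]:
    """Return ("allow"|"block", reason) for a proposed association."""
    if policy.mode == "off":
        return "block", "wireless adapter disabled by policy"
    if policy.disable_when_wired and wired_link_up:
        return "block", "wired link active; Wi-Fi held down to prevent dual homing/bridging"
    if policy.mode == "report-only":
        return "block", "associations blocked; scan results are still reported"
    if net.adhoc and not policy.allow_adhoc:
        return "block", "ad hoc (peer-to-peer) networks are not allowed"
    if net.security not in SECURITY_RANK:
        return "block", "unknown security type %r" % net.security
    if SECURITY_RANK[net.security] < SECURITY_RANK[policy.minimum_security]:
        return "block", "%s is below the required minimum (%s)" % (net.security, policy.minimum_security)
    if policy.approved_ssids is not None and net.ssid not in policy.approved_ssids:
        return "block", "SSID %r is not on the approved list" % net.ssid
    # An SSID is trivially cloned by a rogue access point; pinning the BSSID
    # (AP MAC) raises the bar, but a MAC can be spoofed too, so only an
    # authenticated network (WPA2-Enterprise with server-certificate checks)
    # actually proves which network the client joined.
    if policy.approved_bssids is not None and net.bssid not in policy.approved_bssids:
        return "block", "BSSID %s is not an approved access point" % net.bssid
    return "allow", "meets policy"


def demo_wifi() -> Dict[str, str]:
    """Evaluate constructed scan results under a corporate policy; returns name -> decision."""
    policy = WifiPolicy(approved_ssids={"CorpNet", "CorpGuest"},
                        approved_bssids={"00:11:22:33:44:55", "00:11:22:33:44:66"})
    scans = {  # constructed scan results
        "corp WPA2-Enterprise": Network("CorpNet", "00:11:22:33:44:55", "wpa2-enterprise"),
        "corp guest WPA2-AES":  Network("CorpGuest", "00:11:22:33:44:66", "wpa2-aes"),
        "evil twin same SSID":  Network("CorpNet", "DE:AD:BE:EF:00:01", "wpa2-enterprise"),
        "store WEP network":    Network("RetailPOS", "00:AA:BB:CC:DD:EE", "wep"),
        "hotel open network":   Network("HotelFree", "00:AA:BB:CC:DD:01", "open"),
        "ad hoc peer":          Network("CorpNet", "02:00:00:00:00:01", "wpa2-aes", adhoc=True),
    }
    result = {name: evaluate(policy, net, wired_link_up=False)[0] for name, net in scans.items()}
    # Same good network, but the laptop is docked on the wired LAN.
    result["corp WPA2-Enterprise while docked"] = evaluate(
        policy, scans["corp WPA2-Enterprise"], wired_link_up=True)[0]
    return result


if __name__ == "__main__":
    for name, decision in demo_wifi().items():
        print("%-34s %s" % (name, decision))
```

Under the default minimum of WPA2-AES the WEP-protected store network from the TJX scenario is rejected outright, and the "evil twin" case shows why SSID filtering alone is not a control: the rogue AP advertises the corporate SSID and is only caught by the BSSID pin.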

Page 25

Example ZENworks® Endpoint Security Management Communication Hardware Control Policy

Page 26

Have You Ever Wanted to Do These With Your Currently Deployed Applications?

• Ensure services and applications always run, even when end users have local administrative privileges.
• Initiate A/V and anti-spyware scans based on network location, other applications running, network connectivity, etc., and not just time of day/week.
• Ensure diverse VPN solutions are running in hot-spots, hotels, airports and other public locations.
• Provide user messages, warnings and information based on various security events.
• Require VBScripts and/or JScripts to run without end-user modification, intervention or circumvention.

Page 27

Unique 3rd Party Integration Options

• Integrate and leverage ZENworks® Endpoint Security Management native security options:

– ZESM is always loaded and running, so it can ensure other security events happen as well.

– Location Awareness (determination, changing, triggering)

– Firewall control

– Adapter Controls (connection, types, disabling/control)

– Simple User Interface (UI), message dialogs, and/or workflow controls

– Custom dialogs/UI

• Advanced Scripts examples:

– Various Patch, A/V, and Anti-Spyware integration

– Customer's use of Microsoft VPN Enforcement to save money

– Wireless UI controls

– Remote Admin tools/services running

– Policy enforced and controlled VB Scripts and JScripts

Page 28

Example ZENworks® Endpoint Security Management 3rd Party Integration Through Scripting Policy

Page 29

Questions and Answers

Page 30

Questions and Answers

• What other security issues are you dealing with now?

• What would you like ZENworks® Endpoint Security Management to do for you?

• What other detailed questions or information about the product or features do you need answered at this time?

Page 31

Detailed Data Slides

Page 32

Inside ZENworks Endpoint Security

Page 33

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
