
SAFEND Data Protection Suite™

Reviewer’s Guide

Version 3.4


Reviewer’s Guide

SAFEND DATA PROTECTION SUITE™

- Page 2 -

Important Notice

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information belonging to Safend Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly authorized Safend Data Protection Suite users, reviewers and evaluators.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the expressed prior written permission of Safend Ltd.

The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.

The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.

Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.

The information in this document is provided in good faith but without any representation or warranty whatsoever, whether it is accurate, or complete or otherwise and with the expressed understanding that Safend Ltd. shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.

Copyright 2005-2010 Safend Ltd. All rights reserved.

Other company and brand products and service names are trademarks or registered trademarks of their respective holders.


About This Guide

This Reviewer’s Guide presents an overview of Safend Data Protection Suite 3.4. It explains how the product works and how to use Safend Data Protection Suite to guard your network endpoints.

Reviewer’s Contact Information

Presale contact:
Tomer Greenbaum
Pre-sales and Projects Team Leader
+972-3-644-2662 Ext 201
[email protected]

Marketing contact:
Yael Gelberger
Marcom Manager
Safend
[email protected]

Support contact:
Web: www.safend.com/189-en/Safend.aspx
Email: [email protected]
Phone: 1-888-225-9193


Table of Contents

About Safend ..... 5
The Problem ..... 6
The Safend Data Protection Suite Solution ..... 7
Why Safend? ..... 7
Features List ..... 8
  Safend Encryptor: Hard Disk Encryption ..... 8
  Safend Protector - Port & Device Control and Removable Storage Encryption ..... 8
  Data Classification
  Safend Inspector: Content Inspection & Filtering ..... 11
  Safend Discoverer: Endpoint Data Discovery ..... 12
  Safend Reporter: Reporting and Analysis ..... 13
  Safend Data Protection Suite Management Features ..... 14
Product Walkthrough ..... 17
  System Architecture ..... 17
  Safend Policy Definition ..... 20
    What Does a Policy Define? ..... 20
    How Do You Define a Policy? ..... 20
    Safend Encryptor: Hard Disk Encryption Policy ..... 27
    Safend Protector: Port & Device Control and Removable Storage Encryption policy ..... 21
    Configuring Data Classifications ..... 27
    Safend Inspector: Content Inspection & Filtering ..... 32
    Safend Discoverer: Endpoint Data Discovery ..... 35
    Safend Auditor ..... 36
  Safend Policy Enforcement – Safend Data Protection Suite Client ..... 37
Safend Data Protection Suite Implementation Workflow ..... 38


About Safend

Safend software solutions protect an organization’s confidential information from loss and theft by monitoring, detecting and restricting data transfers from the endpoint. They also allow encrypting both detachable devices and internal hard disks.

Safend's solutions, available through channel partners worldwide, are deployed by multi-national enterprises, government agencies and small to large scale companies across the globe.

Safend Data Protection Suite

Safend Data Protection Suite is centrally managed using a single management server, a single management console and a single, lightweight agent. The combination of the Safend Data Protection Suite license-activated components, Safend Protector, Encryptor, Inspector, Discoverer, Auditor and Reporter, provides a comprehensive endpoint protection solution that protects an organization’s sensitive data residing on PCs, laptops and detachable devices.

Safend Encryptor ensures that mobile users’ data is secure by encrypting any data stored on internal hard disks.

Safend Protector applies customized, highly granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media.

Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or even a machine’s LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting legitimate business processes or disturbing end user productivity.

Safend Auditor provides organizations with the visibility needed to assess and manage vulnerabilities in an enterprise’s PC and laptop environment, by identifying and logging all devices that are or have been locally connected, before the Safend Data Protection Agent has been deployed to these endpoints.

Safend Discoverer allows security administrators to locate sensitive data stored on organizational endpoints. It helps identify gaps in data protection and compliance initiatives, and provides insight into which policies should be implemented using other components of the Safend Data Protection Suite.

Safend Reporter provides security and IT personnel with built-in reports that give visibility into an organization’s security status and operational needs.


The Problem

Business survival and success are built on data security. Organizations depend on the security of their data, from intellectual property such as business plans and trade secrets, to sensitive customer data like health records, financial information and social security numbers.

Regulatory security initiatives such as Sarbanes-Oxley (SOX), HIPAA, PCI, FISMA, and the UK Data Protection Act (DPA) require organizations to maintain ongoing visibility into endpoint activity. In today’s sensitive regulatory climate, organizations are expected to demonstrate a comprehensive data protection strategy and an understanding of all data transfer activities.

Industry statistics consistently show that the most significant security threat to the enterprise comes from within. With over 60% of corporate data residing on endpoints, gateway solutions and written security policies alone cannot mitigate the risk.

Growing numbers of laptops, removable storage devices, interfaces (physical and wireless), and users with access to sensitive data have made data leakage via endpoints, both accidental and malicious, a very real threat. An inevitable fact of life is that laptops are sometimes lost or stolen. It is simply too easy for sensitive data to walk out the door on an iPod or be uploaded to the Web. According to Forrester, data loss through endpoints is now a leading endpoint security concern, ahead of malware, spyware and other threats.

Despite the clear and present danger of data leakage and loss, implementing effective endpoint data protection remains an uphill battle for most organizations. Securing endpoints without impacting employee productivity and system performance demands a highly flexible solution that takes into account the dynamics of real-world work environments.

Many end users view external devices and outbound communications as personal, and view encryption of any kind as a headache, often balking at and circumventing imposed security measures. As a result, today’s data protection solutions need to be transparent without compromising the data security of an organization. All possible endpoint data leakage avenues must be managed with powerful, enforceable, tamper-proof security.

Endpoint data can exit organizational boundaries in any number of ways: it can be carried away on an unencrypted storage device, mistakenly sent to unauthorized email recipients, or stolen with the laptop it is stored on. An effective endpoint security program must address the entire range of risks in order to properly protect an organization’s data.


The Safend Data Protection Suite Solution

Safend Data Protection Suite provides complete endpoint data protection in a single product, with a single management server and a single, lightweight agent. Featuring easy deployment, seamless maintenance for administrators, and maximum transparency for end users, Safend Data Protection Suite provides comprehensive endpoint data security without sacrificing productivity.

Safend Data Protection Suite eliminates data leakage from endpoints, delivering comprehensive visibility, complete data protection and total control over all available avenues to sensitive data.

Only with detailed visibility of endpoint activity, ongoing and historical, can security administrators effectively monitor and enforce a security policy that is in line with real-world usage. With Safend Data Protection Suite, security administrators can rapidly query all organizational endpoints, locating and documenting all devices that are or have ever been locally connected. Safend Data Protection Suite’s advanced reporting capabilities provide ongoing insight into the organization’s security status.

Safend Data Protection Suite monitors real-time traffic and applies granular security policies over all physical, wireless and removable storage interfaces. Safend Data Protection Suite detects, logs, and restricts unapproved data transfer from any computer in the enterprise. Each computer is protected 100% of the time, even when it is not connected to the network. Safend Data Protection Suite’s control is built from the ground up to enforce a comprehensive security policy appropriate for all organizational security needs. Sensitive data transfers can be controlled at different logical levels: redundant physical and wireless ports can be blocked, devices and wireless networks can be approved or denied by their types and specific characteristics, storage devices’ functionality can be partially or completely disabled, and the data which exits the organizational boundaries through approved data transfer channels can be controlled according to its actual content.

Safend Data Protection Suite guards the data stored on hard drives with its innovative, easy to manage hard disk encryption. Safend Data Protection Suite also ensures that mobile users and data are secure by encrypting any data written to removable media such as USB flash drives, external hard drives and CD/DVD.

Why Safend?

Control all your data protection measures with a single management server, single management console and a single lightweight agent.

Operationally friendly deployment and management.

Best-of-breed port and device control.

Hard disk encryption is completely transparent and does not change the end user experience or common IT procedures.

Comprehensive and enforceable removable media encryption.

Full control over sensitive data both inside and outside the organizational network.


Suite Components

Safend Data Protection Suite provides complete endpoint data protection with a single software product. It includes several license-activated components. Each component within the Safend Data Protection Suite can be implemented standalone or in combination, and complements your existing security infrastructure.

The following are the main features of the product, divided according to the different components:

Safend Protector - Port & Device Control and Removable Storage Encryption

Safend Protector, a license-activated component of the Safend Data Protection Suite, protects endpoints by applying customized, highly granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media.

Port Control – intelligently allows, blocks or restricts the usage of any or all computer ports in your organization, according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dialup, 3G, etc.), WiFi, IrDA and Bluetooth ports.

Device Control – Highly granular identification and approval of devices, including a comprehensive list of device types and robust white listing of device models and even distinct devices (by serial number).

Storage Control – Special control over external and internal storage devices, including removable media, external hard drives, CD/DVD media, floppy and tape drives. A policy can block usage of device types, models and even distinct devices (by serial number), restrict usage to read only, or enforce encryption (see below).

Removable Media Encryption - Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted storage devices to company computers by use of encryption. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through removable storage devices and media.

Offline Usage of Encrypted Devices - Specific, pre-approved users can access encrypted devices outside the protected organization on unprotected machines using an access password.


Track Offline Usage of Encrypted Devices - Safend Data Protection Suite provides administrators with improved visibility on the usage of encrypted devices outside the organization. With this unique feature, every offline access to an encrypted device is tracked, providing a comprehensive log of each file transfer to/from this device. With this log, administrators can audit users' actions even on non-company computers, in order to validate legitimate use of corporate data.

Configurable Password Policy – Administrators can define the security criteria for the device access password. Administrators can predefine password parameters such as minimal password length and the types of characters it contains, in order to comply with the organization's security guidelines.

Inbound File-Type Control – This feature provides an additional layer of granularity and security by inspecting files for their type as they are transferred from external storage devices, and blocking dangerous or inappropriate content from being used inside the organization.

Granular WiFi Control - by MAC address, SSID, or the security level of the network.

Block Hybrid Network Bridging - Safend Data Protection Suite allows administrators to control and prevent simultaneous use of various networking protocols that can lead to inadvertent or intentional hybrid network bridging (such as WiFi bridging and 3G card bridging). Configuring Safend Data Protection Suite Clients to block access to WiFi, Bluetooth, Modem or IrDA links while the main wired TCP/IP network interface is connected to a network enables users to employ the various networking protocols only when they are disconnected from the network. This avoids the creation and potential abuse of a hybrid network bridge.

U3 and Autorun Control - Turns U3 USB drives into regular USB drives while attached to organizational endpoints, and protects against dangerous auto-launch programs by blocking autorun.

Block USB and PS/2 Hardware Key-Loggers - Blocks or detects the widest variety of USB and PS/2 hardware keyloggers in the industry, devices that can tap and record every keystroke on your endpoints.
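The Inbound File-Type Control item above rests on one idea: decide what a file is from its content, not from the extension a user gave it. The following Python is an added illustration of that check and is not Safend's code. The signature table, the permitted-type list, the way Office documents are told apart from plain ZIP archives, and every sample file are constructed for the demonstration; a real product carries a far larger signature set.

```python
"""Inbound file-type control, illustrated: identify a file by its content
(magic bytes, plus a look inside ZIP containers) instead of trusting its
extension, then allow or block it against a permitted-type list.
Added example, not Safend's implementation; signature table, allow-list
and sample files are constructed for the demo."""
import io
import zipfile

# Well-known header signatures (constructed subset; real tables are much larger).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),   # generic ZIP; refined below for Office formats
    (b"MZ", "exe"),           # Windows PE image (exe, dll, scr ...)
]

# Extensions that legitimately carry a given content type.
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "exe": {"exe", "dll", "scr"},
}


def refine_zip(data):
    """Look inside a ZIP container: Office Open XML files are ZIPs with a
    [Content_Types].xml part and a format-specific top-level folder."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip"  # header says ZIP but the archive is malformed or truncated
    if "[Content_Types].xml" in names:
        for folder, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
            if any(n.startswith(folder) for n in names):
                return kind
    return "zip"


def detect_type(data):
    """Return the content type implied by the bytes, or None if unrecognized."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return refine_zip(data) if kind == "zip" else kind
    return None


def check_inbound_file(filename, data,
                       allowed=frozenset({"pdf", "png", "jpg", "docx", "xlsx"})):
    """Decide whether a file arriving from external storage may be used.
    Returns (decision, reason); decision is 'allow' or 'block'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_type(data)
    if kind is None:
        return ("block", "unrecognized content")
    if ext not in ALIASES.get(kind, {kind}):
        # A permitted-looking extension on different content is the classic evasion.
        return ("block", f"extension .{ext} does not match content type {kind}")
    if kind not in allowed:
        return ("block", f"content type {kind} is not permitted")
    return ("allow", kind)


def make_sample_docx():
    """Constructed minimal Office-style ZIP (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def make_sample_zip():
    """Constructed plain ZIP archive with no Office parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain archive")
    return buf.getvalue()


# Constructed sample inputs: name the user gave the file, and its first bytes.
SAMPLES = {
    "report.docx": make_sample_docx(),
    "report-renamed.docx": make_sample_zip(),                # plain ZIP behind .docx
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,             # PE header behind .pdf
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,                # honest name, but not permitted
    "scan.pdf": b"%PDF-1.7\n%...\n",
    "photo.png": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",       # JPEG data behind .png
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_inbound_file(name, data))
```

The mismatch check runs before the allow-list check on purpose: "extension .pdf does not match content type exe" tells an administrator more than "exe is not permitted", and a file whose content the checker does not recognize is blocked rather than waved through on the strength of its name.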


Safend Encryptor: Hard Disk Encryption

As incidents of stolen and lost computers continue to make the headlines, it is crucial for organizations to secure the data stored on the hard drives of PCs and laptops. Safend Encryptor, a license-activated component of the Safend Data Protection Suite, encrypts the data stored on PCs and laptops, so that in the case of loss or theft sensitive data cannot be read by any unauthorized user.

Enforced by Policy - Encryption of data on internal hard drives is controlled by policy, and cannot be bypassed by the end user.

Key Management - Safend Encryptor incorporates a fully automated key management solution. All encryption keys are centrally generated and securely stored on the management server before encryption is initialized. Encryption keys are generated using a FIPS approved PRNG.

Transparent to End Users – Transparently uses Windows login to access the encrypted data and therefore does not require any end-user training.

Transparent to Help Desk - Transparently uses the generic AD domain password reset process. No dedicated password recovery procedure is required.

User Authentication - Safend Encryptor transparently supports any multi-factor authentication device supported by Windows (smart card, USB token, biometric, etc.), including multi-factor devices that change the Windows GINA or use a custom one.

Encryption Technology - Safend’s encryption concept utilizes Total Data Encryption technology. Using this technology, Safend Encryptor encrypts only files which may contain sensitive data, while avoiding encryption of the operating system and program files. The encryption is performed in real time, with minimal performance impact on the endpoint, and utilizes the industry standard AES algorithm with a 256 bit key length.

Data Recovery - Offers an intuitive, easy to implement recovery process in case of malfunction.

Full Audit Trail - Comprehensive logs are provided for all activities.


Safend Inspector: Content Inspection & Filtering

Safend Inspector, a license-activated component of the Safend Data Protection Suite, provides an additional protection layer for data transferred over approved data transfer channels. It enforces an accurate, data-centric security policy on data transferred from the endpoint without disrupting legitimate business processes or disturbing end user productivity.

Permanent Protection - Whenever a user attempts to extract data from the endpoint, Safend Inspector monitors the action and, if necessary, enforces the appropriate security policy. This protection is activated whether the machine is connected to the organization’s network, a home network or used offline.

Applying Security Actions - According to the security policy, Safend Inspector can enforce the following security actions:

Block - prevents the user from extracting the information from the endpoint.

Ask User - warns the user of their problematic action, and asks them if they are sure they want to continue.

Encrypt - ensures that the data is encrypted when it is extracted from the endpoint (this security action can be enforced only on external storage devices).

Multiple Channels Control - Safend Inspector controls data transferred over the following channels: Email (using Microsoft Outlook), Web (using Windows Internet Explorer), external storage devices, local printers, and network printers. Security administrators can control additional channels using Application Data Access Control, which controls the access of pre-defined applications to sensitive data.

Channel-Specific Exemptions - Security policies are highly granular, and can include specific exemptions for different protected channels. For example, a security policy can be set to prevent users from downloading confidential data to all external storage devices, except for company issued hardware encrypted devices.


Safend Discoverer: Endpoint Data Discovery

Safend Discoverer, a license-activated component of the Safend Data Protection Suite, allows security administrators to locate sensitive data stored on organizational endpoints.

Policy-Based Endpoint Discovery - the endpoint discovery process is triggered by applying a discovery policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The discovery policy also specifies the type of log record that will be sent to the management server when sensitive data is discovered.

When a discovery policy is applied on an endpoint, the Safend Data Protection Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server.

Limit Logs From a Single Endpoint - the administrator can limit the amount of data sent from a single endpoint in order to balance allocation of network and storage resources.

Safend Inspector & Discoverer: Data Classification

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. The Safend Inspector and Safend Discoverer components of the Safend Data Protection Suite both use the same data classification mechanism, whose features are described below:

Multiple Classification Techniques - Safend Data Protection Suite provides multiple data identification techniques which can be used individually or in combination to create an effective data classification scheme:

Keyword Lists – keyword lists are used to identify data transfer incidents which contain specific keywords or keyword sequences. A sophisticated “weight” mechanism facilitates the identification of logical content, by using dictionaries with different importance levels assigned to different phrases.

Textual Pattern Recognition – Textual pattern recognition is used to identify incidents which contain a pre-defined textual pattern, such as an email address, a phone number, a serial number or a credit card. The patterns are defined using .NET Regular Expressions.


Mathematical Verifiers – Mathematical Verifiers are applied to content which matches a pre-defined pattern (such as a credit card number or an ID number), and are used to ensure that the content was not falsely matched.

File Types – Individual file types are recognized according to a full analysis of the file format.

File Properties – Multiple meta-data parameters can be used to identify sensitive content, including full or partial file name, file size, and more.

Data Fingerprinting – Data fingerprinting is used to identify known content, even if the data has been partially modified.

Built-in Classifications - Safend Data Protection Suite includes out-of-the-box, pre-configured classifications which identify common types of sensitive data, such as Patient Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers.

Deep Content Inspection – files are analyzed in depth, including data stored inside compressed folders and embedded objects.
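To make the classification techniques listed above concrete, here is an added Python illustration (not Safend's code) of three of them working together: a weighted keyword list, a textual pattern for card numbers backed by a mathematical verifier (the Luhn mod-10 check, which is the standard verifier for this pattern), and fingerprinting of known content via hashed word shingles so that a partially edited copy is still recognized. The dictionary, weights, thresholds, shingle size and all sample texts are constructed for the demonstration.

```python
"""Toy data classifier illustrating weighted keyword lists, a regex textual
pattern with a Luhn mathematical verifier, and shingle-based fingerprinting.
Added example; not Safend's implementation. Dictionary, weights, thresholds,
shingle size and sample texts are constructed for the demo."""
import hashlib
import re

# Keyword list with importance weights (constructed sample dictionary).
KEYWORDS = {"confidential": 3, "patient": 2, "diagnosis": 2, "internal use only": 3}
KEYWORD_THRESHOLD = 4  # total weight at which the keyword rule fires


def keyword_score(text):
    """Sum the weight of every occurrence of each keyword or phrase."""
    lowered = text.lower()
    return sum(weight * lowered.count(phrase) for phrase, weight in KEYWORDS.items())


# Textual pattern: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(digits):
    """Mathematical verifier: Luhn mod-10 checksum, so an arbitrary run of
    digits (order numbers, timestamps) is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Pattern matches that also pass the verifier, with separators removed."""
    hits = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def fingerprint(text, k=5):
    """Fingerprint = set of hashed word k-grams (shingles). Editing a few words
    only invalidates the shingles overlapping the edit, so a mostly intact copy
    of a known document still shares most of its fingerprint."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def fingerprint_overlap(candidate, known):
    """Fraction of the known document's shingles found in the candidate."""
    return len(candidate & known) / len(known) if known else 0.0


def classify(text, known_fingerprints, overlap_threshold=0.5):
    """Return the list of classification rules that match the text."""
    reasons = []
    if keyword_score(text) >= KEYWORD_THRESHOLD:
        reasons.append("keywords")
    if find_card_numbers(text):
        reasons.append("credit_card")
    candidate = fingerprint(text)
    for name, known in known_fingerprints.items():
        if fingerprint_overlap(candidate, known) >= overlap_threshold:
            reasons.append("fingerprint:" + name)
    return reasons


# Constructed sample documents.
KNOWN_DOC = ("Project Falcon roadmap: the board approved the acquisition of "
             "Example Corp in the third quarter pending regulatory review and "
             "final due diligence by outside counsel")
KNOWN_FINGERPRINTS = {"falcon_roadmap": fingerprint(KNOWN_DOC)}

SAMPLES = {
    "phi": "Patient record: diagnosis confirmed. Internal use only.",
    "card": "Please charge card 4111 1111 1111 1111 for the order.",
    "order": "Order number 1234 5678 9012 3456 shipped yesterday.",   # fails Luhn
    "leak": ("FYI - Project Falcon roadmap: the board approved the acquisition of "
             "Example Corp in the fourth quarter pending regulatory review and "
             "final due diligence by outside counsel. Please keep this quiet."),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text, KNOWN_FINGERPRINTS))
```

The "order" sample shows why the verifier matters: it matches the card pattern but fails the checksum, so it is not reported. The "leak" sample changes one word and adds text around a known document; with 5-word shingles only the five shingles touching the edited word are lost, so about three quarters of the known fingerprint survives and the copy is still classified.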

Safend Reporter: Reporting and Analysis

Safend Reporter, a license-activated component of the Safend Data Protection Suite, includes several built-in reports that are designed to accommodate the security and operational needs of the organization and its security and IT personnel. The information is provided in a clear, easy to understand format for the benefit of non-technical viewers, such as executives within the organization.

Security Reports – the security reports allow easy detection of specific employees and departments that frequently disregard internal security policies.

Administrative Reports – the administrative reports assist in the deployment, policy distribution and overall visibility of endpoint activity within the organization.

Drill Down Reports - the Safend Reporter interface allows a step-by-step drill down into different aspects of the report, and enables a quick and intuitive transition from a high-level view to specific detailed information.

Reports Export - the reports can either be viewed from within the Safend Data Protection Suite Management Console or be exported to one of several popular formats for viewing and analysis outside of the Management Console.


Report Scheduling - the reports can be scheduled and sent periodically by email to pre-defined recipients in order to ensure continuous tracking of the organization’s data security status and compliance with internal security policies.

Safend Data Protection Suite Management Features

Safend Data Protection Suite Management Server - A single Management Server can be used to manage tens of thousands of endpoints, and can be accessed through the Safend Data Protection Suite Management Console.

Safend Data Protection Suite Management Console - All Safend management tools are combined into a single Management Console, which can be installed and run from any computer on your network. The Management Console provides unified management of policies, logs and Clients. The management console supports one-click deployment from the server website.

Extensive Logging - enables you to view and analyze the logs collected from all the endpoints in your organization, both immediately and over time.

Flexible Monitoring Level - Data-related security incidents are recorded and sent to the Management Server. The administrator can set the record level to be kept: log record only, the incident including all transferred text, or the full incident, including a hidden copy (shadow) of the data. The appropriate monitoring level can be set according to the available storage resources and the expected volume of information.

Logs Data View – Data-related security incidents are filtered, viewed and analyzed from the Management Console. This incident information contains all incident data (subject to activating the appropriate monitoring level), and allows security administrators to easily analyze the incident and understand why it was triggered.

Client Management - allows you to browse the status of your machines and check whether they are protected by the latest version of the Client, what policy they are using, when they were last updated and more.

Immediate Updates – Enables you to push a new policy to Clients without having to wait for the policy update interval to complete. The new policy becomes effective immediately on all connected Clients. In addition, you can collect all the logs accumulated by the Clients on endpoints immediately, without having to wait for the log sending interval to complete.


Active Directory Synchronization - Allows you to look at Logs and manage Clients from your native organizational units view, through the organizational tree. The tree is continuously synchronized with your Active Directory to ensure it remains current at all times.

Built-In Real-Time Alerts – Enable you to issue alerts of your choice (e.g., e-mail, SNMP and more) to desired destinations. Administrators can set the destinations for sending alerts on a per-policy basis. For example, it is possible for alerts from different computers/users to be sent to different email addresses.

Rich End User Interaction - Proper end user information security education is a vital component in a successful security program. Safend Data Protection Suite provides security administrators with the tools necessary for ensuring end user education and involvement in the data protection process.

When a policy violation is detected, a customizable message is displayed to the end user. This message can be configured to require end users to enter the justification for their action, by choosing it from a list of options or entering free text. This is a highly effective method of deterring users from committing potentially harmful actions, without disrupting legitimate business procedures. The information provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process.

Monitoring Actions Based on End User Decisions – subject to the security policy configuration, end user decisions can change the monitoring action applied to a specific incident. For example, the administrator can set the policy to send logs only for data transfer incidents which the user was warned about but decided to commit anyway, and avoid sending logs for incidents which the user aborted.

Internal Database – Safend Data Protection Suite includes a built-in MySQL database in order to simplify the installation of small/medium systems. This database is automatically installed with the Management Server and is fully maintained by the application. No user maintenance is required.

Database Management – Administrators can set the number of days for logs to be stored, as well as set a quota for the database files. Safend Data Protection Suite Management Server also features manual as well as scheduled backups for its keys, configuration and logs (log backup is only available for the Internal Database). These backups can be used when recovering from hardware failures as well as when upgrading hardware platforms.


External Database - Customers with existing database infrastructures may prefer to use them for storing the Safend Data Protection Suite configuration and log information instead of using the built-in internal database provided with the Management Server installation package. This provides higher system scalability and leverages existing infrastructure and know-how.

When installed, the Safend Data Protection Suite Management Server can connect to an existing Microsoft SQL (MSSQL) database instead of creating its internal database. Day-to-day maintenance of this database is still handled by Safend Data Protection Suite, including indexing, purging, and key/configuration backup. However, in this case it is the administrator's responsibility to back up the log data.

MSI-Based Client Deployment - The client installation is packaged as an MSI file, supporting silent as well as manual installation. The client can be deployed with any third-party MSI deployment tool, including Active Directory GPO, Microsoft SMS and IBM Tivoli.

Suspend Client - Enables you to suspend Client operations temporarily, without having to uninstall it, even when the endpoint has no Internet connection. All user actions (such as accessing storage devices or sending a classified e-mail) are allowed and monitored for the duration of the suspension, after which the original policy enforcement is resumed.

Stealth Mode - The Safend Data Protection Suite Agent can be configured to be invisible on endpoints. In this mode, the user does not see the product icon and no end user messages are shown.


Product Walkthrough

System Architecture

The system architecture is presented in the following figure:


The system comprises the following components:

Safend Data Protection Suite Management Server(s) - Store policies and other definitions, collect logs from Clients, enable Client management and distribute policies to Clients. The Management Server(s) use either an internal or an external database as their repository (see below). The Management Server(s) use IIS to communicate with Clients and Management Consoles (over SSL). Controlling Clients is performed via WMI. LDAP-compliant protocols are used to synchronize with the existing organizational objects stored in Active Directory. The Management Server(s) distribute policies directly to Clients (via SSL).

Internal/External Database - Standard databases are used for storing system configuration, policies and log data. Administrators may opt to use the internal MySQL database supplied in the Management Server installation package or to connect to an existing MSSQL database infrastructure. Even though using the internal database is simpler and maintenance-free, connecting to an external database provides better performance and scalability.

Safend Data Protection Suite Management Console - Enables you to manage Clients, view logs, define policies and administer the system. The Management Console can be installed and run from any computer on your network and uses SSL when communicating with the Management Server. The Management Console supports one-click deployment from the server website.

Safend Data Protection Suite Client - Protects and monitors the endpoints in your organization and alerts/reports about user activity. The Client communicates with a Safend Data Protection Suite Management Server using SSL.

Safend Auditor - Although not an integral part of Safend Data Protection Suite, Safend Auditor is a lightweight, client-less tool that goes hand in hand with Safend Data Protection Suite and completes it by providing you with a full view of what ports, devices and networks are (or were previously) in use by your organization's users. You use the output of a Safend Auditor scan to select the devices and networks whose usage you want to approve.

Safend Data Protection Suite Management Server Cluster - A server cluster enables the installation of several Safend Data Protection Suite Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as provide redundancy and high availability.


Safend Policy Definition

What Does a Policy Define?

Using the Safend Data Protection Suite, the administrator can create different types of policies. Each type of policy

configures a different component of the Safend Data Protection Suite:

Hard Disk Encryption Security Policy defines whether or not the data on your internal Hard disks will be encrypted.

Port & Device Control Security Policy specifies your organization’s policy regarding the usage of physical ports,

wireless ports, devices and WiFi networks. It also specifies whether the data on removable storage devices and

CD/DVD media will be encrypted.

Data Control Security Policy specifies your organization’s policy regarding sensitive data transferred out of the

protected machine using endpoint or network data transfer channels.

Data Control Discovery Policy defines the parameters for the data discovery process, which locates and maps

sensitive data stored on the organizational endpoints.

How Do You Define a Policy?

Safend Data Protection Suite Policies are defined in the Safend Data Protection Suite Management Console. You can define one policy for your entire organization, or define different policies for different organizational objects defined in your Active Directory. Policies need to be defined once and are then updated on an as-needed basis as requirements change in your organization.

Once you have defined and distributed a policy to the Safend Data Protection Suite Clients, you can view activity logs from each Client through the Logs World in the Safend Data Protection Suite Management Console.

After analyzing the logs, you may wish to adjust your policies.


Safend Protector: Port & Device Control and Removable Storage Encryption policy

Port Control

Safend Data Protection Suite can intelligently allow, block or restrict the usage of any or all computer ports in your

organization, according to the computer on which they are located, the user who is logged in and/or the type of port.

Safend controls: USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dialup, 3G, etc.), WiFi, IrDA

and Bluetooth ports.

A blocked port is unavailable, as if its wires were cut. An indication that a port is blocked is given when the computer

boots or when a policy is applied that disables a previously allowed port.


Device Control

In addition to controlling port access, Safend Data Protection Suite provides another level of granularity by enabling you to define which devices can access a port.

For USB, PCMCIA and FireWire ports you can define which device types, device models and/or distinct devices can access a port, as follows.

Device Types: This option enables you to restrict access to a port according to the type of device that is connected to it. Examples of device types are printing devices, network adapters, human interface devices (such as a mouse) or imaging devices. The device types that are available for selection are built into Safend Data Protection Suite. If you would like to allow a device that is not of one of the types listed here, you can use the Models or the Distinct Devices option, described below.

Models: This option refers to the model of a specific device type, such as all HP printers or all M-Systems disk-on-keys.

Distinct Devices: This option refers to a list of distinct devices, each with its own unique serial number, meaning each is an actual specific device. For example: the CEO's PDA may be allowed and all other PDAs may be blocked. Note that a device's serial number is reported by the device itself, so a distinct-device whitelist should be treated as an identifier of the device, not as proof of its identity.


Protection against Hardware Key Loggers

Hardware Key Loggers are devices that a hostile party can place between a keyboard and its host computer in order to tap and record keyboard input and steal vital information, especially identities and passwords.

With Safend Data Protection Suite you can block or detect the widest variety of USB and PS/2 hardware keyloggers in the industry.

Storage Control

Storage control provides an additional level of detail in which to specify the security requirements of your organization. It applies to all storage devices regardless of the port to which they are connected. You can block storage devices completely, allow read-only access or encrypt the device.

Like non-storage devices, removable storage devices can also be whitelisted according to the device model or the specific device serial number.


Safend Removable Storage Encryption

Safend Media Encryption allows administrators to mandate the encryption of all the data being transferred off

organization endpoints to approved storage devices, such as USB flash drives, memory sticks and SD cards, as well

as CD/DVD media and external hard drives, using the 256-bit AES encryption algorithm. This provides organizations

with comprehensive protection from both accidental data loss and deliberate leakage of corporate assets.

Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted devices to

company computers. This extends the security borders of organizations and prevents rogue employees from

deliberately leaking data through these high-capacity devices.

Within the organization, media encryption is completely transparent and encrypted devices can be read and used

interchangeably on any computer in the organization. End-users are able to read and write to storage devices just as

they would do normally. However, when the same device is plugged into a computer that is not part of the

organization, the data on it will not be accessible.

The Safend Data Protection Suite administrator can choose whether or not to allow specific users password-

protected access to the data on non-authorized computers. If allowed, individual users are able to set their own

device password, which is required for accessing the device on non-company computers. When plugging in the

device outside the organization, a utility residing on the device is used to validate this password and provide access

to encrypted information.

File Control

File Control includes an additional layer of granularity and security by monitoring and controlling file transfers to/from

external storage devices. Definitions are set at the level of file type, providing the ability to allow or block specific file

transfers as well as to generate logs and alerts, or even to send a hidden copy of the file to the Management Server.

With File Type Control a highly reliable classification of files is performed by inspecting the file header contents rather

than using file extensions, thus preventing users from easily bypassing the protection by renaming file extensions.
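The following is an added example, not code from the guide or from Safend, showing why header-based classification holds up where an extension check does not: the same bytes are classified by their leading magic numbers and, for contrast, by their file name. The signature table, the type names, the block list and the two sample files are constructed for this example; a real product carries far more signatures and deeper checks (for instance, Office OOXML files are ZIP containers and need inspection inside the archive).

```python
"""Header-based file type control (added example; not Safend code).

Classifies a file by its leading bytes (magic numbers) instead of by its
name, so renaming payload.exe to holiday.jpg does not change the verdict.
The signature table, type names and sample files are constructed for this
example; a real product carries far more signatures and deeper checks.
"""
from __future__ import annotations

# (type name, offset, magic bytes) - constructed subset of well-known signatures
SIGNATURES: list[tuple[str, int, bytes]] = [
    ("exe", 0, b"MZ"),                       # PE/DOS executable
    ("elf", 0, b"\x7fELF"),                  # ELF executable
    ("zip", 0, b"PK\x03\x04"),               # ZIP (also OOXML: docx/xlsx/pptx)
    ("pdf", 0, b"%PDF-"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
]

# Extension -> type, as an extension-only check would see it
EXTENSION_TYPES = {
    "exe": "exe", "dll": "exe", "scr": "exe",
    "zip": "zip", "docx": "zip", "xlsx": "zip",
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
}


def classify_header(data: bytes) -> str:
    """Type implied by the file header, or 'unknown' if no signature matches."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def classify_extension(filename: str) -> str:
    """Type implied by the file name alone (the check a rename defeats)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext, "unknown")


def decide(filename: str, data: bytes, blocked_types: set[str]) -> tuple[str, str]:
    """Return (header_type, verdict) for a file written to removable storage.

    verdict is 'block' when the header type is on the block list, 'allow' when
    header and extension agree, and 'allow-mismatch-logged' when the content
    does not match the name, which is what a renamed file looks like and is
    worth a log record even if the type itself is permitted.
    """
    header_type = classify_header(data)
    ext_type = classify_extension(filename)
    if header_type in blocked_types:
        return header_type, "block"
    if "unknown" not in (header_type, ext_type) and header_type != ext_type:
        return header_type, "allow-mismatch-logged"
    return header_type, "allow"


def extension_only_decide(filename: str, blocked_types: set[str]) -> str:
    """The weaker, name-based check, shown for contrast."""
    return "block" if classify_extension(filename) in blocked_types else "allow"


if __name__ == "__main__":
    blocked = {"exe", "elf"}
    # Constructed samples: a PE stub renamed to .jpg, and a genuine JPEG header
    renamed_exe = ("holiday.jpg", b"MZ\x90\x00" + b"\x00" * 60)
    real_jpeg = ("holiday2.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    for name, data in (renamed_exe, real_jpeg):
        print(name, "header:", decide(name, data, blocked),
              "extension-only:", extension_only_decide(name, blocked))
```

The renamed executable is blocked by the header check and allowed by the extension check; the mismatch verdict is what makes a rename visible in the logs even for file types the policy permits.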

File type control and logging is enabled both for files written to external storage devices and files read from them.

However, if you are using the complete Safend Data Protection Suite, including Safend Inspector for Data Control, it

is recommended to use the Port and Device Control Security Policy only for files read from the device, and use the

Data Control Security Policy to control files written to the device according to their classification.

By inspecting both the files downloaded to external storage devices and those uploaded to the protected endpoint,

multiple benefits can be achieved:

An additional protection layer for preventing data leakage (see comment

above)

Prevention of viruses/malware introduced via external storage devices

Prevention of inappropriate content introduced via external storage devices.

Examples of such content: Unlicensed software, Unlicensed content (e.g.,

music and movies), Non work-related content (e.g., personal pictures).


The file control aspect of the policy applies to approved storage devices which were configured to apply file type control in the Devices tab of the policy. For these devices, the relevant file type control configurations apply.


WiFi Control

WiFi control ensures that users connect only to approved networks. Approved networks or ad hoc links are defined by the MAC address of the access point, the SSID of the network, the authentication method and the encryption method. Since an SSID is trivially copied by a rogue access point, an approved link should be defined by the access point MAC address together with the expected authentication and encryption methods, not by SSID alone.


Safend Encryptor: Hard Disk Encryption Policy

Safend Encryptor enforces an enterprise-wide policy which protects the data stored on PC and laptop hard drives, so that sensitive data cannot be read by unauthorized users in case of loss or theft.

Safend Encryptor utilizes Total Data Encryption technology that encrypts all data files, while avoiding unnecessary encryption of the operating system and program files. This concept minimizes the risk of operating system failure and has negligible performance impact on user productivity. Note that this is data-file encryption rather than full-disk encryption: operating system and program files remain in cleartext, so the protection applies to the data files the policy covers.

Leveraging this encryption technology, Safend Encryptor provides a transparent Hard Disk Encryption solution by using the existing Windows login interface for user authentication.

Safend Encryptor utilizes industry-standard AES-256 encryption, and is Common Criteria Certified (Evaluation Assurance Level 2 for Sensitive Data Protection) and FIPS 140-2 Certified. Encryption of data on internal hard drives is controlled by policy and enforced by the Safend Client on the endpoint.

Applying Hard Disk Encryption using Safend Encryptor is performed with a few simple steps, described below. The encryption process is transparent to both end users and security administrators.

Safend Encryptor Encryption Flow:

1. Create a new Hard Disk Encryption Security Policy, set the Internal Hard Disk Encryption to Encrypt and associate the policy with the appropriate machines, groups or OUs.

2. Click OK. This applies the encryption policy to all computers associated with the security policy the next time the Client communicates with the Management Server.

3. Once the policy is updated on the Client, the system automatically conducts machine and user authentication. This phase consists of two steps:

a. Machine registration - makes sure that the machine is listed only once in the domain computer list.

b. User authentication - ensures that the currently logged-on user is a valid domain user, who will be able to access the encrypted data.

4. The Safend Server creates encryption keys and securely distributes them to the Client.

5. The encryption process begins automatically. This process runs in the background and therefore does not require any user action; the user can continue working normally. The user can shut down or restart the endpoint during the encryption process; encryption resumes the next time the computer is powered on. The encryption status and progress is continuously updated on the Management Server, and can be viewed in the Clients World.

6. The machine is now protected, and sensitive data will not be compromised if the computer is lost or stolen. Security administrators can view the current encryption status of the organizational endpoints, either through the Clients World or with the Safend Reporter, by running the Encryption Status Report.

Key Management and Distribution

The system encryption mechanism and Key Management is presented in the following figure (not reproduced here; its labels are listed below):

Document
Document Encrypted with File Encryption Key
File Key is Encrypted with Machine Encryption Key and Protected with User Credentials and Recovery Secrets
Machine Encryption Keys
Endpoint Computer
Safend Management Server
Safend Management Console
SSL Encrypted Log
One Time Access Key, Secret
All Safend Administrator's actions are audited and logged
SSL Communication (between the Endpoint Computer, the Safend Management Server and the Safend Management Console)


Preparations before Encrypting Hard Disks

Before implementing hard disk encryption using Safend Encryptor, it is recommended to follow several steps to ensure smooth and easy product implementation, while enabling swift data recovery in failure scenarios:

1. Backup Server Secrets - create a backup of the server's private and public keys in order to be able to re-install the server in case of a hardware or software failure.

2. Backup Server Configuration (Scheduled Backup) - define a scheduled backup for the server configuration file. All encryption keys are centrally generated and securely stored on the Management Server before encryption is initialized.

Because these backups contain the material needed to recover every encrypted endpoint, store them with the same access controls as the Management Server itself.


Safend Inspector & Discoverer : Configuring Data Classifications

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. Data classification is a set of definitions used by the system to automatically identify data. The Safend Inspector and Safend Discoverer components both utilize the Data Classification Mechanism.

Safend Data Protection Suite includes out-of-the-box, preconfigured classifications identifying common types of sensitive data such as Protected Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers. Organizations can use these classifications as is, or customize them according to their requirements.

To customize a built-in classification, right-click the classification you want to modify and click Customize. Alternatively, organizations can configure their own custom classifications from scratch.


A data classification consists of one or more classification rules and the Boolean relationship between them (and, or, not). The administrator can add additional rules to the classification. Each type of classification rule uses a different method of identifying the data. Together, these rules can be used to create highly accurate data classifications, which are then used to locate and control sensitive data within your organization.
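As an added example, not Safend's classification engine, the block below builds classifications the way the guide describes them: each rule is a predicate over the text, and and/or/not combine rules into a classification. The rule types shown (a Luhn-checked card number rule, a whole-word keyword rule and a regular-expression rule), the "Cardholder Data" and "PII" definitions, the thresholds and the sample texts are constructed assumptions for this example; the point it makes is that combining a Luhn check with context keywords and a negative rule removes the false positives a bare 16-digit regex produces.

```python
"""Composable data classification rules (added example; not Safend's engine).

Each rule is a predicate over text; and/or/not combine rules into a
classification, as the guide describes. The rule types (Luhn-checked card
numbers, keywords, regular expressions), the thresholds and the sample
texts are constructed assumptions for this example.
"""
from __future__ import annotations
import re
from typing import Callable

Rule = Callable[[str], bool]


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: rejects most random 13-16 digit runs that merely
    look like card numbers, which is where naive regexes generate noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-16 digits, optionally separated by spaces or hyphens, as a whole token
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def card_number_rule(min_hits: int = 1) -> Rule:
    """True if the text holds at least min_hits Luhn-valid card-like numbers."""
    def rule(text: str) -> bool:
        hits = 0
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits += 1
        return hits >= min_hits
    return rule


def keyword_rule(*words: str) -> Rule:
    """True if any of the words appears as a whole word (case-insensitive)."""
    pat = re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.I)
    return lambda text: pat.search(text) is not None


def regex_rule(pattern: str) -> Rule:
    pat = re.compile(pattern)
    return lambda text: pat.search(text) is not None


def all_of(*rules: Rule) -> Rule:      # AND
    return lambda text: all(r(text) for r in rules)


def any_of(*rules: Rule) -> Rule:      # OR
    return lambda text: any(r(text) for r in rules)


def not_(rule: Rule) -> Rule:          # NOT
    return lambda text: not rule(text)


# Constructed classifications. "Cardholder Data" requires a valid card number
# AND a supporting context word, AND NOT an explicit test-data marker.
CLASSIFICATIONS: dict[str, Rule] = {
    "Cardholder Data": all_of(
        card_number_rule(),
        any_of(keyword_rule("exp", "expiry", "valid thru"), regex_rule(r"\bCVV\b")),
        not_(keyword_rule("TEST DATA")),
    ),
    # A US-style SSN pattern; a real PII classification would add more rules.
    "PII": regex_rule(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def classify(text: str) -> list[str]:
    """Names of all classifications the text matches."""
    return [name for name, rule in CLASSIFICATIONS.items() if rule(text)]


if __name__ == "__main__":
    for sample in ("Card 4111 1111 1111 1111 exp 12/27",        # constructed: valid
                   "ticket 1234567890123456 expiry soon",        # constructed: fails Luhn
                   "SSN 123-45-6789, card 4111-1111-1111-1111 CVV 123"):
        print(repr(sample), "->", classify(sample))
```

The same structure carries over to the guide's discovery use: run classify over each file's extracted text and emit a record per matched classification name.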


Safend Inspector: Content Inspection & Filtering

Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or even a machine's LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting legitimate business processes or disturbing end user productivity.

A Data Control Security Policy defines how the Safend Data Protection Suite reacts when classified data is transferred through controlled channels. Each data control policy defines how the Safend Data Protection Suite reacts to a specific Data Classification.

The Data Control Security Policy tab is divided into two sections. The first section, Data to Control, allows you to select the classification to which the policy refers. The bottom part of the tab, Channels Where this Data is Restricted, allows you to define what happens when the user attempts to transfer classified data using the specified channels.


Safend Data Protection Suite controls data transferred over the following channels:

Email: controls outgoing e-mail sent using Microsoft Outlook.

Web: controls web posts made using Windows Internet Explorer.

External Storage: controls data transfer to external storage devices (DOK, external HD, SD cards, etc.).

Local Printers: controls data printed to local printers.

Network Printers: controls data printed using a network printer.

Application Data Access Control: controls pre-defined application access to confidential data via direct file access or the clipboard. Applications are divided into application groups, and each application group can be added to any policy and controlled as a data transfer channel.

Note that the e-mail and web channels as described cover Microsoft Outlook and Internet Explorer; other mail clients and browsers are not named as controlled channels in this guide.

Channel Configuration

For each channel, you can define what happens when the user attempts to transfer classified data out of the machine (Security Action):

Allow: Allows the action to be performed.

Block: Stops the action the user is trying to perform.

Encrypt: Allows the data transfer action only if the device is encrypted (external storage only).

Ask User: Prompts the user with an "are you sure?" question, and allows the action to be performed only if the user selects "yes".

You can also configure what kind of event is sent to the server following the user action. You can decide whether the action generates a log or an alert (monitoring action), and what information is included in it (monitoring level).

In addition, you can configure the message which is displayed to the end user following their action. This message can be configured to require end users to enter a justification for their action, by choosing it from a list of options or entering free text. This is a highly effective method of deterring users from committing potentially harmful actions, without disrupting legitimate business procedures. The information provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process.


Finally, you can configure exemptions for each channel. For example, you may want to apply the data control policy to all e-mails except those sent only to recipients in your company, or prevent users from copying confidential data to all external storage devices except the CEO's hardware-encrypted device. Different parameters are used to define exemptions for the different channels.

To define a channel-specific exemption, mark the channel and click Edit Channel. In this window, you can configure the data destinations you wish to exempt from inspection.
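The following is an added example, not Safend's policy engine, that ties together the per-channel Security Action (Allow, Block, Encrypt, Ask User), the monitoring action that can depend on the end user's decision (log only what the user chose to commit), and the channel-specific exemptions just described (internal-only recipients for e-mail, one approved device serial for external storage). The policy data model, the sample policy, the recipient domain and the device serial are constructed assumptions; the justification text the Ask User prompt collects is left to the caller.

```python
"""Data Control Security Policy evaluation (added example; not Safend code).

Models, for one transfer attempt, the guide's per-channel Security Action
(Allow / Block / Encrypt / Ask User), the monitoring action that may depend
on the end user's decision, and channel-specific exemptions. The policy
data model, the sample policy, the recipient domain and the device serial
below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

ALLOW, BLOCK, ENCRYPT, ASK_USER = "allow", "block", "encrypt", "ask_user"


def no_exemption(event: dict) -> bool:
    return False


@dataclass
class ChannelRule:
    action: str                                  # Security Action
    monitor: str = "log"                         # monitoring action: none | log | alert
    log_only_if_committed: bool = False          # drop the record when the user aborts
    exempt: Callable[[dict], bool] = no_exemption  # channel-specific exemption


@dataclass(frozen=True)
class Verdict:
    action: str                  # allow | block
    record: Optional[str]        # None, "log" or "alert" sent to the Management Server


def evaluate(policy: dict[str, ChannelRule], event: dict,
             ask_user: Callable[[dict], bool]) -> Verdict:
    """Decide one transfer. `event` carries 'channel', 'classified' and
    channel-specific fields; `ask_user` answers the "are you sure?" prompt."""
    rule = policy.get(event["channel"])
    if rule is None or not event.get("classified", False) or rule.exempt(event):
        return Verdict(ALLOW, None)      # uncontrolled, unclassified or exempt: not inspected
    record = None if rule.monitor == "none" else rule.monitor

    if rule.action == ENCRYPT:           # external storage only: allowed onto encrypted devices
        return Verdict(ALLOW if event.get("device_encrypted") else BLOCK, record)
    if rule.action == ASK_USER:
        committed = ask_user(event)      # the caller collects the justification text
        if not committed and rule.log_only_if_committed:
            return Verdict(BLOCK, None)  # aborted by the user: nothing sent
        return Verdict(ALLOW if committed else BLOCK, record)
    return Verdict(rule.action, record)  # plain allow / block


# --- constructed sample policy -------------------------------------------
INTERNAL_DOMAIN = "@example.com"                 # assumption: the company's mail domain
APPROVED_DEVICE_SERIALS = {"HWENC-CEO-0001"}     # assumption: the CEO's encrypted drive


def internal_recipients_only(event: dict) -> bool:
    rcpts = event.get("recipients", [])
    return bool(rcpts) and all(r.lower().endswith(INTERNAL_DOMAIN) for r in rcpts)


def approved_device(event: dict) -> bool:
    return event.get("device_serial") in APPROVED_DEVICE_SERIALS


SAMPLE_POLICY: dict[str, ChannelRule] = {
    "email": ChannelRule(ASK_USER, "log", log_only_if_committed=True,
                         exempt=internal_recipients_only),
    "web": ChannelRule(BLOCK, "alert"),
    "external_storage": ChannelRule(ENCRYPT, "log", exempt=approved_device),
    "local_printer": ChannelRule(ALLOW, "log"),
}


if __name__ == "__main__":
    ev = {"channel": "email", "classified": True, "recipients": ["partner@other.example"]}
    print("user proceeds:", evaluate(SAMPLE_POLICY, ev, ask_user=lambda e: True))
    print("user aborts:  ", evaluate(SAMPLE_POLICY, ev, ask_user=lambda e: False))
```

Two points worth checking against any real policy: an exemption short-circuits inspection entirely (so the exempt device or recipient list is itself a security boundary), and with log_only_if_committed an aborted attempt leaves no record on the server, which is the trade-off the guide's "Monitoring Actions Based on End User Decisions" feature describes.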


Safend Discoverer: Endpoint Data Discovery

Understanding where sensitive data is located is the foundation of any data protection project. Safend Data Protection Suite allows security administrators to locate sensitive data stored on organizational endpoints. This process helps identify gaps in data protection and compliance initiatives and provides insight into which policies should be implemented using other components of the Safend Data Protection Suite.

The endpoint discovery process is triggered by applying a Discovery Policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The Discovery Policy also specifies the type of log record that is sent to the Management Server when sensitive data is discovered.

When a Discovery Policy is applied on the endpoint, the Safend Data Protection Suite Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server. The discovery process runs in the background, with minimal effect on endpoint performance.

The status of the discovery process conducted on each endpoint is displayed in the Clients World.


Safend Auditor

Safend Auditor is a tool that goes hand in hand with Safend Data Protection Suite and complements its capabilities by providing you with the visibility needed to identify and manage endpoint vulnerabilities: a full view of what ports, devices and networks are (or were previously) in use by your organization's users. Organizations can use the output of a Safend Auditor scan to select the devices and networks whose usage they want to approve.


Safend Policy Enforcement – Safend Data Protection Suite Client

Safend Data Protection Suite Client is a lightweight software package that runs transparently on endpoint computers, at the kernel level, and enforces protection policies on each machine on which it is installed. It has a minimal footprint (in terms of file size, CPU and memory resources) and includes redundant, multi-tiered anti-tampering features to guarantee permanent control over endpoints.

Safend Data Protection Suite Clients can be silently installed on all endpoints. Once policies have been distributed, the Client immediately starts protecting the computer.

When a violation of a Safend Data Protection Suite policy occurs, or during certain usage activities, a message is displayed on the endpoint computer. A log entry may be created to record this event, according to the preferences you defined in your policy.

If you wish, you may install the Client in Stealth Mode, hiding both the Safend tray icon and messages and making the Safend Data Protection Suite Client invisible to the user at the endpoint.


Safend Data Protection Suite Implementation Workflow

The following is an overview of the workflow for implementing and using Safend Data Protection Suite.

Step 1: Install the Safend Data Protection Suite Management Server and Console.

Step 2 (optional): Install Additional Management Consoles.

Step 3: Define General Safend Data Protection Suite Administration Settings.

Step 4 (optional): Scan Computers and Detect Port/Device Usage. Use Safend Auditor to detect the ports that have been used in your organization and the devices and WiFi networks that are, or were, connected to these ports.

Step 5: Define Safend Data Protection Suite 1st Policies. In this stage, it is recommended to create a permissive policy for the entire organization, which monitors end user activities. This policy allows you to learn how devices and data are used in your organization for legitimate business processes before enforcing a more restrictive policy.

Step 6: Install Safend Data Protection Suite Client on Endpoints.

Step 8: Discover Sensitive Data. In this stage, you create and associate a discovery policy to organizational endpoints to determine which endpoints store sensitive data.

Step 9: Analyze Initial Logs. In this stage, you review the logs received from the endpoints and determine which user activity is an appropriate business process that should be allowed by policy and which is a potentially harmful action that should be blocked.

Step 10: Create and Distribute Enforcement Policies. In this stage you define how data is protected in your organization: which machines and removable storage devices are encrypted, how ports, devices and WiFi networks may be used, and which data can be transferred out of protected endpoints.

Step 11: Endpoints are Protected by Safend Data Protection Suite Policies. In this stage, all security policies are enforced on the endpoints. Logs about attempts to violate these policies, as well as tampering attempts, are created and sent to the Management Server.

Step 12: Monitor Logs and Alerts. View the log entries generated by Safend Data Protection Suite Clients. Analyze these logs and maintain ongoing visibility into the organization's security status, using Safend Reporter.