CyProtect AG - Lumension Sanctuary Device Control
Lumension Sanctuary Device Control
Control Peripheral Devices to Eliminate Data Leakage
The proliferation of data loss due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels. According to recent security reports, 75 percent of Fortune 1000 companies fell victim to data leakage in 2006¹, with an average cost of recovery that exceeded $5,000,000².
Sanctuary Device Control eliminates data loss from removable devices through the policy-based enforcement of device use to control the flow of inbound and outbound data from your endpoints. Sanctuary Device Control ensures security that:
- Controls and manages any I/O devices through any ports including USB, FireWire, WiFi, Bluetooth, etc.
- Prevents data theft / data leakage
- Prevents malware introduction via removable media
- Audits I/O Device usage
- Blocks USB Keyloggers
- Encrypts removable media
- Enables Regulatory Compliance
1. 2006 CSI/FBI Computer Crime and Security Survey
2. Ponemon Institute, 2006 Cost of Data Breach Study
Overview
Sanctuary Device Control allows you to regain control of the peripheral storage devices that your user community attempts to connect to your network assets. Through granular policy-based controls, Sanctuary Device Control reduces risk of data theft, data leakage and malware introduction via unauthorized removable media and assures compliance with the landslide of regulations governing privacy and accountability.
Positive Approach to USB Security
Hardware such as USB memory sticks, FireWire external hard-drives, scanners, music players, digital cameras, PDAs, and CD/DVD burner drives are scattered throughout offices around the world. Their proliferation amplifies the threats posed by outsiders or users who plug in devices that could compromise the security of sensitive data.
By employing a whitelist approach, Sanctuary enables only authorized devices to connect to a network, laptop or PC - facilitating security and systems management, while providing the necessary flexibility to the organization.
Simple, Fast, Flexible Administration and Management
Sanctuary enables administrators to quickly establish and enforce device control policies by rapidly identifying devices and then assigning permissions at a high level or all the way down to a specific application, per user, user group or even a particular computer. Policies can also be enforced by time constraints, encryption, volume of data, data transfer and many other criteria. Sanctuary links device policies to user and user group information stored in Microsoft Active Directory or Novell eDirectory and has also been ported to Windows Embedded platforms in addition to traditional Server and Desktop Windows OS, dramatically simplifying the management of endpoint application resources.
Sanctuary controls the use of a vast range of devices that are key sources of security breaches, and manages and audits device usage according to their type and not on how they are connected. If needed, Sanctuary Device Control can be set to completely block USB ports or any other port (Bluetooth, FireWire, IrDA, WiFi, etc.) or prevent access to any device category independently from the way users are attempting to connect them. Granular policies also allow for access rights (R/W) down to unique device model or identifiable unit per user or user group.
USB Security Built to Scale
With a three-tier architecture and load-balancing capability, Sanctuary is designed to provide USB security to organizations ranging in size from 50 to 100,000 endpoints. Through integration with Active Directory or eDirectory, Sanctuary integrates with your existing technical infrastructure and logical organization. Sanctuary has also been ported to Windows Embedded platforms to protect the growing number of exposed embedded devices.
Comprehensive Security and Auditing Capabilities for USB Devices
Lumension Security Patented Shadowing I/O bi-directional technology tracks information as it is read from or written to floppy, CD/DVD and removable devices, and provides a comprehensive audit log of every event whether allowed or attempted - including those by unauthorized code and all writes to removable media and specific ports. Optionally, a full copy of the data written to or from a device can be captured and retained as well.
Not only is an audit log invaluable in measuring and enforcing policy compliance, it also bundles the information you need as proof of compliance with a number of governmental regulations such as the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
Features & Benefits
| Feature | Function | Benefit |
| --- | --- | --- |
| Whitelist | Assign permissions for authorized devices to user or user group, and by default those not authorized are not allowed | Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage |
| Access Control List Based Permissions | Assign permissions to a user/user group based on their Active Directory or eDirectory identity | Provides granular user permissions that remain with user login regardless of machine |
| Granular Device Control Permission Settings | Permission settings include read/write, scheduled access, temporary access, online/offline, I/O bus type, HDD/non-HDD devices and much more | Eliminates risk of unauthorized devices connecting to the network while providing the flexibility users need to conduct business |
| Uniquely Identify and Authorize Specific Media | Authorize DVD/CD-ROM collections, grant access to users or user groups and encrypt removable media with unique ID's | Limits DVD/CD-ROM access to company standard discs, to avoid use of unauthorized content and/or encrypt removable media to prevent the content from being viewed by unauthorized users |
| Silent Unattended Installations | Install with any deployment tools which use MSI Setup (e.g. Microsoft Systems Management Server (SMS), Group Policies, WinInstall, etc). | Enables faster and easier deployment |
| Plug and Play Devices: Hot Plug Support | Detect Plug and Play Devices "on the fly" | Ensures user productivity is not disrupted by applying permissions for plug and play devices when detected |
| Bi-Directional Shadowing Option | Patented Shadowing technology records filename or complete file that is read from and/or written to a removable device | Captures the flow of information into and out of your network, reducing risk and containing impact of data leakage |
| Restrict the Amount of Data Copied | Restrict the daily amount of data copied from an endpoint to a device on a per-user basis | Removes risk of large pieces of confidential information leaving the network |
| Prevention of PS/2 and USB Hardware Keyloggers | Block PS/2 port, enforce USB keyboard usage and detect/block popular models of USB keyloggers | Reduces risk of attackers capturing passwords and other confidential information through keyloggers |
| Flexible Encryption Options for Removable Media | Administrators may centrally encrypt removable media or force users to encrypt media at time of use | Ensures that sensitive data is not inadvertently exposed to those without authorized access |
| File Type Filtering | Control the type of files that are moved to and from removable devices | Reduces risk of unwanted files from entering and sensitive files from leaving the network |
| Disconnected/Remote Computer Protected | Enables constant protection by keeping a local copy of the last list of permissions on the disconnected machine | Secures computer regardless of network connection, ensuring that remote or disconnected users are also protected |
| Highly Scalable Architecture | Three tier architecture with Database, one or more Application servers, and Client | Provides flexible and scalable deployment options in large and complex networks |
| Powerful Log Analysis and Reporting | Detailed log analysis with flexible filter, sort and display options and stored query templates as well as central reporting | Demonstrates policy compliance and drills down on suspicious behavior for legal or management follow up |
| Active Directory and eDirectory Support | Leverages user and user group definitions in existing Active Directory and eDirectory | Reduces setup and maintenance of users and user groups |
| Multi-Language Support | Supports 12 languages on Sanctuary client machines | Improves user experience in international organizations |
| Custom Reports | Custom query templates can be scheduled to automatically generate reports in HTML, XML or CSV formats and delivered via email or network file share | Produces data required for compliance audit purposes and management reporting in a report format or data format for easy integration into a 3rd party system |
| Password Lockout and Recovery | Lockout users after a number of failed attempts; recover access to devices when passwords are forgotten | Reduces risk of hackers breaking into devices; enables recovery of encrypted data on devices |
| Offline Temporary Permissions | Challenge/response system generates new permissions on disconnected machines, allowing for temporary permissions to users on demand, even when a user is not connected to the network | Enables provision of temporary permissions to users on demand, even when not connected |
Requirements
| Client (32-bit unless specified) | Database | Server | Management Console |
| --- | --- | --- | --- |
| Windows 2000 (SP 4+) Professional, Windows XP Professional, Windows XPe, Windows Embedded Point of Service, Windows XP Tablet PC Edition, Windows Vista (32 and 64 bit) | Windows 2000 Server (SP 4 or later) or Professional, Windows XP Professional (SP2 or later), Windows Server 2003 SP1 or SR2 (32-bit) or Vista (32-bit) | Windows 2000 Server (SP 4 or later) or Windows Server 2003 SP1 or SR2 (32-bit) | Windows 2000 Professional (SP 4 or later), Windows XP Professional (SP2 or later), Windows XPe SP2, Windows Embedded for Point of Service (WEPOS) SP2, Windows XP Tablet PC Edition SP2 and Vista (32- and 64-bit versions) |

Supported Device Types:
- Biometric devices
- COM/serial ports
- DVD/CD drives
- Floppy disk drives
- Imaging devices/Scanners
- LPT/parallel ports
- Modems/Secondary network access devices
- Palm handheld devices
- Plug and Play devices
- Printers (USB/Bluetooth)
- PS/2 ports
- Removable storage devices
- RIM BlackBerry handhelds
- Smart Card readers
- Tape drives
- User Defined devices
- Windows CE handheld devices
- Wireless network interface cards
Supported Connectivity:
- USB
- FireWire
- Bluetooth
- WiFi
- PCMCIA
- PS/2
- LPT
- IrDA
- IDE
- COM
- S-ATA
- SCSI
Interested in Lumension Sanctuary solutions? Please contact us.
Copyright © 2000 - 2008 - CyProtect AG. - All rights reserved.
Contact: info@cyprotect.com
- CyProtect AG, Schatzbogen 58, 81829 Munich, Germany
Tel. +49 89 420447-0 Fax. +49 89 420447-79