GuardianEdge Hard Disk Encryption January 28, 2008
Agenda
• About GuardianEdge
• Product Overview
• Product Introduction
• Competition
• Summary
The Leader in Endpoint Data Protection

Who We Are
GuardianEdge is the leader in enterprise-grade Endpoint Data Protection.
GuardianEdge provides endpoint protection for data that is at rest or portable through enterprise-wide management of:
• Laptops, Desktops, Smartphones
• Disk and Removable Media Encryption
• Port and Device Control
• Policies, Keys, Authentication and Reporting

GuardianEdge Solution Overview
• Data Loss Prevention
• Encrypt data at rest
• PCs, Removable media, Handheld devices
• Data Leakage Prevention
• Control access to ports and devices
• Data classification
• Monitor and block
• Breadth of solution
• Smartphones and PDAs
• Laptops, Desktops, Servers
• Removable media
• Enterprise manageability
• Ease-of-use
• Simple provisioning and updates
• Single console policy management
• Unified audit and reporting
• Extensible and robust infrastructure
• Role-based administration
• Key management
• Strong authentication
Completeness of solution
Breadth of platform support
Depth of Enterprise manageability

GuardianEdge Data Protection Platform
• Data Loss Prevention
• Full Disk Encryption
• Removable Storage Encryption
• Smartphone Encryption
• Advanced Authentication
• Data Leakage Prevention
• Port and Device Access Control
• In-line File Type Inspection
• Activity Logging and Shadowing
• Smartphone Compliance Validation
• Central Unified Management
• Active Directory integrated
• Single console administration
• Common security and management services across applications
• Basic authentication
Endpoint Data Protection Products: Hard Disk Encryption, Removable Storage Encryption, Device Control, Smartphone Protection, Advanced Authentication
Data Protection Services: Key Management, Auditing, Basic Authentication, Encryption, Policy Management, Backup / Recovery
Data Protection Server

Product Overview
• GuardianEdge Hard Disk Encryption
• Solution to critical business problem
• Key benefits
• System diagram
• Endpoint data protection solutions from GuardianEdge
• Integrated solution management

What GuardianEdge Hard Disk Encryption does
• GuardianEdge Hard Disk Encryption allows enterprises to maximize the productivity of mobile computing while eliminating the need for expensive or embarrassing public disclosure in the event of computer theft or loss.
• Gain a competitive advantage by optimizing the benefits of mobile computing
• Eliminate the legal liability, customer service costs and other ramifications of data breach disclosures
• Reduce the cost of meeting regulatory compliance requirements for data security and privacy by leveraging existing IT infrastructure
• Strengthen investor confidence and prevent brand erosion

GuardianEdge Hard Disk Encryption
• Mandatory pre-boot authentication
• Full disk encryption
• Master boot record
• OS and system files
• Swap / hibernation files
• Data / multiple partitions
• Multiple user / administrator accounts
• Linux pre-boot environment
• Multi-factor authentication
• Available when combined with GuardianEdge Advanced Authentication
• Smartcard/CAC card and PKI token support
• Password recovery
• Self-Service Authenti-Check™
• Remote one-time password recovery
• Advanced management tools
• Software setup
• SysAdmin recovery:
• Access drive to repair OS, perform audit
• Wake on LAN
• FIPS 140-2 validated, CC EAL4 pending

Product Introduction
• Full disk encryption
• Pre-boot authentication
• Multiple user and administrator accounts
• Password recovery
• Deployment and administration
• Advanced management tools
• Operating system support
• Security validations
• Multi-factor authentication
• Competition
• Key competitive differentiation

Full disk encryption
• Full partition or disk encryption
• Encrypts system boot partition
• Encrypts up to 26 partitions on system boot disk
• FIPS 140-2 validated AES cryptography
• 256-bit key (default) or 128-bit key for disk encryption
• Excellent performance
• Partition or disk level encryption
• Runs in low priority background
• Users can continue to use their machine
• Power loss feature always enabled
• Run-time encryption
• Users typically do not notice the performance impact
• 5% to 15% depending on a variety of factors

Full disk encryption
• Encrypts all disk sectors
• Includes swap files, hibernation files, temporary files
• Supports standby and hibernation modes
• Encrypts hibernation file
• Prompts for user credentials when resuming from hibernation if pre-boot authentication is enabled
• Low level encryption driver
• Intercepts all Windows calls to read and write files
• Encrypts data from memory and writes to disk
• Decrypts data from disk and writes to memory
• Completely transparent to all Windows applications
• Completely transparent to Windows operating system
• Data stored on disk is always encrypted
• No temporary files with decrypted data

Pre-boot authentication
• Hardened pre-boot operating system
• Small footprint and attack surface
• Adds extra layer of security when enabled
• Users authenticate to pre-boot logon dialog
• Key management included
• Does not require separate key management infrastructure
• User logon credentials securely stored in PB environment
• Single sign-on
• Passes credentials securely to Windows logon client
• User password changes automatically synchronized
• Recovery
• Recovery keys automatically encrypted and escrowed in server
• Optional per installation by administrator
• Customers can elect to deploy without it
• Windows responsible for user authentication
• Drive fully encrypted even if pre-boot authentication is disabled
• Cannot slave drive (appears as unformatted drive)

Multiple user and administrator accounts
• Supports multiple users
• Up to 100 registered users per endpoint
• Option for automatic user registration
• Supports public machines or kiosks
• No prompt for user during registration process
• Clear separation of administrative accounts and roles
• Server administration
• Installation, administration, password management
• Endpoint policy administration
• Creating and deploying security policies to endpoints
• Leverages Active Directory by using Group Policy Objects
• Assisting users with One-Time Password access
• Help Desk personnel
• Read-only access to OTP challenge/response keys
• Hands-on endpoint administration
• User lockout recovery, data recovery, decryption
• Up to 100 Client Administrators per endpoint

Password recovery
• Self-service recovery for lost or forgotten passwords
• Authenti-Check™ challenge/response questions and answers
• Administrator or user provisioned questions
• User provisioned responses
• Administrator option to deploy
• Help Desk assisted One-Time Password
• Challenge/response keys
• Unique to each workstation
• Keys automatically escrowed to server during client check-in
• Separate administrative role with read-only access to necessary key information
• Separate application for Help Desk personnel only
• Administrator option to deploy
• Requires user to change password after OTP gives access to machine

Deployment and administration
• Server installation
• Standard MSI installer packages
• Includes bundled server installer
• Active Directory Application Mode (ADAM)
• Includes management console and administrative tools
• Client installation
• Standard MSI installer package
• Supports installation through GPO or any enterprise software deployment tool
• E.g. Tivoli, SMS, Altiris, etc.
• Silent installation
• Automatically launches disk encryption
• Automatically reports back to server
• Escrows encrypted recovery keys
• Periodically reports state of encryption for all partitions
• Audit trail for validating endpoint state when it is lost or goes missing

Automatic client reporting and audit trail
The GuardianEdge Manager Watchlist displays comprehensive audit information on the state of endpoint encryption.

Deployment and administration
• Management console
• Integrates all GuardianEdge applications into a single console
• MMC snap-in
• Standard and familiar administrative interface for lower TCO
• Natively integrates Active Directory
• Users and Groups
• Group Policy
• Create client installer packages
• Create and deploy security policy
• Monitor state of endpoint encryption
• Policy administration
• Active Directory Group Policy Objects
• Controls security profile on endpoint
• Create and edit policy using standard Microsoft environment
• AD organization tree natively integrated into GuardianEdge Manager
• Deploy policy at any level within the AD OU tree
• Separate administrative role

Native AD integration
Close integration with Active Directory Users and Groups and Group Policy Management enables deployment, administration and reporting within a common and familiar user interface.

Operating system support
• Supports all enterprise Windows 32-bit versions
• Client
• Microsoft Windows 2000 SP4
• Microsoft Windows XP Professional SP2
• Microsoft Windows Vista
• Business Edition
• Ultimate Edition
• Enterprise Edition
• Server
• Microsoft Windows Server 2003
• All service packs
• Support for Microsoft Windows Server 2008 (Longhorn) targeted after release from Microsoft

Advanced management tools
• Comprehensive suite of administrative tools
• Remote machine access
• Supports Wake on LAN
• Pre-boot authentication suppressed for machine maintenance
• Deployed by administrator policy or MSI
• Local machine access
• Enables local machine administration while disk remains encrypted
• Data recovery
• Enables local data recovery for failed or corrupted disks
• Uses escrowed recovery keys if local keys are damaged
• Includes ability to force disk or partition decryption
• Forensic data recovery
• Integration with Guidance Software EnCase forensic data recovery solution
• Server and client key recovery
• Recover server key from encrypted backup
• Create new server key if backup is not available
• Replace client keys to synchronize with new server key

Security validations
• FIPS 140-2 validated cryptographic library
• AES encryption algorithm
• Industry and government standard
• Fast symmetrical encryption algorithm
• Primarily used for data encryption and decryption
• SHA-1 hash algorithm
• One-way hash
• Primarily used for credential and key management
• Securely encrypts user credentials in pre-boot environment
• Pseudo-random number generator
• Generates unique workstation keys for encryption
• Common Criteria
• EAL 1 validated, EAL 4 pending

Multi-factor authentication
• Two-factor authentication support
• Support for tokens and Smartcards in pre-boot authentication
• Supports both password and token authentication
• Requires separate license for GuardianEdge Advanced Authentication module (GEAA)
• Supports tokens and readers
• Tokens and Smartcards
• X.509 certificate-based authentication
• Includes support for US DOD CAC model
• Readers
• Embedded machine readers
• Includes PCMCIA readers
• USB readers
• USB CCID-compatible readers

Why GuardianEdge Hard Disk Encryption
• Strong Security
• 256-bit AES encryption
• FIPS-certified encryption
• Certificate authentication to encrypted data with GuardianEdge Advanced Authentication
• Global Deployability
• 128-bit allows product to be deployed in China, France, etc.
• Best-in-class Machine Coverage
• Years of maturity in driver development and support
• Demonstrated Ability To Scale
• Reference customers with successful large-scale enterprise deployments
• Leverages the existing enterprise IT environment
• Usability
• Password recovery
• Enterprise-grade Manageability
• Single console for data protection administration (HD, DC, and RS)
• Integrates into existing environment
• Does not create separate administrative system
• Minimal learning curve
• Scales operationally
• Scales physically

Competitive Summary
Full Support; Some Support: o; No Support: x
*Requires separate license for GuardianEdge Advanced Authentication

Key Differentiators
• Business differentiation
• Mature offering with many satisfied, large-scale production customers
• Enterprise-wide data protection controls on a shared platform
• Seasoned, experienced enterprise software leadership
• Product differentiation
• Native Active Directory integration
• Familiarity, Robustness, Scalability, Lower TCO
• Single console management across platforms and applications
• Unified Data Loss and Data Leakage protection
• Compliance and Activity reporting
• Extensible SOA Data Protection Platform
• Easy to add additional services and data protection applications

The Leader in Endpoint Data Protection
Protects mobile and desktop data
• Best-in-class machine coverage
• Strong security
• Enterprise-grade manageability
• Global deployability
Trusted, proven partner
• Thirteen-year pioneer in Endpoint Data Protection
• Strong company with mature product, experienced and reliable
• Customers: Over 700 enterprises, 2 million licenses