Safend Data Protection Suite 3 4 Reviewer's Guide

June 2, 2016 | Author: ptarnowskijr | Category: N/A

SAFEND Data Protection Suite™ Reviewer’s Guide

Version 3.4

Reviewer’s Guide SAFEND DATA PROTECTION SUITE™

Important Notice

This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information belonging to Safend Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly authorized Safend Data Protection Suite users, reviewers and evaluators.



No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the expressed prior written permission of Safend Ltd.



The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.



The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.



Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.



The information in this document is provided in good faith but without any representation or warranty whatsoever, whether it is accurate, or complete or otherwise and with the expressed understanding that Safend Ltd. shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.

Copyright 2005-2010 Safend Ltd. All rights reserved. Other company and brand products and service names are trademarks or registered trademarks of their respective holders.

- Page 2 -


About This Guide

This Reviewer’s Guide presents an overview of Safend Data Protection Suite 3.4. It explains how the product works and enables you to understand how to use Safend Data Protection Suite in order to guard your network endpoints.

Reviewer’s Contact Information

Presale contact:
Tomer Greenbaum
Pre-sales and Projects Team Leader
+972-3-644-2662 Ext 201
[email protected]

Marketing contact:
Yael Gelberger
Marcom Manager
Safend
[email protected]

Support contact:
Web: www.safend.com/189-en/Safend.aspx
Email: [email protected]
Phone: 1-888-225-9193


Table of Contents

About Safend ........ 5
The Problem ........ 6
The Safend Data Protection Suite Solution ........ 7
Why Safend? ........ 7
Features List ........ 8
    Safend Encryptor: Hard Disk Encryption ........ 8
    Safend Protector - Port & Device Control and Removable Storage Encryption ........ 8
    Data Classification
    Safend Inspector: Content Inspection & Filtering ........ 11
    Safend Discoverer: Endpoint Data Discovery ........ 12
    Safend Reporter: Reporting and Analysis ........ 13
    Safend Data Protection Suite Management Features ........ 14

Product Walkthrough ........ 17
    System Architecture ........ 17
    Safend Policy Definition ........ 20
        What Does a Policy Define? ........ 20
        How Do You Define a Policy? ........ 20
    Safend Encryptor: Hard Disk Encryption Policy ........ 27
    Safend Protector: Port & Device Control and Removable Storage Encryption policy ........ 21
    Configuring Data Classifications ........ 27
    Safend Inspector: Content Inspection & Filtering ........ 32
    Safend Discoverer: Endpoint Data Discovery ........ 35
    Safend Auditor ........ 36
    Safend Policy Enforcement – Safend Data Protection Suite Client ........ 37

Safend Data Protection Suite Implementation Workflow ........ 38


About Safend

Safend software solutions protect an organization’s confidential information from loss and theft by monitoring, detecting and restricting data transfers from the endpoint. They also allow encrypting both detachable devices and internal hard disks. Safend's solutions, available through channel partners worldwide, are deployed by multi-national enterprises, government agencies and small to large scale companies across the globe.

Safend Data Protection Suite

Safend Data Protection Suite is centrally managed using a single management server, single management console and single, lightweight agent. The combination of the Safend Data Protection Suite license-activated components, Safend Protector, Encryptor, Inspector, Discoverer, Auditor and Reporter, provides a comprehensive endpoint protection solution, thus protecting an organization’s sensitive data residing on PCs, laptops and detachable devices.

Safend Encryptor ensures that mobile users’ data is secure, by encrypting any data stored on internal hard disks.



Safend Protector applies customized, highly-granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media.



Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a whitelisted storage device, an approved WiFi connection, or even a machine’s LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting legitimate business processes and disturbing end user productivity.



Safend Auditor provides organizations with the visibility needed to assess and manage vulnerabilities in an enterprise’s PCs and laptop environment, by identifying and logging all devices that are or have been locally connected, before the Safend Data Protection Agent has been deployed to these endpoints.



Safend Discoverer allows security administrators to locate sensitive data stored on organizational endpoints. It helps identify gaps in data protection and compliance initiatives, and provides insight into what policies should be implemented, using other components of the Safend Data Protection Suite.



Safend Reporter provides security and IT personnel with built-in reports that provide visibility into an organization’s security status and operational needs.


The Problem

Business survival and success are built on data security. Organizations depend on the security of their data, from intellectual property such as business plans and trade secrets, to sensitive customer data like health records, financial information and social security numbers. Regulatory security initiatives such as Sarbanes Oxley (SOX), HIPAA, PCI, FISMA, and the UK Data Protection Act (DPA) require organizations to maintain ongoing visibility into endpoint activity. In today’s sensitive regulatory climate, organizations are expected to demonstrate a comprehensive data protection strategy and an understanding of all data transfer activities.

Industry statistics consistently show that the most significant security threat to the enterprise comes from within. With over 60% of corporate data residing on endpoints, gateway solutions and written security policies alone cannot mitigate the risk. Growing numbers of laptops, removable storage devices, interfaces (physical and wireless), and users with access to sensitive data have made data leakage via endpoints, both accidental and malicious, a very real threat. An inevitable fact of life is that laptops are sometimes lost or stolen. It is simply too easy for sensitive data to walk out the door on an iPod or be uploaded to the Web. According to Forrester, data loss through endpoints is now a leading endpoint security concern, ahead of Malware, Spyware and other threats.

Despite the clear and present danger of data leakage and loss, implementing effective endpoint data protection remains an uphill battle for most organizations. Securing endpoints, without impacting employee productivity and system performance, demands a highly flexible solution that takes into account the dynamics of real-world work environments. Many end users view external devices and outbound communications as personal, and view encryption of any kind as a headache, often balking at and circumventing imposed security measures.

As a result, today’s data protection solutions need to be transparent without compromising the data security of an organization. All possible endpoint data leakage avenues must be managed with powerful, enforceable, tamper-proof security. Endpoint data can exit organizational boundaries in any number of ways: it can be carried away on an unencrypted storage device, mistakenly sent to unauthorized email recipients, or stolen with the laptop it is stored on. An effective endpoint security program must address the entire range of risks in order to properly protect an organization’s data.


The Safend Data Protection Suite Solution

Safend Data Protection Suite provides complete endpoint data protection in a single product, with a single management server and a single, lightweight agent. Featuring easy deployment, seamless maintenance for administrators, and maximum transparency for end users, Safend Data Protection Suite provides comprehensive endpoint data security without sacrificing productivity.

Safend Data Protection Suite eliminates data leakage from endpoints, delivering comprehensive visibility, complete data protection and total control over all available avenues to sensitive data. Only with detailed visibility of endpoint activity, ongoing and historical, can security administrators effectively monitor and enforce a security policy that is in line with real world usage. With Safend Data Protection Suite, security administrators can rapidly query all organizational endpoints while locating and documenting all devices that are or have ever been locally connected. Safend Data Protection Suite’s advanced reporting capabilities provide ongoing insight into the organization’s security status.

Safend Data Protection Suite monitors real-time traffic and applies granular security policies over all physical, wireless and removable storage interfaces. It detects, logs, and restricts unapproved data transfer from any computer in the enterprise. Each computer is protected 100% of the time, even when it is not connected to the network. Safend Data Protection Suite’s control is built from the ground up to enforce a comprehensive security policy which is appropriate for all organizational security needs.

Sensitive data transfers can be controlled at different logical levels: redundant physical and wireless ports can be blocked, devices and wireless networks can be approved or denied by their types and specific characteristics, storage devices’ functionality can be partially or completely disabled, and the data which exits the organizational boundaries through approved data transfer channels can be controlled according to its actual content. Safend Data Protection Suite guards the data stored on hard drives with its innovative, easy to manage hard disk encryption. Safend Data Protection Suite also ensures that mobile users and data are secure by encrypting any data written to removable media such as USB flash drives, external hard drives and CD/DVD.

Why Safend? 

Control all your data protection measures with a single management server, single management console and a single lightweight agent.



Operationally friendly deployment and management.



Best-of-breed port and device control.



Hard disk encryption is completely transparent and does not change end user experience and common IT procedures.



Comprehensive and enforceable removable media encryption.



Full control over sensitive data both inside and outside the organizational network.


Suite Components

Safend Data Protection Suite provides complete endpoint data protection with a single software product. It includes several license-activated components. Each component within the Safend Data Protection Suite can be implemented stand-alone or in combination, and complements your existing security infrastructure. The following are the main features of the product, divided according to the different components:

Safend Protector - Port & Device Control and Removable Storage Encryption

Safend Protector, a license-activated component of the Safend Data Protection Suite, protects endpoints by applying customized, highly-granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media.

Port Control – intelligently allows, blocks or restricts the usage of any or all computer ports in your organization, according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls: USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dialup, 3G, etc.), WiFi, IrDA and Bluetooth ports.



Device Control – Highly granular identification and approval of devices, including a comprehensive list of device types and robust white listing of device models and even distinct devices (by serial number).



Storage Control – Special control over external and internal storage devices, including Removable media, External Hard Drives, CD/DVD media, Floppy and Tape drives. A policy can block usage of device types, models and even distinct devices (by serial number), restrict usage for read only, or enforce encryption (see below).



Removable Media Encryption - Unique to the Safend Data Protection Suite solution is the ability to use encryption to restrict the usage of encrypted storage devices to company computers. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through removable storage devices and media.



Offline Usage of Encrypted Devices - Specific, pre-approved users can access encrypted devices outside the protected organization on unprotected machines using an access password.




Track Offline Usage of Encrypted Devices - Safend Data Protection Suite provides administrators with improved visibility on the usage of encrypted devices outside the organization. With this unique feature, every offline access to an encrypted device is tracked, providing a comprehensive log of each file transfer to/from this device. With this powerful log, administrators can audit users' actions even on non-company computers, in order to validate legitimate use of corporate data.



Configurable Password Policy – Administrators can define the security criteria for the device access password. Administrators can predefine password parameters such as minimal password length and the types of characters it contains, in order to comply with the organization's security guidelines.



Inbound File-Type Control – This feature provides an additional layer of granularity and security by inspecting files for their type as they are transferred from external storage devices, and blocking dangerous or inappropriate content from being used inside the organization.



Granular WiFi control - by MAC address, SSID, or the security level of the network.



Block Hybrid Network Bridging - Safend Data Protection Suite allows administrators to control and prevent simultaneous use of various networking protocols that can lead to inadvertent or intentional hybrid network bridging (such as WiFi bridging and 3G card bridging). Configuring Safend Data Protection Suite Clients to block access to WiFi, Bluetooth, Modems or IrDA links, while the main wired TCP/IP network interface is connected to a network, enables users to employ the various networking protocols only when they are disconnected from the network. This avoids the creation and potential abuse of a hybrid network bridge.



U3 and autorun control - Turns U3 USB drives into regular USB drives while attached to organizational endpoints, and protects against dangerous autolaunch programs by blocking autorun.



Block USB and PS/2 Hardware Key-Loggers - Blocks or detects the widest variety of USB and PS/2 hardware keyloggers in the industry; these are devices that can tap and record every keystroke on your endpoints.


Safend Encryptor: Hard Disk Encryption

As incidents of stolen and lost computers continue to make the headlines, it is crucial for organizations to secure the data stored on the hard drives of PCs and laptops. Safend Encryptor, a license-activated component of the Safend Data Protection Suite, encrypts the data stored on PCs and laptops, so that in the case of loss or theft sensitive data cannot be read by any unauthorized user.

Enforced by Policy - Encryption of data on internal hard drives is controlled by policy, and cannot be bypassed by the end user.



Key Management - Safend Encryptor incorporates a fully automated key management solution. All encryption keys are centrally generated and securely stored on the management server before encryption is initialized. Encryption keys are generated using a FIPS approved PRNG.



Transparent to End Users – Transparently uses Windows login to access the encrypted data and therefore does not require any end user training.



Transparent to Help Desk - Transparently uses the generic AD domain password reset process. No dedicated password recovery procedure is required.



User Authentication - Safend Encryptor transparently supports any multifactor authentication device supported by Windows (smart card, USB token, biometric, etc.), including multi-factor devices that change the Windows GINA or use a custom one.



Encryption Technology - Safend’s encryption concept utilizes Total Data Encryption technology. Using this technology, Safend Encryptor encrypts only files which may contain sensitive data while avoiding encryption of the operating system and program files. The encryption is performed in real time, with minimal performance impact on the endpoint and utilizes the industry standard AES algorithm with 256 bit key length.



Data Recovery - Offers an intuitive, easy to implement recovery process in case of malfunction.



Full Audit Trail - Comprehensive logs are provided for all activities.


Safend Inspector: Content Inspection & Filtering

Safend Inspector, a license-activated component of the Safend Data Protection Suite, provides an additional protection layer for data transferred over approved data transfer channels. It enforces an accurate, data-centric security policy on data transferred from the endpoint without disrupting legitimate business processes and disturbing end user productivity.

Permanent Protection - Whenever a user attempts to extract data from the endpoint, Safend Inspector monitors the action and, if necessary, enforces the appropriate security policy. This protection is activated whether the machine is connected to the organization’s network, a home network or used offline.



Applying Security Actions - According to the security policy, Safend Inspector can enforce the following security actions:
    Block - prevents the user from extracting the information from the endpoint.
    Ask User - warns the user of their problematic action, and asks them if they are sure they want to continue.
    Encrypt - ensures that the data is encrypted when it is extracted from the endpoint (this security action can be enforced only on external storage devices).



Multiple Channels Control - Safend Inspector controls data transferred over the following channels: Email (using Microsoft Outlook), Web (using Windows Internet Explorer), external storage devices, local printers, and network printers. Security administrators can control additional channels using Application Data Access Control, which controls the access of predefined applications to sensitive data.



Channel-Specific Exemptions - Security policies are highly granular, and can include specific exemptions for different protected channels. For example, a security policy can be set to prevent users from downloading confidential data to all external storage devices, except for company issued hardware encrypted devices.


Safend Discoverer: Endpoint Data Discovery

Safend Discoverer, a license-activated component of the Safend Data Protection Suite, allows security administrators to locate sensitive data stored on organizational endpoints.

Policy-Based Endpoint Discovery - the endpoint discovery process is triggered by applying a discovery policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The discovery policy also specifies the type of log record that will be sent to the management server when sensitive data is discovered. When a discovery policy is applied on an endpoint, the Safend Data Protection Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server.



Limit Logs From a Single Endpoint - the administrator can limit the amount of data sent from a single endpoint in order to balance allocation of network and storage resources.

Safend Inspector & Discoverer: Data Classification

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. The Safend Inspector and Safend Discoverer components of the Safend Data Protection Suite both utilize the same data classification mechanism, whose features are described below:

Multiple Classification Techniques - Safend Data Protection Suite provides multiple data identification techniques which can be used individually or in combination to create an effective data classification scheme:
    Keyword Lists – keyword lists are used to identify data transfer incidents which contain specific keywords or keyword sequences. A sophisticated “weight” mechanism facilitates the identification of logical content, by using dictionaries with different importance levels assigned to different phrases.
    Textual Pattern Recognition – Textual pattern recognition is used to identify incidents which contain a pre-defined textual pattern, such as an email address, a phone number, a serial number or a credit card. The patterns are defined using Regular Expressions (.net).


    Mathematical Verifiers – Mathematical Verifiers are applied to content which matches a pre-defined pattern (such as a credit card number or an ID number), and are used to ensure that the content was not falsely matched.
    File Types – Individual file types are recognized according to a full analysis of the file format.
    File Properties – Multiple meta-data parameters can be used to identify sensitive content, including full or partial file name, file size, and more.
    Data Fingerprinting – Data fingerprinting is used to identify known content, even if the data has been partially modified.

Built-in Classifications - Safend Data Protection Suite includes out-of-the-box, pre-configured classifications which identify common types of sensitive data, such as Patient Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers.



Deep Content Inspection – files are analyzed in depth, including data stored inside compressed folders and embedded objects.
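The following Python is an added illustration of how the classification techniques listed above (a weighted keyword list, a textual pattern, and a mathematical verifier that discards false pattern matches) fit together; it is not Safend's code, and the keyword dictionary, weights, threshold and sample text are constructed for the example.

```python
import re

# Constructed keyword dictionary: each phrase carries a "weight" (importance
# level), mirroring the weighted keyword lists described in the guide.
KEYWORDS = {
    "confidential": 3,
    "internal only": 3,
    "patient": 2,
    "diagnosis": 2,
    "invoice": 1,
}

# Textual pattern: 13-19 digits, optionally separated by spaces or hyphens.
# On its own this pattern also matches things that are not card numbers.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mathematical verifier: Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Apply the pattern, then the verifier; return (verified, rejected) digit strings."""
    verified, rejected = [], []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            verified.append(digits)
        else:
            rejected.append(digits)   # matched the pattern but fails the checksum
    return verified, rejected


def keyword_score(text: str, keywords=KEYWORDS):
    """Sum weight * occurrences for every phrase found (case-insensitive)."""
    lowered = text.lower()
    score, hits = 0, []
    for phrase, weight in keywords.items():
        count = lowered.count(phrase)
        if count:
            hits.append((phrase, count))
            score += weight * count
    return score, hits


def classify(text: str, keyword_threshold: int = 4) -> dict:
    """Combine the techniques into classification labels for one piece of content."""
    cards, rejected = find_card_numbers(text)
    score, hits = keyword_score(text)
    labels = []
    if cards:
        labels.append("credit-card")
    if score >= keyword_threshold:
        labels.append("confidential-keywords")
    return {
        "labels": labels,
        "card_numbers": cards,
        "rejected_candidates": rejected,
        "keyword_score": score,
        "keyword_hits": hits,
    }


# Constructed sample content. 4111 1111 1111 1111 is a well-known test card
# number that passes Luhn; the 14-digit invoice reference matches the pattern
# but fails the verifier, so it is reported as a rejected candidate.
SAMPLE_TEXT = """CONFIDENTIAL - internal only.
Patient diagnosis attached. Card on file: 4111 1111 1111 1111.
Invoice reference 12345678901234 (not a card number)."""

if __name__ == "__main__":
    for key, value in classify(SAMPLE_TEXT).items():
        print(f"{key}: {value}")
```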

Safend Reporter: Reporting and Analysis

Safend Reporter, a license-activated component of the Safend Data Protection Suite, includes several built-in reports that are designed to accommodate the security and operational needs of the organization and its security and IT personnel. The information is provided in a clear, easy to understand format for the benefit of non-technical viewers, such as executives within the organization.

Security Reports – the security reports allow easy detection of specific employees and departments that frequently disregard internal security policies.



Administrative Reports – the administrative reports assist in the deployment, policy distribution and overall visibility of endpoint activity within the organization.



Drill down reports - the Safend Reporter interface allows a step-by-step drill down into different aspects of the report, and enables a quick and intuitive transition from a high-level view to specific detailed information.



Reports Export - the reports can either be viewed from within the Safend Data Protection Suite Management Console or be exported to one of several popular formats for viewing and analysis outside of the Management Console.



Report Scheduling - the reports can be scheduled and sent periodically by email to pre-defined recipients in order to ensure continuous tracking of the organization’s data security status and compliance with internal security policies.

Safend Data Protection Suite Management Features 

Safend Data Protection Suite Management Server - A single Management Server can be used to manage tens of thousands of endpoints, and can be accessed through the Safend Data Protection Suite Management Console.



Safend Data Protection Suite Management Console - All Safend management tools are combined into a single Management Console, which can be installed and run from any computer on your network. The Management Console provides unified management of policies, logs and Clients. The management console supports one-click deployment from the server website.



Extensive Logging - enables you to view and analyze the logs collected from all the endpoints in your organization, both immediately and over time.



Flexible Monitoring Level - Data-related security incidents are recorded and sent to the Management Server. The administrator can set the record level to be kept: log record only, the incident including all transferred text, or the full incident, including a hidden copy (shadow) of the data. The appropriate monitoring level can be set according to the available storage resources and the expected volume of information.



Logs Data View – Data-related security incidents are filtered, viewed and analyzed from the Management Console. This incident information contains all incident data (subject to activating the appropriate monitoring level), and allows security administrators to analyze easily the incident and understand why it was triggered.



Client Management - allows you to browse the status of your machines and check whether they are protected by the latest version of the Client, what policy they are using, when they were last updated and more.



Immediate Updates – Enables you to push a new policy to Clients without having to wait for the policy update interval to complete. The new policy becomes effective immediately on all connected Clients. In addition, enables you to collect immediately all the logs that were accumulated by the Clients on endpoints, without having to wait for the log sending interval to complete.




Active Directory Synchronization - Allows you to look at Logs and manage Clients from your native organizational units view, through the organizational tree. The tree is continuously synchronized with your Active Directory to ensure it remains current at all times.



Built-In Real-Time Alerts – Enable you to issue alerts of your choice (e.g., e-mail, SNMP and more) to desired destinations. Administrators can set the destinations for sending alerts on a per-policy basis. For example, it is possible for alerts from different computers/users to be sent to different email addresses.



Rich End User Interaction - Proper end user information security education is a vital component in a successful security program. Safend Data Protection Suite provides security administrators with the tools necessary for ensuring end user education and involvement in the data protection process. When a policy violation is detected, a customizable message is displayed to the end user. This message can be configured to require end users to enter the justification for their action, by choosing it from a list of options or inserting free text. This is a highly effective method of deterring users from committing potentially harmful actions, without disrupting legitimate business procedures. The information provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process.



Monitoring Actions Based on End User Decisions – subject to the security policy configuration, end user decisions can change the monitoring action applied to a specific incident. For example, the administrator can set the policy to send logs only for data transfer incidents which the user was warned about but decided to commit anyway, and avoid sending logs for incidents which the user aborted.



Internal Database – Safend Data Protection Suite includes a built-in MySQL database in order to simplify the installation of small/medium systems. This database is automatically installed with the Management Server and is fully maintained by the application. No user maintenance is required.



Database Management – Administrators can set the number of days for which logs are stored, as well as set a quota for the database files. Safend Data Protection Suite Management Server also features manual as well as scheduled backups of its keys, configuration and logs (log backup is only available for the Internal Database). These backups can be used when recovering from hardware failures as well as when upgrading hardware platforms.




External Database - Customers with existing database infrastructures may prefer to use these for storing the Safend Data Protection Suite configuration and log information instead of using the built-in internal database provided with the Management Server installation package. This provides higher system scalability and leverages existing infrastructures and know-how. When installed, Safend Data Protection Suite Management Server can connect to an existing Microsoft SQL (MSSQL) database instead of creating its internal database. Day-to-day maintenance of this database is still handled by Safend Data Protection Suite, including indexing, purging, and key/configuration backup. However, in this case it is the administrator's responsibility to back up log data.



MSI-Based Client Deployment – The client installation is packaged in an MSI file, supporting silent as well as manual installation. The client can be deployed with any third-party MSI deployment tool, more specifically Active Directory GPO, Microsoft SMS and IBM Tivoli.



Suspend Client – enables you to suspend Client operations temporarily, without having to uninstall it, even when the endpoint does not have any Internet connection. All user actions (such as accessing storage devices or sending a classified email) are allowed and monitored for the duration of the suspension, after which the original policy enforcement is resumed.



Stealth Mode – Safend Data Protection Suite Agent can be configured to be invisible on endpoints. In this mode, the user doesn’t see the product icon and no end user messages are shown.


Product Walkthrough

System Architecture

The system architecture is presented in the following figure:


The system comprises the following components (component – description):

Safend Data Protection Suite Management Server(s) – Safend Data Protection Suite Management Server(s) store policies and other definitions, collect logs from Clients, enable Client management and distribute policies to Clients. The Management Server(s) use either an internal or an external database as their repository (see below). The Management Server(s) use IIS to communicate with Clients and Management Consoles (over SSL). Clients are controlled via WMI. LDAP-compliant protocols are used to synchronize with the existing organizational objects stored in Active Directory. The Management Server(s) distribute policies directly to Clients (via SSL).

Internal/External Database – Standard databases are used for storing system configuration, policies and log data. Administrators may opt to use an internal MySQL database supplied in the Management Server installation package or to connect to an existing MSSQL database infrastructure. Even though using the internal database is simpler and maintenance-free, connecting to an external database provides better performance and scalability.

Safend Data Protection Suite Management Console – This enables you to manage Clients, view logs, define policies and administer the system. The Management Console can be installed and run from any computer on your network and uses SSL when communicating with the Management Server. The Management Console supports one-click deployment from the server website.

Safend Data Protection Suite Client – This protects and monitors the endpoints in your organization and alerts/reports about user activity. The Client communicates with a Safend Data Protection Suite Management Server using SSL.

Safend Auditor – Although not an integral part of Safend Data Protection Suite, Safend Auditor is a lightweight, client-less tool that goes hand in hand with Safend Data Protection Suite and completes it by providing you with a full view of what ports, devices and networks are (or were previously) in use by your organization's users. You use the output of a Safend Auditor scan to select the devices and networks whose usage you want to approve.

Safend Data Protection Suite Management Server Cluster – A server cluster enables the installation of several Safend Data Protection Suite Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as provide redundancy and high availability.


Safend Policy Definition

What Does a Policy Define?

Using the Safend Data Protection Suite, the administrator can create different types of policies. Each type of policy configures a different component of the Safend Data Protection Suite:

Hard Disk Encryption Security Policy defines whether or not the data on your internal hard disks will be encrypted.

Port & Device Control Security Policy specifies your organization’s policy regarding the usage of physical ports, wireless ports, devices and WiFi networks. It also specifies whether the data on removable storage devices and CD/DVD media will be encrypted.

Data Control Security Policy specifies your organization’s policy regarding sensitive data transferred out of the protected machine using endpoint or network data transfer channels.

Data Control Discovery Policy defines the parameters for the data discovery process, which locates and maps sensitive data stored on the organizational endpoints.

How Do You Define a Policy?

Safend Data Protection Suite policies are defined in the Safend Data Protection Suite Management Console. You can define one policy for your entire organization, or define different policies for different organizational objects defined in your Active Directory. Policies need to be defined once and are then updated on an as-needed basis as your organization's needs change. Once you have defined and distributed a policy to the Safend Data Protection Suite Clients, you can view activity logs from each client through the Logs World in the Safend Data Protection Suite Management Console. After analyzing the logs, you may wish to adjust your policies.


Safend Protector: Port & Device Control and Removable Storage Encryption Policy

Port Control

Safend Data Protection Suite can intelligently allow, block or restrict the usage of any or all computer ports in your organization, according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dial-up, 3G, etc.), WiFi, IrDA and Bluetooth ports. A blocked port is unavailable, as if its wires were cut. An indication that a port is blocked is given when the computer boots or when a policy is applied that disables a previously allowed port.


Device Control

In addition to controlling port access, Safend Data Protection Suite provides another level of granularity by enabling you to define which devices can access a port. For USB, PCMCIA and FireWire ports you can define which device types, device models and/or distinct devices can access a port, as follows:

- Device Types: This option enables you to restrict access to a port according to the type of device that is connected to it. Examples of device types are printing devices, network adapters, human interface devices (such as a mouse) or imaging devices. The device types that are available for selection are built into Safend Data Protection Suite. If you would like to allow a device that is not of one of the types listed here, you can use the Models or the Distinct Devices option, described below.

- Models: This option refers to the model of a specific device type, such as all HP printers or all M-Systems disk-on-keys.

- Distinct Devices: This option refers to a list of distinct devices, each with its own unique serial number, meaning each is an actual specific device. For example, the CEO's PDA may be allowed and all other PDAs may be blocked.
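The precedence between these three levels can be shown with a small policy evaluator. The following is an added example written for this guide, not Safend code: the device fields, the rule order (distinct device before model before device type) and every ID and serial number are assumptions made for the illustration.

```go
package main

import "fmt"

// Device is the identity an endpoint agent can read from a plugged-in
// device: its class (type), the vendor/product IDs that name its model, and
// the serial number that names the distinct unit. Constructed for this example.
type Device struct {
	Class     string // e.g. "storage", "pda", "hid", "printer"
	VendorID  uint16
	ProductID uint16
	Serial    string
}

// Model is a device model: one vendor/product ID pair.
type Model struct{ VendorID, ProductID uint16 }

// DevicePolicy holds the three granularities the guide describes. Rules are
// checked from most to least specific: a distinct-device rule overrides a
// model rule, which overrides a device-type rule; Default covers the rest.
type DevicePolicy struct {
	DistinctDevices map[string]string // serial -> "allow" | "block"
	Models          map[Model]string  // model  -> "allow" | "block"
	DeviceTypes     map[string]string // class  -> "allow" | "block"
	Default         string
}

// Decide returns the action and the rule level that produced it, so the
// incident log says why a device was allowed or blocked.
func (p DevicePolicy) Decide(d Device) (action, matchedBy string) {
	if d.Serial != "" {
		if a, ok := p.DistinctDevices[d.Serial]; ok {
			return a, "distinct-device"
		}
	}
	if a, ok := p.Models[Model{d.VendorID, d.ProductID}]; ok {
		return a, "model"
	}
	if a, ok := p.DeviceTypes[d.Class]; ok {
		return a, "device-type"
	}
	return p.Default, "default"
}

// ExamplePolicy mirrors the guide's example: the CEO's PDA is allowed and
// every other PDA is blocked, both by model and by type; human interface
// devices are allowed by type. All IDs and serials are constructed values.
func ExamplePolicy() DevicePolicy {
	return DevicePolicy{
		DistinctDevices: map[string]string{"PDA-CEO-0001": "allow"},
		Models:          map[Model]string{{0xABCD, 0x0001}: "block"},
		DeviceTypes:     map[string]string{"hid": "allow", "pda": "block"},
		Default:         "block",
	}
}

func main() {
	p := ExamplePolicy()
	for _, d := range []Device{
		{"pda", 0xABCD, 0x0001, "PDA-CEO-0001"},
		{"pda", 0xABCD, 0x0001, "PDA-USER-0042"},
		{"hid", 0xABCD, 0x0077, ""},
		{"camera", 0xABCD, 0x0099, "CAM-1"},
	} {
		a, by := p.Decide(d)
		fmt.Printf("%-6s vid=%04x pid=%04x serial=%-14q -> %-5s (%s)\n",
			d.Class, d.VendorID, d.ProductID, d.Serial, a, by)
	}
}
```

A distinct-device rule is the tightest of the three levels, but the serial number is reported by the device itself in its USB descriptors, so a match identifies what the device claims to be rather than proving the hardware; recording which rule level admitted a device, as Decide does, lets reviewers see at a glance whether an allow came from a serial, a model or a whole device class.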


Protection against Hardware Key Loggers

Hardware key loggers are devices that can be placed by a hostile entity between a keyboard and its host computer in order to tap and record keyboard input and steal vital information, especially identities and passwords. With Safend Data Protection Suite you can block or detect the widest variety of USB and PS/2 hardware keyloggers in the industry.

Storage Control

Storage control provides an additional level of detail in which to specify the security requirements of your organization. This applies to all storage devices regardless of the port to which they are connected. You can block storage devices completely, allow read-only access or encrypt the device.

Like non-storage devices, removable storage devices can also be white-listed according to the device model or the specific device serial number.


Safend Removable Storage Encryption

Safend Media Encryption allows administrators to mandate the encryption of all data being transferred off organization endpoints to approved storage devices, such as USB flash drives, memory sticks and SD cards, as well as CD/DVD media and external hard drives, using the 256-bit AES encryption algorithm. This provides organizations with comprehensive protection from both accidental data loss and deliberate leakage of corporate assets. Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted devices to company computers. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through these high-capacity devices. Within the organization, media encryption is completely transparent, and encrypted devices can be read and used interchangeably on any computer in the organization. End users are able to read and write to storage devices just as they would normally. However, when the same device is plugged into a computer that is not part of the organization, the data on it will not be accessible. The Safend Data Protection Suite administrator can choose whether or not to allow specific users password-protected access to the data on non-authorized computers. If allowed, individual users are able to set their own device password, which is required for accessing the device on non-company computers. When plugging in the device outside the organization, a utility residing on the device is used to validate this password and provide access to the encrypted information.

File Control

File Control adds a layer of granularity and security by monitoring and controlling file transfers to/from external storage devices. Definitions are set at the level of file type, providing the ability to allow or block specific file transfers as well as to generate logs and alerts, or even to send a hidden copy of the file to the Management Server.
With File Type Control, a highly reliable classification of files is performed by inspecting the file header contents rather than using file extensions, thus preventing users from easily bypassing the protection by renaming file extensions. File type control and logging are enabled both for files written to external storage devices and for files read from them. However, if you are using the complete Safend Data Protection Suite, including Safend Inspector for Data Control, it is recommended to use the Port and Device Control Security Policy only for files read from the device, and to use the Data Control Security Policy to control files written to the device according to their classification. By inspecting both the files downloaded to external storage devices and those uploaded to the protected endpoint, multiple benefits can be achieved:

- An additional protection layer for preventing data leakage (see comment above)

- Prevention of viruses/malware introduced via external storage devices

- Prevention of inappropriate content introduced via external storage devices. Examples of such content: unlicensed software, unlicensed content (e.g., music and movies), non-work-related content (e.g., personal pictures).
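Header-based classification next to extension-based classification, as an added example that is not part of the original guide and not Safend code. The signature table, the policy layout and the read/write directions are assumptions made for the illustration: a renamed executable is classified from its leading bytes, and the extension is kept only so that the log record can show the mismatch.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// signature pairs a file type with the leading bytes ("magic number") that
// identify it. This table is a small constructed sample; a real product
// ships a far larger one.
type signature struct {
	Type  string
	Magic []byte
}

var signatures = []signature{
	{"pe-executable", []byte("MZ")},
	{"pdf", []byte("%PDF-")},
	{"zip-container", []byte("PK\x03\x04")}, // also Office OOXML and JAR
	{"png", []byte("\x89PNG\r\n\x1a\n")},
	{"jpeg", []byte{0xFF, 0xD8, 0xFF}},
}

// TypeByHeader classifies a file from its contents, which is what the guide
// means by inspecting the file header rather than the extension.
func TypeByHeader(data []byte) string {
	for _, s := range signatures {
		if bytes.HasPrefix(data, s.Magic) {
			return s.Type
		}
	}
	return "unknown"
}

// TypeByExtension is the weaker approach: renaming the file defeats it.
func TypeByExtension(name string) string {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".exe", ".dll", ".sys":
		return "pe-executable"
	case ".pdf":
		return "pdf"
	case ".zip", ".docx", ".xlsx", ".jar":
		return "zip-container"
	case ".png":
		return "png"
	case ".jpg", ".jpeg":
		return "jpeg"
	}
	return "unknown"
}

// FileTypePolicy lists, per transfer direction, the detected types that are
// blocked. "read" is device -> endpoint, "write" is endpoint -> device.
type FileTypePolicy struct {
	Blocked map[string]map[string]bool
}

// Verdict is the decision plus the fields an incident record should carry.
type Verdict struct {
	Action     string // "allow" or "block"
	Direction  string
	ByHeader   string
	ByExt      string
	Mismatched bool // extension disagrees with content: worth logging
}

// Evaluate decides on the content-derived type only; the extension is kept
// for the log so an analyst can see a renamed file at a glance.
func (p FileTypePolicy) Evaluate(direction, name string, data []byte) Verdict {
	v := Verdict{Action: "allow", Direction: direction,
		ByHeader: TypeByHeader(data), ByExt: TypeByExtension(name)}
	v.Mismatched = v.ByHeader != v.ByExt
	if p.Blocked[direction][v.ByHeader] {
		v.Action = "block"
	}
	return v
}

// SamplePolicy (constructed) blocks executables coming off removable media,
// the malware path the guide mentions, and blocks executables and archives
// being copied out.
func SamplePolicy() FileTypePolicy {
	return FileTypePolicy{Blocked: map[string]map[string]bool{
		"read":  {"pe-executable": true},
		"write": {"pe-executable": true, "zip-container": true},
	}}
}

func main() {
	p := SamplePolicy()
	renamed := []byte("MZ\x90\x00\x03\x00\x00\x00") // constructed PE stub
	fmt.Printf("%+v\n", p.Evaluate("read", "holiday.jpg", renamed))
	fmt.Printf("%+v\n", p.Evaluate("write", "report.docx", []byte("PK\x03\x04...")))
}
```

Signature matching on the first bytes is what makes the renaming bypass fail; the Mismatched flag is the cheap detection opportunity that falls out of doing both checks, since a file whose extension and content disagree is worth a log line even when the policy allows the transfer.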


The file control aspect of the policy applies to approved storage devices which were configured to apply file type control in the Devices tab of the policy:

For these devices, the relevant file type control configurations will apply:


WiFi Control

WiFi control ensures that users connect only to approved networks. You define the approved networks or ad hoc links by the MAC address of the access point, the SSID of the network, the authentication method and the encryption method.


Safend Encryptor: Hard Disk Encryption Policy

Safend Encryptor enforces an enterprise-wide policy which protects the data stored on PC and laptop hard drives, so that sensitive data cannot be read by unauthorized users in the case of loss or theft. Safend Encryptor utilizes Total Data Encryption technology, which encrypts all data files while avoiding unnecessary encryption of the operating system and program files. This innovative concept minimizes the risk of operating system failure, and poses negligible performance impact on user productivity. Leveraging this unique encryption technology, Safend Encryptor provides a genuinely transparent hard disk encryption solution by using the existing Windows login interface for user authentication. Safend Encryptor utilizes industry-standard AES-256 encryption, and is Common Criteria Certified (Evaluation Assurance Level 2 for Sensitive Data Protection) and FIPS 140-2 Certified. Encryption of data on internal hard drives is controlled by policy and enforced by the Safend Client on the endpoint. Applying hard disk encryption using Safend Encryptor is performed with a few simple steps, described below. The encryption process is completely transparent to both end users and security administrators.

Safend Encryptor Encryption Flow:

1. Create a new Hard Disk Encryption Security Policy, set the Internal Hard Disk Encryption to Encrypt and associate the policy with the appropriate machines, groups or OUs.

2. Click OK. This applies the encryption policy to all computers associated with the security policy the next time the Client communicates with the Management Server.

3. Once the policy is updated on the Client, the system automatically conducts machine and user authentication. This phase comprises two steps:

   a. Machine registration – makes sure that the machine is listed only once in the domain computer list.

   b. User authentication – ensures that the currently logged-on user is a valid domain user, who will be able to access the encrypted data.

4. The Safend Server creates encryption keys and securely distributes them to the Client.

5. The encryption process begins automatically. This process runs in the background, and therefore does not require any user action, and the user can continue working normally. The user can shut down or restart the endpoint during the encryption process; encryption will resume the next time the computer is powered on. The encryption status and progress are continuously updated on the Management Server, and can be viewed in the Clients World.

6. The machine is now protected, and secure data will not be compromised in case the computer is lost or stolen. Security administrators can view the current encryption status of the organizational endpoints, either through the Clients World or with the Safend Reporter, by running the Encryption Status Report.

Key Management and Distribution

The system encryption mechanism and Key Management is presented in the following figure:

Figure: Key management and distribution. Labelled elements: Safend Management Server; Safend Management Console; Endpoint Computer; SSL Communication (between the components); SSL Encrypted Log; Machine Encryption Keys; One Time Access Key, Secret; All Safend Administrator’s actions are audited and logged; File Key is Encrypted with Machine Encryption Key and Protected with User Credentials and Recovery Secrets; Document Encrypted with File Encryption Key; Document.
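The key hierarchy the figure labels (file key encrypted with the machine key; machine key protected by user credentials and by a recovery secret; document encrypted with the file key) is shown below as an added example. It is not Safend's implementation: it uses AES-256-GCM for every wrapping step, assumes the user-credential key and the recovery secret are already 32-byte keys (in practice they would be derived from the user's credentials and from a server-held secret), and does not model the one-time access key in the figure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, prefixing a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; the GCM tag check fails on a wrong key or tampering.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewKey returns a fresh random 256-bit key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// MachineKeyRecord is the server-side record for one endpoint: the machine
// key wrapped under a key tied to the user's credentials and again under a
// recovery secret, so either path can unlock it. (Illustrative layout.)
type MachineKeyRecord struct{ ByUserCredential, ByRecoverySecret []byte }

func ProtectMachineKey(machineKey, userKey, recoveryKey []byte) (rec MachineKeyRecord, err error) {
	if rec.ByUserCredential, err = seal(userKey, machineKey); err != nil {
		return rec, err
	}
	rec.ByRecoverySecret, err = seal(recoveryKey, machineKey)
	return rec, err
}

// UnlockMachineKey accepts either the user-credential key or the recovery key.
func UnlockMachineKey(rec MachineKeyRecord, key []byte) ([]byte, error) {
	for _, wrapped := range [][]byte{rec.ByUserCredential, rec.ByRecoverySecret} {
		if mk, err := unseal(key, wrapped); err == nil {
			return mk, nil
		}
	}
	return nil, errors.New("key does not unlock this machine key record")
}

// ProtectedDocument is a per-file key wrapped under the machine key plus
// the document body encrypted under that file key.
type ProtectedDocument struct{ WrappedFileKey, Body []byte }

func EncryptDocument(machineKey, plaintext []byte) (doc ProtectedDocument, err error) {
	fileKey := NewKey() // one key per document, never reused
	if doc.Body, err = seal(fileKey, plaintext); err != nil {
		return doc, err
	}
	doc.WrappedFileKey, err = seal(machineKey, fileKey)
	return doc, err
}

func DecryptDocument(machineKey []byte, doc ProtectedDocument) ([]byte, error) {
	fileKey, err := unseal(machineKey, doc.WrappedFileKey)
	if err != nil {
		return nil, err
	}
	return unseal(fileKey, doc.Body)
}
```

Wrapping the machine key twice is what makes the recovery path in the figure work: a lost credential does not mean lost data, because the recovery secret unlocks the same machine key, while the GCM tag check rejects any other key, so a wrong key fails closed instead of producing garbage plaintext. It also shows why the guide's preparation steps insist on backing up the server's keys and configuration before encryption starts: without the server-held wrapping material, the wrapped file keys on the endpoints are unrecoverable.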


Preparations before Encrypting Hard Disks

Before implementing hard disk encryption using Safend Encryptor, it is recommended to follow several steps to ensure smooth and easy product implementation, while enabling swift data recovery in all failure scenarios:

1. Backup Server Secrets – create a backup of the server’s private and public keys in order to be able to re-install the server in case of a hardware or software failure.

2. Backup Server Configuration (Scheduled Backup) – define a scheduled backup for the server configuration file. All encryption keys are centrally generated and securely stored on the Management Server before encryption is initialized.


Safend Inspector & Discoverer: Configuring Data Classifications

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. A data classification is a set of definitions used by the system to automatically identify data. The Safend Inspector and Safend Discoverer components both utilize the data classification mechanism. Safend Data Protection Suite includes out-of-the-box, preconfigured classifications identifying common types of sensitive data such as Patient Health Information (PHI), Personally Identifiable Information (PII) and credit card numbers. Organizations can use these classifications as is, or customize them according to their requirements. To customize a built-in classification, right-click the classification you want to modify and click Customize:

Alternatively, organizations can configure their own custom classifications from scratch.


Data classification consists of one or more classification rules and the Boolean relationship between them (and, or, not):

The administrator can add additional rules to the classification. Each type of classification rule uses a different method of identifying the data:

Together, these rules can be used to create highly accurate data classifications, which will be used to locate and control sensitive data within your organization.
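As an added example, not Safend's classification engine, the following implements the rule tree described above: individual rules combined with and, or and not into named classifications. The rule types, the Luhn check on card-number candidates and the sample classifications are assumptions made for the illustration.

```go
package main

import (
	"regexp"
	"strings"
)

// Rule is one classification rule; Match reports whether text satisfies it.
type Rule interface{ Match(text string) bool }

// Keyword matches when the word appears in the text, case-insensitively.
type Keyword string

func (k Keyword) Match(text string) bool {
	return strings.Contains(strings.ToLower(text), strings.ToLower(string(k)))
}

// CreditCard finds 13-16 digit candidates and keeps only those with a valid
// Luhn checksum, so an order or phone number is not classified as a card.
type CreditCard struct{}

var cardCandidate = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)

func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d = d*2/10 + d*2%10 // digit sum of the doubled value
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

func (CreditCard) Match(text string) bool {
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, cand := range cardCandidate.FindAllString(text, -1) {
		if luhnValid(strip.Replace(cand)) {
			return true
		}
	}
	return false
}

// And, Or and Not give the Boolean relationships between rules.
type And []Rule
type Or []Rule
type Not struct{ R Rule }

func (a And) Match(t string) bool {
	for _, r := range a {
		if !r.Match(t) {
			return false
		}
	}
	return true
}

func (o Or) Match(t string) bool {
	for _, r := range o {
		if r.Match(t) {
			return true
		}
	}
	return false
}

func (n Not) Match(t string) bool { return !n.R.Match(t) }

// Classification names a rule tree.
type Classification struct {
	Name string
	Rule Rule
}

// SampleClassifications are constructed stand-ins for the guide's built-in
// PHI, PII and credit-card classifications, not Safend's own definitions.
func SampleClassifications() []Classification {
	return []Classification{
		{"Payment Card Data", CreditCard{}},
		{"Patient Health Information", And{Keyword("patient"),
			Or{Keyword("diagnosis"), Keyword("prescription")}}},
		{"Internal Only", And{Keyword("confidential"),
			Not{Keyword("approved for public release")}}},
	}
}

// Classify returns the names of every classification the text matches.
func Classify(text string, cs []Classification) []string {
	var hits []string
	for _, c := range cs {
		if c.Rule.Match(text) {
			hits = append(hits, c.Name)
		}
	}
	return hits
}
```

Pairing the digit pattern with the Luhn checksum is the usual way to keep a credit-card rule from firing on order numbers and phone numbers, and the not combinator lets one classification carve out an exception (a document already cleared for release) without a second classification to maintain.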


Safend Inspector: Content Inspection & Filtering

Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or even a machine’s LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting legitimate business processes and disturbing end user productivity. A Data Control Security Policy defines how the Safend Data Protection Suite reacts when classified data is transferred through controlled channels. Each data control policy defines how the Safend Data Protection Suite reacts to a specific Data Classification.

This tab is divided into two sections. The first section, Data to Control, allows you to select the classification to which the policy will refer. The bottom part of the tab, Channels Where this Data is Restricted, allows you to define what will happen when the user attempts to transfer classified data using the specified channels.


Safend Data Protection Suite controls data transferred over the following channels:

- Email: controls outgoing email using Microsoft Outlook.

- Web: controls web posts using Windows Internet Explorer.

- External Storage: controls data transfer to external storage devices (DOK, external HD, SD cards, etc.).

- Local Printers: controls data printed to local printers.

- Network Printers: controls printing data using a network printer.

- Application Data Access Control: controls pre-defined application access to confidential data via direct file access or the clipboard. Applications are divided into application groups, and each application group can be added to any policy and controlled as a data transfer channel.

Channel Configuration

For each channel, you can define what happens when the user attempts to transfer classified data out of the machine (Security Action):

- Allow: Allows the action to be performed.

- Block: Stops the action the user is trying to perform.

- Encrypt: Allows the data transfer action only if the device is encrypted (external storage only).

- Ask User: Prompts the user with an "are you sure?" question, and allows the action to be performed only if the user selected "yes".

You can also configure what kind of event will be sent to the server following the user action. You can decide if the action will generate a log or an alert (monitoring action), and what information will be included in it (monitoring level). In addition, you can configure the message which will be displayed to the end user following their actions. This message can be configured to require end users to enter the justification for their action, by choosing it from a list of options or inserting free text. This is a highly effective method of deterring users from committing potentially harmful actions, without disrupting legitimate business procedures. The information which is provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process:


Finally, you can configure exemptions for each channel. For example, you may want to apply the data control policy to all emails except for those sent only to recipients in your company, or prevent users from downloading confidential data to all external storage devices except for the CEO’s hardware encrypted device. Different parameters are used to define exemptions for the different channels. To define the channel specific exemption, mark the channel and click Edit Channel. In this window, you can configure the data destinations you wish to exempt from inspection.


Safend Discoverer: Endpoint Data Discovery

Understanding where sensitive data is located is the foundation of any data protection project. Safend Data Protection Suite allows security administrators to locate sensitive data stored on organizational endpoints. This process helps identify gaps in data protection and compliance initiatives and provides insight into which policies should be implemented using the other components of the Safend Data Protection Suite. The endpoint discovery process is triggered by applying a Discovery Policy to the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The Discovery Policy also specifies the type of log record that will be sent to the Management Server when sensitive data is discovered.

When a Discovery Policy is applied on the endpoint, the Safend Data Protection Suite Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server. The discovery process runs in the background, with minimal effect on endpoint performance. The status of the discovery process conducted on each endpoint is displayed in the Clients World.


Safend Auditor

Safend Auditor is a tool that goes hand in hand with Safend Data Protection Suite and complements its capabilities by providing you with the visibility needed to identify and manage endpoint vulnerabilities: a full view of what ports, devices and networks are (or were previously) in use by your organization's users. Organizations can use the output of a Safend Auditor scan to select the devices and networks whose usage they want to approve.


Safend Policy Enforcement – Safend Data Protection Suite Client

Safend Data Protection Suite Client is a lightweight software package that transparently runs on endpoint computers, at the kernel level, and enforces protection policies on each machine on which it is applied. It has a minimal footprint (in terms of file size, CPU and memory resources) and includes redundant, multi-tiered anti-tampering features to guarantee permanent control over endpoints. Safend Data Protection Suite Clients can be silently installed on all endpoints. Once policies have been distributed, the Client immediately starts protecting the computer. When a violation of a Safend Data Protection Suite policy occurs or during certain usage activities, a message is displayed on the endpoint computer. A log entry may be created to record this event, according to the preferences you defined in your policy. If you wish, you may install the Client in Stealth Mode, hiding both the Safend tray icon and messages and making the Safend Data Protection Suite Client invisible to the user at the endpoint.


Safend Data Protection Suite Implementation Workflow

The following is an overview of the workflow for implementing and using Safend Data Protection Suite.

Step 1: Install the Safend Data Protection Suite Management Server and Console.

Step 2 (optional): Install Additional Management Consoles.

Step 3: Define General Safend Data Protection Suite Administration Settings.

Step 4 (optional): Scan Computers and Detect Port/Device Usage. Use Safend Auditor to detect the ports that have been used in your organization and the devices and WiFi networks that are, or were, connected to these ports.

Step 5: Define the First Safend Data Protection Suite Policies. In this stage, it is recommended to create a permissive policy for the entire organization, which monitors end user activities. This policy will allow you to learn how devices and data are used in your organization for legitimate business processes before enforcing a more restrictive policy.

Step 6: Install Safend Data Protection Suite Client on Endpoints.

Step 8: Discover Sensitive Data. In this stage, you create a discovery policy and associate it with organizational endpoints to determine which endpoints store sensitive data.

Step 9: Analyze Initial Logs. In this stage, you review the logs received from the endpoints and determine which user activity is an appropriate business process which should be allowed by policy and which is a potentially harmful action which should be blocked.

Step 10: Create and Distribute Enforcement Policies. In this stage you define how data is protected in your organization: which machines and removable storage devices are encrypted, how ports, devices and WiFi networks may be used, and which data can be transferred out of protected endpoints.

Step 11: Endpoints Are Protected by Safend Data Protection Suite Policies. In this stage, all security policies are enforced on the endpoints. Logs about attempts to violate these policies, as well as tampering attempts, are created and sent to the Management Server.

Step 12: Monitor Logs and Alerts. View the log entries generated by Safend Data Protection Suite Clients. Analyze these logs and maintain ongoing visibility into the organization’s security status, using Safend Reporter.
