Sanctuary Device Control

Control Removable USB Devices to Protect Data

The rapidly growing issue of data leakage due to the accidental or sometimes malicious use of removable media devices (such as USB sticks, CDs, DVDs, etc.) has reached alarming levels. In fact, over 85 percent of privacy and security professionals reported at least one breach and almost 64 percent reported multiple breaches that required notification.¹ Information such as customer data, personally identifiable information (PII), corporate data such as financials, and intellectual property such as product specs is worth billions to some. And the costs of data recovery, customer notification, loss of brand equity and ultimately lost business are rising rapidly as well, with the average yearly cost up to $6.3 million.²

Debunking the Most Common Myths about Data Protection
Lumension Security's SVP Business Development sits down to debunk the most common myths about data protection.

Sanctuary Device Control from Lumension Security prevents data loss and theft by enforcing removable device use policies to control the flow of inbound and outbound data from your endpoints. Ensuring the protection of data-at-rest or data-in-motion, Sanctuary Device Control can:

  • Identify all the devices that are currently connected or have ever been connected to network assets
  • Protect against data theft and data loss
  • Enforce the encryption of information transferred to removable media, including USB sticks, CDs, DVDs and more
  • Control and manage any removable devices through any ports including USB, FireWire, WiFi, Bluetooth, etc.
  • Deliver detailed forensics of device usage and data transfer
  • Prevent malware introduction via removable media

1. Deloitte & Touche and Ponemon Institute, Enterprise@Risk: 2007 Privacy & Data Protection Survey, December 2007
2. Ponemon Institute, 2007 Cost of Data Breach Study, November 2007

WHAT OUR CUSTOMERS SAY
“Sanctuary® Device Control ensures that no device, unless authorized, can ever be used, no matter how it gets plugged in.”
Paul Douglas, ADIR Desktop Build Team Manager, Barclays

Overview

Sanctuary Device Control from Lumension Security enforces enterprise-wide usage policies for removable devices and data (such as read/write, encryption). Using a whitelist / “default deny” approach, administrators can centrally:

  • Manage and control access of any “plug and play” device by class, model and/or specific ID;
  • Uniquely identify and authorize specific media;
  • Implement file copy limitations (amount per day, time of day) and file type filtering;
  • Enforce encryption policies for data moved onto removable devices / media;
  • Apply permissions to specific and/or groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access;
  • Create role-based Admin accounts (e.g., for regional sites);
  • Save a copy of the entire file being moved using the patented bi-directional shadowing technology, or just log the file name; and
  • Create both standard and customized reports on all system activity which can be saved into a repository, shared via email, and/or imported into 3rd party applications.

Sanctuary Device Control from Lumension Security enables organizations to embrace productivity-enhancing tools while limiting the potential for data leakage (and the impacts thereof).


Device Control and USB Security for the Enterprise

USB memory drives, FireWire external hard-drives, CD/DVD burner drives, PDAs / smartphones, scanners, MP3 players / iPods, and digital cameras are scattered throughout offices around the world. While these devices enable increased collaboration and productivity, they also create risk of data being lost, misused or stolen. Sanctuary Device Control from Lumension Security provides organizations centralized “on-the-fly” management of removable devices / media without impeding productivity. Furthermore, automated agent installation on endpoints minimizes administrative and end-user training costs.


Proactive Approach to Data Protection

Sanctuary Device Control from Lumension Security provides proactive data protection using a whitelisting or “default deny” approach: endpoints (e.g., desktops, laptops) can only be accessed by explicitly authorized devices, while all other devices are prohibited by default. Not only does this provide the flexibility required to promote new productivity tools while enforcing policies which reduce risk, it eliminates the need to keep up with the ever-changing landscape (new devices, new people, new threats) that organizations face daily. This reduces the security workload, allowing organizations to focus on more strategic activities such as developing more robust security policies.


Complete Control over Data Transfer and Port Access

Sanctuary Device Control from Lumension Security enables administrators to quickly establish and enforce data protection policies by rapidly identifying all devices that are now or have ever been connected to the network, and via which endpoints and ports. Permissions can be assigned to specific users and/or groups of users (both on- and off-line), devices (including class, manufacturer or even specific ID), ports and endpoints. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory. Data usage restrictions can include file copy limitations (amount per day, time of day), file type filtering and forced encryption.
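The policy model described in the Overview, Proactive Approach and Complete Control sections (default deny, whitelist rules scoped by device class, model or unique ID, assigned to users or groups, with read/write levels, bus restrictions, file type filtering and a daily copy limit) is illustrated by the following added example. It is not Sanctuary or Lumension code and does not reproduce the product's data formats; the rule scoring, the group and user names, the device serial numbers and the 50 MB quota are all constructed for illustration. The point it makes concrete is the lookup order: the most specific matching rule decides, and a device with no matching rule at all is denied.

```python
"""Default-deny ("whitelist") policy evaluation for removable devices.
Added example, not Sanctuary/Lumension code; all names, serials and
quotas below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DENY, READ, READ_WRITE = 0, 1, 2   # access levels, least to most permissive

@dataclass(frozen=True)
class Device:
    dev_class: str    # e.g. "removable_storage", "cd_dvd"
    model: str        # vendor/model string reported by the OS
    unique_id: str    # per-device serial; values below are constructed
    bus: str          # "usb", "firewire", "bluetooth", ...

@dataclass(frozen=True)
class Rule:
    principal: str                          # "user:<name>" or "group:<name>"
    access: int
    dev_class: Optional[str] = None         # match on class, or ...
    model: Optional[str] = None             # ... on model, or ...
    unique_id: Optional[str] = None         # ... on one specific device
    buses: frozenset = frozenset()          # empty = any bus
    allowed_ext: frozenset = frozenset()    # empty = any file type
    daily_quota: Optional[int] = None       # bytes per user per day; None = unlimited

    def specificity(self) -> int:
        """Unique ID beats model beats class; a user rule beats a group rule."""
        score = 100 if self.unique_id else 10 if self.model else 1 if self.dev_class else 0
        return score + (1000 if self.principal.startswith("user:") else 0)

    def matches(self, dev: Device, user: str, groups: set) -> bool:
        principals = {"user:" + user} | {"group:" + g for g in groups}
        return (self.principal in principals
                and (self.unique_id is None or self.unique_id == dev.unique_id)
                and (self.model is None or self.model == dev.model)
                and (self.dev_class is None or self.dev_class == dev.dev_class)
                and (not self.buses or dev.bus in self.buses))

class Policy:
    def __init__(self, rules):
        self.rules = list(rules)
        self._used = {}   # (user, day) -> bytes written so far that day

    def effective_rule(self, dev, user, groups) -> Optional[Rule]:
        """Most specific matching rule; None means no whitelist entry, i.e. deny."""
        hits = [r for r in self.rules if r.matches(dev, user, groups)]
        return max(hits, key=Rule.specificity) if hits else None

    def access(self, dev, user, groups) -> int:
        rule = self.effective_rule(dev, user, groups)
        return rule.access if rule else DENY

    def may_write(self, dev, user, groups, filename, size, day=None) -> bool:
        """Write check: access level, then file-type filter, then daily quota."""
        rule = self.effective_rule(dev, user, groups)
        if rule is None or rule.access < READ_WRITE:
            return False
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if rule.allowed_ext and ext not in rule.allowed_ext:
            return False
        key = (user, day or date.today())
        if rule.daily_quota is not None and self._used.get(key, 0) + size > rule.daily_quota:
            return False
        self._used[key] = self._used.get(key, 0) + size   # only allowed writes count
        return True

MB = 1024 * 1024

def build_policy() -> Policy:
    """Constructed sample policy (hypothetical groups, users and serials)."""
    return Policy([
        # Finance may read any USB removable storage, but not write to it.
        Rule("group:finance", READ, dev_class="removable_storage", buses=frozenset({"usb"})),
        # Only the company-issued stick is writable: office documents only, 50 MB/day.
        Rule("group:finance", READ_WRITE, unique_id="SN-EXAMPLE-0001",
             allowed_ext=frozenset({"docx", "xlsx", "pdf"}), daily_quota=50 * MB),
        # One user is explicitly blocked from that stick; the user rule wins.
        Rule("user:mallory", DENY, unique_id="SN-EXAMPLE-0001"),
    ])

CORP_STICK = Device("removable_storage", "Acme Flash 8GB", "SN-EXAMPLE-0001", "usb")
UNKNOWN_STICK = Device("removable_storage", "NoName Flash", "SN-UNKNOWN-9999", "usb")
FW_DISK = Device("removable_storage", "Acme FW Disk", "SN-UNKNOWN-0002", "firewire")

def demo() -> dict:
    """Runs the scenarios against a fresh policy and returns each decision."""
    p, fin = build_policy(), {"finance"}
    return {
        "corp_stick_finance": p.access(CORP_STICK, "alice", fin),        # READ_WRITE
        "unknown_stick_finance": p.access(UNKNOWN_STICK, "alice", fin),  # READ
        "firewire_finance": p.access(FW_DISK, "alice", fin),             # DENY: bus not whitelisted
        "unknown_stick_other": p.access(UNKNOWN_STICK, "bob", {"eng"}),  # DENY: no rule at all
        "corp_stick_mallory": p.access(CORP_STICK, "mallory", fin),      # DENY: user rule wins
        "write_xlsx": p.may_write(CORP_STICK, "alice", fin, "q3.xlsx", 10 * MB),      # True
        "write_exe": p.may_write(CORP_STICK, "alice", fin, "tool.exe", 4096),         # False: type filter
        "write_over_quota": p.may_write(CORP_STICK, "alice", fin, "big.pdf", 45 * MB), # False: 55 MB > 50 MB
        "write_within_quota": p.may_write(CORP_STICK, "alice", fin, "ok.pdf", 40 * MB), # True: exactly 50 MB
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two design points worth noting: ties between rules of equal specificity resolve to the first rule listed, so an administrator should order such rules deliberately; and the quota counter is only advanced by writes that were actually permitted, so a denied oversized copy does not consume the user's remaining allowance.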


Comprehensive USB Security and Auditing Capabilities

A comprehensive log of every event (e.g., attempts to connect what device to which endpoint via what port), whether allowed or not, is generated. Optionally, Lumension Security’s bi-directional shadowing technology can capture and retain a full copy of all data written to and/or read from removable devices (e.g., USB flash drives, CDs/DVDs).
This detailed information is valuable in quantifying risk to the organization. In addition, it helps demonstrate compliance with data protection regulations and standards such as SOX, HIPAA or PCI DSS. Finally, it is invaluable for forensics, or after-the-fact event re-creation.
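The three uses the section names for the event log (inventory of which devices have ever been seen on which endpoints and ports, quantifying how much data leaves via removable media, and after-the-fact reconstruction) are illustrated by the following added example. It is not Lumension code and the `key=value` line layout is a constructed format, not Sanctuary's real log format; the endpoints, users, serials and byte counts are likewise constructed sample data. Beyond what the text states, it also flags users who accumulate several denied attempts in a short window, which is the kind of pattern a reviewer would look for in such a log.

```python
"""Summarising a device-control audit log for inventory, risk and forensics.
Added example, not Lumension code; the log format and all sample events
are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical endpoints, users and serials).
SAMPLE_LOG = """\
2008-03-04T09:12:33Z endpoint=WS-0042 user=alice port=usb class=removable_storage id=SN-EXAMPLE-0001 action=connect result=allowed
2008-03-04T09:13:01Z endpoint=WS-0042 user=alice port=usb class=removable_storage id=SN-EXAMPLE-0001 action=write file=q3.xlsx bytes=1048576 result=allowed
2008-03-04T09:40:10Z endpoint=WS-0017 user=bob port=usb class=removable_storage id=SN-UNKNOWN-9999 action=connect result=denied
2008-03-04T09:40:15Z endpoint=WS-0017 user=bob port=usb class=removable_storage id=SN-UNKNOWN-9999 action=connect result=denied
2008-03-04T09:41:02Z endpoint=WS-0017 user=bob port=firewire class=removable_storage id=SN-UNKNOWN-9999 action=connect result=denied
2008-03-04T11:05:44Z endpoint=WS-0099 user=alice port=usb class=removable_storage id=SN-EXAMPLE-0001 action=write file=customers.csv bytes=5242880 result=allowed
2008-03-04T11:06:00Z endpoint=WS-0099 user=alice port=usb class=removable_storage id=SN-EXAMPLE-0001 action=write file=tool.exe bytes=4096 result=denied
"""

def parse_event(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict; 'ts' becomes a datetime, 'bytes' an int."""
    ts, _, rest = line.strip().partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev.get("bytes", 0))   # connect events carry no byte count
    return ev

def device_inventory(events) -> dict:
    """Device ID -> sorted (endpoint, port) pairs it has ever appeared on, allowed or not."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["id"]].add((ev["endpoint"], ev["port"]))
    return {dev: sorted(pairs) for dev, pairs in seen.items()}

def bytes_out_per_user(events) -> dict:
    """Bytes actually written to removable media per user (allowed writes only)."""
    out = Counter()
    for ev in events:
        if ev["action"] == "write" and ev["result"] == "allowed":
            out[ev["user"]] += ev["bytes"]
    return dict(out)

def repeated_denials(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """Users with at least `threshold` denied events inside any `window`-long span."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "denied":
            by_user[ev["user"]].append(ev["ts"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)

def analyse(log_text: str) -> dict:
    """Parses a whole log and returns the three summaries together."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return {"inventory": device_inventory(events),
            "bytes_out": bytes_out_per_user(events),
            "repeated_denials": repeated_denials(events)}

if __name__ == "__main__":
    for section, value in analyse(SAMPLE_LOG).items():
        print(section, value)
```

The inventory deliberately includes denied connection attempts, since a device that was refused is still a device that was brought into the building; the byte total, by contrast, counts only permitted writes, because that is the data that actually left an endpoint.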

Features & Benefits

Feature | Function | Benefit
Whitelist | Assign permissions for authorized devices to a user or user group; by default, devices not authorized are not allowed | Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage
Policy Controlled Encryption for Removable Media and CD/DVD | Administrators may centrally encrypt removable media and CD/DVDs, or force users to encrypt media and CD/DVDs at the time of use | Ensures that sensitive data is not inadvertently exposed to those without authorized access
Uniquely Identify and Authorize Specific Media | Authorize DVD/CD-ROM collections, grant access to users or user groups, and encrypt removable media with unique IDs | Limits DVD/CD-ROM access to company standard discs, to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing
Flexible Policy with Granular Control | Permission settings include read/write, scheduled access, temporary access, online/offline, I/O bus type, HDD/non-HDD devices and much more | Eliminates the risk of unauthorized devices connecting to the network while providing the flexibility users demand
Plug and Play Devices | Detect Plug and Play devices "on the fly" | Ensures user productivity is not disrupted, by applying permissions for Plug and Play devices as they are detected
Patented Bi-Directional Shadowing Option | Shadowing technology records data that is read from and/or written to a removable device | Captures the flow of information into and out of your network, reducing risk and containing data leakage
Data Copy Restriction | Restrict the daily amount of data copied from an endpoint to a device on a per-user basis | Removes the risk of large pieces of confidential information leaving the network
Role Based Access Control | Assign permissions to a user/user group based on their Active Directory or eDirectory identity | Provides granular user permissions that remain with the user login regardless of machine
PGP Whole Disk Encryption | Administrators may optionally enforce standard FIPS-compliant encryption technology, with centralized encryption key management and support for large secondary hard drives, provided by PGP Whole Disk Encryption | Ensures that data on external devices can be protected with FIPS-validated encryption
File Type Filtering | Control the type of files that are moved to and from removable devices | Reduces the risk of unwanted files (or malware) entering, and sensitive files leaving, the network
Password Lockout | Lock out users after three failed password attempts | Reduces the risk of hackers breaking into lost or stolen devices
Password Recovery | Recover access to devices when passwords are forgotten or a user leaves the company | Enables recovery of encrypted data on devices
Multi-Language Support | Supports 12 languages on Sanctuary client machines | Improves user experience in international organizations
64-bit Platform Support | Utilize and protect powerful 64-bit business infrastructure with Sanctuary, including agent support for 64-bit Windows Server 2003, Windows XP and Windows Vista as well as 64-bit support for SQL Server 2005 | Delivers device control capabilities for both 32- and 64-bit platforms

Requirements

Supported Device Types:
  • Biometric devices
  • COM/serial ports
  • DVD/CD drives
  • Floppy disk drives
  • Imaging devices/Scanners
  • LPT/parallel ports
  • Modems/Secondary network access devices
  • Palm handheld devices
  • Plug and Play devices
  • Printers (USB/Bluetooth )
  • PS/2 ports
  • Removable storage devices
  • RIM BlackBerry handhelds
  • Smart Card readers
  • Tape drives
  • User Defined devices
  • Windows CE handheld devices
  • Wireless network interface cards
Supported Connectivity:
  • USB
  • FireWire
  • Bluetooth
  • WiFi
  • PCMCIA
  • PS/2
  • LPT
  • IrDA
  • IDE
  • COM
  • S-ATA
  • SCSI

Supported Operating Systems:

Values give the supported architecture (32-bit and/or 64-bit) of each component on that platform; "-" means not supported, "n/a" means not applicable.

Platform / Version | Agent | Console | Server | Database
Windows 2000 Professional (SP4+) | 32 | 32 | - | 32
Windows 2000 Server (SP4+) | 32 | 32 | 32 | 32
Windows XP Professional (SP2+) | 32 and 64 | 32 | - | 32
Windows Server 2003 (SP1/SR2+) | 32 and 64 | 32 | 32 | 32 and 64
Windows Vista | 32 and 64 | - | - | -
Windows XP Embedded (XPe) (SP2+) | 32 | n/a | n/a | n/a
Windows Embedded Point of Service (WEPOS) (SP2+) | 32 | n/a | n/a | n/a
Windows XP Tablet PC Edition (SP2+) | 32 | n/a | n/a | n/a
Citrix Access Gateway 4.2 | yes | n/a | n/a | n/a
Citrix Access Gateway 4.5 | yes | n/a | n/a | n/a
Citrix Presentation Server 4.0 for Windows Server 2003 (SP1/SR2+) | 32 | n/a | n/a | n/a
Citrix Presentation Server 4.5 for Windows Server 2003 (SP1/SR2+) | 32 and 64 | n/a | n/a | n/a
SQL 2005 Express Edition (SP2+) | n/a | n/a | n/a | 32
SQL Server 2000 (SP4+) | n/a | n/a | n/a | 32
SQL Server 2005 (SP2+) | n/a | n/a | n/a | 32 and 64

Hardware Requirements:

Component | Disk space | Memory | Other
Agent | 8 MB free disk space for program files; 15 MB for the installation. With Shadowing enabled, disk space requirements could grow up to several GB (depending on intervals between logging onto the network) | 256 MB (512 MB recommended) | -
Management Console | 150 MB free disk space for program files; 15 MB for the installation | 128 MB (512 MB recommended) | Display = 1024x768
Application Server | 4 MB free disk space for program files; 15 MB for the installation | 128 MB (512 MB recommended) | MDAC v2.6 SP1 or later, if you are using Windows 2000 Server
Database | 1 MB free disk space for program files; 40 MB for the installation. From 10 MB up to several GB for data (depending on the number of users) | 512 MB (2.0 GB recommended) | Microsoft SQL Server 2000 SP4; Microsoft SQL 2005 SP1; Microsoft SQL 2005 SP1 64-bit; SQL Server 2005 Express Edition (requires Microsoft .NET Framework 2.0). MDAC v2.6 SP1, if using Windows 2000 Server