Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security Management

Laptops and mobile devices—carrying more business-critical data than ever before—are frequently the target of theft or accidental loss. And with a host of removable media devices connecting to networks every day, keeping your data safe has never been more important. In this session we'll discuss the capabilities Novell ZENworks Endpoint Security Management provides to do just that. You'll learn about the product's unique file and folder-based encryption (with advanced data encryption key management), removable storage device controls, USB device controls, and other features designed to protect data residing on lost or stolen devices.

1. Protection Against Lost or Stolen Data with Novell ZENworks® Endpoint Security Management
   Brent Beachem, Software Consultant Engineer, Novell, Inc. / bbeachem@novell.com
   Merrill Smith, Software Consultant Engineer, Novell, Inc. / mksmith@novell.com
   Steve McLain, Senior Software Engineer, Novell, Inc. / stmclain@novell.com

2. Agenda
   • Overview of current reality of “mobile data”
   • Examples of recent and common lost or stolen data scenarios
   • Simple examples of ZENworks® Endpoint Security Management (ZESM) features to mitigate these security breaches
   • Detailed discussion and examples of using native ZESM features to resolve these security breaches
     – Encryption
     – USB Controls
     – Adapter Controls
   • Discussion on unique 3rd party integration options for ZESM
   NOTE: PLEASE... Ask questions and interrupt!
   © Novell, Inc. All rights reserved.
3. Mobile Endpoints = Mobile Data
   • “There used to be this thing called the ‘Network Perimeter’”.
   [Figure: Exhibit 2, The Borderless Enterprise (Source: Yankee Group, 2009). Employees, suppliers and customers reach the business's front- and back-office systems (ERP, CRM, SCM, collaboration software) from desktops, laptops, phones, PDAs and pagers over e-mail, fax, voice mail, messaging and audio/video conferencing.]

4. Mobile Devices + Mobile Endpoints = Even More Mobile Data
   • USB-enabled electronics device annual shipments will double from 1.4 billion in 2005 to 2.8 billion in 2010.
     – Storage devices (flash drives as large as 256 GB today)
     – Networking adapters (rapid rise in Wireless USB)
     – Printers, scanners, webcams (all with storage devices embedded)
     – MP3/iPods – over 240 million iPods alone have been sold by Jan 2010
   • Bluetooth – over 12 million Bluetooth enabled devices are sold every week.
   • eSATA, PCMCIA, 1394a/b, USB, etc.
     – Removable storage device interfaces offering up to several terabytes in data storage capacity
   [Chart: USB products vs. other devices (Source: In-STAT/MDR)]

5. Key Areas Of Sensitive Data
   Data at Rest
     – File shares, Servers, Laptops: Microsoft file shares; Unix file shares; NAS/SAN storage; Windows 2000, 2003; Windows XP, Vista
     – 300+ File Types: Microsoft Office files; PDFs; PSTs; Zip files
     – Databases and Repositories: SharePoint, Documentum; Lotus Notes, Exchange; Microsoft Access; Oracle, SQL, DB2; Contact Mgmt Systems
   Data in Motion
     – File shares, Servers, Laptops: SMTP email; Exchange, Lotus, etc.; Webmail; Text and attachments
     – Instant Messages: Yahoo IM; MSN Messenger; AOL Messenger
     – Web Traffic: FTP; HTTP; HTTPS; TCP/IP
   Data in Use
     – Print and Burn: Local printers; Network printers; Burn to CDs/DVDs
     – USB: External hard drives; Memory sticks; Removable media
     – Copy and Save As: Copy to network shares; Copy to external drives; Save As to external drives
6. Examples of Recent and Common Lost or Stolen Data Scenarios
   • Stanford University
     – Stolen laptop with unencrypted data
   • Cal State Los Angeles, CA
     – Employee USB storage device stolen with unencrypted data
   • Veterans Administration
     – Stolen laptop with unencrypted data
     – USB storage device used to move data from work to home
   • TJ Stores (TJX)
     – “War Driving” parking lot hacking of WEP keys

7. Stanford University
   • 72,000 personal records
   • Names, SSNs, birth dates, addresses, salary info, etc.
   • Questions remain: “Has the information been used?”
   • School issued credit monitoring service – $3.6 M
   • Breach:
     – Stolen laptop contained unencrypted records

8. Cal State Los Angeles
   • 2,500 student and faculty ‘personal records’
   • CSLA immediately issued ‘User Guidelines for Portable Electronic Storage Media’
     – “All confidential, personal, and proprietary information stored on portable electronic storage media must be encrypted.”
   • Breach:
     – Unencrypted USB drive stolen from car

9. Veterans Administration
   • 28.6 M records stolen
   • Class-action lawsuits filed on behalf of every veteran
   • Breach:
     – Data removed from unencrypted (stolen) laptop
     – Employee removed data from office on USB storage device to ‘work from home’

10. TJ Stores (TJX) - TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, Bob’s Stores
    • 47.5 M credit / debit card numbers stolen
    • Largest data breach in US history
    • $216 M ‘breach cost’ (estimate)
    • Transaction data from 2003 – 2006 compromised
    • Data used in $8 M ‘Gift Card’ scheme
    • Breach:
      – ‘War Driving’ – parking lot Wi-Fi hacking
      – Wireless transmissions only protected by ‘broken’ WEP protocol

11. High Profile Breaches
    [Chart: high-profile breaches (Source: Privacy Rights Clearinghouse)]
12. Resolutions for Recent and Common Lost or Stolen Data Scenarios
    Data Breach → Resolution
    – Lost or stolen laptop with unencrypted, sensitive data → Require fixed disk data encryption
    – Lost or stolen RSD with unencrypted, sensitive data → Require encryption of RSD or control use of RSD
    – Unauthorized movement of data with USB device → Control use of USB devices
    – Wi-Fi hacking of WEP keys → Prevent connections to insecure (or less secure) Wi-Fi devices

13. Details of ZENworks® Endpoint Security Management Fixed Disk Encryption Solution
    Encrypt Safe Harbors on Fixed Disks
    – What we do
      > File and folder based encryption
      > Policy-defined “safe harbors”
      > User-selectable “safe harbors”
      > Secondary authentication for decryption
      > Simplified encryption key management
    – What we don't do
      > Directly compete with Full Disk Encryption (FDE) - see comparison table for trade-offs
      > Cost as much as FDE

14. Trade-offs of Full Disk Encryption (FDE) Versus File/Folder Encryption
    Full Disk Encryption
    – Automatically ensures the entire hard drive (or partition) is encrypted (you don't have to force sensitive data to be stored in a “safe harbor” location).
    – Automatically encrypts the pagefile, hibernate file, and other OS files containing sensitive information loaded in memory and written to disk during power state transitions.
    – Decryption requires a pre-boot authentication (PBA) login when the machine boots up. This is a HUGE COST for corporations wanting to do remote computer diagnostics, patches, etc.
    – Data recovery options can be cumbersome or difficult.
    – Some disk encryption implementations are controlled only by username/password (others have smart card or certificate based authentication). Simple authentication mechanisms can easily be compromised.
    ZENworks® Endpoint Security Management File/Folder Based Encryption
    – Specified “safe harbor” folders are designated for saving sensitive data (most commercial-grade applications allow for mandating that files be saved in specified locations; Microsoft applications can be controlled by Group Policy Object (GPO) settings).
    – The allowance (and use) of the pagefile, hibernate file, and other OS files containing sensitive information can be controlled by GPO settings.
    – No PBA required. Administrators always have the ability to access and decrypt data through normal remote administration tools.
    – Data recovery options are built into the policies, and separate, simple tools exist.
    – Secondary authentication and strong password requirements exist for file/folder decryption.
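Slides 13 and 14 rest on one point: file/folder encryption only protects data that is actually saved inside a designated safe harbor, which is why the comparison stresses mandating save locations. The following Python script is an added example, not Novell's code or a ZESM tool; it is the audit a defender would run for that gap. It walks a directory tree, flags files that look sensitive (a constructed SSN pattern stands in for a real classifier) and reports those that sit outside the safe-harbor folders. The folder names, the pattern and the sample files are all constructed for the demo.

```python
"""Audit sensitive files against the policy's "safe harbor" folders.

Added example, not Novell's code or a ZESM tool. Folder names, the
sensitivity pattern and the sample files are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

# Stand-in classifier: a US-style SSN (NNN-NN-NNNN), one of the record types
# the Stanford slide lists. A real DLP classifier is far richer; this is
# enough to exercise the audit logic.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_sensitive(path: Path) -> bool:
    """True if the file's text matches the sensitivity pattern."""
    try:
        return bool(SSN_RE.search(path.read_text(errors="ignore")))
    except OSError:
        return False


def inside_safe_harbor(path: Path, safe_harbors: list) -> bool:
    """True if path lies under one of the designated safe-harbor folders."""
    resolved = path.resolve()
    for harbor in safe_harbors:
        try:
            resolved.relative_to(harbor.resolve())
            return True
        except ValueError:  # not under this harbor, try the next one
            continue
    return False


def audit_safe_harbors(root: Path, safe_harbors: list) -> list:
    """Walk root; return sensitive files (relative, sorted) outside every harbor."""
    violations = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_sensitive(p) and not inside_safe_harbor(p, safe_harbors):
                violations.append(p.relative_to(root).as_posix())
    return sorted(violations)


def build_sample_tree() -> Path:
    """Create a constructed user profile with one safe harbor; return its root."""
    root = Path(tempfile.mkdtemp(prefix="zesm-audit-"))
    for folder in ("Encrypted", "Desktop", "Downloads"):
        (root / folder).mkdir()
    # In the safe harbor, so encrypted at rest under the policy: not a finding.
    (root / "Encrypted" / "payroll.csv").write_text("Jane Doe,123-45-6789,55000\n")
    # Outside the safe harbor: exactly what the audit must flag.
    (root / "Desktop" / "export.txt").write_text("Emp 987-65-4321 salary info\n")
    # Outside, but nothing sensitive in it: not a finding.
    (root / "Downloads" / "notes.txt").write_text("meeting at 10, agenda only\n")
    return root


def run_demo() -> list:
    """Build the sample tree and audit it with 'Encrypted' as the only harbor."""
    root = build_sample_tree()
    return audit_safe_harbors(root, [root / "Encrypted"])


if __name__ == "__main__":
    for finding in run_demo():
        print("sensitive file outside safe harbor:", finding)
```

Run it against a real profile by replacing `build_sample_tree()` with the user's home directory and the harbors with the folders the encryption policy designates; a non-empty result means the policy's "mandate save locations" assumption has already failed for that user and the file is on disk in the clear.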
15. Details of ZENworks® Endpoint Security Management RSD Encryption Solution
    Encrypt Removable Storage Devices (RSD)
    – What we do
      > General, simple control (any RSD gets encrypted)
      > Password-based folder encryption (simplifies workflow when dealing with outside customers needing access to data when not running ZESM)
      > Simplified encryption key management
      > Seamlessly use the encrypted RSD throughout your corporation (decryption within the same “encryption key island” is transparent)
    – What we don't do
      > “White list” RSD that do not get encrypted, while encrypting all others – this is under investigation for a future feature
      > Automatically launch an application to decrypt RSD data after a successful authentication (like U3 devices with encryption do) – in the ZENworks® Configuration Management 11 version, we will provide an option to copy a stand-alone decryption tool to the RSD

16. Example ZENworks® Endpoint Security Management Encryption Policy

17. Example ZENworks® Endpoint Security Management RSD Policy

18. Details of ZENworks® Endpoint Security Management USB Controls
    • Removable Storage Devices (RSD) Encryption
      – Mandate all RSD are encrypted
      – Password-based folder
    • USB General Connectivity
      – Stop ALL USB devices
      – Control by USB Device Groups
      – “White-list” only approved USB peripherals (certificate providers, printers, RIM devices for syncing, 3G/Broadband modem devices, etc.)
    • USB – Integrate with 3rd party USB RSD providers with portable encryption (Examples: Kingston DataTraveler2 Private)
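The USB Controls slide names three control modes (stop all USB devices, control by device group, white-list only approved peripherals), and slide 15 adds that any allowed RSD is encrypted with no white-list exemption. The Python below is an added example, not ZENworks code: it models those rules as one decision function over USB device descriptors so the interaction between the modes and the RSD rule is explicit. The device class values follow the USB interface class codes; the vendor/product IDs, group names and sample devices are constructed.

```python
"""Decide whether an attached USB device is allowed under a connectivity policy.

Added example, not ZENworks code. Vendor/product IDs, group names and the
sample devices are constructed placeholders.
"""
from dataclasses import dataclass

USB_CLASS_CDC = 0x02            # communications (3G/broadband modems)
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_PRINTER = 0x07
USB_CLASS_MASS_STORAGE = 0x08   # flash drives, external disks (RSD)
USB_CLASS_SMART_CARD = 0x0B     # certificate providers


@dataclass(frozen=True)
class UsbDevice:
    name: str
    vendor_id: int
    product_id: int
    device_class: int


@dataclass(frozen=True)
class UsbPolicy:
    mode: str                                   # "stop_all", "by_group" or "whitelist"
    blocked_classes: frozenset = frozenset()    # device classes blocked in by_group mode
    whitelist: frozenset = frozenset()          # (vendor_id, product_id) pairs allowed
    encrypt_rsd: bool = True                    # any allowed RSD gets encrypted


def evaluate(policy: UsbPolicy, dev: UsbDevice) -> str:
    """Return 'block', 'allow' or 'allow_encrypted' for one device."""
    if policy.mode == "stop_all":
        return "block"
    if policy.mode == "by_group":
        allowed = dev.device_class not in policy.blocked_classes
    elif policy.mode == "whitelist":
        allowed = (dev.vendor_id, dev.product_id) in policy.whitelist
    else:
        raise ValueError(f"unknown policy mode {policy.mode!r}")
    if not allowed:
        return "block"
    # Slide 15: there is no white-list exemption from RSD encryption, so a
    # permitted mass-storage device is still encrypted when the rule is on.
    if dev.device_class == USB_CLASS_MASS_STORAGE and policy.encrypt_rsd:
        return "allow_encrypted"
    return "allow"


def evaluate_all(policy: UsbPolicy, devices) -> dict:
    """Map device name -> decision, the shape an audit log or UI would consume."""
    return {d.name: evaluate(policy, d) for d in devices}


# Constructed sample devices (IDs are placeholders, not real descriptors).
DEVICES = [
    UsbDevice("keyboard", 0x1111, 0x0001, USB_CLASS_HID),
    UsbDevice("office printer", 0x2222, 0x0002, USB_CLASS_PRINTER),
    UsbDevice("flash drive", 0x3333, 0x0003, USB_CLASS_MASS_STORAGE),
    UsbDevice("3g modem", 0x4444, 0x0004, USB_CLASS_CDC),
    UsbDevice("smart card reader", 0x5555, 0x0005, USB_CLASS_SMART_CARD),
]

STOP_ALL = UsbPolicy("stop_all")
BLOCK_MODEMS = UsbPolicy("by_group", blocked_classes=frozenset({USB_CLASS_CDC}))
APPROVED_ONLY = UsbPolicy("whitelist", whitelist=frozenset({
    (0x2222, 0x0002),   # printer
    (0x5555, 0x0005),   # certificate provider
    (0x3333, 0x0003),   # the one sanctioned flash drive
}))


if __name__ == "__main__":
    for label, pol in (("stop_all", STOP_ALL), ("by_group", BLOCK_MODEMS),
                       ("whitelist", APPROVED_ONLY)):
        print(label, evaluate_all(pol, DEVICES))
```

The white-list is keyed on vendor/product ID because that is what a device presents in its descriptor; a device that spoofs an approved ID would pass this check, which is why the slide pairs white-listing with encryption of whatever storage does get through rather than relying on the list alone.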
19. Example ZENworks® Endpoint Security Management USB Policy

20. Details of ZENworks® Endpoint Security Management Adapter Controls
    • Unique Network Adapter Control
      – Wireless Ethernet
        > Disable Wi-Fi when wired (helps prevent dual homing, bridging into corporate connections)
        > Disable ad hoc connections (stop peer-to-peer connections and control mesh networking)
        > Block Wi-Fi connections (prevents connections, but allows for wireless reporting information)
        > “White-list” specific approved Wi-Fi adapters (allow wireless connections only with approved devices having adequate security implementations and/or administrative controls)
        > Network utilization control (through SSID, MAC, and key management approaches)
        > Mandate a minimum level of Wi-Fi security for endpoints to connect to

21. Example ZENworks® Endpoint Security Management Wi-Fi Adapter Policy

22. Example ZENworks® Endpoint Security Management Wi-Fi Control Policy

23. Example ZENworks® Endpoint Security Management Wi-Fi Security Policy

24. Details of ZENworks® Endpoint Security Management Adapter Controls (cont.)
    • Unique Network Adapter Control (cont.)
      – Wired Ethernet
        > Disable Wi-Fi when wired (helps prevent dual homing, bridging into corporate connections)
        > “White-list” specific approved wired adapters (allow wired connections only with approved devices having adequate security implementations and/or administrative controls)
        > Disable adapter bridging (helps prevent dual homing, bridging into corporate connections)
    • Hardware Device Control (Firewire, serial, parallel, etc.)
    • VPN Enforcement (simple model with connect/disconnect commands)
    • Integrity Rules (simple tests and quarantine)
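Slides 20 and 24 together describe one adapter-control policy: disable Wi-Fi while wired, block ad hoc, white-list Wi-Fi and wired adapters and SSIDs, mandate a minimum Wi-Fi security level, and disable adapter bridging. The Python below is an added example, not ZENworks code, that models those rules as two decision functions over a constructed description of the endpoint's adapters and the connection being attempted, and walks the TJX-style case (a WEP-only network) through them. The security-level ordering, field names, MAC addresses and SSIDs are assumptions made for the example.

```python
"""Evaluate wired/wireless adapter-control rules for an endpoint.

Added example, not ZENworks code. Security ranking, field names and the
sample adapters, MACs and SSIDs are constructed for the demo.
"""
from dataclasses import dataclass

# Weakest to strongest. WEP ranks just above an open network because slide 10
# calls it "broken". Assumed ordering for the example.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass(frozen=True)
class Adapter:
    name: str
    kind: str               # "wired" or "wifi"
    mac: str
    connected: bool = False
    bridged: bool = False   # adapter is part of an OS-level network bridge


@dataclass(frozen=True)
class WifiRequest:
    adapter: Adapter
    ssid: str
    security: str                   # key of SECURITY_RANK
    mode: str = "infrastructure"    # or "adhoc"


@dataclass(frozen=True)
class AdapterPolicy:
    disable_wifi_when_wired: bool = True
    block_adhoc: bool = True
    min_wifi_security: str = "wpa2"
    approved_ssids: frozenset = frozenset()        # empty = any SSID
    approved_wifi_macs: frozenset = frozenset()    # empty = any Wi-Fi adapter
    approved_wired_macs: frozenset = frozenset()   # empty = any wired adapter
    disable_bridging: bool = True


def check_adapters(policy: AdapterPolicy, adapters: list) -> list:
    """Rules over the adapter set as a whole (wired white-list, bridging)."""
    reasons = []
    for a in adapters:
        if (a.kind == "wired" and a.connected and policy.approved_wired_macs
                and a.mac.lower() not in policy.approved_wired_macs):
            reasons.append(f"wired adapter {a.name} not approved")
        if policy.disable_bridging and a.bridged:
            reasons.append(f"adapter bridging on {a.name} disabled by policy")
    return reasons


def check_wifi(policy: AdapterPolicy, adapters: list, req: WifiRequest) -> list:
    """Rules for one candidate Wi-Fi connection; an empty list means allowed."""
    reasons = []
    wired_up = any(a.kind == "wired" and a.connected for a in adapters)
    if policy.disable_wifi_when_wired and wired_up:
        reasons.append("Wi-Fi disabled while a wired connection is active")
    if policy.block_adhoc and req.mode == "adhoc":
        reasons.append("ad hoc connections are blocked")
    if SECURITY_RANK.get(req.security, -1) < SECURITY_RANK[policy.min_wifi_security]:
        reasons.append(f"{req.security} is below the minimum {policy.min_wifi_security}")
    if policy.approved_ssids and req.ssid not in policy.approved_ssids:
        reasons.append(f"SSID {req.ssid!r} not approved")
    if policy.approved_wifi_macs and req.adapter.mac.lower() not in policy.approved_wifi_macs:
        reasons.append(f"Wi-Fi adapter {req.adapter.name} not approved")
    return reasons


# Constructed endpoint and policy for the demo.
CORP_POLICY = AdapterPolicy(
    approved_ssids=frozenset({"CORP-WLAN"}),
    approved_wifi_macs=frozenset({"00:11:22:33:44:55"}),
)
WIRED = Adapter("Ethernet", "wired", "aa:bb:cc:dd:ee:01")
WIFI = Adapter("Wi-Fi", "wifi", "00:11:22:33:44:55")


def scenario_docked() -> list:
    """Laptop on the wired LAN asks to also join the corporate WLAN (dual homing)."""
    adapters = [Adapter("Ethernet", "wired", WIRED.mac, connected=True), WIFI]
    return check_wifi(CORP_POLICY, adapters, WifiRequest(WIFI, "CORP-WLAN", "wpa2"))


def scenario_store_wep() -> list:
    """Undocked laptop sees a WEP-only network that is not on the SSID list."""
    return check_wifi(CORP_POLICY, [WIRED, WIFI], WifiRequest(WIFI, "StoreWiFi", "wep"))


def scenario_approved() -> list:
    """Undocked laptop joining the approved WPA2 network: no violations."""
    return check_wifi(CORP_POLICY, [WIRED, WIFI], WifiRequest(WIFI, "CORP-WLAN", "wpa2"))


def scenario_bridge() -> list:
    """Both adapters joined in a bridge: flagged by the bridging rule."""
    adapters = [Adapter("Ethernet", "wired", WIRED.mac, True, True),
                Adapter("Wi-Fi", "wifi", WIFI.mac, True, True)]
    return check_adapters(CORP_POLICY, adapters)
```

Returning the full list of reasons rather than the first one matters for the "Block Wi-Fi but allow reporting" item on slide 20: the endpoint still reports every rule the attempted connection tripped, which is the evidence an administrator needs to tell a misconfigured policy from a genuinely unsafe network.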
25. Example ZENworks® Endpoint Security Management Communication Hardware Control Policy

26. Have You Ever Wanted to Do These With Your Currently Deployed Applications?
    • Ensure services and applications always run despite end users having local administrative privileges.
    • Initiate A/V and anti-spyware scans based off network locations, other applications running, network connectivity, etc., and not just time of day/week.
    • Ensure diverse VPN solutions are running in hot-spots, hotels, airports, and other public locations.
    • Provide user messages, warnings, and information based on various security events.
    • Require VBScripts and/or JScripts to be run without end user modification, intervention, or circumvention.

27. Unique 3rd Party Integration Options
    • Integrate and leverage ZENworks® Endpoint Security Management native security options:
      – ZESM is always loaded and running, so it can ensure other security events happen as well.
      – Location Awareness (determination, changing, triggering)
      – Firewall control
      – Adapter Controls (connection, types, disabling/control)
      – Simple User Interface (UI), message dialogs, and/or workflow controls
      – Custom dialogs/UI
    • Advanced Scripts examples:
      – Various Patch, A/V, and Anti-Spyware integration
      – Customer's use of Microsoft VPN Enforcement to save money
      – Wireless UI controls
      – Remote Admin tools/services running
      – Policy enforced and controlled VB Scripts and JScripts
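Slides 26 and 27 describe an always-running agent that knows the endpoint's location and fires policy-controlled scripts on location changes, network connectivity and other security events: start a VPN in public locations, scan on arrival rather than by time of day, restart a service a local administrator stopped, and tell the user why. The Python below is an added example, not ZENworks code or one of its VBScript/JScript policies; it models that event-plus-state rule engine so the ordering of actions is visible. The location names, state fields and action names are constructed for the example.

```python
"""Location-aware enforcement rules of the kind the scripting slides describe.

Added example, not ZENworks code. Locations, state fields and action names
are constructed placeholders; a real policy script would run the commands.
"""
from dataclasses import dataclass, replace

PUBLIC_LOCATIONS = frozenset({"hotspot", "hotel", "airport", "unknown"})


@dataclass(frozen=True)
class EndpointState:
    location: str               # "corporate", "home", "hotspot", ...
    network_up: bool
    vpn_up: bool
    av_service_running: bool
    last_scan_location: str = ""


def on_event(event: str, state: EndpointState) -> tuple:
    """Return (actions, new_state) for one event against the current state."""
    actions = []
    # Apply the event to the endpoint picture first.
    if event.startswith("location:"):
        state = replace(state, location=event.split(":", 1)[1])
    elif event == "network:up":
        state = replace(state, network_up=True)
    elif event == "network:down":
        state = replace(state, network_up=False, vpn_up=False)
    elif event == "vpn:up":
        state = replace(state, vpn_up=True)
    elif event == "service:av_stopped":
        state = replace(state, av_service_running=False)

    # Rule 1: required services keep running even if a local admin stopped them.
    if not state.av_service_running:
        actions.append("restart_av_service")
        state = replace(state, av_service_running=True)
    # Rule 2: in a public location with a network, require the VPN and say why.
    if state.location in PUBLIC_LOCATIONS and state.network_up and not state.vpn_up:
        actions.append("start_vpn")
        actions.append("notify_user:vpn_required")
    # Rule 3: one scan per arrival at a new location, not by time of day.
    if state.network_up and state.last_scan_location != state.location:
        actions.append("run_av_scan")
        state = replace(state, last_scan_location=state.location)
    return actions, state


def run_trace(events, state: EndpointState):
    """Feed a sequence of events through the engine; return (action log, final state)."""
    log = []
    for ev in events:
        actions, state = on_event(ev, state)
        log.append((ev, actions))
    return log, state


# Constructed trace: a laptop leaves the office, gets online at an airport,
# brings the VPN up, then a local admin stops the A/V service.
DEMO_EVENTS = ["location:airport", "network:up", "vpn:up", "service:av_stopped"]
DEMO_START = EndpointState("corporate", network_up=False, vpn_up=False,
                           av_service_running=True, last_scan_location="corporate")

if __name__ == "__main__":
    for ev, acts in run_trace(DEMO_EVENTS, DEMO_START)[0]:
        print(f"{ev:22} -> {acts}")
```

Keeping the rules separate from the event handling is the design point: the rules are evaluated against the resulting state every time, so a VPN that drops or a service that is stopped later is caught by the next event rather than only at the moment the location changed.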
28. Example ZENworks® Endpoint Security Management 3rd Party Integration Through Scripting Policy

29. Questions and Answers

30. Questions and Answers
    • What other security issues are you dealing with now?
    • What would you like ZENworks® Endpoint Security Management to do for you?
    • What other detailed questions or information about the product or features do you need answered at this time?

31. Detailed Data Slides

32. Inside ZENworks Endpoint Security

33. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.