SPYRUS, Inc. Proprietary
Commercial-in-Confidence

SPYRUS® Enterprise Management System
White Paper

January 2016    SPYRUS Enterprise Management System
DOCUMENT NO: 412-420001-02

© Copyright 2012–2016 by SPYRUS, Inc. All rights reserved.
Document No: 412-420001-02
This document (and the software described in it) is furnished under license and may be used or copied only in accordance with the terms and conditions of such license. This document is provided for informational purposes only and is subject to change without notice. SPYRUS, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this document. Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior written permission of SPYRUS, Inc.

Patents
This product is protected under one or more of the U.S. patents found at the following address:
www.spyrus.com/company/patent-markings.html

Trademarks
SPYRUS, the SPYRUS logos, SPYRUS Enterprise Management System (SEMS), Portable Workplace, Secure Portable Workplace, WorkSafe, WorkSafePro, are either registered trademarks or trademarks of SPYRUS in the United States and/or other countries.

Contents
What Does SEMS Do?
Why use SEMS?
    Centralized Device Management
    Device and User Activity Auditing
    Policy and Privilege Enforcement
    Cost Effectiveness and Reliability
    Data Access Control and Security
What is SEMS?
    System Architecture
        SEMS Management Console
        SEMS Server
        SEMS Security Module Service
        SEMS Database
        SEMS Clients
Conclusion

Trusted Security To the Edge

What Does SEMS Do?

The SPYRUS Enterprise Management System ("SEMS™") provides a very strong security and productivity solution for any organization deploying SPYRUS encrypting storage devices and/or our Microsoft certified bootable Windows To Go drives. While SPYRUS drives provide the strongest Data-at-Rest protection when used by the mobile workforce, organizations face another challenge: the management, audit and policy enforcement of these high capacity, small form factor devices. SEMS solves that problem.

SEMS was designed to operate on a Windows server ecosystem, on premise or on Microsoft Azure. It can scale from a proof of concept with a small number of devices to deployments with tens of thousands of devices under management anywhere on the globe.

SEMS enables an organization to manage its data assets wherever they are used. It provides a central, web-based, easy to use management interface for controlling and monitoring SPYRUS secure hardware. Robust role management for SEMS administrators permits separation of responsibilities and enforcement of enterprise security policies. Recovery is easily facilitated to protect against data loss and employee downtime. A full set of audit features allows usage to be tracked, and an in-built reporting mechanism allows custom reports to be produced. It provides full transparency of all system and device operations. When things go wrong, the system provides the ultimate assurance that your assets don't fall into the wrong hands. When things go really wrong, a remote device kill operation renders the data on the device unusable.

SEMS maintains audit records of management activities performed on the SEMS Management Console and of activities on managed SPYRUS endpoint devices. It enables central administration and controls device behavior while transparently enforcing policies set by the organization. SEMS has a web-based management console that provides operational views through which administrators can maintain control over all deployed devices. SPYRUS has achieved this balance to give the productivity promised by mobility, with the security supplied by SPYRUS.

  
Why use SEMS?

This white paper provides an overview of the SPYRUS Enterprise Management System for remote security device management and how it addresses the concerns of IT and organizational managers to provide effective and reliable protection for remotely distributed sensitive stored data. The global competitive environment has increased the velocity of all phases of organization operations. This creates the need to operate outside of the office and to make data mobile and almost instantly accessible at the point of need. Enterprises need to interact directly with their customers, partners, and employees whenever and wherever they are. This trend has transformed the way enterprises deal with distributed data availability and data security. Mobility is being embraced by end users and business leaders alike, and IT departments are left with the balancing act of securing sensitive or confidential enterprise data while ensuring productivity. Enterprises gain a competitive advantage by immediate access to the information and applications necessary to act quickly.

The need to make sensitive or confidential data conveniently transportable and available for distribution has led to widespread use of USB flash drives and new security product form factors to physically move data from data centers to desktop, laptop and tablet computers and smartphones, whether in the office, in the field, or at home. Such mobility obviously exposes this data to physical loss through device loss or theft, or electronic loss through malicious cyberattacks, even under restricted access rules governed by other hardware and software solutions.

There is little need to emphasize or justify the importance of protecting such data from compromise. International cyberattacks and cybercrimes, funded by hostile or IP-hungry nation-states, increase yearly and cost a law-abiding nation's economy billions of dollars and hundreds of thousands of jobs. The impact of data theft, and of the loss of the technology and know-how that fuels competitive advantage, will be felt for years to come, and again emphasizes the need to protect and secure sensitive information against compromise and vulnerabilities, especially when such data resides on mobile devices.

SPYRUS Enterprise Management System addresses an organization's security concerns about data mobility.

Centralized Device Management

With ever-increasing storage capacities, the consequences of losing a mobile storage device containing sensitive information, passwords, or cryptographic keys can be extremely destructive to the data owner. Policies for the encryption of sensitive unclassified data while at rest on mobile computing devices and removable storage media provide one important step toward achieving higher assurance security for data stored on portable USB drive media. For endpoint protection, SPYRUS encrypting and bootable USB drives provide what is technically provable as the strongest commercially available cryptographic security for stored data.

However, such policies do not protect against a rogue employee storing large amounts of valuable data on a device and walking out the door with it. With millions of vetted personnel having access to sensitive and unclassified data over hundreds of networks, current events demonstrate that there are high probabilities of individual compromise for personal, financial, or political gain. The key is to choose a solution that meets corporate data governance and compliance needs as well as end user expectations.

The SPYRUS SEMS remote device management system addresses this scenario by selectively enforcing a policy of operation which precludes off-line device operation, and, together with a command to either disable or "kill" a device, can render the data absolutely inaccessible to such a rogue employee as soon as use of the device is attempted. Even loyal employees sometimes forget about security and carelessly leave their devices or device passwords exposed and unattended. SEMS addresses this issue by disabling the device and only allowing re-enabling using strong authentication protocols and change password protocols between the legitimate device holder and the organizational administrator.

A suite of screens allows passwords and BitLocker recovery keys to be securely recovered, status and device usage to be monitored, and customized policies to be issued to individual devices, groups of devices, or users, according to organizational criteria. Password policies mandate the characteristics and duration of passwords. Expiry policies can be set to disable or destroy devices within a set period. An offline policy defines how many times a device can be used before it must re-establish a connection with SEMS, or risk being disabled when the offline logon count threshold is exceeded. Devices can be managed and audited regardless of location, and the organization's security policies are enforced whether or not a device is connected to a network.
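The offline-logon and expiry policies just described can be modelled as a small state machine kept on the device itself, which is what lets them be enforced while disconnected. The following Go program is an added example written for this paper's reader; it is not SPYRUS code and not the SEMS client, and the policy field names, thresholds, timestamps and the Disable/Destroy outcomes it uses are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Action is what a logon attempt resolves to under the device policy.
type Action int

const (
	Allow   Action = iota // logon proceeds
	Disable               // device disabled until an administrator re-enables it
	Destroy               // data on the device rendered unusable
)

func (a Action) String() string { return [...]string{"Allow", "Disable", "Destroy"}[a] }

// Policy models the offline and expiry policies described above. The field
// names are assumptions made for this example, not SEMS configuration keys.
type Policy struct {
	OfflineLogonLimit int           // logons permitted without contacting SEMS
	Expiry            time.Duration // device lifetime measured from registration
	ExpiryAction      Action        // Disable or Destroy once the lifetime passes
}

// Device is the policy-relevant state the client keeps on the device.
type Device struct {
	RegisteredAt time.Time
	OfflineCount int
	Disabled     bool
	Destroyed    bool
}

// Logon evaluates one logon attempt at time now. online reports whether the
// client reached the SEMS Service; a successful contact resets the offline
// counter, while each offline logon consumes one of the permitted uses.
func Logon(p Policy, d *Device, now time.Time, online bool) Action {
	if d.Destroyed {
		return Destroy
	}
	// Expiry applies whether or not the device is online, and even to a
	// device that is already disabled.
	if p.Expiry > 0 && !now.Before(d.RegisteredAt.Add(p.Expiry)) {
		if p.ExpiryAction == Destroy {
			d.Destroyed = true
			return Destroy
		}
		d.Disabled = true
		return Disable
	}
	if d.Disabled {
		return Disable
	}
	if online {
		d.OfflineCount = 0
		return Allow
	}
	d.OfflineCount++
	if d.OfflineCount > p.OfflineLogonLimit {
		d.Disabled = true
		return Disable
	}
	return Allow
}

func main() {
	p := Policy{OfflineLogonLimit: 3, Expiry: 30 * 24 * time.Hour, ExpiryAction: Destroy}
	t0 := time.Date(2016, 1, 15, 9, 0, 0, 0, time.UTC) // constructed registration time
	d := &Device{RegisteredAt: t0}
	for i := 1; i <= 4; i++ {
		fmt.Printf("offline logon %d: %s\n", i, Logon(p, d, t0.Add(time.Duration(i)*time.Hour), false))
	}
}
```

With a limit of three, the fourth consecutive offline logon disables the device, a single online logon in between clears the counter, and the expiry check runs regardless of connectivity, so a device that is kept offline past its lifetime is still disabled or destroyed at its next use.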
 
Device and User Activity Auditing

For corporate security, it is also important to audit a user's actions as well as controlling access to the use of the device. SPYRUS encrypting storage drives also contain the facility for capturing the metadata for all file transfers as well as off-line user activity. By capturing log-on and log-off activities, device disable, enable, password and BitLocker recovery actions, and storing them within the SEMS database, the organization can use its own SIEM (Security Information and Event Management) software to permit event monitoring and notification at the user and device levels, to detect suspect operational behaviors and to take corrective actions, including destroying a device in the hands of the user. Audited transactions can also be searched and reports created using the SEMS Management Console. SEMS Management Console user activities are monitored, including security configuration events such as adding console users, assigning them to or removing them from groups, and changing passwords.
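To show the kind of rule the SIEM hand-off above enables, here is an added example (not SPYRUS code, and not the SEMS audit schema) that runs two detection rules over a constructed audit stream: a logon recorded on a device after a disable was issued for it, and a burst of failed logons inside a sliding window. The event kinds, device serials, user names and timestamps are all made up for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent is a constructed, simplified record shape for the event types
// named above (logon/logoff, disable, enable, recovery). It is not the SEMS
// audit schema.
type AuditEvent struct {
	At     time.Time
	Device string // device serial number
	User   string
	Kind   string // "logon", "logon_failed", "logoff", "disable", "enable", "pw_recovery"
}

// Alert is a finding a SIEM rule would raise for an analyst.
type Alert struct {
	At     time.Time
	Device string
	Rule   string
}

// Detect applies two example rules to an audit stream:
//  1. logon-after-disable: a logon recorded on a device after SEMS issued a
//     disable for it, i.e. the device has not yet applied the pending command;
//  2. failed-logon-burst: more than maxFailed failed logons on one device
//     inside a sliding window.
func Detect(events []AuditEvent, maxFailed int, window time.Duration) []Alert {
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	disabled := map[string]bool{}
	failures := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range events {
		switch e.Kind {
		case "disable":
			disabled[e.Device] = true
		case "enable":
			disabled[e.Device] = false
		case "logon":
			if disabled[e.Device] {
				alerts = append(alerts, Alert{e.At, e.Device, "logon-after-disable"})
			}
		case "logon_failed":
			// Drop failures that have aged out of the window, then add this one.
			var recent []time.Time
			for _, t := range failures[e.Device] {
				if e.At.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			recent = append(recent, e.At)
			if len(recent) > maxFailed {
				alerts = append(alerts, Alert{e.At, e.Device, "failed-logon-burst"})
				recent = nil // one burst raises one alert
			}
			failures[e.Device] = recent
		}
	}
	return alerts
}

// SampleEvents is a constructed audit stream for demonstration.
func SampleEvents() []AuditEvent {
	base := time.Date(2016, 1, 15, 9, 0, 0, 0, time.UTC)
	at := func(m int) time.Time { return base.Add(time.Duration(m) * time.Minute) }
	return []AuditEvent{
		{at(0), "WTG-0002", "alice", "logon"},
		{at(1), "PV-0001", "bob", "logon_failed"},
		{at(2), "PV-0001", "bob", "logon_failed"},
		{at(3), "PV-0001", "bob", "logon_failed"},
		{at(4), "PV-0001", "bob", "logon_failed"},
		{at(5), "WTG-0002", "console-admin", "disable"},
		{at(6), "WTG-0002", "alice", "logon"},
		{at(7), "WTG-0002", "alice", "logoff"},
	}
}

func main() {
	for _, a := range Detect(SampleEvents(), 3, 10*time.Minute) {
		fmt.Printf("%s %-9s %s\n", a.At.Format(time.RFC3339), a.Device, a.Rule)
	}
}
```

The first rule only makes sense because SEMS records both the console action (the disable) and the device-side event (the logon) in the same store; the second is a plain sliding-window count, and the window parameter matters, since the same four failures spread over longer than the window are not a burst.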
Policy and Privilege Enforcement

For large organizations, both global and national, policies differ based on operational mission, local and national regulations, data classifications and specific project needs. Deploying devices with sensitive data requires that usage policies obey the rules of data access and usage. SEMS management is performed based upon "Group" principles, allowing groups to be defined that represent geographical or organizational structures, so that each organization's security policies can be applied to the appropriate group or groups of devices within the SEMS system, referred to as SEMS Groups or SEMS Sub-groups. The policies are downloaded and stored on the device, and are enforced whether or not a device is connected to the SEMS network. The SEMS Group structure supports the ongoing industry trend to virtualization of IT functions across geographic and system boundaries, such as those proposed for Software Defined Networks (SDN), Network Function Virtualization (NFV) and other emerging paradigms.

The SEMS enterprise hierarchical architecture facilitates this national and organizational device policy definition and control, so that multiple SEMS Management Console help desks can be deployed. Administration is controlled at Group level, whereby console users are assigned to manage a specific group or groups of devices. Group separation is supported in that console users assigned to manage one group cannot see or manage data in another group without the appropriate permissions. Roles and privileges authorize different levels of device control, e.g., device disablement or destruction decisions.
Cost Effectiveness and Reliability

Minimizing the labor costs of operations is an important SEMS consideration in deploying scalable device management systems. System administrators primarily operate in a demand-based environment, taking actions to control USB device usage based on user-driven operational help requests, threat circumstances, or organization-driven policy changes. The comprehensiveness of SEMS Management Console controls provides real-time responsiveness to users or to monitored alarm events without reliance on other IT staff or vendor support. User-based device initialization and registration procedures permit large-scale deployments without overloading IT staff and console users.

To minimize an organization's total life-cycle costs of remote management, SPYRUS has built SEMS in conformance to the scalable Microsoft IT ecosystem, employing Windows IIS and SQL servers and the domain controller distributed architecture, and using the supporting Microsoft IT configuration software, so that the SEMS system can be globally installed, deployed, supported and maintained as a centralized or cloud-based configuration without a dependence upon specialized operating systems and server components. This is critical to offer reliable, responsive and supportable global, national or organizational control over corporate and personal IT information assets which must be protected as they travel all over the world.
Data Access Control and Security

In remote device management systems, where one or more administrators manage hundreds or thousands of USB flash drive devices in the hands of data recipients, global client-server architectures and networks are employed for monitoring and controlling the operation of the secure devices. Consequently the "security boundary" to defend against access vulnerabilities increases dramatically over the entire network envelope. This requires that the system that manages and controls user access to USB device data should not itself be the "weakest link", more vulnerable as a targeted attack point than the device being protected. To meet this need, SEMS is uniquely developed upon international government-approved next-generation cryptographic algorithms such as AES 256, ECDH P-384, and SHA-256 to protect data transfers among clients and servers.

The SPYRUS SEMS client-server communications architecture employs an exclusive "Defense-in-Depth" solution. This exclusive layered architecture incorporates a SEMS server-based SPYRUS Security Module Service for the cryptographic key management that protects all sensitive information between client devices and server elements. In addition, https protocols are employed in combination with the hardware-enforced SPYRUS SECX protocol to add session-based digital signature and content encryption to the secure https tunnel, to mitigate man-in-the-middle attacks against command and control, password recovery and change operations, and device audit communications throughout the network.

What is SEMS?

SEMS is a combination of software and hardware services separated by functional responsibilities. These services communicate with each other to collectively provide a robust device management system. The architecture is designed to grow easily and accommodate new functions and services rapidly.

System Architecture

SEMS has been developed with a number of key architectural forces in mind.
• Designed from the ground up as a distributed system. The SEMS server components can easily be distributed across an enterprise network. It is designed as a flexible set of distributable components.
• Uses HTTPS and TCP channel authentication as transport mechanisms for messages between Server and Client components. This means software components will work behind firewalls and should be easily integrated into an enterprise's network.
• Designed with security in mind. All Client/Server communications are performed using HTTPS and further authenticated using SECX. The password recovery mechanisms use ECC and the Security Module Service to strongly protect passwords.

 
SEMS Management Console

The SEMS Management Console is a web-based management interface that allows console users to manage SEMS enabled devices. From this console, policies can be set to allow devices to be enabled/disabled or destroyed, passwords and BitLocker recovery keys retrieved, and audit log entries viewed.
SEMS Management Console logon can be configured to use either password or Rosetta® USB/Smart Card authentication.

SEMS Server

The SEMS Server is a collection of independent services working together to provide a robust device management system. It consists of three core components:
• SEMS Service
• SEMS Audit Service
• SEMS Management Console
These are installed within a Windows Internet Information Server (IIS) and are implemented using the .NET Framework. SEMS client devices initially use the SEMS Service to register with SEMS and obtain policy settings. The SEMS Audit Service records details of the client registration event. Once registered, client devices regularly interrogate the SEMS Service to discover whether outstanding device actions are pending (e.g. disable, destroy, policy update, etc.). If any actions are pending, these commands are delivered to the device. All SEMS Client action events are recorded by the SEMS Audit Service. SEMS Registration is the process by which SEMS Clients transparently opt in to be managed by SEMS. There are two aspects to registration: device registration and user registration.

A set of registration policies is designed to aid the SEMS client registration process where:
• Devices are to be registered in SEMS Groups other than the domain to which the logged-on user's Windows Logon Account belongs, and/or
• The communication network of the device might not have access to a server where the DNS name for the SEMS Server can be resolved.
SEMS Registration Policies work within the Windows Group Policy Management tool. As such, they can readily be pushed out by Windows Domain or by Windows Organizational Unit, as appropriate for enterprise configuration and organizational device management directives. Alternatively, SEMS Registration Policy can be set within the Local Policy of individual Windows To Go drive units.

After successful SEMS registration, the SEMS database contains such details as the SEMS Group to which registration was performed, the device type and serial number, and the Windows logon account name of the person who registered the device. Only SEMS Management Console users who are assigned management roles within the registered SEMS Group have visibility of the registered device and its owner. The SEMS Client receives and enforces, from the SEMS Service, the security policies of the registered SEMS Group or SEMS Sub-group.

Devices that are to be managed by SEMS can reside on networks that are external to the SEMS server's network. In these instances, the SEMS Service can be configured to permit access from specific networks in order for those devices to register with SEMS. Here, network IP address filtering is implemented by adding a comma-separated list of the allowed external IP addresses and their corresponding subnet masks to the SEMS Service's configuration.

There may be instances where a fixed IP address, or even an IP address range, cannot be predicted; in particular, where users of Windows To Go drive units are allowed to operate offsite in a home office environment. Or an alternative to configuring numerous different IP filters might be sought. In these instances, pre-registration of SEMS Client devices can simplify what might otherwise be a prohibitive registration process. Here, the device registration component of SEMS Registration is achieved by pre-populating the SEMS database with details of those SEMS Client devices for which user registration is allowed to be completed outside of the SEMS Server's domain network. Device pre-registration can be performed on an individual basis at the SEMS Management Console. Alternatively, multiple device registration can be achieved through the use of a script to import device details directly into the SEMS Database.
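An added example (not SPYRUS code) of the two registration gates described above: parsing a comma-separated allow list of external addresses and subnet masks, and letting a pre-registered device serial bypass the address filter. The entry syntax accepted by the parser, the serial numbers and the addresses are assumptions made here; the exact SEMS configuration format is not given in this paper.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ParseAllowList turns a comma-separated list of "address/mask" entries into
// networks. The entry syntax is an assumption for this example: it accepts a
// dotted mask ("203.0.113.0/255.255.255.0") or a CIDR length ("203.0.113.0/24")
// and rejects masks that are not a contiguous prefix.
func ParseAllowList(s string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		addr, maskStr, ok := strings.Cut(item, "/")
		if !ok {
			return nil, fmt.Errorf("%q: missing subnet mask", item)
		}
		ip := net.ParseIP(addr)
		if ip == nil {
			return nil, fmt.Errorf("%q: invalid address", item)
		}
		bits := 128
		if ip.To4() != nil {
			bits = 32
		}
		var mask net.IPMask
		if m := net.ParseIP(maskStr); m != nil && m.To4() != nil && bits == 32 {
			mask = net.IPMask(m.To4())
		} else if n, err := strconv.Atoi(maskStr); err == nil {
			mask = net.CIDRMask(n, bits) // nil when n is out of range
		}
		// Size reports 0 bits for a nil mask and for a non-contiguous one.
		if _, size := mask.Size(); size == 0 {
			return nil, fmt.Errorf("%q: mask is not a contiguous prefix", item)
		}
		nets = append(nets, &net.IPNet{IP: ip.Mask(mask), Mask: mask})
	}
	return nets, nil
}

// Registrar decides whether a registration request may proceed: devices on an
// allowed network register directly, and devices whose serial numbers were
// pre-registered (imported ahead of time) may register from anywhere.
type Registrar struct {
	Allowed       []*net.IPNet
	PreRegistered map[string]bool
}

// MayRegister returns the decision and a short reason for the audit trail.
func (r Registrar) MayRegister(serial string, src net.IP) (bool, string) {
	if r.PreRegistered[serial] {
		return true, "pre-registered device"
	}
	for _, n := range r.Allowed {
		if n.Contains(src) {
			return true, "source " + src.String() + " in " + n.String()
		}
	}
	return false, "source " + src.String() + " not in any allowed network"
}

func main() {
	nets, err := ParseAllowList("203.0.113.0/255.255.255.0, 198.51.100.0/24") // constructed entries
	if err != nil {
		panic(err)
	}
	r := Registrar{Allowed: nets, PreRegistered: map[string]bool{"WTG-HOME-0042": true}} // constructed serial
	for _, c := range []struct{ serial, ip string }{
		{"PV-0001", "203.0.113.7"}, {"PV-0002", "192.0.2.5"}, {"WTG-HOME-0042", "192.0.2.5"},
	} {
		ok, why := r.MayRegister(c.serial, net.ParseIP(c.ip))
		fmt.Printf("%-14s %-12s allowed=%-5v %s\n", c.serial, c.ip, ok, why)
	}
}
```

The parser fails closed: a missing mask, an unparsable address, or a mask such as 255.0.255.0 that is not a contiguous prefix is an error rather than a silently permissive entry, which is the check worth having on any allow list that gates registration.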
SEMS Security Module Service

SEMS provides a Security Module Service for access to encrypted data, primarily decryption and encryption of device authentication user passwords and BitLocker recovery keys as well as other system security data. The service also manages the SEMS Site License. The Security Module Service provides the option of a Software Security Module or a Security Module that uses the SPYRUS Rosetta USB HSM.

The Software Security Module provides a fast and secure key management infrastructure and supports limited access through the use of a managed service account (see below). The Software Security Module is intended for SEMS product trials or installations where a hardware security module is not necessary or not supported. When used with a Rosetta HSM, the Security Module Service can only access keys when the HSM is present and unlocked. Without the Rosetta HSM, the keys required for password recovery cannot be recovered, thus making password recovery impossible. Communication with the Security Module Service can be configured to require authentication. A local or managed Windows service account can specifically be created for this purpose, and then configured for use in communications between the Security Module Service and the SEMS Service and the SEMS Management Console. Configuring the Software Security Module with a managed service account provides the best isolation of the SEMS service from other services running on the same machine.

For disaster recovery, the Security Module Service provides a backup and restore mechanism. During initial configuration of the Security Module Service, a backup of the HSM is created and stored off-line in a secure location. For additional security, SPYRUS recommends that the SPYRUS PocketVault® P3X encrypted USB 3.0 drive be used for all backups.
  
SEMS Database

SEMS utilizes three database components. The first, the enterprise database, stores status and security information regarding devices, users, groups and device actions. It is the main data repository for the management of devices and users in the SEMS system. It is constantly in a state of update and change as events occur in the SEMS system. Key data elements are encrypted and require the decryption services of the SEMS Security Module Service. The second is the audit database, which records all audit events on the system, i.e. device and SEMS Management Console activities. The database has permissions for read and write only, i.e. modify permissions to the stored audit data are denied. The final database is the security database, where all console user and role information is stored. It is used in authenticating SEMS Management Console users and determining their roles within the system.

SEMS Clients

To operate with SEMS, SPYRUS portable USB devices require SEMS Client software to be installed and configured. For SPYRUS Windows To Go drive units, this is the SEMSforWTG software module. All PocketVault P-384 devices are supplied with an in-built SEMS Opt-in option. SEMS Client software is compatible with 32-bit and 64-bit Windows 8, 8.1 and 10 operating systems.
SEMS enabled devices include:
• WorkSafe™,
• WorkSafe Pro™,
• Secure Portable Workplace™,
• Portable Workplace™,
• PocketVault P-384.
The communications between the client and the server employ a "Defense-in-Depth" layered architecture that includes authentication, robust key establishment, a rekeying interval, and security wrappers for critical communication. The additional layers of protection are implemented to protect against failures in traditional HTTPS security.
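The layering described here and in the Data Access Control and Security section (a session key agreed with ECDH P-384, AES-256 content encryption and a per-message digital signature carried inside the HTTPS tunnel) can be illustrated with the following added Go example. It is not SPYRUS code and does not implement the proprietary SECX protocol; the one-step SHA-256 key derivation, the use of ECDSA P-384 for the per-message signature and signing over nonce || ciphertext are choices made for this illustration. The HTTPS tunnel is assumed to surround the envelope and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Party is one end of the session: a long-term ECDSA P-384 identity key, a
// per-session ephemeral ECDH P-384 key, and the AES-256-GCM cipher derived from them.
type Party struct {
	identity *ecdsa.PrivateKey
	eph      *ecdh.PrivateKey
	aead     cipher.AEAD
}

func NewParty() (*Party, error) {
	id, err1 := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	eph, err2 := ecdh.P384().GenerateKey(rand.Reader)
	return &Party{identity: id, eph: eph}, errors.Join(err1, err2)
}

// Identity returns the public half of the long-term signing key.
func (p *Party) Identity() *ecdsa.PublicKey { return &p.identity.PublicKey }

// Establish agrees the session key from the peer's ephemeral public key. SHA-256
// over a label and the ECDH secret is the one-step KDF assumed for this example.
func (p *Party) Establish(peer *ecdh.PublicKey) error {
	shared, err := p.eph.ECDH(peer)
	if err != nil {
		return err
	}
	key := sha256.Sum256(append([]byte("example-session-key"), shared...))
	block, err := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	if err != nil {
		return err
	}
	p.aead, err = cipher.NewGCM(block)
	return err
}

// Envelope is the wrapped command carried inside the HTTPS tunnel.
type Envelope struct{ Nonce, Ciphertext, Signature []byte }

// Seal encrypts a command under the session key and signs
// SHA-256(nonce || ciphertext) with the sender's identity key.
func (p *Party) Seal(command []byte) (Envelope, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := p.aead.Seal(nil, nonce, command, nil)
	digest := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	sig, err := ecdsa.SignASN1(rand.Reader, p.identity, digest[:])
	return Envelope{nonce, ct, sig}, err
}

// Open checks the signature against the peer's identity key before any
// decryption, so a message altered in transit is refused before the cipher runs.
func (p *Party) Open(env Envelope, peer *ecdsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(append(append([]byte{}, env.Nonce...), env.Ciphertext...))
	if !ecdsa.VerifyASN1(peer, digest[:], env.Signature) {
		return nil, errors.New("signature check failed; message rejected")
	}
	return p.aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// NewSession creates a server and a client and completes the key agreement
// between them, as would happen once per session inside the tunnel.
func NewSession() (*Party, *Party, error) {
	server, err1 := NewParty()
	client, err2 := NewParty()
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, err
	}
	err := errors.Join(server.Establish(client.eph.PublicKey()), client.Establish(server.eph.PublicKey()))
	return server, client, err
}

func main() {
	server, client, err := NewSession()
	if err != nil {
		panic(err)
	}
	env, _ := server.Seal([]byte("disable")) // constructed command
	got, err := client.Open(env, server.Identity())
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

Checking the signature before decrypting means an envelope altered in transit, or one produced by a party that lacks the sender's identity key, is refused without the cipher being touched; that is the man-in-the-middle case the text says the inner layer exists to catch when the outer HTTPS layer fails. Because the session key is derived from ephemeral keys, discarding the parties at the end of a session is the natural point for the rekeying interval mentioned above.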
  
  
  
 
Conclusion

The SPYRUS Enterprise Management System provides a fully featured and scalable system for device management. It can be scaled for global operations, can be operated from the Cloud or on site, can be structured to meet organizational boundaries and roles, can be integrated with Active Directory or run independently, and can be implemented in a robust high availability environment. It provides the tools necessary for large or small organizations to manage their SPYRUS encryption devices and provides the assurance that whatever happens, the data on these devices will be protected.
The benefits to organizations that select SEMS to manage devices include:
1) administrative separation of roles and duties, and control over the devices to meet corporate security policies;
2) easy registration and deployment of devices on a global basis;
3) leverage of existing Microsoft ecosystem investments;
4) configurable policies to protect data access, usage, encryption, password rules, and more, from a centralized management console;
5) management of on-line, off-line, and expiration usage; and
6) allowing users to easily reset passwords from remote locations without destroying the data stored on the device.
SPYRUS invites you to visit www.spyrus.com/sems and listen to the video or request a demonstration of the SEMS system in action on Azure at http://www.spyrus.com/more-info/.

More Related Content

What's hot

Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
John Kingsley
 
Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
John Kingsley
 
Dedicated Servers Cheap
Dedicated Servers CheapDedicated Servers Cheap
Dedicated Servers Cheap
Medha Hosting
 
Past and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsPast and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environments
Joe Slowik
 
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEETESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
ESET Belgique & Luxembourg
 
Cyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityCyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope security
Joe Slowik
 

What's hot (6)

Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
Safety instrumented functions (sif) safety integrity level (sil) evaluation t...
 
Sil explained in valve actuators
Sil explained in valve actuatorsSil explained in valve actuators
Sil explained in valve actuators
 
Dedicated Servers Cheap
Dedicated Servers CheapDedicated Servers Cheap
Dedicated Servers Cheap
 
Past and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environmentsPast and future of integrity based attacks in ics environments
Past and future of integrity based attacks in ics environments
 
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEETESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
ESET_ENDPOINT_PROTECTION_ADVANCED_DATASHEET
 
Cyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope securityCyber consequences, operational dependencies, and full scope security
Cyber consequences, operational dependencies, and full scope security
 

Similar to SPYRUS® Enterprise Management System

10 Risky Employee Practices - Security solutions
10 Risky Employee Practices - Security solutions10 Risky Employee Practices - Security solutions
10 Risky Employee Practices - Security solutions
Fuji Xerox Singapore
 
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
Cheer Chain Enterprise Co., Ltd.
 
Strategies for Data Leakage Prevention
Strategies for Data Leakage PreventionStrategies for Data Leakage Prevention
Strategies for Data Leakage Prevention
IRJET Journal
 
Benefits of automating data protection | Seclore
Benefits of automating data protection | SecloreBenefits of automating data protection | Seclore
Benefits of automating data protection | Seclore
Seclore
 
Accelerite Sentient Executive Briefing
Accelerite Sentient Executive BriefingAccelerite Sentient Executive Briefing
Accelerite Sentient Executive Briefing
Accelerite
 
seqrite-hawkkeye-datasheet.pdf
seqrite-hawkkeye-datasheet.pdfseqrite-hawkkeye-datasheet.pdf
seqrite-hawkkeye-datasheet.pdf
seqriteseo
 
Cloud backup-for-endpoint-devices
Cloud backup-for-endpoint-devicesCloud backup-for-endpoint-devices
Cloud backup-for-endpoint-devices
Icomm Technologies
 
SAP Application Access with Instasafe Zero Trust
SAP Application Access with Instasafe Zero TrustSAP Application Access with Instasafe Zero Trust
SAP Application Access with Instasafe Zero Trust
InstaSafe Technologies
 
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
Seclore
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
EMC
 
Infowatch endpoint security
Infowatch endpoint securityInfowatch endpoint security
Infowatch endpoint security
hassan latifi
 
The VMware Mobile Secure Workplace
The VMware Mobile Secure WorkplaceThe VMware Mobile Secure Workplace
The VMware Mobile Secure Workplace
VMware
 
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Bloombase
 
The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019
Insights success media and technology pvt ltd
 
Application Data Security | Seclore
Application Data Security | SecloreApplication Data Security | Seclore
Application Data Security | Seclore
Seclore
 
Laptop management
Laptop managementLaptop management
Laptop management
Killian Delaney
 
ITAMSoft-Datasheet-2015
ITAMSoft-Datasheet-2015ITAMSoft-Datasheet-2015
ITAMSoft-Datasheet-2015
Harry J.G. Lieferink
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
Secure Islands - Data Security Policy
 
Trusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware ProtectionTrusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware Protection
IBM Security
 
APAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecurityAPAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds Security
SolarWinds
 

Similar to SPYRUS® Enterprise Management System (20)

10 Risky Employee Practices - Security solutions
10 Risky Employee Practices - Security solutions10 Risky Employee Practices - Security solutions
10 Risky Employee Practices - Security solutions
 
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
SpectorSoft Spector 360 資料移失防護及網路活動監控軟體產品介紹及應用分析
 
Strategies for Data Leakage Prevention
Strategies for Data Leakage PreventionStrategies for Data Leakage Prevention
Strategies for Data Leakage Prevention
 
Benefits of automating data protection | Seclore
Benefits of automating data protection | SecloreBenefits of automating data protection | Seclore
Benefits of automating data protection | Seclore
 
Accelerite Sentient Executive Briefing
Accelerite Sentient Executive BriefingAccelerite Sentient Executive Briefing
Accelerite Sentient Executive Briefing
 
seqrite-hawkkeye-datasheet.pdf
seqrite-hawkkeye-datasheet.pdfseqrite-hawkkeye-datasheet.pdf
seqrite-hawkkeye-datasheet.pdf
 
Cloud backup-for-endpoint-devices
Cloud backup-for-endpoint-devicesCloud backup-for-endpoint-devices
Cloud backup-for-endpoint-devices
 
SAP Application Access with Instasafe Zero Trust
SAP Application Access with Instasafe Zero TrustSAP Application Access with Instasafe Zero Trust
SAP Application Access with Instasafe Zero Trust
 
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
4 Reasons Why Automation Is a Crucial Aspect of Data-Centric Security
 
Intelligence Driven Identity and Access Management
Intelligence Driven Identity and Access ManagementIntelligence Driven Identity and Access Management
Intelligence Driven Identity and Access Management
 
Infowatch endpoint security
Infowatch endpoint securityInfowatch endpoint security
Infowatch endpoint security
 
The VMware Mobile Secure Workplace
The VMware Mobile Secure WorkplaceThe VMware Mobile Secure Workplace
The VMware Mobile Secure Workplace
 
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
Blbs tn-bloombase-store safe-das-san-benchmarking-uslet-en-r3
 
The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019The 10 most promising enterprise security solution providers 2019
The 10 most promising enterprise security solution providers 2019
 
Application Data Security | Seclore
Application Data Security | SecloreApplication Data Security | Seclore
Application Data Security | Seclore
 
Laptop management
Laptop managementLaptop management
Laptop management
 
ITAMSoft-Datasheet-2015
ITAMSoft-Datasheet-2015ITAMSoft-Datasheet-2015
ITAMSoft-Datasheet-2015
 
18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You18 Tips of IRM - Making IRM Work for You
18 Tips of IRM - Making IRM Work for You
 
Trusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware ProtectionTrusteer Apex Provides Automatic and Accurate Malware Protection
Trusteer Apex Provides Automatic and Accurate Malware Protection
 
APAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds SecurityAPAC Partner Update: SolarWinds Security
APAC Partner Update: SolarWinds Security
 

Recently uploaded

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 

Recently uploaded (20)

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 

SPYRUS® Enterprise Management System

  • 1. SPYRUS,  Inc.    Proprietary   Commercial-­‐in-­‐Confidence                                 SPYRUS®  Enterprise  Management  System   White  Paper    
  • 2. January  2016     SPYRUS  Enterprise  Management  System   DOCUMENT  NO:  412-­‐420001-­‐02     SPYRUS,  Inc.  Proprietary   Page  i     Commercial-­‐In-­‐Confidence                                 ©  Copyright  2012–2016  by  SPYRUS,  Inc.  All  rights  reserved.   Document  No:  412-­‐420001-­‐02   This  document  (and  the  software  described  in  it)  is  furnished  under  license  and  may  be  used  or  copied   only  in  accordance  with  the  terms  and  conditions  of  such  license.  This  document  is  provided  for   informational  purposes  only  and  is  subject  to  change  without  notice.  SPYRUS,  Inc.  assumes  no   responsibility  or  liability  for  any  errors  or  inaccuracies  that  may  appear  in  this  document.  Except  as   permitted  by  such  license,  no  part  of  this  publication  may  be  reproduced,  stored  in  a  retrieval  system,   or  transmitted,  in  any  form  or  by  any  means,  without  the  prior  written  permission  of  SPYRUS,  Inc.   Patents   This  product  is  protected  under  one  or  more  of  the  U.S.  patents  found  at  the  following  address:     www.spyrus.com/company/patent-­‐markings.html   Trademarks   SPYRUS,  the  SPYRUS  logos,    SPYRUS  Enterprise  Management  System  (SEMS),  Portable  Workplace,   Secure  Portable  Workplace  ,  WorkSafe,  WorkSafePro,  are  either  registered  trademarks  or  trademarks   of  SPYRUS  in  the  United  States  and/or  other  countries.    
  • 3. January  2016     SPYRUS  Enterprise  Management  System   DOCUMENT  NO:  412-­‐420001-­‐02     SPYRUS,  Inc.  Proprietary   Page  ii     Commercial-­‐In-­‐Confidence   Contents   What Does SEMS Do?..................................................................................................................................   Why use SEMS? ...........................................................................................................................................   Centralized Device Management..............................................................................................................3   Device and User Activity Auditing.............................................................................................................4   Policy and Privilege Enforcement .............................................................................................................4   Cost Effectiveness and Reliability.............................................................................................................4   Data Access Control and Security ............................................................................................................5   What is SEMS? .............................................................................................................................................   System Architecture..................................................................................................................................6   SEMS  Management  Console  ............................................................................................  7   SEMS  Server  .....................................................................................................................  7   SEMS  Security  Module  Service  .........................................................................................  
8   SEMS  Database  ................................................................................................................  9   SEMS  Clients  ....................................................................................................................  9   Conclusion....................................................................................................................................................              
  • 4.   Trusted  Security  To  the  Edge   SPYRUS,  Inc.  Proprietary   1     Commercial-­‐In-­‐Confidence       The  SPYRUS  Enterprise  Management  System  (“SEMS™”)  provides  a  very  strong   security  and  productivity  solution  for  any  organization  deploying  SPYRUS   encrypting  storage  devices  and/or  our  Microsoft  certified  bootable  Windows  To  Go   Drives.    While  SPYRUS  drives  provide  the  strongest  Data-­‐at-­‐Rest  protection  when   used  by  the  mobile  workforce,  organizations  are  faced  with  another  challenge  that   is  the  management,  audit  and  policy  enforcement  of  these  high  capacity,  small  form  factor  devices.    SEMS   solves  that  problem.   SEMS  was  designed  to  operate  on  a  Windows  server  ecosystem,  on  premise,  or  on  Microsoft  Azure.  It  has   the  ability  to  scale  from  proof  of  concept  with  a  small  number  of  devices,  to  deployments  with  tens  of   thousands  of  devices  under  management  anywhere  on  the  globe.     SEMS  enables  an  organization  to  manage  their  data  assets  wherever  they  are  used.    It  provides  a  central,   web-­‐based,  easy  to  use  management  interface  for  controlling  and  monitoring  SPYRUS  secure  hardware.   Robust  role  management  for  SEMS  administrators,  permits  separation  of  responsibilities  and   enforcement  of  enterprise  security  policies.    Recovery  is  easily  facilitated  to  protect  against  data  loss  and   employee  downtime.    A  full  set  of  Audit  features  allows  usage  to  be  tracked  and  an  in-­‐built  reporting   mechanism  allows  custom  reports  to  be  produced.    It  provides  full  transparency  of  all  system  and  device   operations.    When  things  go  wrong,  the  system  provides  the  ultimate  assurance  that  your  assets  don’t  fall   into  the  wrong  hands.      
When  things  go  really  wrong,  a  remote  device  kill  operation  renders  the  data  on   the  device  unusable.   SEMS  maintains  audit  records  of  management  activities  performed  on  the  SEMS  Management  Console   and  activities  on  managed  SPYRUS  endpoint  devices.    It  enables  central  administration  and  controls   device  behavior  while  transparently  enforcing  policies  set  by  the  organization.  SEMS  has  a  web  based   management  console  to  provide  operational  views  through  which  administrator  can  maintain  control  over   all  deployed  devices.    SPYRUS  has  achieved  this  balance  to  give  the  productivity  promised  by  mobility,  but   with  the  security  supplied  by  SPYRUS.       What  Does   SEMS  Do?  
  • 5.   Trusted  Security  To  the  Edge   SPYRUS,  Inc.  Proprietary   2     Commercial-­‐In-­‐Confidence       This  whitepaper  provides  an  overview  of  the  SPYRUS  Enterprise  Management   System  for  remote  security  device  management  and  how  it  addresses  the  concerns   of  IT  and  organizational  mangers  to  provide  effective  and  reliable  protection  for   remotely-­‐distributed  sensitive  stored  data.    The  global  competitive  environment   has  resulted  in  increased  velocity  of  all  phases  of  organization  operations.    This   creates  the  need  to  operate  outside  of  the  office,  and  make  data   mobile  and  almost  instantly  accessible  at  the  point  of  need.     Enterprises  need  to  interact  directly  with  their  customers,   partners,  and  employees  whenever  and  wherever  they  are.     This  trend  has  transformed  the  way  enterprises  deal  with   distributed  data  availability  and  data  security.    Mobility  is  being   embraced  by  end  users  and  business  leaders  alike,  and  IT   departments  are  left  with  the  balancing  act  of  securing  sensitive   or  confidential  enterprise  data  and  ensuring  productivity.     Enterprises  gain  a  competitive  advantage  by  immediate  access   to  the  information  and  applications  necessary  to  act  quickly.       The  need  to  make  sensitive  or  confidential  data  conveniently   transportable  and  available  for  distribution,  has  led  to   widespread  use  of  USB  flash  drives  and  new  security  product  form  factors,  to  physically  move  data  from   data  centers  to  desktop,  laptop,  tablet  computers  and  smartphones,  whether  in  the  office,  the  field,  or  at   home.    
Such  mobility  obviously  exposes  this  data  to  physical  loss  through  device  loss  or  theft,  or  electronic   loss  through  malicious  cyberattacks,  even  under  restricted  access  rules  governed  by  other  hardware  and   software  solutions.       There  is  little  need  to  emphasize  or  justify  the  importance  of  protecting  such  data  from  compromise.     International  cyberattacks  and  cybercrimes,  funded  by  hostile  or  IP-­‐hungry  nation-­‐states,  increase  yearly   and  cost  a  law-­‐abiding  nation’s  economy  billions  of  dollars  and  hundreds  of  thousands  of  jobs.      The   impact  of  data  theft  and  loss  of  the  technology  and  know-­‐how  that  fuels  competitive  advantages,  will  be   felt  for  years  to  come  and  again  emphasizes  the  need  for  protecting  and  securing  sensitive  information   against  compromise  and  vulnerabilities,  especially  when  such  data  appears  in  mobile  devices.       Why  use   SEMS?  
  • 6.   Trusted  Security  To  the  Edge   SPYRUS,  Inc.  Proprietary   3     Commercial-­‐In-­‐Confidence       SPYRUS  Enterprise  Management  System  addresses  an  organization’s  security  concerns  about  data   mobility.     Centralized  Device  Management   With  ever-­‐increasing  storage  capacities,  the  consequences  of  losing  a  mobile  storage  device  containing   sensitive  information,  passwords,  or  cryptographic  keys  can  be  extremely  destructive  to  the  data  owner.     Polices  for  the  encryption  of  sensitive  unclassified  data  while  at-­‐rest  on  mobile  computing  devices  and   removable  storage  media  provide  one  important  step  toward  achieving  higher  assurance  security  for  data   stored  in  a  portable  USB  drive  media.    For  endpoint  protection,  SPYRUS  encrypting  and  bootable  USB   drives  provide  what  is  technically  provable  as  the  strongest  commercially  available  cryptographic  security   for  stored  data.     However,  such  policies  do  not  protect  against  a  rogue  employee  storing  large  amounts  of  valuable  data  on   a  device  and  walking  out  the  door  with  it.    With  millions  of  vetted  personnel  having  access  to  sensitive  and   unclassified  data  over  hundreds  of  networks,  current  events  demonstrate  that  there  are  high  probabilities   of  individual  compromise  for  personal,  financial,  or  political  gain.    The  key  is  to  choose  a  solution  that   meets  corporate  data  governance  and  compliance  needs  as  well  as  end  user  expectations.     
The  SPYRUS  SEMS  remote  device  management  system  addresses  this  example  by  selectively  enforcing  a   policy  of  operation  which  precludes  off-­‐line  device  operation,  and  together  with  a  command  to  either   disable  or  “kill”  a  device,  can  render  the  data  absolutely  inaccessible  by  such  a  rogue  employee  as  soon  as   use  of  the  device  is  attempted.    Even  loyal  employees  sometimes  forget  about  security  and  carelessly   leave  their  devices  or  device  passwords  exposed  and  unattended.    SEMS  addresses  this  issue  by  disabling   the  device  and  only  allowing  re-­‐enabling  using  strong  authentication  protocols  and  change  password   protocols  between  the  legitimate  device  holder  and  the  organizational  administrator.       A  suite  of  screens,  allows  passwords  and  BitLocker  recovery  keys  to  be  securely  recovered,  monitoring  of   status  and  device  usage,  and  issuing  customized  policies  to  individual  devices,  groups  of  devices,  or  users,   according  to  organizational  criteria.  Password  policies  mandate  characteristics  and  duration  of  passwords.   Expiry  policies  can  be  set  to  disable  or  destroy  devices  within  a  set  period.  An  offline  policy  defines  how   many  times  a  device  can  be  used  before  re-­‐establishing  a  connection  with  SEMS  or  risk  being  disabled   when  the  offline  logon  count  threshold  is  exceeded.  Devices  can  be  managed  and  audited  regardless  of   location,  and  the  organization’s  security  policies  enforced  whether  or  not  a  device  is  connected  to  a   network.  
Device and User Activity Auditing

For corporate security, it is also important to audit a user's actions as well as to control access to the use of the device. SPYRUS encrypting storage drives also contain the facility for capturing the metadata for all file transfers as well as off-line user activity. By capturing logon and logoff activities, device disable and enable actions, and password and BitLocker recovery actions, and storing them within the SEMS database, the organization can use its own SIEM (Security Information and Event Management) software to permit event monitoring and notification at the user and device levels, to detect suspect operational behaviors, and to take corrective actions, including destroying a device in the hands of the user. Audited transactions can also be searched and reports created using the SEMS Management Console. SEMS Management Console user activities are monitored, including security configuration events such as adding console users, assigning them to or removing them from groups, and changing passwords.

Policy and Privilege Enforcement

For large organizations, both global and national, policies differ based on operational mission, local and national regulations, data classifications and specific project needs. Deploying devices with sensitive data requires that usage policies obey the rules of data access and usage.
SEMS management is performed based upon "Group" principles, allowing groups to be defined that represent geographical or organizational structures, so that each organization's security policies can be applied to the appropriate group or groups of devices within the SEMS system, referred to as SEMS Groups or SEMS Sub-groups. The policies are downloaded and stored on the device, and are enforced whether or not a device is connected to the SEMS network. The SEMS Group structure supports the ongoing industry trend toward virtualization of IT functions across geographic and system boundaries, such as those proposed for Software Defined Networks (SDN), Network Function Virtualization (NFV) and other emerging paradigms. The SEMS enterprise hierarchical architecture facilitates this national and organizational device policy definition and control, so that multiple SEMS Management Console help desks can be deployed. Administration is controlled at Group level, whereby console users are assigned to manage a specific group or groups of devices. Group separation is supported in that console users assigned to manage one group cannot see or manage data in another group without the appropriate permissions. Roles and privileges authorize different levels of device control, e.g., device disablement or destruction decisions.

Cost Effectiveness and Reliability

Minimizing the labor costs of operations is an important SEMS consideration in deploying scalable device management systems. System administrators primarily operate in a demand-based environment, taking actions to control USB device usage based on user-driven operational help requests, threat circumstances, or organization-driven policy changes.
The comprehensiveness of SEMS Management Console controls provides real-time responsiveness to users or to monitored alarm events without reliance on other IT staff or vendor support. User-based device initialization and registration procedures permit large-scale deployments without overloading IT staff and console users.

To minimize an organization's total life-cycle costs of remote management, SPYRUS has built SEMS in conformance with the scalable Microsoft IT ecosystem, employing Windows IIS and SQL servers and a domain controller distributed architecture, and using the supporting Microsoft IT configuration software, so that the SEMS system can be globally installed, deployed, supported and maintained as a centralized or cloud-based configuration without dependence upon specialized operating systems and server components. This is critical to offering reliable, responsive and supportable global, national or organizational control over corporate and personal IT information assets, which must be protected as they travel all over the world.

Data Access Control and Security

In remote device management systems, where one or more administrators manage hundreds or thousands of USB flash drive devices in the hands of data recipients, global client-server architectures and networks are employed for monitoring and controlling the operation of the secure devices. Consequently the "security boundary" to defend against access vulnerabilities increases dramatically to cover the entire network envelope. This requires that the system that manages and controls user access to USB device data should not itself be the "weakest link", more vulnerable as a targeted attack point than the device being protected. To meet this need, SEMS is uniquely developed upon international government-approved next-generation cryptographic algorithms such as AES-256, ECDH P-384, and SHA-256 to protect data transfers among clients and servers.

The SPYRUS SEMS client-server communications architecture employs an exclusive "Defense-in-Depth" solution.
This exclusive layered architecture incorporates a SEMS server-based SPYRUS Security Module Service for the cryptographic key management that protects all sensitive information between client devices and server elements. In addition, HTTPS protocols are employed in combination with the hardware-enforced SPYRUS SECX protocol to add session-based digital signature and content encryption to the secure HTTPS tunnel, to mitigate man-in-the-middle attacks against command and control, password recovery and change operations, and device audit communications throughout the network.

What is SEMS?

SEMS is a combination of software and hardware services separated by functional responsibilities. These services communicate with each other to collectively provide a robust device management system. The architecture is designed to easily grow and accommodate new functions and services rapidly.

System Architecture

SEMS has been developed with a number of key architectural forces in mind.
• Designed from the ground up as a distributed system. The SEMS server components can easily be distributed across an enterprise network. It is designed as a flexible set of distributable components.
• Uses HTTPS and TCP channel authentication as transport mechanisms for messages between Server and Client components. This means software components will work behind firewalls and should be easily integrated into an enterprise's network.
• Designed with security in mind. All Client/Server communications are performed using HTTPS and further authenticated using SECX. The password recovery mechanisms use ECC and the Security Module Service to strongly protect passwords.
SEMS Management Console

The SEMS Management Console is a web-based management interface that allows console users to manage SEMS-enabled devices. From this console, policies can be set to allow devices to be enabled, disabled or destroyed, passwords and BitLocker recovery keys to be retrieved, and audit log entries to be viewed. SEMS Management Console logon can be configured to use either password or Rosetta® USB/Smart Card authentication.

SEMS Server

The SEMS Server is a collection of independent services working together to provide a robust device management system. It consists of three core components:
• SEMS Service
• SEMS Audit Service
• SEMS Management Console
These are installed within a Windows Internet Information Server (IIS) and are implemented using the .NET Framework. SEMS client devices initially use the SEMS Service to register with SEMS and obtain policy settings. The SEMS Audit Service records details of the client registration event. Once registered, client devices regularly interrogate the SEMS Service to discover whether outstanding device actions are pending (e.g. disable, destroy, policy update, etc.). If any actions are pending, these commands are delivered to the device. All SEMS Client action events are recorded by the SEMS Audit Service. SEMS Registration is the process by which SEMS Clients transparently opt in to be managed by SEMS. There are two aspects to registration: device registration and user registration.
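What a console user can see and do is scoped by the SEMS Group model described under Policy and Privilege Enforcement: a role held on a group applies to that group's sub-groups, devices in other groups are invisible, and disable and destroy are separate privileges. The following Python is an added model of that scoping and is not SEMS code; the group names, role names and the permission set attached to each role are assumptions, chosen to show sub-group inheritance and the separation between a help-desk role that may disable a device and a security-officer role that may destroy one.

```python
"""Added model of group-scoped console administration (not SEMS code).
Group, role and permission names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Roles map to permission sets; "destroy" is deliberately held by one role only.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "auditor": {"view"},
    "helpdesk": {"view", "recover_password", "disable", "enable"},
    "security_officer": {"view", "recover_password", "disable", "enable", "destroy"},
}


@dataclass
class Group:
    name: str
    parent: Optional[str] = None          # None for the enterprise root


class ConsoleDirectory:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.devices: Dict[str, str] = {}                 # serial -> group
        self.assignments: Dict[str, Dict[str, str]] = {}  # user -> {group: role}

    def add_group(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.groups:
            raise KeyError(f"parent group {parent!r} does not exist")
        self.groups[name] = Group(name, parent)

    def add_device(self, serial: str, group: str) -> None:
        if group not in self.groups:
            raise KeyError(f"group {group!r} does not exist")
        self.devices[serial] = group

    def assign(self, user: str, group: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS or group not in self.groups:
            raise KeyError("unknown role or group")
        self.assignments.setdefault(user, {})[group] = role

    def lineage(self, group: str) -> List[str]:
        """The group itself followed by its ancestors up to the root."""
        chain: List[str] = []
        current: Optional[str] = group
        while current is not None:
            chain.append(current)
            current = self.groups[current].parent
        return chain

    def permissions(self, user: str, group: str) -> Set[str]:
        """A role held on a group applies to all of its sub-groups."""
        perms: Set[str] = set()
        for g in self.lineage(group):
            role = self.assignments.get(user, {}).get(g)
            if role is not None:
                perms |= ROLE_PERMISSIONS[role]
        return perms

    def visible_devices(self, user: str) -> Set[str]:
        return {s for s, g in self.devices.items()
                if "view" in self.permissions(user, g)}

    def authorize(self, user: str, serial: str, action: str) -> bool:
        """Deny by default. An unknown serial is answered exactly like a
        device in another group, so the check leaks nothing across groups."""
        group = self.devices.get(serial)
        if group is None:
            return False
        return action in self.permissions(user, group)


def build_sample_directory() -> ConsoleDirectory:
    """Constructed sample: one root, two regions, one national sub-group."""
    d = ConsoleDirectory()
    d.add_group("Corp")
    d.add_group("EMEA", parent="Corp")
    d.add_group("EMEA-UK", parent="EMEA")
    d.add_group("Americas", parent="Corp")
    d.add_device("SN-EU-1", "EMEA")
    d.add_device("SN-EU-2", "EMEA-UK")
    d.add_device("SN-US-1", "Americas")
    d.assign("alice", "EMEA", "helpdesk")
    d.assign("bob", "EMEA-UK", "auditor")
    d.assign("carol", "Corp", "security_officer")
    return d
```

In the sample, the help-desk user on EMEA sees the UK sub-group's device but cannot destroy it, the UK auditor sees only the UK device, and only the security officer assigned at the root can destroy anything. Every console decision in the model goes through authorize(), so the same check that filters the device list also gates each action.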
A set of registration policies is designed to aid the SEMS client registration process where:
• Devices are to be registered in SEMS Groups other than the domain to which the logged-on user's Windows Logon Account belongs, and/or
• The communication network of the device might not have access to a server where the DNS name for the SEMS Server can be resolved.
SEMS Registration Policies work within the Windows Group Policy Management tool. As such, they can readily be pushed out by Windows Domain or by Windows Organizational Unit, as appropriate for enterprise configuration and organizational device management directives. Alternatively, SEMS Registration Policy can be set within the Local Policy of individual Windows To Go drive units.

After successful SEMS registration, the SEMS database contains such details as the SEMS Group to which registration was performed, the device type and serial number, and the Windows logon account name of the person who registered the device. Only SEMS Management Console users who are assigned management roles within the registered SEMS Group have visibility of the registered device and its owner. The SEMS Client receives and enforces, from the SEMS Service, the security policies of the registered SEMS Group or SEMS Sub-group.

Devices that are to be managed by SEMS can reside on networks that are external to the SEMS server's network. In these instances, the SEMS Service can be configured to permit access from specific networks in order for those devices to register with SEMS. Here, network IP address filtering is implemented by adding a comma-separated list of the allowed external IP addresses and their corresponding subnet masks to the SEMS Service's configuration.

There may be instances where a fixed IP address, or even an IP address range, cannot be predicted, in particular where users of Windows To Go drive units are allowed to operate offsite in a home office environment; or an alternative to configuring numerous different IP filters might be sought. In these instances, pre-registration of SEMS Client devices can simplify what might otherwise be a prohibitive registration process. Here, the device registration component of SEMS Registration is achieved by pre-populating the SEMS database with details of those SEMS Client devices for which user registration is allowed to be completed outside of the SEMS Server's domain network. Device pre-registration can be performed on an individual basis at the SEMS Management Console.
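A registration allow-list of the kind described above is only as good as the parsing behind it: a mask typed as 255.0.255.0, or an entry that cannot be parsed at all, should stop the service at configuration time rather than be silently widened or ignored at run time. The following Python is an added example and not the SEMS Service's own configuration parser; the entry syntax it accepts (address/mask or address/prefix, comma-separated, with a bare address meaning a single host) is an assumption, and the sample addresses are RFC 5737 and RFC 3849 documentation ranges.

```python
"""Added example of registration allow-list parsing (not SEMS code).
Entry syntax is an assumption; sample addresses are documentation ranges."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(setting: str) -> List[Network]:
    """Parse "addr/mask" or "addr/prefix" entries separated by commas.

    A bare address is treated as a single host. Non-contiguous masks and
    unparsable entries raise ValueError so that a bad setting fails closed
    at start-up instead of admitting more networks than intended.
    """
    networks: List[Network] = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate a trailing comma
        if "/" not in entry:
            entry += "/128" if ":" in entry else "/32"
        try:
            # strict=False reads 203.0.113.5/255.255.255.0 as 203.0.113.0/24,
            # i.e. host bits in the address part are ignored, not rejected.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad allow-list entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(peer_address: str, allow_list: List[Network]) -> bool:
    """Decide on the transport-level peer address of the connection.

    The value must come from the socket, never from a client-supplied
    header, or the filter can be bypassed by anyone who can set that header.
    """
    try:
        addr = ipaddress.ip_address(peer_address)
    except ValueError:
        return False                      # unparsable peer: deny
    return any(addr in net for net in allow_list)
```

Address family mismatches are handled by the standard library: an IPv4 peer is never contained in an IPv6 network and vice versa, so mixing families in one list is safe.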
Alternatively, multiple device registration can be achieved through the use of a script to import device details directly into the SEMS Database.

SEMS Security Module Service

SEMS provides a Security Module Service for access to encrypted data, primarily decryption and encryption of device authentication user passwords and BitLocker recovery keys, as well as other system security data. The service also manages the SEMS Site License. The Security Module Service provides the option of a Software Security Module or a Security Module that uses the SPYRUS Rosetta USB HSM.

The Software Security Module provides a fast and secure key management infrastructure and supports limited access through the use of a managed service account (see below). The Software Security Module is intended for SEMS product trials or installations where a hardware security module is not necessary or not supported. When used with a Rosetta HSM, the Security Module Service can only access keys when the HSM is present and unlocked. Without the Rosetta HSM, the keys required for password recovery cannot be recovered, thus making password recovery impossible. Communication with the Security Module Service can be configured to require authentication. A local or managed Windows service account can specifically be created for this purpose, and then configured for use in communications between the Security Module Service and the SEMS Service and the SEMS Management Console. Configuring the Software Security Module with a managed service account provides the best isolation of the SEMS service from other services running on the same machine.
For disaster recovery, the Security Module Service provides a backup and restore mechanism. During initial configuration of the Security Module Service, a backup of the HSM is created and stored off-line in a secure location. For additional security, SPYRUS recommends that the SPYRUS PocketVault® P3X encrypted USB 3.0 drive be used for all backups.

SEMS Database

SEMS utilizes three database components. The first, the enterprise database, stores status and security information regarding devices, users, groups and device actions. It is the main data repository for the management of devices and users in the SEMS system. It is constantly in a state of update and change as events occur in the SEMS system. Key data elements are encrypted and require the decryption services of the SEMS Security Module Service. The second is the audit database, which records all audit events on the system, i.e. device and SEMS Management Console activities. The database has permissions for read and write only, i.e. modify permissions on the stored audit data are denied. The final database is the security database, where all console user and role information is stored. It is used in authenticating SEMS Management Console users and determining their roles within the system.

SEMS Clients

To operate with SEMS, SPYRUS portable USB devices require SEMS Client software to be installed and configured. For SPYRUS Windows To Go drive units, this is the SEMSforWTG software module. All PocketVault P-384 devices are supplied with an in-built SEMS Opt-in option. SEMS Client software is compatible with 32-bit and 64-bit Windows 8, 8.1 and 10 operating systems.

SEMS-enabled devices include:
• WorkSafe™
• WorkSafe Pro™
• Secure Portable Workplace™
• Portable Workplace™
• PocketVault P-384
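The audit database described above has two properties worth seeing together: records can be added and read but never modified, and the stored events are the raw material for the SIEM-style detections described under Device and User Activity Auditing. The following Python is an added example serving both passages and is not SEMS code: the schema, the event names and every sample event are constructed for illustration, and the immutability is enforced with SQLite triggers as a stand-in for the server-side permission model the page describes. Two detections run over the store: a burst of password or BitLocker recoveries against one device, and a logon attempt against a device that has been disabled and not re-enabled.

```python
"""Added example (not SEMS code): an insert-only audit store and two
detections a SIEM might run over it. Schema, event names and all sample
events are constructed for illustration."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE audit_event (
    id            INTEGER PRIMARY KEY,
    ts            TEXT NOT NULL,   -- ISO 8601, UTC
    actor         TEXT NOT NULL,   -- device user or console user
    device_serial TEXT,            -- NULL for console-only events
    event         TEXT NOT NULL,
    outcome       TEXT NOT NULL    -- success / failure
);
-- "Read and write only": UPDATE and DELETE are refused by the store itself,
-- so a compromised console account cannot rewrite history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit records are immutable'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit records are immutable'); END;
"""

# Constructed sample events: (ts, actor, device_serial, event, outcome)
SAMPLE_EVENTS: List[Tuple[str, str, Optional[str], str, str]] = [
    ("2016-01-11T08:00:00Z", "alice",     "SN-0001", "logon",              "success"),
    ("2016-01-11T08:05:00Z", "alice",     "SN-0001", "logoff",             "success"),
    ("2016-01-11T09:00:00Z", "helpdesk1", "SN-0002", "password_recovery",  "success"),
    ("2016-01-11T09:10:00Z", "helpdesk1", "SN-0002", "password_recovery",  "success"),
    ("2016-01-11T09:20:00Z", "helpdesk1", "SN-0002", "bitlocker_recovery", "success"),
    ("2016-01-11T10:00:00Z", "secadmin",  "SN-0003", "disable",            "success"),
    ("2016-01-11T10:30:00Z", "bob",       "SN-0003", "logon",              "failure"),
    ("2016-01-11T11:00:00Z", "secadmin",  "SN-0004", "disable",            "success"),
    ("2016-01-11T11:30:00Z", "secadmin",  "SN-0004", "enable",             "success"),
    ("2016-01-11T11:45:00Z", "carol",     "SN-0004", "logon",              "success"),
    ("2016-01-11T12:00:00Z", "secadmin",  None,      "console_user_added", "success"),
]


def open_audit_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn: sqlite3.Connection, ts: str, actor: str,
           serial: Optional[str], event: str, outcome: str) -> None:
    conn.execute(
        "INSERT INTO audit_event (ts, actor, device_serial, event, outcome) "
        "VALUES (?, ?, ?, ?, ?)", (ts, actor, serial, event, outcome))


def tamper_is_refused(conn: sqlite3.Connection) -> bool:
    """Try to alter and to delete a row; True if the store refused both."""
    refused = 0
    for stmt in ("UPDATE audit_event SET outcome = 'success' WHERE id = 7",
                 "DELETE FROM audit_event WHERE id = 7"):
        try:
            conn.execute(stmt)
        except sqlite3.DatabaseError:     # RAISE(ABORT) surfaces as IntegrityError
            refused += 1
    return refused == 2


def recovery_burst(conn: sqlite3.Connection, max_per_device: int = 2) -> List[str]:
    """Devices whose password/BitLocker recoveries exceed the allowed count."""
    rows = conn.execute(
        """SELECT device_serial FROM audit_event
           WHERE event IN ('password_recovery', 'bitlocker_recovery')
           GROUP BY device_serial HAVING COUNT(*) > ?
           ORDER BY device_serial""", (max_per_device,))
    return [r[0] for r in rows]


def use_after_disable(conn: sqlite3.Connection) -> List[str]:
    """Devices with a logon attempt after a disable and before any enable."""
    rows = conn.execute(
        "SELECT device_serial, event FROM audit_event "
        "WHERE device_serial IS NOT NULL ORDER BY ts, id")
    disabled, flagged = set(), []
    for serial, event in rows:
        if event == "disable":
            disabled.add(serial)
        elif event == "enable":
            disabled.discard(serial)
        elif event == "logon" and serial in disabled and serial not in flagged:
            flagged.append(serial)        # any outcome counts: the attempt matters
    return flagged
```

The second detection keys on the attempt rather than on its outcome: a device should refuse a logon once disabled, so a failed logon after a disable is exactly the signal that someone still holds the device and is trying it, which is the case the page's "destroy a device in the hands of the user" response is meant for.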
The communications between the client and the server employ a "Defense-in-Depth" layered architecture that includes authentication, robust key establishment, a rekeying interval, and security wrappers for critical communication. The additional layers of protection are implemented to protect against failures in traditional HTTPS security.
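One of those wrappers, session-level integrity and replay protection carried inside the HTTPS tunnel, can be sketched with the standard library alone. The following Python is an added example; it is not the SECX protocol and not SPYRUS code. It uses an HMAC-SHA256 tag in place of the session-based digital signature the page describes, leaves the AES-256 content-encryption layer out, and assumes a session secret of the kind ECDH P-384 key agreement would produce; the rekey interval, message format and key-derivation labels are assumptions. What it does show is why the wrapper helps even when HTTPS fails: a replayed or altered command is rejected by the receiver, and the key is ratcheted forward at a fixed interval so that an earlier key is never reused.

```python
"""Added example (not SEMS/SECX code): a session integrity wrapper with
sequence numbers and a fixed rekey interval. The session secret stands in
for an ECDH-derived key; labels, format and interval are assumptions."""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

REKEY_INTERVAL = 4        # messages per key epoch (assumption, small for the demo)
MAX_EPOCH_SKIP = 16       # beyond this the receiver demands a fresh session


def _ratchet(key: bytes) -> bytes:
    """One-way step to the next epoch key; the previous key is discarded."""
    return hmac.new(key, b"sems-demo|ratchet", hashlib.sha256).digest()


def _tag(key: bytes, seq: int, epoch: int, body: Any) -> str:
    """Tag over a canonical encoding so field order cannot be abused."""
    canon = json.dumps({"seq": seq, "epoch": epoch, "body": body},
                       sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def _initial_key(session_secret: bytes) -> bytes:
    return hmac.new(session_secret, b"sems-demo|epoch-0", hashlib.sha256).digest()


class Sender:
    def __init__(self, session_secret: bytes) -> None:
        self.key, self.epoch, self.seq = _initial_key(session_secret), 0, 0

    def wrap(self, body: Any) -> Dict[str, Any]:
        self.seq += 1
        while self.epoch < (self.seq - 1) // REKEY_INTERVAL:   # rekey on schedule
            self.key, self.epoch = _ratchet(self.key), self.epoch + 1
        return {"seq": self.seq, "epoch": self.epoch, "body": body,
                "tag": _tag(self.key, self.seq, self.epoch, body)}


class Receiver:
    def __init__(self, session_secret: bytes) -> None:
        self.key, self.epoch, self.last_seq = _initial_key(session_secret), 0, 0

    def unwrap(self, msg: Dict[str, Any]) -> Tuple[bool, str]:
        """Returns (accepted, reason). State advances only on acceptance."""
        seq, epoch = msg.get("seq"), msg.get("epoch")
        if not isinstance(seq, int) or not isinstance(epoch, int):
            return False, "malformed"
        if seq <= self.last_seq:
            return False, "replay"            # old or duplicated message
        if epoch != (seq - 1) // REKEY_INTERVAL:
            return False, "epoch-mismatch"    # epoch must follow from seq
        if epoch - self.epoch > MAX_EPOCH_SKIP:
            return False, "resync-required"   # too many messages lost
        key = self.key                        # derive the candidate key first,
        for _ in range(epoch - self.epoch):   # commit it only if the tag checks
            key = _ratchet(key)
        expected = _tag(key, seq, epoch, msg.get("body"))
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad-tag"           # altered in transit
        self.key, self.epoch, self.last_seq = key, epoch, seq
        return True, "ok"
```

Two design points carry over to any such wrapper: a rejected message must not advance the receiver's state, or an attacker could desynchronize the session by injecting garbage, and the tag comparison uses a constant-time compare so timing does not leak how much of a guessed tag was right.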
Conclusion

The SPYRUS Enterprise Management System provides a fully featured and scalable system for device management. It can be scaled for global operations, can be operated from the Cloud or on site, can be structured to meet organizational boundaries and roles, can be integrated with Active Directory or run independently, and can be implemented in a robust high-availability environment. It provides the tools necessary for large or small organizations to manage their SPYRUS encryption devices and provides the assurance that, whatever happens, the data on these devices will be protected.

The benefits to an organization that selects SEMS to manage devices include:
1) administrative separation of roles and duties, and control over the devices to meet corporate security policies;
2) easy registration and deployment of devices on a global basis;
3) leveraging existing Microsoft ecosystem investments;
4) configurable policies to protect data access, usage, encryption, password rules, and more, from a centrally managed console;
5) management of on-line, off-line, and expiration usage; and
6) allowing users to easily reset passwords from remote locations without destroying the data stored on the device.

SPYRUS invites you to visit www.spyrus.com/sems and listen to the video or request a demonstration of the SEMS system in action on Azure at http://www.spyrus.com/more-info/.