WiseGuard Mobile Protect - windowsecurity.com
A Bull Evidian White Paper

Evidian Data Privacy

By Dominique Castan January 2007

Version 01

Summary

WiseGuard Mobile Protect

WiseGuard File Encryption



© 2007 Evidian

© 2007 NEC

The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a

commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication.

This is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

We acknowledge the rights of the proprietors of trademarks mentioned in this book.


39 A2 86LT Rev00 3

Evidian Data Privacy

Contents

Introduction
WiseGuard Mobile Protect
    Protect your workstation
        Media Key authentication method
        Password authentication method
        Lock your workstations
        Prevent theft of workstations and devices
    Protect sensitive information
        File encryption
    Administration
        Centralized mode
        Standalone mode
    Support tools
        Media key backup
        Workstation backup
        File recovery
    Advantages
WiseGuard File Encryption
    Encryption
        Automatic encryption
        Autopilot encryption
        Share keys with colleagues
        Self-decryption for external work teams
    Administration of keys
        Role-based management
        Permissions
        Distribution and recovery of keys
        Validity of keys
    Advantages


Introduction

As workforces become increasingly mobile and data-transfer technologies make corporate data ever more accessible, there is a real risk of data loss, data theft, or illegal access to sensitive information:

When a person copies files containing your product specifications, financial transactions or price lists to a simple USB key

When a sales manager downloads from his or her hotel the latest presentation of your company strategy

When a sub-contractor obtains from a web meeting the latest R&D plans for a sensitive project

When a doctor copies a patient’s healthcare information to his or her mobile workstation via a Wi-Fi connection.

In all cases, the real cost is the value of the lost information. This cost can be very high if this sensitive data ends up with a competitor.

To increase the productivity of its workforce, a company must make information easier to share and transfer between employees (e.g. sales managers, R&D, engineers, marketing people), and between employees and external partners (e.g. consultants, suppliers, resellers).

However, the resulting productivity gains and cost savings should not be obtained to the detriment of security.

Evidian’s Data Privacy solution enables enterprises to attain both their security and mobility targets with two complementary modules:

WiseGuard Mobile Protect: this module secures both fixed and mobile workstations. It controls access to workstations thanks to a removable device containing a security key. Moreover, Mobile Protect encrypts sensitive information on a workstation and prevents data theft.

WiseGuard File Encryption: for securing sensitive information as part of collaborative work. This module allows employees to encrypt sensitive data shared or transferred between members of a project, workgroup, or business process.

WiseGuard Mobile Protect and WiseGuard File Encryption are software-only solutions. They can be purchased independently or as a supplement to other WiseGuard modules such as SSOWatch, Advanced Login, and Mobile E-SSO.

The purpose of this document is to show how the Evidian Data Privacy solutions secure desktops and mobile workstations while increasing the security of data shared or transferred as part of a company’s collaborative work.


WiseGuard Mobile Protect

WiseGuard Mobile Protect secures both fixed and mobile workstations.

WiseGuard Mobile Protect (see Figure 1) is a software-only solution for Windows XP and Windows 2000 workstations. No additional hardware is required. WiseGuard Mobile Protect can be combined with other WiseGuard components such as SSOWatch, Advanced Login, and Mobile E-SSO.

Figure 1. WiseGuard Mobile Protect overview

WiseGuard Mobile Protect controls access to workstations thanks to a removable device containing a security key. Moreover, Mobile Protect encrypts sensitive information on the workstation and prevents data theft.

[Figure 1 elements: PC; removable media; strong authentication; PC lock; encryption of sensitive files; preventing data from being copied to unregistered removable media; administration: configuring PCs via a network, managing keys on a server]


Protect your workstation

WiseGuard Mobile Protect secures a workstation against unauthorized access.

To access the workstation and then be able to read encrypted files or encrypt new files, an employee must unlock the workstation with a Mobile Protect key stored on a removable device, or with a Mobile Protect password.

Media Key authentication method

The security key is generated during the WiseGuard Mobile Protect installation process and is stored on removable media such as a USB key, PC-CARD, removable hard disk, or DVD-RAM.

The Media Key authentication procedure is as follows:

Step 1: the employee presses Ctrl + Alt + End

Step 2: the employee must insert the removable device containing the security key used to lock the workstation.

Step 3: the employee must enter the standard Windows credential in the Windows login field (e.g. password, PIN code, certificates included in a smart card).

At the end of the authentication procedure, the employee can work and activate all other Mobile Protect features.


Password authentication method

The employee can also unlock the workstation with a Mobile Protect password. This Mobile Protect password is generated during the installation phase.

The password authentication procedure is as follows:

Step 1: the employee presses Ctrl + Alt + End

Step 2: the employee enters the Mobile Protect password used to lock the workstation.

Step 3: the employee must enter the standard Windows credential in the Windows login field (e.g. password, PIN code, certificates included in a smart card).

At the end of the authentication procedure, the employee can work and activate all other Mobile Protect features.

Media key authentication and password authentication methods cannot be used at the same time. The selected authentication method is taken into account during the WiseGuard Mobile Protect installation process.


Lock your workstations

When the employee steps away, the workstation can be locked by removing the media key from the workstation, or through time-out. In this case, no operation can be performed on the workstation.

Depending on the configuration, the workstation can be unlocked by inserting the media key or by entering the WiseGuard Mobile Protect password.

Prevent theft of workstations and devices

To prevent theft of workstations, WiseGuard Mobile Protect allows you to register the workstations connected to a LAN. If a registered workstation is taken away from that LAN, users are unable to log on to it.

To prevent theft of removable media, WiseGuard Mobile Protect allows you to register your Mobile disks, PC cards, USB keys, Compact Flash cards, and DVD-RAMs. Thus, users are unable to write on unregistered media.

Protect sensitive information

To reinforce security, it is always advisable to combine control of unauthorized access with encryption of sensitive files or folders.

File encryption

The encryption and decryption functions can be used only when authentication has been successfully completed, and the removable Mobile Protect media key is loaded on the workstation (or the Mobile Protect password is entered).


WiseGuard Mobile Protect allows you to encrypt and decrypt files or folders stored on the workstation. It is not necessary to encrypt the entire drive but only the necessary sensitive data.

If a mobile hard disk, PC card, USB key, Compact Flash card, or DVD-RAM has been registered, the user can also encrypt or decrypt files and folders stored on the media.


Employees can send encrypted files to colleagues. If said colleagues do not have WiseGuard Mobile Protect installed on their workstations, they can still read the encrypted files thanks to a Mobile Protect self-decryption runtime.

Administration

The administration of WiseGuard Mobile Protect can be deployed in:

Centralized mode: administration is performed on a central server by central IT managers.

Standalone mode: administration is performed locally by the end-user.

Centralized mode

In centralized mode, WiseGuard Mobile Protect offers administration functions on a centralized administration server. This administration server is not dedicated to WiseGuard Mobile Protect and can be shared with any other applications.

Central IT managers (see Figure 2) define a unified encryption policy. Then they apply this policy to a list of workstations connected to a LAN. Thus, the security information managed on the centralized server is automatically downloaded and installed on a set of workstations.


Figure 2. Centralized mode of Mobile Protect administration

To prevent a workstation from being stolen with its data, IT managers can define a list of workstations that must always be connected to the LAN.

WiseGuard Mobile Protect allows central IT managers to upload key information, for monitoring encryption status. In addition, the IT managers have the possibility to recover encryption keys lost by employees.

On workstations, after media key re-authentication, an employee can create a new encryption key or disable an existing key. Through configuration, this action can be uploaded to be approved by IT managers.

Standalone mode

In standalone mode, WiseGuard Mobile Protect offers local administration functions on employee workstations. The employee configures the media key (and password information) during installation.

When an encryption key is lost, it can be renewed on the workstation.

[Figure 2 elements: Mobile Protect server; A.D. directory; administrator workstation; user workstations]


Support tools

End-users can use several Mobile Protect support tools.

Media key backup

In centralized administration mode, an end-user can back up the workstation media key on a shared folder of the Mobile Protect administration server.

In standalone administration mode, the end-user can back up the workstation media key on removable media.

Workstation backup

A backup and restore tool allows end-users to back up and restore their workstation drives and folders.

File recovery

In case of failure during an encryption or decryption process, the damaged files or folders can be recovered using a file recovery tool.

Advantages

WiseGuard Mobile Protect is more effective than rival solutions because its security mechanisms are not implemented in the BIOS.

Moreover, its recovery functions are more user-friendly since you do not need to encrypt the entire hard disk in order to secure the most sensitive data.


WiseGuard File Encryption

WiseGuard File Encryption secures sensitive information as part of collaborative work.

WiseGuard File Encryption allows employees to encrypt sensitive data shared or transferred between members of a project, workgroup or business process.

WiseGuard File Encryption is a software-only solution for Windows XP and 2000 workstations. No additional hardware is required. WiseGuard File Encryption can be combined with other WiseGuard components such as SSOWatch, Advanced Login and Mobile E-SSO.

Encryption

WiseGuard File Encryption allows end-users to import the encryption keys managed by administrative authorities. Then, WiseGuard File Encryption facilitates encryption and decryption operations.

All the encryption and decryption operations are performed using right-click menus (see Figure 3).

Figure 3. Easy encryption and decryption operations using a right-click menu

Several files or folders can be selected. After one or more files or folders are selected, the encryption operations are listed in the right-click menu. Thus, the end-user can select the key used, and perform encryption or decryption operations.


Automatic encryption

Thanks to WiseGuard File Encryption, end-users can define auto-encryption folders. A dedicated encryption key is associated with each auto-encryption folder.

When one or more files are dragged or copied into an auto-encryption folder, these files are automatically encrypted. A key icon is displayed on such auto-encryption folders.

The solution allows the definition of multiple auto-encryption folders. Thus, if an employee must transfer documents to several work teams, the end-user can associate one dedicated key with each work team.

When a file is dragged or copied onto a removable storage device, the file is automatically encrypted. This feature is useful in that it prevents theft of data on removable storage media.

Autopilot encryption

An autopilot encryption function is available to encrypt files written by save-as operations, for example when the user saves a Microsoft Word document under a new name into an auto-encryption folder.

To do this, a File Encryption mechanism periodically checks the auto-encryption folders and encrypts any unencrypted files it detects there.

Share keys with colleagues

Once an employee has encrypted a sensitive file, the end-user can send this file to a colleague (e.g. by e-mail, Skype, Microsoft Live Messenger). To decrypt the received file, the colleague must share a secret key with the sender (see Figure 4).


Figure 4. Sharing a key with a colleague

To increase security when an employee is working with several work teams, he or she should share different secret keys with each work team. Thus, the employee secures the transferred information and prevents sensitive data from being forwarded to the wrong persons.


For example, for the “sales” organization the sales manager defines a dedicated “sales” auto-encryption folder with a dedicated “sales” key.

For an “affiliate” company, the sales manager defines a dedicated “affiliate” folder with a dedicated “affiliate” key.

Thus, if the sales manager mistakenly sends a “sales” encrypted file containing the discount strategy to a colleague in the “affiliate” company, the “affiliate” company colleague cannot decrypt this file.

Self-decryption for external work teams

When employees must send encrypted files to partners outside the company:

It is not necessary to share a key with an external partner, but only to communicate a security password associated with the encrypted file.

It is not necessary to install File Encryption on external workstations.

With the right-click menu, the employee only has to select a dedicated key, create a self-decryption file, send the document to the external partner, and communicate a security password (see Figure 5).

[Figure 5 elements: Employee to Partner: send files by e-mail, etc.; provide the password by telephone]

Figure 5. Sharing self-decryption files with an external partner

The partner reads his or her mail, saves the self-decryption file on his or her workstation and obtains the security password from the employee. The external partner double-clicks on the self-decryption file and then enters the security password.

To reinforce security, the employee can protect a self-decryption file further by configuring automatic deletion if a certain number of wrong passwords are entered.
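The two mechanisms described above, the autopilot sweep that encrypts whatever plaintext it finds in an auto-encryption folder, and the password-protected self-decryption file that deletes itself after too many wrong passwords, as an added example in Python. This is not Evidian's code and does not reproduce the WiseGuard file format: the WGFE marker, the HMAC-SHA256 counter-mode cipher with encrypt-then-MAC, the PBKDF2 parameters and every function name are this example's own assumptions (a production tool would use AES-GCM from a vetted library). It also carries the caveat a practitioner should keep in mind: in any self-decrypting file the wrong-password counter lives in the copy the recipient holds, so it only deters casual guessing at the keyboard; password strength and a slow key derivation do the real work.

```python
import hashlib
import hmac
import json
import os
import struct
from pathlib import Path
from typing import Optional

# Constructed file marker for this example; it is not the real WiseGuard format.
MAGIC = b"WGFE"
NONCE_LEN, TAG_LEN = 16, 32
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise it for real use


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter)."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh nonce; output = MAGIC || nonce || tag || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + tag + ct


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong key and tampering both fail here."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    h = len(MAGIC)
    nonce, tag, ct = blob[h:h + NONCE_LEN], blob[h + NONCE_LEN:h + NONCE_LEN + TAG_LEN], blob[h + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def sweep_auto_encryption_folder(folder: Path, folder_key: bytes) -> list:
    """Autopilot pass: encrypt every plaintext file under the folder's key, leave encrypted ones alone."""
    done = []
    for path in sorted(folder.iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if data.startswith(MAGIC):
            continue  # already encrypted: repeated sweeps are idempotent
        path.write_bytes(encrypt(folder_key, data))
        done.append(path.name)
    return done


def make_self_decrypting(plaintext: bytes, password: str, max_attempts: int = 3) -> bytes:
    """Package for an external partner: the key comes from the password, not from a shared key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    pkg = {"salt": salt.hex(), "attempts_left": max_attempts, "blob": encrypt(key, plaintext).hex()}
    return json.dumps(pkg).encode()


def open_self_decrypting(path: Path, password: str) -> Optional[bytes]:
    """Partner side: return the plaintext, or None after burning one attempt (file deleted at zero).
    The counter is stored in the partner's own copy, so it limits casual guessing only; the slow
    PBKDF2 and a strong password are what actually protect the content."""
    pkg = json.loads(path.read_bytes())
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(pkg["salt"]), PBKDF2_ROUNDS)
    try:
        return decrypt(key, bytes.fromhex(pkg["blob"]))
    except ValueError:
        pkg["attempts_left"] -= 1
        if pkg["attempts_left"] <= 0:
            path.unlink()
        else:
            path.write_bytes(json.dumps(pkg).encode())
        return None
```

The MAGIC header is what lets the sweep tell an already-encrypted file from a fresh plaintext, so a second pass over the same folder does nothing; the tag check in `decrypt` is what makes a wrong password on the self-decrypting file fail cleanly instead of yielding garbage.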


Administration of keys

WiseGuard File Encryption offers administration functions used to manage the secret keys.

Role-based management

WiseGuard File Encryption provides two administration roles, the “Executive managers” and the “Leaders”. Each role is associated with key creation, distribution, and renewal permissions.

Leaders define the “Staff members” who can import keys, encrypt and decrypt files.

Permissions

Administrator and end-user permissions are defined as follows:

WiseGuard File Encryption   Executive managers   Leaders   Staff members
Create keys                 Yes                  -         -
Distribute keys             Yes                  Yes       -
Renew keys                  Yes                  -         -
Define the members          -                    Yes       -
Import keys                 Yes                  Yes       Yes
Encrypt files               Yes                  Yes       Yes
Decrypt files               Yes                  Yes       Yes

Figure 6. Permissions for administrators and end-users

Distribution and recovery of keys

The Executive Managers are in charge of creating and distributing keys.

The Executive Managers can create three types of keys:

“Executive Manager keys”

When files are encrypted with Executive manager keys, only Executive Managers can decrypt these files.

“Leader keys”

The Executive Managers distribute Leader keys to Leaders.

When files are encrypted with Leader keys, only Executive Managers and Leaders can decrypt these files.


“Division keys”

The Executive Managers distribute Division keys to Leaders.

The Leaders distribute the Division keys to the staff members under their responsibility.

When files are encrypted with Division keys, all Staff members, Leaders and Executive Managers can decrypt these files.

Validity of keys

To limit the use of keys, Executive Managers can require the keys to be renewed. Thus, Executive Managers can define a validity period for each key (e.g. the key is effective until 06/18/2007).

At the end of the validity period, decryption becomes impossible. The Executive Manager must renew the key, and then re-distribute the new key.

To enhance security, when a user leaves the organization or company, the Executive Manager can renew the key shared with this user’s colleagues.
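The key hierarchy, permissions and validity rules of this section (Figure 6 and the paragraphs on key distribution, validity and renewal), as an added example in Python that models the policy rather than the cipher. It is not Evidian's code; the role and tier names, the `KeyAuthority` class and the idea of representing a renewal as a new key version are this example's own assumptions. It makes one consequence explicit that the text leaves implicit: renewing a key after someone leaves protects files encrypted from then on, while files under the old version remain readable by anyone who kept that version until it expires, so rotation is best paired with re-encryption of anything still sensitive.

```python
from dataclasses import dataclass, field
from datetime import date

# Role and tier names follow the paper; every identifier below is this example's own.
EXECUTIVE, LEADER, STAFF = "executive", "leader", "staff"
EXEC_KEY, LEADER_KEY, DIVISION_KEY = "executive", "leader", "division"

# Roles that may decrypt files under each tier of key ("Distribution and recovery of keys").
TIER_ROLES = {
    EXEC_KEY: {EXECUTIVE},
    LEADER_KEY: {EXECUTIVE, LEADER},
    DIVISION_KEY: {EXECUTIVE, LEADER, STAFF},
}


@dataclass
class KeyVersion:
    name: str
    tier: str
    version: int
    valid_until: date
    holders: set = field(default_factory=set)  # principals who have imported this version


class KeyAuthority:
    """Models the Executive Manager / Leader / Staff permissions of Figure 6."""

    def __init__(self) -> None:
        self.roles = {}   # principal name -> role
        self.keys = {}    # (key name, version) -> KeyVersion
        self.latest = {}  # key name -> current version number

    def add_person(self, name: str, role: str) -> None:
        self.roles[name] = role

    def create_key(self, actor: str, name: str, tier: str, valid_until: date) -> KeyVersion:
        """Only Executive Managers create keys; each call yields a fresh version held by the creator."""
        if self.roles[actor] != EXECUTIVE:
            raise PermissionError(f"{actor} may not create keys")
        version = self.latest.get(name, 0) + 1
        kv = KeyVersion(name, tier, version, valid_until, {actor})
        self.keys[(name, version)] = kv
        self.latest[name] = version
        return kv

    def distribute(self, actor: str, name: str, recipient: str) -> None:
        """Executives distribute any key they hold; Leaders pass only Division keys, only to Staff."""
        kv = self.keys[(name, self.latest[name])]
        giver, receiver = self.roles[actor], self.roles[recipient]
        if actor not in kv.holders:
            raise PermissionError(f"{actor} does not hold {name} v{kv.version}")
        if giver == STAFF:
            raise PermissionError("staff members cannot distribute keys")
        if giver == LEADER and not (kv.tier == DIVISION_KEY and receiver == STAFF):
            raise PermissionError("leaders distribute only Division keys, only to staff")
        if receiver not in TIER_ROLES[kv.tier]:
            raise PermissionError(f"a {receiver} may not hold a {kv.tier} key")
        kv.holders.add(recipient)

    def renew(self, actor: str, name: str, valid_until: date) -> KeyVersion:
        """Renewal = a new version with an empty holder list, so a leaver who is not re-issued the
        key reads nothing encrypted from now on. Files under the old version stay readable to
        anyone who kept it until it expires, which is why rotation is paired with re-encryption."""
        current = self.keys[(name, self.latest[name])]
        return self.create_key(actor, name, current.tier, valid_until)

    def can_decrypt(self, person: str, key_ref: tuple, today: date) -> bool:
        """A file carries (key name, version); decrypting needs the role, the key and a valid date."""
        kv = self.keys.get(key_ref)
        if kv is None:
            return False
        return (self.roles[person] in TIER_ROLES[kv.tier]
                and person in kv.holders
                and today <= kv.valid_until)
```

The `valid_until` check is what makes decryption stop at the end of the validity period the paper describes; the holder set on each version is what makes the "renew the key when a user leaves" advice effective for new files only.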

Advantages

WiseGuard File Encryption enables companies and organizations to include information security in their collaborative work strategy.

In addition, thanks to other WiseGuard solutions, companies and organizations can combine and unify the security strategy of their collaborative work policy with their IT security strategy.


For more information, please visit our website http://www.evidian.com/

Email: mailto:[email protected]