
Providing Secure Encryption Technology To The NHS


A Best Practices Model To Assure Effective Deployment
www.mcafee.com

Table of Contents
1. Context
2 Training
3. Consulting
4. Commercial Model
5 Best Practices Model – Implementation Overview
5.1 Phase 1 - Device Encryption
5.2 Phase 2 – Device Control
5.2.1 Installing McAfee Device Control (DLP)
5.2.2 Upgrading Port Control to Device Control
5.3 Phase 3 – Content Encryption

NHS V6 31 July 08

1 Context

Advanced McAfee encryption technology for protecting data and devices has been sold through Trustmarque to
NHS Connecting for Health on behalf of the English NHS. It is the NHS's intention to deploy this technology across
the NHS Trusts over the course of 2008 and 2009, as a matter of priority.

McAfee and Trustmarque wish to assure the NHS Trusts of the highest quality rollout and deployment programme
to ensure a minimum of disruption to end users and maximise effective security protection. Many projects to
implement this technology will be simultaneously in progress across the Trusts. We believe the projects will be
implemented most effectively and smoothly through a carefully planned Best Practices model which places special
emphasis on practical training and implementation support to enable each Trust to plan and deploy with minimum
risk.

McAfee and Trustmarque have worked together to enable the best practices for implementation to be shared and
used by the highest level of accredited partners. Training modules and expert implementation services are
available to Trusts. We believe most Trusts will benefit from procuring accredited and qualified consulting
assistance to help them ensure a high-quality project implementation. The programme also includes live
technical support, on site consulting services and quality assurance validation prior to going into production.

Our Policy Guidelines - Making Encryption Work

1. Minimise risk and ensure proof of concept 'pilot' project familiarity before going into production.

2. Minimise any end user 'down time' and maximise user familiarity with simple encryption principles.

3. Minimise technology risk through 3 stage introduction of encryption technology:

3.1 1st Phase: Endpoint Encryption for Devices

3.2 2nd Phase: Device Control.

3.3 3rd Phase: Endpoint Encryption for File/Folders

McAfee has always advocated a phased approach for the deployment of encryption products. This has
proved successful - with fast results, lower technical overhead and much improved customer results.

4. Ensure online and onsite technical support and quality assurance, as required.

5. Enable simple point of contact and 'Helpdesk' support for first line resolution of technical issues.

2 Training

McAfee has designed training courses for both the implementation and support of Endpoint Encryption.
There are four different training courses available.

Endpoint Encryption Masterclass


1 Day Instructor-Led Training
Designed specifically for the NHS, this course is intended for Endpoint Encryption Administrators and
Support Engineers who already have expertise in implementing and installing Endpoint Encryption. It
will provide upgrade training on the new functionality of Endpoint Encryption. A key focus of this
course is troubleshooting and recovery for Endpoint Encryption.
This course is scheduled to be available at each regional SHA.

ePO and Device Control for Endpoint Encryption


1 Day Instructor-Led Training
Designed specifically for the NHS, this course is intended for Endpoint Encryption Administrators, ePO
Administrators, Data Loss Prevention Administrators and Support Engineers. The integration of these
three products will provide significantly enhanced functionality for Endpoint Encryption and advanced
management and reporting capabilities. The integration of these products will require some upgrade
training for both implementation and support. This course is strongly recommended for both
Administrators and Support Engineers.
This course is scheduled to be available at each regional SHA.

Endpoint Encryption Introduction Training


Internet-Delivered Training
An introductory course that provides an overview and understanding of how to use and support Endpoint
Encryption. It is most suitable for members of the IT team and super users.

Endpoint Encryption Administrator Training


4 Day Instructor-Led Training
This course is designed for members of the project team and Endpoint Encryption Administrators. The
course provides a level of accreditation and competency for both IT staff participating in a deployment
project and partner consulting staff who will be working on delivery projects. This course is a requirement
for McAfee Partners and strongly recommended for NHS Endpoint Encryption Administrators.
This course is regularly scheduled in Chesterfield and Slough and subject to demand can be scheduled in
other centres.

Training can be booked by email to NHStraining@mcafee.com or by telephoning 01753 217472.

3. Consulting

Many qualified Partners will be assisting Trusts in planning and deploying their encryption project. Projects which
are delivered by these Partners will follow the Best Practices methodology and implementation model. At an
overview level, this methodology follows the steps below:-

[Figure: methodology steps: Planning & Analysis, Pilot, Pilot Test & Acceptance Test, Preparing for Production, Production Deploy + Managed Operations]

It is expected that most Trusts will procure specific consulting help to assist them in (or take accountability for)
deploying McAfee encryption using the established Best Practices model.

Partner consulting resources are available for on-site project work on a priced day rate basis and are also
available to assist with appropriate training. These highly qualified resources may be ordered through Trustmarque
on a standard day rate.

Technical design support, deployment problem resolution, course scheduling and overall programme logistics will
be handled through a centralised Services Desk.

Following successful implementation and deployment into production, Trusts may choose to opt for ongoing
managed services to run the encryption implementation on a day-to-day basis against a declared and agreed
service level. These managed services will be made available through qualified partners and can be discussed
further on request.


4. Commercial Model

How to order Implementation Services for McAfee


McAfee and Trustmarque are partnering together in order to ensure the operational success of this programme.
McAfee has established a Project Services Centre which includes the highest level of technical expertise and will
perform the following functions:-

• Help Desk
• All technical updates and communications
• Technical Support for ongoing projects
• Training information and scheduling
• Technical Design Authority
• Post production Healthcheck audits
• Repository of Best Technical Practices

The following transaction chain will occur:-

When a Trust wishes to procure best practices implementation services, they may place an order through
Trustmarque. From this order, a specialist partner is selected through the Project Services Centre and work may
then be scheduled. All technical information regarding best practices and highest level of technical expertise
access is managed through the Project Services Centre. The Trust may be assured the partners selected are of
the highest accreditation and that they have centralised access to expertise to resolve any technical issues
encountered in the implementation project. McAfee/Trustmarque recommends using only the partners who are
accredited in this programme but respect the fact that this is an open commercial choice of the Trust.

[Figure: order flow between NHS Trusts, Trustmarque and Partners A, B and C. Labels: Order Processed; Selection + scheduling of work; Delivery order placed. Legend: MFE SB - Accredited + Qualified. Dated 7/28/2008.]

Multiple, carefully selected Partners with existing McAfee Accreditation and experience are enrolled in the
programme and will be delivering on site consultancy. These Partners have been accredited and are fully committed to
following the Best Practices programme in order to deliver a complete implementation. McAfee and Trustmarque will
ensure quality assurance tests and validation exist prior to production 'go live' and will have a right of review on
Partner delivery work. The review of technical implementation work completed by accredited partners can occur
where a Trust wishes to assure that the highest standards of implementation best practices have been followed
and that the final implementation can be certified for production.

Significant expertise exists to help ensure enough resource to scale out and deliver the implementation of these
projects on time and to budget. Leveraging this partner resource effectively will enable NHS Trusts to meet their
targets on encryption and will ensure a quality standard is achieved. Our partners are committed to this model and
all understand it will enable:-

• Coordinated scheduling of work
• Consistent quality standards of work delivered
• On time results
• Competitive pricing
• Effective training


5 Best Practices Model – Implementation Overview


In this section a brief overview of the proposed best practices model for implementation is given,
together with any issues to be considered. A three-phased approach to encryption projects is proposed
and each phase is considered separately. Further information and detail on each phase can be supplied
as each Trust commences its project planning and engages with the Best Practices programme.

Phase 1 – Device Encryption

Phase 2 – Device Control

Phase 3 – Content Encryption


5.1 Phase 1 - Device Encryption


Description of Technology

McAfee Device Encryption is a sector level encryption solution that can be deployed with limited impact to the
user and Microsoft Windows build. The Microsoft Windows machine is protected against unauthorised access as
it has a pre-boot authentication client which allows only authorised users access to the Microsoft Windows
environment. After the user has authenticated, the operating system will behave in the same fashion as before,
with decryption/encryption taking place on-the-fly and transparent to the end user.

The benefit of this solution is that it does not typically require any testing of applications and understanding of
business work processes in order to implement a full disk encryption solution. It also means that risk
compliance with policy guidelines managing encryption can be achieved quickly across the installed base
estate.

Implementation of McAfee Device Encryption

McAfee recommends the first phase of a complete encryption project should start with a focus on device
encryption. There are two specific points in the approach and delivery of successful device encryption across
the installed base of laptops and personal computers which should be considered:

• Scoping and Assessment. Preliminary preparation and planning work must be done to understand risk
levels and appropriate encryption policy with the user community. This scoping exercise normally
involves approximately 1 day of consultations and also an assessment of the devices installed in the
estate to be encrypted.

• Implementation of the McAfee Management Center and Deployment of McAfee Device Encryption.
The McAfee Management Center is designed to install, manage and deploy all McAfee products
including McAfee Device Encryption, McAfee Content Encryption and McAfee Port Control. The
McAfee Management Center manages machine and user policies for the deployment of McAfee
Device Encryption. This is a full disk (sector level) encryption solution for Windows notebooks and
desktops.

Issues to be considered

The deployment of full disk encryption will satisfy most of the requirements regarding securing the movement
of data held on notebooks (laptops, tablets etc) for the NHS. McAfee considers that starting encryption
projects with device encryption is the most effective and simple introduction for encryption technology. The
following benefits can be achieved:-

• NHS IT support staff become familiar with the administration of the McAfee Management Center.

• NHS IT staff become familiar with the deployment and methodology of McAfee install packages, which
are the same for all of the McAfee products.

• NHS users become familiar with the McAfee Pre-Boot client (PBOS).

The rollout of full disk encryption reduces the level of encryption project complexity in the NHS to ensure a
successful implementation with a minimal impact on the productivity of the end user. This then allows users to
become accustomed to basic encryption and prepares the way to move to a full file and folder content
encryption implementation. The main issues to be considered are similar to the introduction of any new
technology: education, training and new processes to be followed.

Testing of full disk encryption can be expedited relatively quickly by performing a pilot on a representative
selection of all PC platforms within the Trust's estate. This can be planned up front with the implementation
partner.

5.2 Phase 2 – Device Control

Additional functionality with Device Control over Port Control

Device Control (DLP) is tested for use on Windows Vista (32-bit only) operating systems. Port Control will not
install in a Vista environment, and there are no plans to develop Port Control to operate with Windows Vista or
beyond.

Device Control (DLP) works with everything Port Control did and more, with two device types covering more
options than the Port Control product:

• Plug and Play device: a device that can be added to the managed computer without any configuration
or manual installation of DLLs and drivers. Plug and play devices include most Windows devices. Plug
and play device definitions allow you to manage and control most available devices; for example,
Bluetooth, Wi-Fi, and PCMCIA.

• Removable Storage device: any external device containing a file system that appears on the managed
computer as a drive; for example, PDAs, Flash disks, Cameras, iPods/Phones and Sat Nav units.

In addition to white and black listings for device types and device type management, both Port Control and Device
Control (DLP) can block specific device types using USB Vendor ID or Product ID. Device Control can manage
devices using a range of unique device identifiers down to the serial number of a specific device.

See Table Below:


5.2.1 Installing McAfee Device Control (DLP)


Description of Technology

Device Control has rules that allow you to monitor and control external devices and their use in the distribution
of sensitive information. Devices attached to enterprise managed computers — such as smart phones,
removable storage devices, Bluetooth devices, MP3 players, or plug and play devices— can be monitored or
blocked. Use device definitions to control specific devices by fine-tuning the device properties such as the
device class, device PID/VID, or USB class code. Device properties serve as filter criteria for controlling
devices, providing the advantage of using portable devices while maintaining the company policy about
sensitive information. You can create different sets of rules for the enterprise workforce based on roles and
needs. For example while the majority of workers are not allowed to copy enterprise data to removable storage
devices, the IT team can use these devices, and are only monitored by the system. This kind of scenario can
be implemented by using the properties of the specific device with a suitable reaction rule.
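
The scenario above (most staff blocked from removable storage, the IT team only monitored, individual devices singled out by their properties) sketched as an added example; it is not McAfee's code or policy format. The rule fields, group names, device IDs, tie-breaking order and default reaction are assumptions made for illustration; only the reaction names are taken from this document.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# Reaction names from this document, ordered least to most restrictive.
# The ordering is an assumption, used only to break ties between rules.
REACTIONS = ["Monitor", "Notify Admin", "Notify User", "Read Only", "Block"]

# Windows USB device instance ID: USB\VID_xxxx&PID_xxxx[&MI_xx]\<instance>
_USB_ID = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&[^\\]+)?(?:\\(?P<inst>.+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    serial: Optional[str]  # None when the device reports no serial number


def parse_instance_id(instance_id: str) -> Device:
    """Split a USB device instance ID into vendor ID, product ID and serial."""
    m = _USB_ID.match(instance_id.strip())
    if m is None:
        raise ValueError(f"not a USB device instance ID: {instance_id!r}")
    inst = m.group("inst")
    # Without a device serial number Windows generates the instance part
    # itself (it contains '&') and it changes with the port, so it is not
    # accepted as the identity of one specific device.
    serial = inst.upper() if inst and "&" not in inst else None
    return Device(m.group("vid").upper(), m.group("pid").upper(), serial)


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: a device definition, a user group and a reaction."""
    name: str
    reaction: str
    vid: Optional[str] = None
    pid: Optional[str] = None
    serial: Optional[str] = None
    group: Optional[str] = None  # None: the rule applies to every user

    def matches(self, dev: Device, groups: FrozenSet[str]) -> bool:
        wanted = ((self.vid, dev.vid), (self.pid, dev.pid), (self.serial, dev.serial))
        if any(w is not None and w.upper() != (have or "") for w, have in wanted):
            return False
        return self.group is None or self.group in groups

    def specificity(self) -> Tuple[bool, bool, bool, bool]:
        # Compared left to right: a serial match outranks a product match, etc.
        return (self.serial is not None, self.pid is not None,
                self.vid is not None, self.group is not None)


def decide(rules: Iterable[Rule], instance_id: str,
           user_groups: Iterable[str], default: str = "Block") -> str:
    """Return the reaction of the most specific matching rule."""
    # Ties go to the more restrictive reaction; with no match the default
    # applies (fail closed, which is an assumption of this example).
    dev = parse_instance_id(instance_id)
    groups = frozenset(user_groups)
    hits = [r for r in rules if r.matches(dev, groups)]
    if not hits:
        return default
    best = max(hits, key=lambda r: (r.specificity(), REACTIONS.index(r.reaction)))
    return best.reaction


# Constructed policy and device IDs, for illustration only.
POLICY = [
    Rule("no-removable-storage", "Block"),
    Rule("it-team-monitored", "Monitor", group="IT-Team"),
    Rule("approved-model", "Read Only", vid="0ABC", pid="1234"),
    Rule("issued-stick", "Notify Admin", vid="0ABC", pid="1234", serial="SN20080731A"),
]

if __name__ == "__main__":
    for dev_id, groups in [
        (r"USB\VID_FFFF&PID_0001\AAA111", ["Ward-Staff"]),
        (r"USB\VID_FFFF&PID_0001\AAA111", ["IT-Team"]),
        (r"USB\VID_0ABC&PID_1234\SN20080731A", ["Ward-Staff"]),
    ]:
        print(f"{dev_id:36} {groups[0]:10} -> {decide(POLICY, dev_id, groups)}")
```

A device that reports no serial number can never satisfy a serial-level rule, so it falls back to the vendor/product rule or the catch-all.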

Implementation of McAfee Device Control under ePolicy Orchestrator

Installing ePolicy Orchestrator 4.0.

• Install and configure SQL 2005
• Run the ePO 4.0 installer
• Complete the installer Wizard
• Discover Machines within the domain
• Deploy agents

Installing Device Control (DLP) in ePolicy Orchestrator 4.0.

• On the ePO console, go to Configuration.
• Click Extensions, and then click Install Extension.
• Browse to and select the Management Console zip file.
• Click Install Extension again, then browse to and select the Help zip file.

Load policy into ePolicy Orchestrator 4.0.

The first time you open DLP Policy Manager, a wizard runs for first-time initialization.

• In ePolicy Orchestrator 4.0, click Systems, and then click the DLP Policy tab.
• The First Time Initialization wizard appears.
• Configure the DLP Event Collector and the Evidence Storage Paths.
• Configure the Policy Manager web server path.
• Configure the Manual Tagging authorization list.

NOTE: McAfee recommends creating a role-based group in Active Directory, such as DLP Manual Tagging Users,
and using the group when configuring Access Control.

• Type the domain groups and/or users who have rights to use the Manual Tagging feature.
• Validate Entries to confirm your settings.
• Type and confirm a new password for the agent override key.
• Configure the White list.
• Customize the agent pop-up service if desired.

Applying the policy

You are automatically prompted after the initialization to apply the default policy.
The Applying to ePO window appears.

All ePolicy Orchestrator and Device Control (DLP) Agents are deployed to the clients from ePolicy
Orchestrator. In addition, components for Policy Auditor, Endpoint Encryption for PC and Files and Folders, NAC,
VirusScan and other 3rd party applications can also be delivered and, in most cases, managed by ePolicy
Orchestrator.

Issues to be considered

Hardware should always meet or exceed the minimum specification for both servers and agents. Where newly
purchased servers have been utilised for the current Endpoint Encryption, their specifications should meet the
minimum requirements. Where older or shared servers have been utilised, McAfee can advise on their suitability
and scalability for your specific environment.

Hardware requirements

The following hardware is recommended for running McAfee ePolicy Orchestrator with Host Data Loss Prevention
software:

Servers
• CPU: Intel Pentium IV 2.8GHz or higher.
• RAM: 1GB minimum (2GB recommended).
• Hard Disk: 80GB minimum.

Agent Workstations
• CPU: Pentium III 1GHz or higher.
• RAM: 256MB minimum (512MB recommended).
• Hard Disk: 200MB minimum free disk space.
• 100Mbit LAN serving all workstations and the DLP DB server.

Network
• Agents must be able to access port 43000 on the server running the Event Collector Service.
• Administrators running the Event Monitor must be able to access TCP port 43000 on the server running
the Event Collector Service.

The following operating system software is supported:

Servers
• Windows 2000 Server SP4
• Windows 2003 Server Standard (SE) SP1 or later
• Windows 2003 Enterprise (EE) SP1 or later

SQL Server
One of the following:
• Microsoft SQL Server 2005 Standard
• Microsoft SQL Server 2005 Express with Advanced Services (SQLEXPR_ADV.exe)
Microsoft MSXML 6 6.0.3883.0 or higher

NOTE: MSXML 6 is included in Microsoft SQL Server 2005 Standard.

Agent Workstations
• Windows 2000 Professional SP4 or higher
• Windows XP Professional SP1 or higher (32bit only)
• Windows Vista (32-bit only)

Reporting Options

About Reporting
Port Control audits blocked and allowed events to the normal Windows event logs.
In the figure above, Event ID 1 indicates a blocked device whereas Event ID 0 indicates the device was allowed.
You can view or export the audit log using the normal Event Viewer functions and commands. With Port control
there is are centralised reporting options.

McAfee Device Control under ePO offers two reporting options to review events: DLP Reports
and RSS feeds. In addition, you can view information on product properties on the ePO
Dashboard.

DLP Reports
DLP Reports is a web-based application for generating online reports which can then be exported to standard
formats. The application provides the DLP administrator with time-based reports that can be used to summarize
information security events. These summaries can be used for executive-level reports, or can provide insight into
trends in user behavior.
DLP Reports uses Microsoft SQL Server Reporting Services (SSRS) to create reports. For this reason, McAfee
recommends using Microsoft Internet Explorer 6.0 SP1 or Internet Explorer 7.0, with scripting enabled, for viewing
reports, as the complete set of features for working with reports may not be available using other browsers.

RSS feeds
You can monitor DLP events without being logged in to ePolicy Orchestrator. You can set up any RSS reader that
supports authentication to get feeds from the DLP Monitor. You can use DLP Monitor filters to filter results. In
ePolicy Orchestrator 4, RSS feeds can be viewed using RSS Dashboard elements. When you add a new monitor
to a dashboard, a new category is available – DLP RSS Feeds. There are four monitor options:

• Filtered by a DLP Monitor filter
• Latest administrative events
• Latest events
• Latest non-administrative events

For each option, you can configure the number of RSS events to display in the monitor. You must create a named
filter in DLP Monitor before using the “Filtered by...” option.


McAfee ePolicy Orchestrator functionality

With ePolicy Orchestrator all changes are managed centrally, allowing updates to be received by the user while
on the business network without any intervention. From the Administrator's perspective, once the ePO server
is in place and the ePO agent has been deployed, additional agents can be deployed directly from the ePO
management console. Future requirements and product version updates for McAfee VirusScan, Full DLP,
NAC, Policy Auditor or even 3rd party partner products can be deployed and managed in a fraction of the time
traditionally required for new software deployment.

All ePolicy Orchestrator and Device Control (DLP) Agents are deployed to the clients from ePolicy
Orchestrator. In addition, components for Policy Auditor, Endpoint Encryption for PC and Files and Folders, NAC,
VirusScan and other 3rd party applications can also be delivered and, in most cases, managed by ePolicy
Orchestrator.


5.2.2 Upgrading Port Control to Device Control

Migration from Port Control to Device Control will be centrally managed by the Administrator and transparent to
the user. The user will notice differences in the communication of the agent software, although the level of
interaction with the user can be set by the administrator. For example, the Agent can be placed in several modes
of operation: Monitor, Notify Admin, Notify User, Block or Read Only.

ePolicy Orchestrator allows for more flexible control of devices than Port Control, with the added advantage of
offline policy override using a challenge response method. In the event a policy has to be overridden, the
administrator or helpdesk can provide a timed override code to the user regardless of the machine location.
Override codes require business justification forms that can be tracked for reporting purposes.

Uninstalling Port Control Administration Module

Although not absolutely necessary, the removal of the Port Control Administration options from the Endpoint
Encryption Manager can be achieved by running the Endpoint Encryption Manager installer and deselecting the
Port Control components. The same result can be achieved for remote administration console installs if required.

Uninstalling the Port Control Client

To manually remove Port Control:

• Start a command prompt
• Navigate to the directory you installed SafeBoot Port Control 2 to
(normally c:\program files\SafeBoot Port Control or c:\Program files\McAfee)
• Use the command: SBPCSetup.exe -Uninstall

Automated removal of port control

Removal of port control and deployment of Device Control (DLP) using ePolicy Orchestrator can be achieved
once the ePO agents are in place.

An example of this would be:

• Define default policy for Device Control from within ePolicy Orchestrator.
• Deploy the Port Control removal Agent from ePolicy Orchestrator.
• Deploy the Device Control Agent (DLP) from within ePolicy Orchestrator.
• Update policies within ePolicy Orchestrator.

The above example would be transparent to the user, with the exception of a reboot requirement to
complete the installation.


5.3 Phase 3 – Content Encryption


Description of Technology

McAfee Content Encryption is a file and folder encryption product which requires a consultative approach in
order to define an encryption policy that does not disrupt the business workflow. The deployment of any file
and folder encryption solution requires an excellent understanding of the user workflow processes and in
particular, how data is shared within an organisation and distributed to third parties.

Implementation and Deployment of McAfee Content Encryption

A typical client engagement for file and folder encryption would adhere to the following sequential pattern of
activities:

• Introduction to the concepts of McAfee Content Encryption in a Microsoft Windows environment. This
could take the form of a workshop.

• Discovery phase of how the adoption of file and folder encryption could secure confidential data
without disruption to user workflow processes. This activity is usually undertaken by the IT Security
department, who may interview and should gather information from the internal business units about
how user data is created and shared in the organisation.

• Creation of a McAfee encryption policy for files and folders based on the information gathered during
the "discovery" activity, which is implemented as part of a pilot for a selected profile of 'friendly users'.

• Analysis of the pilot is undertaken to highlight policy gaps or revisions to the file and folder encryption
policy.

• Pilot is expanded to include nominated representatives of all business units who will be impacted by
the adoption of the file and folder encryption policy.

• Pilot for file and folder encryption becomes the design template for the production encryption policy.
Controlled deployment into production is phased in.

Issues to be considered

The implementation of any vendor file and folder encryption could be potentially very disruptive without proper
planning and consultation with end users in the business units identified as requiring file and folder encryption.
It is strongly recommended that consultation with identified business units should occur to ascertain the impact
of a file and folder encryption solution; not to do so could easily result in a poorly implemented solution which
could have serious business impacts. A poorly implemented solution can not only cause considerable user
disruption but will also undermine acceptance and understanding of the essential need for IT security.

A typical deployment of file and folder encryption tends to be of a specifically targeted nature; for example an
organisation may choose to encrypt removable devices only.

There are 2 critical factors which will be essential to a successful NHS deployment of file and folder encryption:

• The pilot stage of the project will enable the identification of user workflow patterns and any
“unknowns” will become visible to NHS in-house IT support teams.

• A phased deployment starting first with a pilot for selected profiles of ‘friendly users’ will facilitate a
more successful implementation when moving to a live production environment.


© 2007 McAfee, Inc. No part of this document may be reproduced without the expressed written
permission of McAfee, Inc. The information in this document is provided only for educational purposes
and for the convenience of McAfee’s customers. The information contained herein is subject to change
without notice, and is provided “as is” without guarantee or warranty as to the accuracy or applicability
of the information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are
trademarks or registered trademarks of McAfee, Inc. in the United States and other countries. All other
names and brands may be the property of others.

McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
888.847.8766
www.mcafee.com
