
SAFEND Data Protection Suite™

Reviewer’s Guide

Version 3.4

Reviewer’s Guide
SAFEND DATA PROTECTION SUITE™

Important Notice
This guide is delivered subject to the following conditions and restrictions:

This guide contains proprietary information belonging to Safend Ltd. Such information is supplied solely for the purpose of assisting explicitly and properly authorized Safend Data Protection Suite users, reviewers and evaluators.

No part of its contents may be used for any other purpose, disclosed to any person or firm or reproduced by any means, electronic or mechanical, without the expressed prior written permission of Safend Ltd.

The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice.

The software described in this guide is furnished under a license. The software may be used or copied only in accordance with the terms of that agreement.

Information in this guide is subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted.

The information in this document is provided in good faith but without any representation or warranty whatsoever, whether it is accurate, or complete or otherwise, and with the expressed understanding that Safend Ltd. shall have no liability whatsoever to other parties in any way arising from or relating to the information or its use.

Copyright 2005-2010 Safend Ltd. All rights reserved. Other company and brand products and service names are trademarks or registered trademarks of their respective holders.

- Page 2 -


About This Guide
This Reviewer’s Guide presents an overview of Safend Data Protection Suite 3.4. It explains how the suite works and shows you how to use it to guard your network endpoints.

Reviewer’s Contact Information
Pre-sales contact: Tomer Greenbaum, Pre-sales and Projects Team Leader, +972-3-644-2662 Ext 201, projects@safend.com
Marketing contact: Yael Gelberger, Marcom Manager, Safend, yael.gleberger@safend.com
Support contact: Web: www.safend.com/189-en/Safend.aspx; Email: support@safend.com; Phone: 1-888-225-9193


Table of Contents

About Safend
The Problem
Why Safend?
The Safend Data Protection Suite Solution
Features List
Safend Protector: Port & Device Control and Removable Storage Encryption
Safend Encryptor: Hard Disk Encryption
Safend Inspector: Content Inspection & Filtering
Safend Discoverer: Endpoint Data Discovery
Data Classification
Safend Reporter: Reporting and Analysis
Safend Data Protection Suite Management Features
Product Walkthrough
System Architecture
Safend Auditor
Safend Policy Definition
What Does a Policy Define?
How Do You Define a Policy?
Safend Protector: Port & Device Control and Removable Storage Encryption Policy
Safend Encryptor: Hard Disk Encryption Policy
Safend Inspector: Content Inspection & Filtering
Configuring Data Classifications
Safend Discoverer: Endpoint Data Discovery
Safend Policy Enforcement – Safend Data Protection Suite Client
Safend Data Protection Suite Implementation Workflow

About Safend

Safend software solutions protect an organization’s confidential information from loss and theft by monitoring, detecting and restricting data transfers from the endpoint, without disrupting legitimate business processes and disturbing end user productivity. Safend’s solutions, available through channel partners worldwide, are deployed by multi-national enterprises, government agencies and small to large scale companies across the globe.

Safend Data Protection Suite

Safend Data Protection Suite is centrally managed using a single management server, single management console and single, lightweight agent. The combination of the Safend Data Protection Suite license-activated components, Safend Protector, Encryptor, Inspector, Discoverer, Auditor and Reporter, provides a comprehensive endpoint protection solution, thus protecting an organization’s sensitive data residing on PCs, laptops and detachable devices.

- Safend Protector applies customized, highly-granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media. It also allows encrypting both detachable devices and internal hard disks, using other components of the Safend Data Protection Suite.
- Safend Encryptor ensures that mobile users’ data is secure, by encrypting any data stored on internal hard disks.
- Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a whitelisted storage device, an approved WiFi connection, or even a machine’s LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels.
- Safend Discoverer allows security administrators to locate sensitive data stored on organizational endpoints.
- Safend Auditor provides organizations with the visibility needed to assess and manage vulnerabilities in an enterprise’s PCs and laptop environment, by identifying and logging all devices that are or have been locally connected, before the Safend Data Protection Agent has been deployed to these endpoints. It helps identify gaps in data protection and compliance initiatives, and provides insight into what policies should be implemented.
- Safend Reporter provides security and IT personnel with built-in reports that provide visibility into an organization’s security status and operational needs.

The Problem

Business survival and success is built on data security. Organizations depend on the security of their data, from intellectual property such as business plans and trade secrets, to sensitive customer data like health records, financial information and social security numbers. In today’s sensitive regulatory climate, organizations are expected to demonstrate a comprehensive data protection strategy and understanding of all data transfer activities. Regulatory security initiatives such as Sarbanes Oxley (SOX), HIPAA, PCI, FISMA, and the UK Data Protection Act (DPA), require organizations to maintain ongoing visibility into endpoint activity.

Industry statistics consistently show that the most significant security threat to the enterprise comes from within, ahead of Malware, Spyware and other threats. According to Forrester, data loss through endpoints is now a leading endpoint security concern. With over 60% of corporate data residing on endpoints, gateway solutions and written security policies alone cannot mitigate the risk. Growing numbers of laptops, removable storage devices, interfaces (physical and wireless), and users with access to sensitive data have made data leakage via endpoints, both accidental and malicious, a very real threat.

It is simply too easy for sensitive data to walk out the door on an iPod or be uploaded to the Web. Endpoint data can exit organizational boundaries in any number of ways: it can be carried away on an unencrypted storage device, mistakenly sent to unauthorized email recipients, or stolen with the laptop it is stored on. An inevitable fact of life is that laptops are sometimes lost or stolen.

Despite the clear and present danger of data leakage and loss, implementing effective endpoint data protection remains an uphill battle for most organizations. Many end users view external devices and outbound communications as personal, often balking at and circumventing imposed security measures, and view encryption of any kind as a headache. As a result, today’s data protection solutions need to be transparent without compromising the data security of an organization.

An effective endpoint security program must address the entire range of risks in order to properly protect an organization’s data. All possible endpoint data leakage avenues must be managed with powerful, enforceable, tamper-proof security, without impacting employee productivity and system performance. Securing endpoints demands a highly flexible solution that takes into account the dynamics of real-world work environments.

The Safend Data Protection Suite Solution

Safend Data Protection Suite provides complete endpoint data protection in a single product, with a single management server and a single, lightweight agent. Safend Data Protection Suite detects, logs, and restricts unapproved data transfer from any computer in the enterprise. Safend Data Protection Suite monitors real-time traffic and applies granular security policies over all physical, wireless and removable storage interfaces. Sensitive data transfers can be controlled at different logical levels: redundant physical and wireless ports can be blocked, devices and wireless networks can be approved or denied by their types and specific characteristics, storage device’s functionality can be partially or completely disabled, and the data which exits the organizational boundaries through approved data transfer channels can be controlled according to its actual content.

Safend Data Protection Suite also ensures that mobile users and data are secure by encrypting any data written to removable media such as USB flash drives, external hard drives and CD/DVD. Safend Data Protection Suite guards the data stored on hard drives with its innovative, easy to manage hard disk encryption. Hard disk encryption is completely transparent and does not change end user experience and common IT procedures.

Safend Data Protection Suite’s control is built from the ground up to enforce a comprehensive security policy which is appropriate for all organizational security needs. Each computer is protected 100% of the time, even when it is not connected to the network. Only with detailed visibility of endpoint activity, ongoing and historical, can security administrators effectively monitor and enforce a security policy that is in-line with real world usage. With Safend Data Protection Suite, security administrators can rapidly query all organizational endpoints while locating and documenting all devices that are or have ever been locally connected. Safend Data Protection Suite’s advanced reporting capabilities provide ongoing insight into the organization’s security status. Safend Data Protection Suite provides comprehensive endpoint data security without sacrificing productivity, delivering comprehensive visibility, complete data protection and total control over all available avenues to sensitive data.

Why Safend?

- Control all your data protection measures with a single management server, single management console and a single lightweight agent.
- Best-of-breed port and device control.
- Comprehensive and enforceable removable media encryption.
- Operationally friendly deployment and management, featuring easy deployment, seamless maintenance for administrators, and maximum transparency for end users.
- Full control over sensitive data both inside and outside the organizational network. Safend Data Protection Suite eliminates data leakage from endpoints.

Suite Components

Safend Data Protection Suite provides complete endpoint data protection with a single software product. It includes several, license activated components. Each component within the Safend Data Protection Suite can be implemented stand alone or in combination and complements your existing security infrastructure. The following are the main features of the product, divided according to the different components.

Safend Protector: Port & Device Control and Removable Storage Encryption

Safend Protector, a license-activated component of the Safend Data Protection Suite, protects endpoints by applying customized, highly-granular security policies over all ports: physical ports, wireless ports and devices. It can also mandate the encryption of all data transferred to removable storage devices and CD/DVD media.

- Port Control – intelligently allows, blocks or restricts the usage of any or all computer ports in your organization, according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls: USB, FireWire, PCMCIA, Secure Digital, Serial, Parallel, Modem (e.g., dialup, 3G, etc.), WiFi, IrDA and Bluetooth ports.
- Device Control – Highly granular identification and approval of devices, including a comprehensive list of device types and robust white listing of device models and even distinct devices (by serial number).
- Storage Control – Special control over external and internal storage devices, including Removable media, External Hard Drives, CD/DVD media, Floppy and Tape drives. A policy can block usage of device types, models and even distinct devices (by serial number), restrict usage for read only, or enforce encryption (see below).
- Removable Media Encryption – Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted storage devices to company computers by use of encryption. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through removable storage devices and media.
- Offline Usage of Encrypted Devices – pre-approved users can access encrypted devices outside the protected organization on unprotected machines using an access password.

- Track Offline Usage of Encrypted Devices – Safend Data Protection Suite provides administrators with improved visibility on the usage of encrypted devices outside the organization. With this unique feature, every offline access to an encrypted device is tracked, providing a comprehensive log of each file transfer to/from this device. With this powerful log, administrators can audit users' actions even on non-company computers, in order to validate legitimate use of corporate data.
- Configurable Password Policy – Administrators can define the security criteria for the device access password, in order to comply with the organization's security guidelines. Administrators can predefine password parameters such as minimal password length and the types of characters it contains.
- Inbound File-Type Control – This feature provides an additional layer of granularity and security by inspecting files for their type as they are transferred from external storage devices, and blocking dangerous or inappropriate content from being used inside the organization.
- U3 and autorun control – Turns U3 USB drives into regular USB drives while attached to organizational endpoints, and protects against dangerous autolaunch programs by blocking autorun.
- Block USB and PS/2 Hardware Key-Loggers – block or detect the widest variety of USB and PS/2 hardware keyloggers in the industry, which are devices that can tap and record every keystroke in your endpoints.
- Granular WiFi control – by MAC address, SSID, or the security level of the network.
- Block Hybrid Network Bridging – Safend Data Protection Suite allows administrators to control and prevent simultaneous use of various networking protocols that can lead to inadvertent or intentional hybrid network bridging (such as WiFi bridging and 3G card bridging). Configuring Safend Data Protection Suite Clients to block access to WiFi, Bluetooth, Modems or IrDA links, while the main wired TCP/IP network interface is connected to a network, enables users to employ the various networking protocols only when they are disconnected from the network. This avoids the creation and potential abuse of a hybrid network bridge.

Safend Encryptor: Hard Disk Encryption

As incidents of stolen and lost computers continue to make the headlines, it is crucial for organizations to secure the data stored on the hard drives of PCs and laptops, in the case of loss or theft. Safend Encryptor, a license-activated component of the Safend Data Protection Suite, encrypts the data stored on PCs and laptops, and the result is that sensitive data cannot be read by any unauthorized user.

- Encryption Technology – Safend’s encryption concept utilizes Total Data Encryption technology. Using this technology, Safend Encryptor encrypts only files which may contain sensitive data while avoiding encryption of the operating system and program files. The encryption is performed in real time, with minimal performance impact on the endpoint, and utilizes the industry standard AES algorithm with 256 bit key length.
- Key Management – Safend Encryptor incorporates a fully automated key management solution. All encryption keys are centrally generated and securely stored on the management server before encryption is initialized. Encryption keys are generated using a FIPS approved PRNG.
- Enforced by Policy – Encryption of data on internal hard drives is controlled by policy, and cannot be bypassed by the end user.
- Transparent to End Users – Transparently uses Windows login to access the encrypted data and therefore does not require any end user training.
- Transparent to Help Desk – Transparently uses the generic AD domain password reset process. No dedicated password recovery procedure is required.
- User Authentication – Safend Encryptor transparently supports any multifactor authentication device supported by Windows (smart card, USB token, biometric, etc.), including multi-factor devices that change the Windows GINA or use a custom one.
- Data Recovery – Offers an intuitive, easy to implement recovery process in case of malfunction.
- Full Audit Trail – Comprehensive logs are provided for all activities.

Safend Inspector: Content Inspection & Filtering

Safend Inspector, a license-activated component of the Safend Data Protection Suite, provides an additional protection layer for data transferred over approved data transfer channels. It enforces an accurate, data-centric security policy on data transferred from the endpoint without disrupting legitimate business processes and disturbing end user productivity. Whenever a user attempts to extract data from the endpoint, Safend Inspector monitors the action and, if necessary, enforces the appropriate security policy.

- Multiple Channels Control – Safend Inspector controls data transferred over the following channels: Email (using Microsoft Outlook), Web (using Windows Internet Explorer), external storage devices, local printers, and network printers. Security administrators can control additional channels using Application Data Access Control, which controls the access of predefined applications to sensitive data.
- Applying Security Actions – According to the security policy, Safend Inspector can enforce the following security actions: Block – prevents the user from extracting the information from the endpoint. Ask User – warns the user of their problematic action, and asks them if they are sure they want to continue. Encrypt – ensures that the data is encrypted when it is extracted from the endpoint (this security action can be enforced only on external storage devices).
- Channel-Specific Exemptions – Security policies are highly granular, and can include specific exemptions for different protected channels. For example, a security policy can be set to prevent users from downloading confidential data to all external storage devices, except for company issued hardware encrypted devices.
- Permanent Protection – This protection is activated whether the machine is connected to the organization’s network, a home network or used offline.

Safend Discoverer: Endpoint Data Discovery

Safend Discoverer, a license-activated component of the Safend Data Protection Suite, allows security administrators to locate sensitive data stored on organizational endpoints.

- Policy-Based Endpoint Discovery – the endpoint discovery process is triggered by applying a discovery policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The discovery policy also specifies the type of log record that will be sent to the management server when sensitive data is discovered. When a discovery policy is applied on an endpoint, the Safend Data Protection Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server.
- Limit Logs From a Single Endpoint – the administrator can limit the amount of data sent from a single endpoint in order to balance allocation of network and storage resources.

Safend Inspector & Discoverer: Data Classification

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. The Safend Inspector and Safend Discoverer components of the Safend Data Protection Suite both utilize the same classification mechanism, whose features are described below:

- Multiple Classification Techniques – Safend Data Protection Suite provides multiple data identification techniques which can be used individually or in combination to create an effective data classification scheme:
  Keyword Lists – keyword lists are used to identify data transfer incidents which contain specific keywords or keyword sequences. A sophisticated “weight” mechanism facilitates the identification of logical content, by using dictionaries with different importance levels assigned to different phrases.
  Textual Pattern Recognition – Textual pattern recognition is used to identify incidents which contain a pre-defined textual pattern, such as an email address, a phone number, a serial number or a credit card. The patterns are defined using Regular Expressions (.net).

  Mathematical Verifiers – Mathematical Verifiers are applied to content which matches a pre-defined pattern (such as a credit card number or an ID number), and are used to ensure that the content was not falsely matched.
  Data Fingerprinting – Data fingerprinting is used to identify known content, even if the data has been partially modified.
  File Types – Individual file types are recognized according to a full analysis of the file format.
  File Properties – Multiple meta-data parameters can be used to identify sensitive content, including full or partial file name, file size, and more.
- Deep Content Inspection – files are analyzed in depth, including data stored inside compressed folders and embedded objects.
- Built-in Classifications – Safend Data Protection Suite includes out-of-the-box, pre-configured classifications which identify common types of sensitive data, such as Patient Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers.

Safend Reporter: Reporting and Analysis

Safend Reporter, a license-activated component of the Safend Data Protection Suite, includes several built-in reports that are designed to accommodate the security and operational needs of the organization and its security and IT personnel. The information is provided in a clear, easy to understand format for the benefit of non-technical viewers, such as executives within the organization.

- Security Reports – the security reports allow easy detection of specific employees and departments that frequently disregard internal security policies.
- Administrative Reports – the administrative reports assist in the deployment, policy distribution and overall visibility of endpoint activity within the organization.
- Drill down reports – the Safend Reporter interface allows a step-by-step drill down into different aspects of the report, and enables a quick and intuitive transition from a high-level view to specific detailed information.
- Reports Export – the reports can either be viewed from within the Safend Data Protection Suite Management Console or be exported to one of several popular formats for viewing and analysis outside of the Management Console.
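To make the combination of classification techniques concrete, the following is an added example written for this guide; it is not Safend's code (the suite's classification engine is not described in more detail here), and the weighted keyword dictionary, the threshold, the card-number pattern and the sample email are all constructed for the illustration. It shows how a weighted keyword list, a textual pattern and a mathematical verifier work together: the verifier used is the Luhn mod-10 checksum, the standard check for payment card numbers, and it is what rejects a digit string that merely looks like a card number (here a device serial), which is exactly the "falsely matched" case the page describes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed weighted keyword dictionary: phrase -> importance weight.
# An incident is flagged when the summed weight of the phrases found
# reaches KEYWORD_THRESHOLD (both values are assumptions for this example).
KEYWORD_WEIGHTS = {
    "confidential": 3,
    "patient": 2,
    "diagnosis": 2,
    "quarterly forecast": 4,
}
KEYWORD_THRESHOLD = 4

# Textual pattern: 13 to 19 digits, optionally separated by spaces or dashes.
# On its own this also matches serial numbers, hence the verifier below.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mathematical verifier: Luhn mod-10 checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def keyword_score(text: str) -> tuple[int, list[str]]:
    """Sum the weights of dictionary phrases present in the text."""
    lowered = text.lower()
    hits = [phrase for phrase in KEYWORD_WEIGHTS if phrase in lowered]
    return sum(KEYWORD_WEIGHTS[p] for p in hits), hits


def find_card_numbers(text: str) -> tuple[list[str], list[str]]:
    """Pattern match first, then verify; returns (verified, rejected)."""
    verified, rejected = [], []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        (verified if luhn_valid(digits) else rejected).append(digits)
    return verified, rejected


@dataclass
class Classification:
    labels: list[str] = field(default_factory=list)
    keyword_hits: list[str] = field(default_factory=list)
    card_numbers: list[str] = field(default_factory=list)
    rejected_candidates: list[str] = field(default_factory=list)


def classify(text: str) -> Classification:
    """Apply keyword weighting and pattern+verifier; return the labels earned."""
    result = Classification()
    score, hits = keyword_score(text)
    result.keyword_hits = hits
    if score >= KEYWORD_THRESHOLD:
        result.labels.append("confidential-keywords")
    verified, rejected = find_card_numbers(text)
    result.card_numbers = verified
    result.rejected_candidates = rejected
    if verified:
        result.labels.append("credit-card")
    return result


# Constructed sample message: one Luhn-valid test card number, one
# serial number that matches the pattern but fails the verifier, and a
# phone number that is too short to match the pattern at all.
SAMPLE_EMAIL = """Subject: Confidential - patient diagnosis summary
Card on file: 4111 1111 1111 1111. Device serial: 1234-5678-9012-3456.
Call 555-123-4567 with questions."""

if __name__ == "__main__":
    outcome = classify(SAMPLE_EMAIL)
    print("labels:", outcome.labels)
    print("keyword hits:", outcome.keyword_hits)
    print("verified card numbers:", outcome.card_numbers)
    print("rejected by verifier:", outcome.rejected_candidates)
```

Running the block on the sample message yields both labels, with the card number verified and the serial number reported as rejected rather than silently dropped; keeping the rejected candidates visible is useful when tuning a pattern, since a high rejection rate usually means the regular expression is too broad.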

- Report Scheduling – the reports can be scheduled and sent periodically by email to pre-defined recipients in order to ensure continuous tracking of the organization’s data security status and compliance with internal security policies.

Safend Data Protection Suite Management Features

- Safend Data Protection Suite Management Server – A single Management Server can be used to manage tens of thousands of endpoints.
- Safend Data Protection Suite Management Console – All Safend management tools are combined into a single Management Console, which can be installed and run from any computer on your network. The Management Console provides unified management of policies, logs and Clients. The management console supports one-click deployment from the server website.
- Client Management – allows you to browse the status of your machines and check whether they are protected by the latest version of the Client, what policy they are using, when they were last updated and more.
- Immediate Updates – Enables you to push a new policy to Clients without having to wait for the policy update interval to complete. The new policy becomes effective immediately on all connected Clients. In addition, you can collect all the logs that were accumulated by the Clients on endpoints immediately, without having to wait for the log sending interval to complete.
- Extensive Logging – Data-related security incidents are recorded and sent to the Management Server, and can be accessed through the Safend Data Protection Suite Management Console. This incident information contains all incident data (subject to activating the appropriate monitoring level), and allows security administrators to analyze the incident easily and understand why it was triggered.
- Flexible Monitoring Level – The administrator can set the record level to be kept: log record only, the incident including all transferred text, or the full incident, including a hidden copy (shadow) of the data. The appropriate monitoring level can be set according to the available storage resources and the expected volume of information.
- Logs Data View – enables you to view and analyze the logs collected from all the endpoints in your organization, both immediately and over time. Data-related security incidents are filtered, viewed and analyzed from the Management Console.

- Active Directory Synchronization – Allows you to look at Logs and manage Clients from your native organizational units view, through the organizational tree. The tree is continuously synchronized with your Active Directory to ensure it remains current at all times. No user maintenance is required.
- Built-In Real-Time Alerts – Enable you to issue alerts of your choice (e.g. e-mail, SNMP and more) to desired destinations. Administrators can set the destinations for sending alerts on a per-policy basis. For example, it is possible for alerts from different computers/users to be sent to different email addresses.
- Rich End User Interaction – Proper end user information security education is a vital component in a successful security program. Safend Data Protection Suite provides security administrators with the tools necessary for ensuring end user education and involvement in the data protection process, without disrupting legitimate business procedures. When a policy violation is detected, a customizable message is displayed to the end user. This message can be configured to require end users to enter the justification for their action, by choosing it from a list of options or inserting free text. The information provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process. This is a highly effective method of deterring users from committing potentially harmful actions.
- Monitoring Actions Based on End User Decisions – subject to the security policy configuration, end user decisions can change the monitoring action applied to a specific incident. For example, the administrator can set the policy to send logs only for data transfer incidents which the user was warned about but decided to commit anyway, and avoid sending logs for incidents which the user aborted.
- Internal Database – Safend Data Protection Suite includes a built-in MySQL database in order to simplify the installation of small/medium systems. This database is automatically installed with the Management Server and is fully maintained by the application.
- Database Management – Administrators can set the amount of days for logs to be stored, as well as set a quota for the database files. Safend Data Protection Suite Management Server also features manual as well as scheduled backups for its keys, configuration and logs (logs backup only available for Internal Database). These backups can be used when recovering from hardware failures as well as when upgrading hardware platforms.

- External Database – Customers with existing database infrastructures may prefer to use these for storing the Safend Data Protection Suite configuration and log information instead of using the built-in internal database provided with the Management Server installation package. Safend Data Protection Suite Management Server can connect to an existing Microsoft SQL (MSSQL) database instead of creating its internal database. This provides higher system scalability and leverages existing infrastructures and know-how. Day-to-day maintenance of this database is still handled by Safend Data Protection Suite, including indexing, purging, and key/configuration backup. However, in this case it is the administrator's responsibility to backup log data.
- MSI-Based Client Deployment – The client installation is packaged in an MSI file, featuring silent as well as manual installation. The client can be deployed with any 3rd party tool for MSI deployment, and more specifically Active Directory GPO, Microsoft SMS and IBM Tivoli.
- Stealth Mode – Safend Data Protection Suite Agent can be configured to be invisible on endpoints. When installed in this mode, the user doesn’t see the product icon and no end user messages are shown.
- Suspend Client – enables you to suspend Client operations temporarily, without having to uninstall it, even when the endpoint does not have any Internet connection. All user actions (such as accessing storage devices or sending a classified email) are allowed and monitored for the duration of the suspension, after which the original policy enforcement is resumed.

Product Walkthrough

System Architecture

The system architecture is presented in the following figure:

The system comprises the following components:

Safend Data Protection Suite Management Server(s)
Safend Data Protection Suite Management Server(s) store policies and other definitions, collect logs from Clients, enable Client management and distribute policies to Clients. The Management Server(s) use IIS to communicate with Clients and Management Consoles (over SSL). The Management Server(s) distributes policies directly to Clients (via SSL). Controlling Clients is performed via WMI. LDAP compliant protocols are used to synchronize with the existing organizational objects stored in Active Directory. The Management Server(s) uses either an internal/external database for its repository (see below).

Safend Data Protection Suite Management Console
This enables you to manage Clients, view logs, define policies and administer the system. The Management Console can be installed and run from any computer on your network and uses SSL when communicating with the Management Server. The Management Console supports one-click deployment from the server website.

Safend Data Protection Suite Client
This protects and monitors the endpoints in your organization and alerts/reports about user activity. The Client communicates with a Safend Data Protection Suite Management Server using SSL.

Internal/External Database
Standard databases are used for storing system configuration, policies and log data. Administrators may opt to use an internal MySQL database supplied in the Management Server installation package or to connect to existing MSSQL database infrastructures. Even though using the internal database is simpler and maintenance free, connecting to an external database provides better performance and scalability.

Safend Auditor
Although not an integral part of Safend Data Protection Suite, Safend Auditor is a light-weight client-less tool that goes hand in hand with Safend Data Protection Suite and completes it by providing you with a full view of what ports, devices and networks are (or were previously) in use by your organization's users. You use the output of a Safend Auditor scan to select the devices and networks whose usage you want to approve.

Safend Data Protection Suite Management Server Cluster
A server cluster enables the installation of several Safend Data Protection Suite Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as provide redundancy and high availability.

Safend Policy Definition

What Does a Policy Define?

Using the Safend Data Protection Suite, the administrator can create different types of policies. Each type of policy configures a different component of the Safend Data Protection Suite:

Port & Device Control Security Policy specifies your organization's policy regarding the usage of physical ports, wireless ports, devices and WiFi networks.

Hard Disk Encryption Security Policy defines whether or not the data on your internal hard disks will be encrypted. It also specifies whether the data on removable storage devices and CD/DVD media will be encrypted.

Data Control Security Policy specifies your organization's policy regarding sensitive data transferred out of the protected machine using endpoint or network data transfer channels.

Data Control Discovery Policy defines the parameters for the data discovery process, which locates and maps sensitive data stored on the organizational endpoints.

How Do You Define a Policy?

Safend Data Protection Suite Policies are defined in the Safend Data Protection Suite Management Console. You can define one policy for your entire organization, or define different policies for different organizational objects defined in your Active Directory. Policies need to be defined once and then updated on an as-needed basis when the need arises in your organization. Once you have defined and distributed a policy to the Safend Data Protection Suite Clients you can view activity logs from each client through the Logs World in the Safend Data Protection Suite Management Console. After analyzing the logs, you may wish to adjust your policies.

Safend Protector: Port & Device Control and Removable Storage Encryption Policy

Port Control

Safend Data Protection Suite can intelligently allow, block or restrict the usage of any or all computer ports in your organization, according to the computer on which they are located, the user who is logged in and/or the type of port. Safend controls: USB, FireWire, PCMCIA, Secure Digital, Parallel, Serial, Modem (e.g. dialup, 3G, etc.), WiFi, IrDA and Bluetooth ports. A blocked port is unavailable, as if its wires were cut. An indication that a port is blocked is given when the computer boots or when a policy is applied that disables a previously allowed port.

Device Control

In addition to controlling port access, Safend Data Protection Suite provides another level of granularity by enabling you to define which devices can access a port. For USB, PCMCIA and FireWire ports you can define which device types, device models and/or distinct devices can access a port, as follows.

Device Types: This option enables you to restrict access to a port according to the type of device that is connected to it. Examples of device types are printing devices, network adapters, human interface devices (such as a mouse) or imaging devices. The device types that are available for selection are built into Safend Data Protection Suite. If you would like to allow a device that is not of one of the types listed here, you can use the Models or the Distinct Devices option, described below.

Models: This option refers to the model of a specific device type, such as all HP printers or all M-Systems disk-on-keys.

Distinct Devices: This option refers to a list of distinct devices each with their own unique serial number, meaning each is an actual specific device. For example: the CEO's PDA may be allowed and all other PDAs may be blocked.

Storage Control

Storage control provides an additional level of detail in which to specify the security requirements of your organization. You can block storage devices completely, allow read-only access or encrypt the device. This can apply to all storage devices regardless of the port to which they are connected. Like non-storage devices, removable storage devices can also be white listed according to the device model or the specific device serial number.

Protection against Hardware Key Loggers

Hardware Key Loggers are devices that can be placed by a hostile entity between a keyboard and its host computer in order to tap and record keyboard input and steal vital information, especially identities and passwords. With Safend Data Protection Suite you can block or detect the widest variety of USB and PS/2 hardware keyloggers in the industry.

Safend Removable Storage Encryption

Safend Media Encryption allows administrators to mandate the encryption of all the data being transferred off organization endpoints to approved storage devices, such as USB flash drives, memory sticks and SD cards, as well as CD/DVD media and external hard drives, using the 256-bit AES encryption algorithm. This extends the security borders of organizations and prevents rogue employees from deliberately leaking data through these high-capacity devices. Within the organization, media encryption is completely transparent and encrypted devices can be read and used interchangeably on any computer in the organization. End-users are able to read and write to storage devices just as they would do normally. However, when the same device is plugged into a computer that is not part of the organization, the data on it will not be accessible. This provides organizations with comprehensive protection from both accidental data loss and deliberate leakage of corporate assets.

Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted devices to company computers. The Safend Data Protection Suite administrator can choose whether or not to allow specific users password-protected access to the data on non-authorized computers. If allowed, individual users are able to set their own device password, which is required for accessing the device on non-company computers. When plugging in the device outside the organization, a utility residing on the device is used to validate this password and provide access to encrypted information.

File Control

File Control includes an additional layer of granularity and security by monitoring and controlling file transfers to/from external storage devices. Definitions are set at the level of file type. With File Type Control a highly reliable classification of files is performed by inspecting the file header contents rather than using file extensions, thus preventing users from easily bypassing the protection by renaming file extensions. File type control and logging is enabled both for files written to external storage devices and files read from them, providing the ability to allow or block specific file transfers as well as to generate logs and alerts, or even to send a hidden copy of the file to the Management Server. By inspecting both the files downloaded to external storage devices and those uploaded to the protected endpoint, multiple benefits can be achieved:

- An additional protection layer for preventing data leakage (see comment above)
- Prevention of viruses/malware introduced via external storage devices
- Prevention of inappropriate content introduced via external storage devices. Examples of such content: unlicensed software, unlicensed content (e.g., music and movies), non work-related content (e.g., personal pictures).

However, if you are using the complete Safend Data Protection Suite, including Safend Inspector for Data Control, it is recommended to use the Port and Device Control Security Policy only for files read from the device, and use the Data Control Security Policy to control files written to the device according to their classification.

The file control aspect of the policy will apply to approved storage devices which were configured to apply file type control in the Devices tab of the policy. For these devices, the relevant file type control configurations will apply.
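The header-based classification described above can be demonstrated with a small Python model. This is an added example written for this guide, not Safend's code: the signature table holds a handful of well-known magic-byte values, the sample policy and the sample file headers are constructed for the example, and the rule fields (kind, direction, action, alert) are assumed names.

```python
from dataclasses import dataclass
from typing import Sequence

# Well-known header signatures (real magic bytes; not Safend's own signature database).
SIGNATURES = (
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),                            # ZIP, also OOXML (.docx/.xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy Office (.doc/.xls)
    (b"MZ", "executable"),                            # Windows PE / DOS executable
)

# What an extension claims to be; used only to flag renamed files, never to decide the type.
EXTENSION_CLAIMS = {
    "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "zip": "zip",
    "docx": "zip", "xlsx": "zip", "doc": "ole2", "xls": "ole2",
    "exe": "executable", "dll": "executable", "txt": "text", "csv": "text",
}


def sniff_type(header: bytes) -> str:
    """Classify content by its leading bytes; printable content with no signature is text."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    if header and all(b in (9, 10, 13) or 32 <= b < 127 for b in header):
        return "text"
    return "unknown"


@dataclass(frozen=True)
class FileTypeRule:
    kind: str            # detected type the rule applies to
    direction: str       # "read" (from the device) or "write" (to the device)
    action: str          # "allow" or "block"
    alert: bool = False  # raise an alert as well as a log entry


@dataclass(frozen=True)
class Verdict:
    action: str
    detected: str
    renamed: bool        # the extension claims a different type than the header shows
    alert: bool


def evaluate_transfer(filename: str, header: bytes, direction: str,
                      rules: Sequence[FileTypeRule], default_action: str = "block") -> Verdict:
    """Decide a transfer from the first bytes of the file, not from its name."""
    detected = sniff_type(header[:16])
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_CLAIMS.get(ext)
    renamed = claimed is not None and claimed != detected
    for rule in rules:
        if rule.kind == detected and rule.direction == direction:
            return Verdict(rule.action, detected, renamed, rule.alert)
    return Verdict(default_action, detected, renamed, False)


# Constructed sample policy: documents may be read in, executables never; only PDFs may be written out.
POLICY = (
    FileTypeRule("pdf", "read", "allow"),
    FileTypeRule("zip", "read", "allow"),
    FileTypeRule("ole2", "read", "allow"),
    FileTypeRule("executable", "read", "block", alert=True),
    FileTypeRule("pdf", "write", "allow"),
)

# Constructed sample file headers (first bytes only).
RENAMED_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # .exe renamed to .txt
SPREADSHEET = b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00"
PLAIN_TEXT = b"quarterly notes\n"

if __name__ == "__main__":
    for name, head, way in (("setup.txt", RENAMED_EXE, "read"),
                            ("budget.xlsx", SPREADSHEET, "read"),
                            ("notes.txt", PLAIN_TEXT, "write")):
        print(name, way, evaluate_transfer(name, head, way, POLICY))
```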

WiFi Control

WiFi control ensures that users only connect to approved networks. You can specify which networks or ad hoc links are allowed access by the MAC address of the access points, SSID of the network, authentication method and encryption methods to define approved links.

Safend Encryptor: Hard Disk Encryption Policy

Safend Encryptor enforces an enterprise wide policy which protects the data stored on PC and laptop hard drives, so that sensitive data cannot be read by unauthorized users in the case of loss or theft. Safend Encryptor utilizes Total Data Encryption technology that encrypts all data files, while avoiding unnecessary encryption of the operating system and program files. This innovative concept minimizes the risk of operating system failure, and poses negligible performance impact on user productivity. Leveraging this unique encryption technology, Safend Encryptor provides a genuinely transparent Hard Disk Encryption solution, by using the existing Windows login interface for user authentication. The encryption process is completely transparent to both end users and security administrators. Safend Encryptor utilizes industry standard AES-256 encryption, and is Common Criteria Certified (Evaluation Assurance Level 2 for Sensitive Data Protection), and FIPS 140-2 Certified. Encryption of data on internal hard drives is controlled by policy and enforced by the Safend Client on the endpoint. Applying Hard Disk Encryption using Safend Encryptor is performed with a few simple steps, described below.

Safend Encryptor Encryption Flow:

Here is a description of the Safend Encryptor encryption flow:

1. Create a new Hard Disk Encryption Security Policy, set the Internal Hard Disk Encryption to Encrypt and associate the policy with the appropriate machines, groups or OU's.

2. Click OK. This will apply the encryption policy to all computers associated with the security policy the next time the Client communicates with the Management Server.

3. Once the policy is updated on the Client, the system automatically conducts machine and user authentication. This phase is comprised of two steps:
a. Machine registration – makes sure that the machine is listed only once in the domain computer list.
b. User authentication – ensures that the currently logged on user is a valid domain user, which will be able to access the encrypted data.

4. The Safend Server creates encryption keys and securely distributes them to the Client.

5. The encryption process begins automatically. This process runs in the background, and therefore does not require any user action, and the user can continue working normally. The user can shut down or restart the endpoint during the encryption process; encryption will resume the next time the computer is powered on. The encryption status and progress is continuously updated on the Management Server, and can be viewed in the Clients World.

6. The machine is now protected, and secure data will not be compromised in case the computer is lost or stolen.

Security administrators can view the current encryption status of the organizational endpoints, either through the Clients World or with the Safend Reporter, by running the Encryption Status Report.

Key Management and Distribution

The system encryption mechanism and Key Management is presented in the following figure:

[Figure: Safend Management Server, Safend Management Console and Endpoint Computer, connected by SSL communication (SSL Encrypted Log, Machine Encryption Keys, One Time Access Key, Secret). All Safend Administrator's actions are audited and logged. File Key is Encrypted with Machine Encryption Key and Protected with User Credentials and Recovery Secrets. Document Encrypted with File Encryption Key.]

Preparations before Encrypting Hard Disks

Before implementing hard disk encryption using Safend Encryptor, it is recommended to follow several steps to ensure smooth and easy product implementation, while enabling swift data recovery in all failure scenarios. All encryption keys are centrally generated and securely stored on the Management Server before encryption is initialized.

1. Backup Server Secrets – create a backup of the server's private and public keys in order to be able to re-install the server in case of a hardware or software failure.

2. Backup Server Configuration (Scheduled Backup) – define a scheduled backup for the server configuration file.

Safend Inspector & Discoverer: Configuring Data Classifications

An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. Safend Inspector and Safend Discoverer components both utilize the Data Classification Mechanism. Data classification is a set of definitions which is used by the system to automatically identify data. Safend Data Protection Suite includes out-of-the-box, preconfigured classifications identifying common types of sensitive data such as Patient Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers. Organizations can use these classifications as is, or customize them according to their requirements. To customize a built-in classification, right click the classification you want to modify and click Customize. Alternatively, organizations can configure their own custom classifications from scratch.

Data classification consists of one or more classification rules and the Boolean relationship between them (and, or, not). The administrator can add additional rules to the classification. Each type of classification rule uses a different method of identifying the data. Together, these rules can be used to create highly accurate data classifications, which will be used to locate and control sensitive data within your organization.
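An added Python sketch of how rules of different kinds combine with and/or/not into a classification (example code written for this guide, not Safend's classification engine). The two rule kinds, the pattern-with-validator and keyword rules, the Luhn check on candidate card numbers, and the sample documents are all constructed for the example.

```python
import re
from typing import Callable, Iterable, Optional, Set

Rule = Callable[[str], bool]   # a classification rule: does this text match?


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which valid payment card numbers satisfy; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def regex_rule(pattern: str, validator: Optional[Callable[[str], bool]] = None,
               min_matches: int = 1) -> Rule:
    """Pattern rule: enough regex hits that also pass an optional validator."""
    rx = re.compile(pattern)

    def rule(text: str) -> bool:
        hits = [m.group(0) for m in rx.finditer(text)]
        if validator is not None:
            hits = [h for h in hits if validator(h)]
        return len(hits) >= min_matches
    return rule


def keyword_rule(words: Iterable[str], min_matches: int = 1) -> Rule:
    """Keyword rule: at least min_matches of the given terms appear (case-insensitive)."""
    terms = [w.lower() for w in words]

    def rule(text: str) -> bool:
        low = text.lower()
        return sum(1 for w in terms if w in low) >= min_matches
    return rule


def AND(*rules: Rule) -> Rule:
    return lambda text: all(r(text) for r in rules)


def OR(*rules: Rule) -> Rule:
    return lambda text: any(r(text) for r in rules)


def NOT(rule: Rule) -> Rule:
    return lambda text: not rule(text)


def _card_number(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 16 and luhn_ok(digits)


CARD_NUMBER = regex_rule(r"\b(?:\d[ -]?){13,16}\b", validator=_card_number)

# Constructed classifications: a card number counts only alongside payment wording or
# away from part/serial listings; PHI needs two health terms and no de-identification notice.
CLASSIFICATIONS = {
    "Credit Card Numbers": AND(CARD_NUMBER,
                               OR(keyword_rule(["card", "expiry", "cvv"]),
                                  NOT(keyword_rule(["part number", "serial"])))),
    "PHI": AND(keyword_rule(["patient", "diagnosis", "mrn"], min_matches=2),
               NOT(keyword_rule(["de-identified"]))),
}


def classify(text: str) -> Set[str]:
    """Names of every classification whose rule tree matches the text."""
    return {name for name, rule in CLASSIFICATIONS.items() if rule(text)}


# Constructed sample documents (4111 1111 1111 1111 is the well-known Luhn-valid test number).
DOC_INVOICE = "Cardholder: A. Example\nCard: 4111 1111 1111 1111\nExpiry 12/27"
DOC_PARTS = "Part number 4111-1111-1111-1112 (serial 0042), 12 units"
DOC_CHART = "Patient: J. Doe\nDiagnosis: type 2 diabetes\nMRN 12345"
DOC_DEID = "De-identified research extract: patient count 40, diagnosis codes aggregated"

if __name__ == "__main__":
    for doc in (DOC_INVOICE, DOC_PARTS, DOC_CHART, DOC_DEID):
        print(sorted(classify(doc)), "<-", doc.splitlines()[0])
```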

Safend Inspector: Content Inspection & Filtering

Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels, such as a white-listed storage device, an approved WiFi connection, or even a machine's LAN connection. It enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting legitimate business processes and disturbing end user productivity. A Data Control Security Policy defines how the Safend Data Protection Suite reacts when classified data is transferred through controlled channels. Each data control policy defines how the Safend Data Protection Suite reacts to a specific Data Classification. This tab is divided into two sections. The first section, Data to Control, allows you to select the classification to which the policy will refer. The bottom part of the tab, Channels Where this Data is Restricted, allows you to define what will happen when the user attempts to transfer classified data using the specified channels.

Safend Data Protection Suite controls data transferred over the following channels:

- Email: controls outgoing email using Microsoft Outlook.
- Web: controls web posts using Windows Internet Explorer.
- External Storage: controls data transfer to external storage devices (DOK, SD cards, external HD, etc.).
- Local Printers: controls data printed to local printers.
- Network Printers: controls printing data using a network printer.
- Application Data Access Control: controls pre-defined application access to confidential data via direct file access or the clipboard. Applications are divided into application groups, and each application group can be added to any policy and controlled as a data transfer channel.

Channel Configuration

For each channel, you can define what happens when the user attempts to transfer classified data out of the machine (Security Action):

- Allow: Allows the action to be performed.
- Block: Stops the action the user is trying to perform.
- Ask User: Prompts the user with an "are you sure?" question, and allows the action to be performed only if the user selected "yes". This is a highly effective method of deterring users from committing potentially harmful actions, without disrupting legitimate business procedures.
- Encrypt: Allows the data transfer action, only if the device is encrypted (Only for external storage).

You can also configure what kind of event will be sent to the server following the user action. You can decide if the action will generate a log or an alert (monitoring action), and what information will be included in it (monitoring level).

In addition, you can configure the message which will be displayed to the end user following their actions. This message can be configured to require end users to enter the justification for their action, by choosing it from a list of options or inserting free text. The information which is provided by the end users is sent to the Management Server together with the incident record, dramatically improving the incident management process.

Finally, you can configure exemptions for each channel. In this window, you can configure the data destinations you wish to exempt from inspection. For example, you may want to apply the data control policy to all emails except for those sent only to recipients in your company, or prevent users from downloading confidential data to all external storage devices except for the CEO's hardware encrypted device. Different parameters are used to define exemptions for the different channels. To define the channel specific exemption, mark the channel and click Edit Channel.
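To make the channel semantics above concrete, here is an added Python model of a Data Control Security Policy: one classification, per-channel security actions, monitoring actions, justification, and the two exemption examples from the text (internal-only email recipients, a single exempt device serial). This is example code written for this guide, not Safend's implementation; the channel names, field names, sample serial and domain are constructed, and the choice to record no incident when the user declines an "Ask User" prompt is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ASK_USER = "ask_user"
    ENCRYPT = "encrypt"        # meaningful for external storage only


class Monitoring(Enum):
    NONE = "none"
    LOG = "log"
    ALERT = "alert"


@dataclass(frozen=True)
class ChannelRule:
    channel: str
    action: Action
    monitoring: Monitoring = Monitoring.LOG
    require_justification: bool = False
    exempt_domains: FrozenSet[str] = frozenset()   # email: recipient domains not inspected
    exempt_serials: FrozenSet[str] = frozenset()   # external storage: device serials not inspected


@dataclass(frozen=True)
class Transfer:
    channel: str
    classifications: FrozenSet[str]                # output of data classification
    recipients: Tuple[str, ...] = ()
    device_serial: str = ""
    device_encrypted: bool = False


@dataclass(frozen=True)
class Outcome:
    allowed: bool
    reason: str
    monitoring: Monitoring
    needs_justification: bool = False


def _is_exempt(rule: ChannelRule, t: Transfer) -> bool:
    """Exemption parameters differ per channel: all recipients internal, or a listed device."""
    if rule.channel == "email" and t.recipients:
        domains = {r.rsplit("@", 1)[-1].lower() for r in t.recipients}
        return domains <= rule.exempt_domains
    if rule.channel == "external_storage":
        return t.device_serial in rule.exempt_serials
    return False


class DataControlPolicy:
    def __init__(self, classification: str, rules: Iterable[ChannelRule]):
        self.classification = classification
        self.rules = {r.channel: r for r in rules}

    def evaluate(self, t: Transfer, user_confirms: Optional[bool] = None) -> Outcome:
        if self.classification not in t.classifications:
            return Outcome(True, "data not classified", Monitoring.NONE)
        rule = self.rules.get(t.channel)
        if rule is None:
            return Outcome(True, "channel not controlled", Monitoring.NONE)
        if _is_exempt(rule, t):
            return Outcome(True, "exempt destination", Monitoring.NONE)
        if rule.action is Action.ALLOW:
            return Outcome(True, "allowed", rule.monitoring)
        if rule.action is Action.BLOCK:
            return Outcome(False, "blocked", rule.monitoring)
        if rule.action is Action.ENCRYPT:
            ok = t.channel == "external_storage" and t.device_encrypted
            return Outcome(ok, "device encrypted" if ok else "device not encrypted", rule.monitoring)
        # ASK_USER: an incident is recorded only when the user was warned and proceeded anyway.
        if user_confirms:
            return Outcome(True, "user confirmed", rule.monitoring, rule.require_justification)
        return Outcome(False, "user declined", Monitoring.NONE)


# Constructed sample policy for the "Credit Card Numbers" classification.
PCI_POLICY = DataControlPolicy("Credit Card Numbers", [
    ChannelRule("email", Action.ASK_USER, Monitoring.ALERT, require_justification=True,
                exempt_domains=frozenset({"example.com"})),
    ChannelRule("web", Action.BLOCK, Monitoring.ALERT),
    ChannelRule("external_storage", Action.ENCRYPT, Monitoring.LOG,
                exempt_serials=frozenset({"CEO-HW-ENC-0001"})),
])
PCI = frozenset({"Credit Card Numbers"})

if __name__ == "__main__":
    print(PCI_POLICY.evaluate(Transfer("email", PCI, ("a@example.com", "x@partner.net")), True))
    print(PCI_POLICY.evaluate(Transfer("external_storage", PCI, device_serial="USB-123")))
```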

Safend Discoverer: Endpoint Data Discovery

Understanding where sensitive data is located is the foundation of any data protection project. Safend Data Protection Suite allows security administrators to locate sensitive data stored on organizational endpoints. This process helps identify gaps in data protection and compliance initiatives and provides insight into what policies should be implemented using other components of the Safend Data Protection Suite. The endpoint discovery process is triggered by applying a Discovery Policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The Discovery Policy also specifies the type of log record that will be sent to the Management Server when sensitive data is discovered. When a Discovery policy is applied on the endpoint, the Safend Data Protection Suite Agent scans and classifies all data files on the machine. The discovery process runs in the background, with minimal effect on endpoint performance. When a classified file is discovered, a log record is sent to the Management Server. The status of the discovery process conducted on each endpoint is displayed in the Clients World.

Safend Auditor

Safend Auditor is a tool that goes hand in hand with Safend Data Protection Suite and complements its capabilities by providing you with the visibility needed to identify and manage endpoint vulnerabilities: a full view of what ports, devices and networks are (or were previously) in use by your organization's users. Organizations can use the output of a Safend Auditor scan to select the devices and networks whose usage they want to approve.

Safend Policy Enforcement – Safend Data Protection Suite Client

Safend Data Protection Suite Client is a lightweight software package that transparently runs on endpoint computers, at the kernel level, and enforces protection policies on each machine on which it is applied. It has a minimal footprint (in terms of file size, CPU and memory resources) and includes redundant, multi-tiered anti-tampering features to guarantee permanent control over endpoints. Safend Data Protection Suite Clients can be silently installed on all endpoints. Once policies have been distributed, the Client immediately starts protecting the computer. When a violation of a Safend Data Protection Suite policy occurs or during certain usage activities, a message is displayed on the endpoint computer, according to the preferences you defined in your policy. A log entry may be created to record this event. If you wish, you may install the Client in Stealth Mode, hiding both the Safend tray icon and messages and making Safend Data Protection Suite Client invisible to the user at the endpoint.

Safend Data Protection Suite Implementation Workflow

The following is an overview of the workflow for implementing and using Safend Data Protection Suite.

Step 1: Install the Safend Data Protection Suite Management Server and Console.

Step 2 (optional): Install Additional Management Consoles.

Step 3: Define General Safend Data Protection Suite Administration Settings.

Step 4 (optional): Scan Computers and Detect Port/Device Usage. Use Safend Auditor to detect the ports that have been used in your organization and the devices and WiFi networks that are, or were, connected to these ports.

Step 5: Define Safend Data Protection Suite 1st Policies. In this stage, it is recommended to create a permissive policy for the entire organization, which monitors end user activities. This policy will allow you to learn how devices and data are used in your organization for legitimate business processes before enforcing a more restrictive policy.

Step 6: Install Safend Data Protection Suite Client on Endpoints.

Step 8: Discover Sensitive Data. In this stage, you create and associate a discovery policy to organizational endpoints to determine which endpoints store sensitive data.

Step 9: Analyze Initial Logs. In this stage, you review the logs received from the endpoints and determine which user activity is an appropriate business process which should be allowed by policy and which is a potentially harmful action which should be blocked.

Step 10: Create and distribute enforcement policies. In this stage you define how data is protected in your organization: which machines and removable storage devices are encrypted, how ports, devices and WiFi networks are used and which data can be transferred out of protected endpoints.

Step 11: Endpoints are Protected by Safend Data Protection Suite Policies. In this stage, all security policies are enforced on the endpoints. Logs about attempts to violate these policies, as well as tampering attempts, are created and sent to the Management Server.

Step 12: Monitoring Logs and Alerts. View the log entries generated by Safend Data Protection Suite Clients, using Safend Reporter. Analyze these logs and maintain ongoing visibility into the organization's security status.