1 CREDANT Confidential. 1 NLIT 2009. 2 2 CREDANT Company Overview 2007 Data Security Leadership...


NLIT 2009


CREDANT Company Overview

2007 Data Security Leadership Quadrant

2007 & 2008: #1 Fastest Growing Private (Security) Company

Test result: 8.6 Very Good

Founded - September 17, 2001
• To enable customers to manage security of data on any device – PDA, PC, MAC, USB

Product Line - CREDANT Mobile Guardian (CMG)
• Data-centric, policy based, centrally managed data protection solution that "Protects What Matters" - your critical information

US-Based Company
• Code developed in Addison TX.
• Cisco Systems & Intel Capital are key investors

Accomplishments
• More than 775 customers, 7 million endpoints
• Solution recognized by leading industry experts
• INC 500 Fastest Growing Security Company 2007 & 2008

CREDANT Confidential. Subject to NDA


Agenda

• The Business Problem
• Centralized vs. Decentralized Management
• Compliance with Federal Desktop Core Configuration (FDCC)
• Supporting Imaging Across Platforms
• Managing Shared PCs
• Authentication Support
• Roadmap

Encryption Solution Issues


The Business Problem

Critical enterprise data resides on numerous endpoint devices, and the storage capacity and criticality of information continue to increase

[Diagram labels. Users: Employee, Contractor, Partner. Data: Research Data, Intellectual Property, Purchasing Information, Social Security Numbers, SBU or Classified Government Information, Test Data. Locations: Airport, Internet Cafe, Home, Office, Site, Transit]


The Business Justification – Encryption Cost

• Assume 1000 employees/contractors
• Assume 250 use laptops that need protection

The ratio of machines that need protection and that don’t need protection will vary but the business justification is the same

• Cost after discounts = $75/laptop
• Internal labor/training costs to implement = $50/laptop
• Total = $125/laptop x 250 laptops = $31,250
• Just to be safe – double that to $62,500 to implement Data-at-Rest encryption solution (DAR)


The Business Justification – Breach Cost

• Assume 10,000 personnel records lost
  A 200GB HD can hold 2,000,000 100KB records
• Cost to change each bank/credit card account
  $15/record = $150,000
• Cost per individual for a year of credit monitoring service
  $60/individual = $600,000
• TOTAL = $750,000
• Does not include any legal fees, or the cost of security implemented after the fact

• DoE data breaches carry risk that cannot be monetized


Management Choices

Centralized Management

• Detect: Automatically detect users added to Enterprise directory and create encryption keys and policies. Detect media devices automatically.
• Encrypt & Enforce: Encrypt and enforce encryption policies. Manage keys for hardware-based encryption. Control data usage outside the enterprise.
• Manage & Audit: show device state at time of loss. Adapt to changing regulations. Securely automate key escrow.
• Operate & Support: reduce administrative costs. Centralize key escrow and access control (forensics).

Reduce Risk / Ensure Operational Efficiency / Gain Workforce Productivity

A centrally managed solution integrates with the Enterprise directory, providing enforcement of encryption policies and reducing management effort and cost.


FDCC Compliance

• Users cannot have administrative rights on the PC
  Impacts removable media support most
• User cannot mount volumes
• Users cannot install software
• Users’ file system rights should be restricted
  Incompatible with some encryption solutions
  Pagefile must still be encrypted
• Solution must be able to run outside of user privileges
• Ports and protocols are managed/restricted
  Encryption solutions must have flexible network settings
• Automated Patching and Scanning Systems deployed
  Encryption solution must not prevent malware detection remediation
• IDS solutions are likely in use
  Must be compatible with deployed IDS(s)


Imaging is Now the Standard Way to Deploy

This can be problematic if the DAR solution encrypts or generates keys for the image at install time

All devices may end up with same key
• Changing the key requires decryption/re-encrypt

Encrypted images cannot be changed
• The encrypted volume is not editable

Can add considerable time to imaging process
• Requires unnecessary encryption of an empty drive

Some solutions do not support standard imaging processes
• Especially true if images are deployed to hard drives with different geometries


Shared PCs

Multiple Users per Device Create Management and Security Issues

Will users share boot passwords?
• If not, then pre-boot accounts must be managed for each user

Does data access need to be controlled across users?
• Does User A need to be prevented from seeing User B’s data?
• All users of the device may end up with same key
• Pooled-devices may need to be wiped/re-imaged between users

Is Audit required to track system access?
• Can you show who used which PC and when?


Authentication Support

Many organizations have multiple authentication types
• UID/Password
• Tokens
• Smartcards (HSPD-12, PIV)
• Mixed-mode authentication

Are these supported by the DAR solution?
• What does it take to get a new authentication type supported?
• Do code updates require decryption/re-encryption?
• What tools need to be used to upgrade?

Can users switch between authentication types?
• e.g. UID/Password or CryptoCard and still access data on the PC
• Temporary access while a token/smartcard is being re-issued

Does data access need to be controlled across users?
• Does User A need to be prevented from seeing User B’s data?
• Can this be tied to the encryption solution?

All users of the device may end up with same key
• Pooled-devices may need to be wiped/re-imaged between users


Roadmap

In the past there were two options in data protection…

Full Disk Encryption
• No User Data Privacy
• Patch management issues
• System compatibility problems
• Operational & performance issues
• Dead-end Technology

File/Folder Encryption
• User Chooses Files to encrypt

Now there’s a Better Way: Full Data Encryption technology to solve current and future problems

Intelligent Encryption benefits:
• User Cannot Choose – All Data Protected
• User Encrypted Data Privacy
• Single Console for all Management
• Broad ALL mobile platforms
• PC, USB Media, Handhelds
• Avoid compatibility & operational impacts
• Single agent can grow with future needs


Management Across Platforms

Full Compliance Reporting

Low Operational Impact

Transparent to End-users

All Solutions Managed within One Console


Contact Information:
Eric Hay
Director, Federal Field Engineering
Ofc: 703.532.2720

[email protected]

Comments/Questions/Discussion

Reduce the Risk of Data Compromise!