THE PROBLEM: CHOOSING BETWEEN SECURITY AND MOBILITY… · LEVEL OF CONTROL OVER ENTERPRISE...
THE PROBLEM: CHOOSING BETWEEN SECURITY AND MOBILITY
WORKING WITHOUT MOBILITY MAY MEAN:
• Increased costs
• Less collaboration
• Reduced efficiency & productivity
• Difficulty with recruiting and retention

MOBILITY WITHOUT SECURITY MAY MEAN:
• Weakened policy and compliance enforcement
• Threat of lost or stolen data
• Risk of physical hacking of devices
• Cost to remediate damage of breach
• 43% have trouble securing and monitoring devices
• 37% enforce different security protocols at different locations
• 32% lack control – or even knowledge of – device location
ORGANIZATIONS FACE MANY SECURITY THREATS:
• Remote Monitoring (Surveillance & Exploitation)
• Keylogging and Persistent Firmware Threat
• Air-Gap Jumping & Data Exfiltration
• Insider Threat & User Negligence
• Removable Media & Data Port Exploitation
• Wireless Spoofing & Man-in-the-Middle
• Lost & Stolen Devices
• Privilege Escalation Attacks
ENHANCED SECURITY · DYNAMIC COMMAND AND CONTROL · UNMATCHED ASSET MANAGEMENT

DISTRICT DEFEND ADDRESSES THE ROOT CAUSE OF SECURITY GAPS AND DELIVERS ENDPOINT HARDENING ACROSS COMPLEX MISSION NEEDS
• Configures endpoint security settings based on organizational policies, user role, location, and time-bound permissions
• Automatically powers off devices outside approved spaces and enforces data-at-rest encryption
• Executes remote data wipes if devices are stolen or left outside secure spaces
• Provides pre-boot validation of device presence and configuration within approved spaces
• Controls the security configurations of all enterprise devices, across all approved locations via a single management interface
• Enables the establishment of numerous user groups, which can each maintain unique security rules
• Supports access control decision frameworks for applications, VDI environments, and network resources
• Eliminates reliance on end-user compliance and manual system administration
• Provides real-time situational awareness of when devices leave authorized facilities and the duration of absence
• Ensures end-users maintain positive control of assigned devices
• Provides critical counterintelligence data on device movement/behavior for external analysis and trends
• Delivers endpoint device/server usage data, inventory management, and secure supply chain
Eliminates Human Error · Prevents Advanced Attacks · Allows Enterprise Mobility · Enforces Data Encryption
SEAMLESSLY SECURES ENTERPRISE MOBILE DEVICES ANYTIME, ANYWHERE, EVEN WHEN POWERED OFF
DISTRICT DEFEND ENABLES ORGANIZATIONS TO TAKE AN UNPRECEDENTED LEVEL OF CONTROL OVER ENTERPRISE MOBILITY DEVICES
• COMMERCIAL SOLUTIONS FOR CLASSIFIED (CSFC) INTEGRATION: Help organizations automatically enforce data-at-rest encryption and manage mobile access data-in-transit protections
• DEVICE WIPE & DATA SECURITY: Dump sensitive cryptographic material and wipe the hard drive to minimize risk of lost or stolen devices and ensure compromised devices are not re-introduced to enterprise resources
• ENTERPRISE ASSET & INVENTORY MANAGEMENT: Integrated RFID capabilities provide situational awareness of an organization’s threat posture and increase inventory management effectiveness
• CONTEXTUAL SECURITY: Use user/device behaviors, environmental factors, and threat vectors to inform automated endpoint protection decisions
• PRE-BOOT SECURITY: Provide assurances the device is secure and in approved locations before the hard drive is decrypted and capable of accessing data on enterprise networks
• FIRMWARE-LEVEL HARDWARE MANAGEMENT: Quickly adapt to attacks, vulnerabilities, and policy changes by powering off devices of concern – ensuring unnecessary hardware is disabled at the lowest possible level
• GEOFENCING BOUNDARY ENFORCEMENT: Ensure enterprise devices can only be powered on in approved locations (network connectivity and/or RFID) and immediately power off devices removed from controlled areas
• ENTERPRISE INTEGRATION: Fully integrates into existing ecosystems, allowing organizations to get rapid results and return on investment
[Figure: capability areas – CSFC Wireless Infrastructure · Asset Management and Tracking · Endpoint Command & Control · Secure VDI/Zero-Trust Endpoint]

CONTEXTUAL SECURITY TRIGGERS
Trigger sources: Environment · RFID · User Behavior · Network
Outcomes: Counterintelligence/Insider Threats · Dynamic Access Control
Enforced actions:
• Device Shutdown & Data Wipe
• Firmware-Based Hardware Controls
• CSFC Data-at-Rest Enforcement
• Adaptive Threat Response
• Secure Network Management
• Anti-Tampering Mechanisms
• Multi-Domain Access Controls
DISTRICT DEFEND PROVIDES THE FOUNDATION FOR SECURE END-TO-END ENTERPRISE MOBILITY

[Diagram: THREATS (Physical Attacks · Cyber Exploits · Human Error · Insider Threats) mapped to DISTRICT SOLUTIONS]

DISTRICT CAPABILITIES (each control can be set to Enable or Disable):
• Device Power On
• Wifi Enabled
• Wireless LAN
• Personal File Access
• USB Access
• Wiper Timer
• Camera Enabled
• Microphone Enabled
Security that automatically knows where devices are located, and how to adapt security controls.

DYNAMICALLY UPDATES SECURITY PROTOCOLS: As your device moves from location to location or to different “Districts”, it automatically updates security protocols and data access even when powered off.

ZONE-BASED SECURITY ALLOWS USERS TO BE TRULY MOBILE, USING ONE DEVICE ANYWHERE WITHOUT SACRIFICING DATA INTEGRITY

SEAMLESS MANAGEMENT: For the administrator, managing all devices’ security configurations is as simple as flipping a switch.
DISTRICT ASSET TRACKING AND MANAGEMENT ADDRESSES KEY SECURITY VULNERABILITIES TO SAFEGUARD ENDPOINTS, DATA, & INFRASTRUCTURE:

BENEFITS OF PASSIVE RFID ASSET TRACKING:
✓ Situational awareness of all devices’ current location, regardless of power state
✓ Collect information on device movement and user behaviors for counterintelligence audits/analytics
✓ Support CSfC-Approved Capability Packages and Location-Based security

BENEFITS OF CONTEXT-BASED MANAGEMENT:
✓ Automated device wipe of lost or stolen devices to ensure exploited devices are not re-introduced into the environment
✓ Ensure Wi-Fi is disabled if devices are in unapproved locations and enabled only in approved locations
✓ Control boot management and ensure memory is cleared when a device is taken outside
[Diagram labels: Networking · Passive RFID]
CONTEXTUAL TRIGGERS WILL EXPAND TO PROVIDE ADDITIONAL FLEXIBILITY AND ENHANCED SECURITY PROTECTIONS ACROSS EVOLVING USER SCENARIOS

Benefits of Multiple Contextual Triggers:
• Significantly complicates an attacker’s approach to replicating the contextual triggers that enable “privileged” device behavior
• Provides protection against lost or stolen devices and prevents re-introduction of compromised devices into enterprise networks and resources
• Delivers flexibility to support a variety of work environments and user bases with diverse mission needs
• Allows for the use of one or many contextual triggers based on organizational security requirements
CONTEXTUAL TRIGGER TYPES

PASSIVE RFID: Establishes virtual RF curtains that serve as organizationally-defined boundaries for end user device usage and configuration settings. Provides the ability to track assets and communicate policies even when devices are powered off.

NETWORKING: Uses the end user devices’ connection status to enterprise networks to determine policy configurations. Supports either binary or multi-network configurations and allows requirements for always connected or “time to live” after disconnect.

ENVIRONMENTAL: Allows organizations to create a baseline of expected conditions (e.g., should only see certain Wi-Fi SSIDs or should always see certain RF beacons). Automatically enforces organizationally-defined actions if the device falls outside the baseline.

USER BEHAVIOR: Enables organizations to establish a whitelist of expected behaviors or a blacklist of impermissible behaviors. When a user’s actions do not align with the established baseline, organizationally-defined actions will automatically be enforced.

TAILORED SCRIPTS: Organizations’ needs and threats/vulnerabilities both constantly evolve and demand new security triggers and corresponding actions. Customized scripts allow organizations to create their own library of policies that can be integrated and enforced.
“DATA-FULL” ACCESS (I.E., DATA ON DEVICE)
CURRENT WEAKNESSES:
• Data security highly relies on the Operating System and end user
• Difficult to implement data wipes and often relies instead on data delete
DISTRICT ENHANCEMENTS:
• Automates policy enforcement at firmware level
• Utilizes pre-boot data wipe with built-in wipe timers to establish “time to live” rules
• Enforces Data-at-Rest CSfC protections to ensure the device is considered “black” when removed
DISTRICT DEFEND SUPPORTS AND HARDENS A VARIETY OF END-POINT DATA ACCESS METHODOLOGIES
VIRTUAL DESKTOP/ZERO CLIENT
CURRENT WEAKNESSES:
• Lack secure, hardware-based key/certificate storage (e.g., TPM 2.0)
• Not configured to support multiple IPSec tunnels
• Lack robust mobile device options
DISTRICT ENHANCEMENTS:
• Provides the hardware-level security protections to safeguard keys/certificates
• Prevents re-introduction of compromised devices into environment
• Supports establishment of CSfC IPSec tunnels
District continues to evolve to support both data-on-device and virtual desktop approaches, as well as a combination of the two on a common platform.
To see District Defend in action, we will show you an example of how some customers have deployed District.
DEPLOYMENT EXAMPLE: DEVICE SETTINGS AS THE DEVICE MOVES THROUGH ZONES
(The device passes through Zone 2 twice and ends back in Zone 1 with Power Off and the Wipe Timer On.)

Step  Zone                                         Power  USB  Front Camera  Wireless LAN  Speakers  Microphone  Docking  Wipe Timer
1     ZONE 1: LOBBY & EXTERIOR                     On     Off  Off           Off           Off       Off         Off      Off
2     ZONE 2: HALLWAY AND OPEN CONFERENCE ROOMS    On     On   On            Off           On        On          Off      Off
3     ZONE 3: TYPICAL USER WORKSPACE               On     Off  Off           On            On        Off         On       Off
4     ZONE 2: HALLWAY AND OPEN CONFERENCE ROOMS    On     On   On            Off           On        On          Off      Off
5     ZONE 4: SENSITIVE INFORMATION ACCESS POINT   On     Off  Off           Off           Off       Off         On       Off
6     ZONE 1: LOBBY AND EXTERIOR                   Off    Off  Off           Off           Off       Off         Off      On
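The zone walkthrough above, together with the contextual trigger types described earlier (passive RFID zone, network connection status with a "time to live" after disconnect, and an environmental baseline of expected RF beacons or SSIDs), can be modelled as a small policy evaluator. The following Python is an added example written for this page, not District Defend's code: the per-zone control settings are transcribed from the walkthrough, while the lockdown state, the expected beacon list, the ten-minute network TTL, and the rule that every trigger must agree before zone settings apply are constructed assumptions.

```python
"""Zone-based endpoint policy evaluation: an illustrative model, not District Defend's code.

Zone settings are transcribed from the deployment walkthrough; LOCKDOWN,
EXPECTED_BEACONS and NETWORK_TTL are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Hardware/data controls toggled by each zone policy (from the walkthrough).
CONTROLS = ("power", "usb", "front_camera", "wireless_lan",
            "speakers", "microphone", "docking", "wipe_timer")


def _policy(*enabled: str) -> Dict[str, bool]:
    """Settings dict with the named controls enabled and every other control disabled."""
    unknown = set(enabled) - set(CONTROLS)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    return {c: c in enabled for c in CONTROLS}


# Per-zone settings transcribed from the walkthrough.
ZONE_POLICY: Dict[str, Dict[str, bool]] = {
    "ZONE 1: LOBBY & EXTERIOR": _policy("power"),
    "ZONE 2: HALLWAY AND OPEN CONFERENCE ROOMS":
        _policy("power", "usb", "front_camera", "speakers", "microphone"),
    "ZONE 3: TYPICAL USER WORKSPACE":
        _policy("power", "wireless_lan", "speakers", "docking"),
    "ZONE 4: SENSITIVE INFORMATION ACCESS POINT": _policy("power", "docking"),
}

# Fail-closed state for a device outside every approved space: power off and the
# wipe timer running, matching the final Zone 1 row of the walkthrough (assumed).
LOCKDOWN = _policy("wipe_timer")

# Constructed parameters for the networking and environmental triggers.
EXPECTED_BEACONS: Set[str] = {"CORP-BEACON-1"}   # environmental baseline (assumed)
NETWORK_TTL = timedelta(minutes=10)               # "time to live" after disconnect (assumed)
BASE_TIME = datetime(2024, 1, 1, 9, 0)            # constructed reference time


@dataclass
class DeviceContext:
    """Snapshot of the contextual triggers observed by one device."""
    now: datetime
    rfid_zone: Optional[str]            # zone from the passive RFID curtain; None = no read
    on_enterprise_network: bool
    last_network_contact: datetime
    visible_beacons: Set[str] = field(default_factory=set)  # Wi-Fi SSIDs or RF beacon IDs in view


def make_context(rfid_zone, on_network, minutes_since_contact, visible_beacons=()):
    """Convenience constructor: last enterprise contact at BASE_TIME, 'now' offset by minutes."""
    return DeviceContext(now=BASE_TIME + timedelta(minutes=minutes_since_contact),
                         rfid_zone=rfid_zone, on_enterprise_network=on_network,
                         last_network_contact=BASE_TIME,
                         visible_beacons=set(visible_beacons))


def network_presence_ok(ctx: DeviceContext) -> bool:
    """Networking trigger: connected now, or disconnected for no longer than NETWORK_TTL."""
    if ctx.on_enterprise_network:
        return True
    return ctx.now - ctx.last_network_contact <= NETWORK_TTL


def environment_ok(ctx: DeviceContext) -> bool:
    """Environmental trigger: at least one beacon/SSID from the expected baseline is visible."""
    return bool(ctx.visible_beacons & EXPECTED_BEACONS)


def evaluate_policy(ctx: DeviceContext) -> Tuple[Dict[str, bool], str]:
    """Combine the triggers: zone settings apply only when every trigger agrees;
    any failed check falls back to LOCKDOWN. Returns (settings, reason)."""
    if ctx.rfid_zone is None:
        return dict(LOCKDOWN), "no RFID zone read: device outside approved spaces"
    if ctx.rfid_zone not in ZONE_POLICY:
        return dict(LOCKDOWN), f"unknown zone {ctx.rfid_zone!r}"
    if not network_presence_ok(ctx):
        return dict(LOCKDOWN), "enterprise network time to live expired"
    if not environment_ok(ctx):
        return dict(LOCKDOWN), "environmental baseline not met"
    return dict(ZONE_POLICY[ctx.rfid_zone]), f"zone policy: {ctx.rfid_zone}"


def transition(from_zone: str, to_zone: str) -> Dict[str, bool]:
    """Controls that change (with their new value) when a device moves between two zones."""
    before, after = ZONE_POLICY[from_zone], ZONE_POLICY[to_zone]
    return {c: after[c] for c in CONTROLS if before[c] != after[c]}


if __name__ == "__main__":
    zones = list(ZONE_POLICY)
    # Constructed route matching the walkthrough: lobby, hallway, workspace, hallway, sensitive area.
    route = [zones[0], zones[1], zones[2], zones[1], zones[3]]
    for prev, nxt in zip(route, route[1:]):
        print(f"{prev} -> {nxt}: {transition(prev, nxt)}")
    # Device with no RFID read that exceeded the network TTL: falls back to lockdown.
    print(evaluate_policy(make_context(None, False, 30)))
```

The evaluator is deliberately fail-closed: a missing RFID read, an unknown zone, an expired network TTL, or an environment that does not match the baseline all produce the same powered-off, wipe-timer-running state, so an attacker would have to reproduce every trigger at once to obtain a zone's privileged settings. `transition` lists exactly which hardware controls flip at each step of the walkthrough, which is what an administrator would review when designing zone boundaries.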
EXECUTE MISSION OBJECTIVES WITHOUT SACRIFICING DATA SECURITY.
WITH DISTRICT DEFEND SECURE MOBILITY, YOU’RE FREE TO DO MORE
For further information please contact:
Jeff Van Horn, TriCIS Ltd, [email protected], Mobile: +44 (0) 7761-514-558
WITH DISTRICT DEFEND, YOU’RE FREE TO BE TRULY MOBILE