Transcript of the slide deck “Understanding Northwestern University’s contract with Symantec” (Symantec and Northwestern University)
Understanding Northwestern University’s contract with Symantec
Symantec Solutions for Cost Reduction & Optimization
Chris Hagelin (Symantec Account Manager) and Shane Scholes (Symantec Sales Engineer)
Agenda
• Symantec Overview
• Agreement Overview
• Symantec Endpoint Encryption
Industry Recognition
Security Leadership
• Consumer Endpoint Security (#1 market position [1])
• Endpoint Security (#1 market position [2]; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [3])
• Messaging Security (#1 market position [4]; Gartner Magic Quadrant leader [5])
• Policy & Compliance (#1 market position [6])
• Email Archiving (#1 market position [7]; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [8]; Forrester Wave leader [9])
• Data Loss Prevention (#1 market position; positioned in the Leaders Quadrant of the Gartner Magic Quadrant [10] and Forrester Wave leader [11])
• Security Management (#1 market position [12])
• Security Information & Event Management (SIEM) (positioned in the Leaders Quadrant of the Gartner Magic Quadrant [13])
Storage and Availability Management Leadership
• Storage Infrastructure Software (#1 market position [14])
• Core Storage Management Software (#1 market position [15])
• Data Protection (#1 market position [16])
We Understand Your Reality
• Deliver an increasing number of business services with significantly fewer resources than last year.
• Federated vs. consolidated education
• Delivery of open education
• Confidential data exposure
• Technical: data growth, data duplication
• Compliance
• Facilities cost
• End-point evolution
• Personnel: lack of resources
Symantec and Northwestern University Partnership
Symantec is committed to:
• Working in partnership with Northwestern University to provide a comprehensive and sustainable solution for all aspects of members’ requirements.
• Ensuring successful projects and minimizing risk for all members’ information risk management initiatives.
• Providing support and advice to NU members after deployment to ensure smooth operation and continued protection.
Symantec and Northwestern University Partnership
Agreement Outline:
• A three‐year Agreement (expires: June 30, 2013)
• Symantec Security and End Point Management Solutions
• FTE‐based license model
• Perpetual and Subscription options
• License, Support and Competitive Replacement Models
• Delivered through Software Partner: SHI
Symantec and Northwestern University
Agreement Outline:
• Technology Solutions include:
– Symantec Protection Suite
– Anti‐Virus (SEP)
– Anti‐spam (SEP)
– Anti‐spyware (SEP)
– Network Access Control (SEP)
– Mail Gateway Security (Brightmail)
– Backup Exec for end‐points
• Additional Options Available on Contract:
– Encryption
– Data Loss Prevention
– Altiris
Obtaining the Software
• SEP available for download via the NUIT Web site:
– www.it.northwestern.edu/software/sav/index.html
– www.it.northwestern.edu/software/secure/index.html
• Requests for additional quotes go to [email protected]
Symantec Endpoint Encryption 7.0
The Problem with Data
Data is Pervasive and Portable:
– Desktops and Laptops
– Computer hard drives
– Removable storage devices, such as CDs and USB drives
Risk for organizations:
– Loss of data and associated expenses
Data at Risk puts your Business at Risk
[Chart] Where’s the biggest risk? Categories: lost or stolen laptops; data sent to wrong recipient; lost CD or other removable media; external attacks; other (includes paper); data stolen without authorization.
“Fifty-six data cases were investigated by the Financial Crime Operations team at the FSA in 2007, according to FOI statistics obtained by Computer Weekly.” Sarah Hilley, October 2008
What customers are looking for (technical):
• Centralized Management
• AD Integration / No AD Integration
• Non-intrusive user experience
• Data secured from review by external persons
• The ability to share data with external persons
• Device Control
• Certifications (FIPS, CC, …)
• Full/Whole Disk*
• Integration with…
What they are really looking for (non-technical):
• The ability to deploy a solution with minimal trouble.
• The ability to say that a lost or stolen system will not be compromised.
• Advice: how other people are deploying.
• Something that will not break another solution they have deployed.
• To know “What is Encryption?” (no joke)
• To do this in the easiest way possible.
Endpoint Encryption Terms
• Full Disk Encryption secures all data stored on a PC’s hard drive
• File‐based Encryption secures individual files on a PC’s hard drive or on removable storage devices such as CD/DVD, USB memory sticks, iPods, portable hard drives, etc.
• Data‐in‐use—data that is currently being accessed and used.
• Data‐in‐motion—data that is being transmitted via IM, email, etc.
• Data‐at‐rest—data that exists on PCs that are in shutdown, sleep, or hibernate mode or that have invoked screensaver passwords
“The bottom line is that a significant number of PCs and media devices carrying business data will not be properly encrypted and are fated to cause disasters for companies and the individuals who are affected. The odds suggest that this will happen to your organization, whether it is small, midsize or large. The rosters of companies listed in various public sources and blogs touch business entities of all types in countries around the world.” Gartner, November 2008
Symantec Endpoint Encryption
• Symantec Endpoint Encryption Full Disk Edition
• Symantec Endpoint Encryption Removable Storage Edition
Advanced encryption for desktops, laptops and removable storage devices offering scalable security and prevention of information compromise.
Endpoint Encryption – Full Disk (Symantec Endpoint Encryption Full Disk Edition)
• FIPS 140‐2 validated, CC EAL4 pending
• Pre‐boot authentication
• Password recovery
– Self‐Service Authenti‐Check™
– Remote one‐time password recovery
• Advanced enterprise ready capabilities
– Multiple user / administrator accounts
– Software setup and installation tools
– Administrative drive recovery
– Wake on LAN
• OS and system files
• Swap / hibernation files
• Data / multiple partitions
Endpoint Encryption – Full Disk
• Full partition or disk encryption
– Encrypts boot disk
– Encrypts up to 26 partitions on system boot disk
• FIPS 140‐2 validated AES cryptography
– 256‐bit key (default) or 128‐bit key for disk encryption
• Excellent performance
– Partition or disk level encryption
• Initial encryption after installation
– Runs in low priority background
– Users can continue to use their machine
– Power loss feature always enabled
• Run‐time encryption
– Users typically do not notice the performance impact
– 5% to 15% depending on a variety of factors
Endpoint Encryption – Full Disk
• Encrypts all disk sectors
– Includes swap files, hibernation files, temporary files
• Supports standby and hibernation modes
– Encrypts hibernation file
– Prompts for user credentials when resuming from hibernation if pre‐boot authentication is enabled
• Low‐level encryption driver
– Intercepts all Windows calls to read and write files
  • Encrypts data from memory and writes it to disk
  • Decrypts data from disk and writes it to memory
– Completely transparent to all Windows applications
– Completely transparent to the Windows operating system
– Data stored on disk is always encrypted
  • No temporary files with decrypted data
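As an added illustration (not part of the presentation and not the product’s code), the following Go model of a sector‐level encryption layer shows the property the slide describes: writes are encrypted on their way from memory to the store, reads are decrypted on the way back, and the raw store never holds plaintext. The 512‐byte sector size, the per‐sector IV derivation and the key handling are assumptions of this example, not details of Symantec Endpoint Encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const sectorSize = 512 // bytes per sector, a multiple of the 16-byte AES block

// EncryptedDisk models the slides' sector-level driver: encrypt on the way from
// memory to the store, decrypt on the way back, so the store never holds plaintext.
type EncryptedDisk struct {
	block cipher.Block // AES-256 data key, standing in for the workstation key
	store [][]byte     // the "physical" sectors, always ciphertext
}

// NewEncryptedDisk takes a 32-byte key (AES-256, the slides' default) and a sector count.
func NewEncryptedDisk(key []byte, sectors int) (*EncryptedDisk, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &EncryptedDisk{block: b, store: make([][]byte, sectors)}, nil
}

// sectorIV encrypts the sector number to get a per-sector IV (an ESSIV-style choice made
// for this example, not a claim about the product), so equal plaintext sectors differ on disk.
func (d *EncryptedDisk) sectorIV(n uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], n)
	d.block.Encrypt(iv, iv)
	return iv
}

// Write encrypts one whole sector (the array type enforces the size) and stores ciphertext only.
func (d *EncryptedDisk) Write(n uint64, plain [sectorSize]byte) {
	ct := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(d.block, d.sectorIV(n)).CryptBlocks(ct, plain[:])
	d.store[n] = ct
}

// Read decrypts a sector back into memory; a never-written (nil) sector reads as zeros.
func (d *EncryptedDisk) Read(n uint64) []byte {
	pt := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(d.block, d.sectorIV(n)).CryptBlocks(pt, d.store[n])
	return pt
}

func (d *EncryptedDisk) Raw(n uint64) []byte { return d.store[n] } // what a thief with the bare drive sees
```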
Pre‐boot Authentication
• Hardened pre‐boot operating system
– Small footprint and attack surface
– Adds extra layer of security when enabled
– Users authenticate to pre‐boot logon dialog
• Key management included
– Does not require separate key management infrastructure
– User logon credentials securely stored in the pre‐boot environment
• Single sign‐on
– Windows Single Sign‐on integration
– Novell Single Sign‐on (supports version 4.9.1 SP3 or later)
– User password changes automatically synchronized
• Recovery
– Recovery keys automatically encrypted and escrowed in server
• Optional per installation by administrator
– Customers can elect to deploy without it
– Windows responsible for user authentication
– Drive fully encrypted even if pre‐boot authentication is disabled
Password recovery
• Self‐service recovery for lost or forgotten passwords
– Authenti‐Check™ challenge/response questions and answers
– Administrator or user provisioned questions
– User provisioned responses
– Administrator option to deploy
• Help Desk assisted One‐Time Password
– Challenge/response keys
– Unique to each workstation
– Keys automatically escrowed to server during client check‐in
– Separate administrative role with read‐only access to necessary key information
– Separate application for Help Desk personnel only
– Administrator option to deploy
– Requires user to change password after OTP gives access to machine
– Enables recovery for registered users if the machine is locked because it missed a required reporting period
Endpoint Encryption – Removable Storage (Symantec Endpoint Encryption Removable Storage Edition)
• File level encryption
• FIPS 140‐2 certified algorithms
– 256 bit and 128 bit AES
• File Encryption Key (FEK)
– Unique key per file
• Key protection / user authentication
– Passwords
– Certificates
– Workgroup key
– Administrative data recovery certificate
Endpoint Encryption – Removable Storage
• Transparent end user operation
• Comprehensive encryption support
– Policy based encryption for removable media
– FIPS certified AES 256 bit or 128 bit, CC EAL4 pending
– Encrypt plain text data on devices
• Best‐in‐class storage media support
– Flash drives, hard drives, SD cards
– CF cards, CDs/DVDs, iPods, etc.
• Portability
– Access utility: install by policy, read / write encrypted data
– Self‐extracting archives
• Group and Kiosk mode operation
• Centrally managed data recovery
Key Management
Endpoint Encryption – Removable Storage
• Key considerations:
– Data files only
– One password per CD/DVD
– Up to 12 levels of nested folders
– One session per disc
– Will not block unencrypted writes from other burning applications
• Leverages SEE policies:
– Encryption
– Encryption Method
– Group Key
– Administrative Data Recovery Certificate
– Auto‐copying of Access utility
Endpoint Encryption – Removable Storage
• Administrative access to encrypted data
– Lost / destroyed password
– User left company
• Recovery Key
– Certificate distributed with software install
– Administrator controls private key
• Requires Certificate Authority but not PKI
Symantec Endpoint Encryption Management Server
• Application services: deployment, policy management, reporting, database operations, directory services integration (LDAP)
• Web services: IIS‐enabled client communications
Client / Server Communications
• SOAP over HTTP
• SOAP over HTTPS (optional)
Database
• Microsoft SQL Server 2005 (Express Edition with Advanced Services, Standard Edition, Enterprise Edition)
• Familiar, robust, and scalable data management
• Enables fast and comprehensive reporting
Deployment and administration
• Server installation
– Standard MSI installer packages
  • SEE Management Server (SEEMS)
  • Microsoft Internet Information Services (IIS)
  • Microsoft SQL Server 2005 (Express, Standard or Enterprise)
  • SEE Manager and administrative tools
• Client installation
– Standard MSI installer package
– Supports Active Directory, eDirectory and non‐domain endpoints
– Supports installation through GPO or any enterprise software deployment tool (e.g. Altiris, Tivoli, SMS, etc.)
– Silent installation
– Automatically launches disk encryption
– Automatically reports back to server
  • Escrows encrypted recovery keys
  • Periodically reports state of encryption for all partitions
– Audit trail for validating endpoint state when it goes lost or missing
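Added example (not the presentation’s or the product’s code): a Go sketch of how an incident handler would use the check‐in audit trail described above once a laptop is reported lost. The report structure, host names and decision rules are assumptions made for this example; the slides describe periodic encryption‐state reporting but not its schema.

```go
package main

import "time"

// CheckIn is one client report of the kind the slides describe: each endpoint periodically
// tells the management server how much of every partition is encrypted (assumed schema).
type CheckIn struct {
	Host       string
	At         time.Time
	PreBoot    bool           // pre-boot authentication was enabled
	Partitions map[string]int // partition -> percent encrypted
}

// Assessment is what an incident handler needs once a laptop is reported lost.
type Assessment struct {
	LastSeen      time.Time // newest check-in at or before the loss; zero if none
	PreBoot       bool
	Unencrypted   []string // partitions below 100% at that check-in (map order)
	SeenAfterLoss bool     // the endpoint reached the server after it was reported lost
}

// Protected: every partition fully encrypted and pre-boot authentication on at last check-in.
func (a Assessment) Protected() bool {
	return !a.LastSeen.IsZero() && a.PreBoot && len(a.Unencrypted) == 0
}

// AssessLostDevice rebuilds the device's state from the audit trail. A check-in after the
// loss is not reassurance: someone booted the machine and it reached the server. Follow up.
func AssessLostDevice(trail []CheckIn, host string, lostAt time.Time) Assessment {
	var a Assessment
	var last *CheckIn
	for i, c := range trail {
		switch {
		case c.Host != host:
		case c.At.After(lostAt):
			a.SeenAfterLoss = true
		case last == nil || c.At.After(last.At):
			last = &trail[i]
		}
	}
	if last == nil {
		return a // no pre-loss audit trail: treat everything on the device as exposed
	}
	a.LastSeen, a.PreBoot = last.At, last.PreBoot
	for p, pct := range last.Partitions {
		if pct < 100 {
			a.Unencrypted = append(a.Unencrypted, p)
		}
	}
	return a
}
```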
Multiple user and administrator accounts
• Supports multiple users
– 250+ registered users per endpoint
• Option for automatic user registration
– Supports public machines or kiosks
– No prompt for user during registration process
• Clear separation of administrative accounts and roles
– Server administration
  • Installation, administration, password management
– Endpoint policy administration
  • Creating and deploying security policies to endpoints
  • Leverages Active Directory by using Group Policy Objects
– Assisting users with One‐Time Password access
  • Help Desk personnel
  • Read‐only access to OTP challenge/response keys
– Hands‐on endpoint administration
  • User lockout recovery, data recovery, decryption
  • 250+ Client Administrators per endpoint
Policy Administrators
Symantec Endpoint Encryption Policy Administrators:
• Create Client Setup (.msi) files and deploy to users’ computers
• Create and deploy policy updates to clients
• Audit clients with Symantec Endpoint Encryption Client Monitor
• Establish Symantec Endpoint Encryption Client Administrators
Client Administrators
Symantec Endpoint Encryption Client Administrators:
• Perform administrative tasks on clients
• Unregister users
• Extend a scheduled lockout condition
• Initiate data recovery operations
• Unlock a machine
Client reporting and Auditing
The Group View and global reporting features display comprehensive audit information on the state of endpoint encryption
Operating system support
• Support for enterprise Windows 32‐bit and 64‐bit versions
– Client
  • Microsoft Windows 2000 SP4
  • Microsoft Windows XP Professional SP 2 and SP 3, Tablet PC
  • Microsoft Windows Vista R1 and SP 1 (Business, Ultimate and Enterprise Editions)
  • Microsoft Windows 7 (Professional, Ultimate, or Enterprise; 32‐bit or 64‐bit)
– Server
  • Microsoft Windows Server 2003 (all service packs)
Advanced management tools
• Comprehensive suite of administrative tools
– Remote machine access
  • Supports Wake On LAN
  • Pre‐boot authentication suppressed for machine maintenance
  • Deployed by administrator policy or MSI
– Local machine access
  • Enables local machine administration while disk remains encrypted
– Data recovery
  • Enables local data recovery for failed or corrupted disks
  • Uses escrowed recovery keys if local keys are damaged
  • Includes ability to force disk or partition decryption
– Forensic data recovery
  • Integration with Guidance Software EnCase forensic data recovery solution
Security validations
• FIPS 140‐2 validated cryptographic library
– AES encryption algorithm
  • Industry and government standard
  • Fast symmetric encryption algorithm
  • Primarily used for data encryption and decryption
– SHA‐1 hash algorithm
  • One‐way hash
  • Primarily used for credential and key management
  • Securely encrypts user credentials in the pre‐boot environment
– Pseudo‐random number generator
  • Generates unique workstation keys for encryption
• Common Criteria
– EAL 1 validated, EAL 4 pending
Upcoming Events – NUIT Tech Talk Symantec Series
NU TechTalk – Symantec Series:
• Symantec Protection Suite – September 28
• Data Loss Prevention – October 26
• Altiris Overview – November 30