Lumension Device Control (formerly Sanctuary)
Enforce Security Policies for Port Protection, Removable Device Usage, and Data Encryption with Lumension Device Control
The stand-alone implementation of the Lumension Data Protection solution enforces organization-wide usage policies for removable devices, removable media, and data (such as read/write and encryption rules). Using a whitelist, "default deny" approach, administrators can centrally manage devices and data. Lumension Device Control enables organizations to embrace productivity-enhancing tools while limiting the potential for data leakage and its impact.
How Lumension Device Control Works
1. Discover: Identify all removable devices that are now or have ever been connected to your endpoints through the use of a “learning” mode that allows you to collect information without disrupting business.
2. Assess: Define rules at both default and machine-specific levels for groups and individual users with regards to device access by class, model and/or specific ID, and uniquely identify and authorize specific media. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory.
3. Implement: Enforce device and data usage policies by: file copy limitations (amount per day, time of day) and file type filtering. You can also enforce the encryption of data moved onto removable devices / media and apply permissions to specific and/or groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access.
4. Monitor: Continuously monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities, and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.
5. Report: Create both standard and customized reports on all devices and data activity showing allowed and blocked events, which can be saved into a repository, shared via email, and/or imported into 3rd party applications. Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with government statutes (such as SOX, GLBA, HIPAA, HITECH, and others), industry regulations (such as NERC, PCI DSS and others) and especially your internal security policies.
Where Device Control Works
Lumension Device Control supports any ports and devices recognized by Windows, including all Plug-and-Play and user-defined devices.
Key Benefits for Device Control
Device / Port Access Control
- Per-Device Permissions - Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels; for instance, restrict access rights to a specific device of a company-approved model.
- Device Whitelist "Default Deny" - Assign permissions for authorized removable devices (such as USB sticks) and media (such as DVDs / CDs) to individual users or user groups; by default, any device / media / user not explicitly authorized is denied access.
- Flexible Policy with Granular Control - Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and much more; can be set for individual and/or groups of users, machines, ports and devices.
- Read-Only Access - Define any device (e.g., a floppy drive, DVD / CD writer, USB external hard drive, and so on) as read-only; other device permissions include write and encrypt / decrypt restrictions.
- Temporary / Scheduled Access - Grant users temporary access to removable devices / media, which can be used to grant access "in the future" for a limited period. Also, limit device usage during a specific time period; allows for development of sophisticated security policies where certain devices can only be used at certain times (e.g., from 9 A.M. to 5 P.M., Monday to Friday).
- Offline Enforcement - Permissions / Restrictions remain effective even when endpoint is offline; these can be the same as when online or different (see Context-Sensitive Permissions).
- Uniquely Identify and Authorize Specific Media - Authorize and manage DVD / CD collections, by granting access to specific users or user groups and encrypting removable media with unique IDs.
- Context-Sensitive Permissions - Apply different permissions / restrictions depending on network connectivity status. For example, disable Wi-Fi cards when laptops are connected to the network, but enable them when the machine does not have a wired connection to the network.
- Offline Updates - Update permissions of remote endpoints that cannot establish a network connection; new permissions are saved to a file that is imported and installed onto the client computer.
- Device Management - Detect and manage all devices – including Plug-and-Play and non-standard / user-defined devices – "on the fly" within the system.
- File Type Filtering - Restrict and manage the types of files that are moved to and from removable devices (such as USB sticks) and media (such as DVDs / CDs); combine with forced encryption for added protection.
- Data Copy Restriction - Restrict the daily amount of data copied to removable devices (such as USB flash drives) and media (such as DVDs / CDs) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 during weekdays).
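The access-control features listed above (whitelist with default deny, permissions at class / model / unique-ID level, read-only devices, scheduled access, forced encryption and a per-user daily copy limit) can be modelled as one policy decision. The following is an added illustration, not Lumension's code; the device attributes, rule fields, group names and byte limits are constructed for the example, and the precedence rule (most specific match wins, then the most restrictive) is an assumption about how such a product resolves overlapping rules, not a description of Lumension's implementation.

```python
"""Toy default-deny device-control policy evaluator (added example, not Lumension's code)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_class: str   # e.g. "usb_flash" (constructed label)
    model: str          # e.g. "Corp-SecureDrive" (constructed label)
    unique_id: str      # per-device serial / unique ID (constructed)


@dataclass(frozen=True)
class Rule:
    principal: str                     # user or group name the rule applies to
    scope: str                         # "id", "model" or "class"
    match: str                         # value compared against the device attribute for that scope
    access: str                        # "deny", "read" or "readwrite"
    require_encryption: bool = False   # forced encryption for writes
    days: Tuple[int, ...] = (0, 1, 2, 3, 4, 5, 6)   # Monday=0 .. Sunday=6
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    daily_quota_bytes: Optional[int] = None          # per-user daily copy limit


# Assumed precedence: unique ID beats model beats class; ties go to the most restrictive rule.
SPECIFICITY = {"id": 0, "model": 1, "class": 2}
RESTRICTIVENESS = {"deny": 0, "read": 1, "readwrite": 2}


def _device_attr(device: Device, scope: str) -> str:
    return {"id": device.unique_id, "model": device.model, "class": device.device_class}[scope]


class DevicePolicy:
    def __init__(self, rules: Iterable[Rule], group_members: Dict[str, Set[str]]):
        self.rules = list(rules)
        self.group_members = group_members        # group name -> set of user names
        self.usage: Dict[Tuple[str, object], int] = {}   # (user, date) -> bytes written that day

    def _principals(self, user: str) -> Set[str]:
        return {user} | {g for g, members in self.group_members.items() if user in members}

    def select_rule(self, user: str, device: Device) -> Optional[Rule]:
        principals = self._principals(user)
        candidates = [r for r in self.rules
                      if r.principal in principals and _device_attr(device, r.scope) == r.match]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (SPECIFICITY[r.scope], RESTRICTIVENESS[r.access]))

    def evaluate(self, user: str, device: Device, action: str, when: datetime,
                 nbytes: int = 0, encrypted: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason). Writes that are allowed are charged against the daily quota."""
        rule = self.select_rule(user, device)
        if rule is None:
            return False, "default deny: no whitelist rule matches"
        if rule.access == "deny":
            return False, f"explicit deny ({rule.scope}={rule.match})"
        if when.weekday() not in rule.days or not (rule.start <= when.time() <= rule.end):
            return False, "outside scheduled access window"
        if action == "write":
            if rule.access != "readwrite":
                return False, "read-only device"
            if rule.require_encryption and not encrypted:
                return False, "forced encryption: unencrypted write blocked"
            key = (user, when.date())
            used = self.usage.get(key, 0)
            if rule.daily_quota_bytes is not None and used + nbytes > rule.daily_quota_bytes:
                return False, f"daily copy limit exceeded ({used + nbytes} > {rule.daily_quota_bytes} bytes)"
            self.usage[key] = used + nbytes
        return True, f"allowed by {rule.scope} rule"


def build_example_policy() -> DevicePolicy:
    """Constructed sample policy: Finance may read any USB stick, read/write the approved
    model only encrypted, on weekdays 09:00-17:00, up to 10 MB/day; one serial is revoked."""
    groups = {"Finance": {"alice"}}
    rules = [
        Rule("Finance", "class", "usb_flash", "read"),
        Rule("Finance", "model", "Corp-SecureDrive", "readwrite", require_encryption=True,
             days=(0, 1, 2, 3, 4), start=time(9, 0), end=time(17, 0), daily_quota_bytes=10_000_000),
        Rule("alice", "id", "SN-REVOKED-0001", "deny"),
    ]
    return DevicePolicy(rules, groups)


if __name__ == "__main__":
    policy = build_example_policy()
    tuesday = datetime(2024, 1, 9, 10, 0)
    corp = Device("usb_flash", "Corp-SecureDrive", "SN-CORP-1")
    print(policy.evaluate("alice", corp, "write", tuesday, nbytes=6_000_000, encrypted=True))
    print(policy.evaluate("alice", corp, "write", tuesday, nbytes=6_000_000, encrypted=True))
    print(policy.evaluate("bob", corp, "read", tuesday))
```

The point of the ordering is that an endpoint agent should fail closed: an unknown device, a device outside its window, or a write that would breach the quota all produce a denial with a reason that can be logged, which is the event stream the Monitor and Report steps above depend on.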
256-bit AES Encryption
- Policy Controlled Encryption for Removable Storage - Use central security policy to force 256-bit AES encryption of all removable devices (e.g., USB sticks) and media (e.g., DVDs / CDs) across all endpoints on the network; options include centralized (by admin only) vs. decentralized (by end-user), and non-portable (network accessible only) vs. portable (accessible outside the network).
- Decentralized vs. Centralized Encryption - Require users to encrypt removable devices / media locally, freeing the users to encrypt "on the fly" and not have to wait for admin availability. Alternatively, it can be restricted to a centralized, admin-only process (e.g., limit users to authorized encrypted devices only).
- Portable vs. Non-Portable Encryption - Enforce policies which enable users to access encrypted devices outside the organizational network, or limit it to network-attached endpoints only.
- PGP PKI Support - Allow use of existing PGP keys to encrypt / access devices and media in managed PGP environments. Enforce policies controlling PGP encrypted devices using Device Control.
- Enforce "Strong" Password Requirements - Use existing password length and complexity rules in compliance with Microsoft standards.
- Password Lockout / Recovery - Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or user leaves the organization.
Administration
- Filename Tracking / Full File Shadowing - Patented bi-directional shadowing technology keeps a copy of all files (i.e., entire file contents) that are read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs / CDs) on a per user (or user group) basis; can also track just file types & names; all events captured in logs and accessible by admin at any time for compliance auditing / forensics.
- Integrated Reporting - Fully flexible, customizable reporting can be saved into a repository, shared via email, and/or imported into 3rd party applications.
- Syslog Support - All event, audit and diagnostic logs can be emitted in Syslog-compatible format.
- Centralized Management / Administrators' Roles - Centrally define and manage access to removable devices / media on the network for users, user groups, computers and computer groups. Use role-based access control (RBAC) to customize and control access to different components of the Management Console (for example, restrict access to shadowing information to auditors only).
Infrastructure
- Tamper-proof Agent - Install agents on every endpoint on the network, which are protected against unauthorized removal – even by authorized (local) administrators. Only (enterprise) Administrators may deactivate this protection.
- Directory Synchronization - Assign permissions to individual users or user groups based on their Microsoft® Active Directory or Novell® eDirectory identity, both of which are fully supported.
- Flexible / Scalable Architecture - Organization-wide control and enforcement using scalable client-server architecture with a central database that is optimized to reduce its footprint. The system can be installed on a single machine for smaller organizations, and expanded to include multiple servers to support complex networks. Compatible with virtual servers, including VMware® Infrastructure 3 and Windows® 2008 Hyper-V. Endpoints can connect to one or more servers to facilitate load-balancing. One or more separate Management Console(s) provide administrative control from anywhere in the organization.
- Windows Infrastructure Support - Install on all currently supported Microsoft 32- and 64-bit platforms, with support for any Windows-recognized ports / devices and multiple end-user languages; for details - view the Requirements tab.