Lumension Data Protection

Prevent Data Loss and Theft by Enforcing Removable Device Usage and Data Encryption Policies

Data Protection Business Drivers and Challenges

In today’s global, 24x7 business environment, organizations need real-time access to data - balancing this access against the associated risks is key to ensuring that data is not lost or stolen and that business productivity is not negatively impacted.

Driving this data protection challenge are many emerging trends:

  • The borderless enterprise - data is less centralized than ever before due to dis-aggregated supply chains, outsourcing, and a mobile workforce.
  • The consumerization of IT - users are increasingly defining the IT environment by bringing their productivity tools (USB sticks, flash drives, etc.) into work.
  • Increased insider risks - over half of all serious data breach incidents are sparked by insiders¹, and while many of these are innocent mistakes (e.g., losing a USB stick), this new economy has spawned a new insider threat, with 53 percent of insiders admitting they would steal sensitive data if they were suddenly fired².
  • Organized cybercrime - the value of information has driven the rapid expansion of sophisticated organized criminal networks, which supply a black market recently estimated at $276M.

The concern over data loss/theft has spawned a myriad of regulations, ranging from global and country-level rules to industry-specific and local government requirements. All of these regulations add another layer of risk, and failure to comply with regulations like SOX, HIPAA and PCI can result in very real economic damage, both directly in cost and indirectly in terms of lost customers and business.

The cost of non-compliance, or of lost/stolen information, is dramatic: lost business accounts for 65 percent of breach costs, and the average yearly cost of a data breach has now reached $6.75 million³. When data breaches occur, customers lose trust in the organization and brand equity is reduced.

Overview

When developing your data protection posture in this increasingly difficult environment, it is important to balance the rewards of accessible data (and the collaboration / productivity it enables) against the risks (and costs) of losing your data. The primary component of the Lumension Data Protection solution comes in two flavors: the stand-alone Lumension Device Control version and the new Lumension Device Control for System Center version. With either, you can:

1. Discover: Unobtrusively survey your entire network to collect information on all devices that are now or have ever been connected to your endpoints; using a “learning” mode allows you to collect the information without disrupting business until you have developed your comprehensive data protection policy.

2. Assess: Use a “whitelisting” approach to set as many overarching rules as possible, with as few exceptions as possible, defining rules at both default and machine-specific levels for groups and individual users; this “whitelisting” approach limits your burden to defining what is allowed instead of trying to keep up with the ever-changing list of what is bad.

3. Implement: After getting buy-in from all constituents, roll out your new data protection policy enforcement solution; to achieve maximum effectiveness and ensure users are clear on the policy, plan to start small, test, monitor and adjust. Enforce USB security and data encryption policies to ensure sensitive information is secured.

4. Monitor: Monitor the effectiveness of device and data management policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities, and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using our patented, bi-directional shadowing technology in order to prevent data breaches from impacting your organization.

5. Report: Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with internal security policies and external government and industry regulations. Generate a complete audit trail that documents how your device and data management policies prevent unauthorized users and devices from compromising critical business information.

Key Capabilities and Benefits

Solution Capability - Endpoint and Device Discovery: Identify all endpoints on the network (servers, desktops, laptops, etc.) and all devices ever connected to these endpoints, using both active device scanners for unmanaged endpoints and continuous discovery of device connections via managed endpoints.
Benefit - Ensures Security and Regulation Compliance
  • Allows the organization to identify all endpoints (managed and unmanaged) as well as all devices that are currently or have ever been connected to these endpoints.
  • Understand the breadth of endpoints and devices being used across the organization.
  • Gain insight into the use of removable devices / media and data usage.
  • Lay the foundation for the development of a comprehensive Data Protection posture in compliance with internal security policy and external regulations / standards.

Solution Capability - Data Loss Mitigation: Assess device and data usage, including what device, on what machine, by which user, and when; explore by unique device, device type, device vendor, users and user groups, machines, hours of operation, and more.
Benefit - Secures Data from Data Leakage/Theft
  • Provides the organization with information on usage of all removable devices (e.g., USB memory drives) and media (e.g., CDs/DVDs) by user, machine and time.
  • Prevent malicious and/or unintentional data transfer to removable devices / media.
  • Ensure data is encrypted and secure when on removable devices / media.

Solution Capability - Data Protection Security Policy: Define security policy with global and user- and/or machine-specific rules based on specific organizational needs, using a “whitelist” approach.
Benefit - Increases Data Security
  • Organizations can implement global data protection policies with the flexibility to make exceptions as needed, by defining what devices and media may connect to the network and what users (or user groups) may do with them.
  • Create a whitelist of allowable devices at any level of granularity: device class (e.g., all UFDs), device group, device model and/or even specific device ID.
  • Define a forced encryption policy for data flows onto removable devices / media.
  • Define data transfer policy elements, including copy limits, scheduling per user or user group, and file type.

Solution Capability - Security Policy Enforcement: Automated enforcement of your data and device usage policies across your entire network, and of your encryption policy for sensitive data flowing onto removable devices / media.
Benefit - Increases Security Compliance
  • Permits organizations to automate the enforcement of their data protection security policy at any level of granularity needed.
  • Flexible enforcement by user (or user group), machine (or machine group), device / media, file type, time of day, and more.
  • Control of data transfers to removable devices / media (inbound / outbound), including port access.
  • Flexible encryption options, using AES-256 encryption.
  • Policies can be updated and enforced whether the endpoint is online or offline.

Solution Capability - Audit and Compliance: Automatic logging of all network events related to your Data Protection policy, including endpoint status, device connection, user activity (such as data transfers), and file tracking (including full content shadowing), providing visibility into policy compliance and violations. All log information is compatible with Syslog protocols.
Benefit - Ensures Audit Readiness
  • Organizations can monitor and report on all relevant network events, and be prepared for compliance audits and/or forensics using standard and customizable reports.
  • Monitor all user activity such as device usage and data transfers.
  • Report on all device / media and data security policy compliance and violations.
  • Use patented bi-directional file shadowing to track all transferred files (or even file content).
  • Easy access to all information needed for compliance audits and forensics.
  • Show the potential impact presented by unauthorized devices.
  • Enables integrated event management to lower administrative costs and provide more alerting and reporting options.

Solution Capability - Flexible / Scalable / Secure Design: Provide organization-wide control and enforcement using a scalable client-server architecture with a central database, which facilitates load balancing and distributed control. Install tamper-proof agents on every endpoint on the network, and protect them against unauthorized removal. Fully support both Windows Active Directory and Novell eDirectory / NDS structures.
Benefit - Adapts to Your Growing Business
  • Supports any sized organization, from small, local startups to large, global corporations, from hundreds of endpoints to hundreds of thousands of endpoints; fast-growing organizations can scale the installation as needs dictate.
  • Protects endpoints from unintentional and/or malicious tampering; maintains the endpoint security posture even in dire events.
  • Leverages existing directory information when enforcing policies; reduces admin workload; reduces setup / startup / ramp-up time.
  • Optimized database reduces footprint, increases query speeds and improves maintenance for lower administration costs.
  • Supports virtualized server configurations for server-side cost reduction and “green” initiatives.
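The whitelist policy model described under Data Protection Security Policy and Security Policy Enforcement above, as an added Python example that is not Lumension's code: rules are matched at device class, model or unique-ID level, in default or machine-specific scope, with the most specific rule winning, default-deny when nothing matches, and the encryption, time-of-day and file-type elements applied to writes. Group names, machine names, device models and serial numbers are constructed placeholders.

```python
from dataclasses import dataclass
# Constructed model of a device-control whitelist; not Lumension's own code.
LEVELS = ("cls", "model", "uid")   # Device attributes, least to most specific

@dataclass(frozen=True)
class Device:
    cls: str      # device class, e.g. "UFD" (USB flash drive)
    model: str
    uid: str      # unique device identifier (serial number)

@dataclass(frozen=True)
class Rule:
    level: str                    # which Device attribute the rule matches on
    value: str                    # attribute value to match
    subject: str                  # user or group name the rule applies to
    access: str                   # "read" | "read-write"
    machine: str = ""             # "" = default rule for all machines
    encrypt: bool = False         # force encryption of data written to device
    hours: tuple = (0, 24)        # permitted hours of the day [start, end)
    file_types: frozenset = frozenset()   # empty = any file type may be written

def matches(rule, dev, principals, machine):
    return (rule.subject in principals
            and rule.machine in ("", machine)
            and getattr(dev, rule.level) == rule.value)

def decide(rules, dev, principals, machine, hour, file_type, direction):
    """Return (access, encrypt_required); default-deny when no rule matches."""
    hits = [r for r in rules if matches(r, dev, principals, machine)]
    if not hits:
        return ("deny", False)
    # Most specific rule wins: machine-specific over default, uid > model > class
    best = max(hits, key=lambda r: (r.machine != "", LEVELS.index(r.level)))
    if not best.hours[0] <= hour < best.hours[1]:
        return ("deny", False)
    if direction == "read":
        return ("read", False)
    if best.access != "read-write":
        return ("deny", False)
    if best.file_types and file_type not in best.file_types:
        return ("deny", False)
    return ("read-write", best.encrypt)

# Constructed sample policy; names and serials are placeholders
RULES = [
    Rule("cls", "UFD", "Finance", "read-write", encrypt=True,
         hours=(8, 18), file_types=frozenset({"xlsx", "pdf"})),
    Rule("model", "ACME Traveler", "Everyone", "read"),   # read-only everywhere
    Rule("uid", "SN-CONSTRUCTED-001", "Finance", "read-write",
         machine="FIN-LAPTOP-07", encrypt=True),          # approved corporate drive
]
```

Calling decide(RULES, Device("UFD", "Generic", "SN-X"), {"alice", "Finance", "Everyone"}, "PC-1", 10, "xlsx", "write") returns ("read-write", True), while the same transfer at hour 20, or of an "exe" file, is denied.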

Sources:
1. Data Monitor, Mitigating the Risks of Data Loss, August 2007
2. Ponemon Institute, Data Loss Risks During Downsizing, February 23, 2009
3. Ponemon Institute, 2009 Annual Study: Cost of a Data Breach, February 2010