• Overview
  • Key Benefits
  • Key Features
  • Why GuardianEdge?
  • FAQs

Overview

Ensure authorized transfer of information to portable devices

Preventing the unauthorized transfer of sensitive data to portable media is a critical component of a complete enterprise endpoint data protection strategy. While portable storage devices and media drive productivity in the workplace they also pose numerous risks to critical enterprise data. Organizations need solutions that protect this mobile data while preserving productivity. Achieving this balance requires a comprehensive solution that pushes the data security protection perimeter down to individual endpoints through effective controls and comprehensive activity monitoring.

GuardianEdge Device Control enables organizations to monitor device usage and file transfer activity, control access to ports, devices, and wireless networks, and restrict users' ability to copy protected information to removable media. When implemented with GuardianEdge Removable Storage Encryption, the combination provides complete protection for enterprise data on PCs from the risks of portable devices and media.

Use GuardianEdge Device Control to:

  • Restrict the devices that connect to your PCs
  • Know if unauthorized files are being copied off of your PCs, and prevent it

Use GuardianEdge Device Control and Removable Storage Encryption together to:

  • Safely and securely share data via portable storage devices
  • Protect authorized data transferred to portable media when employees take work home
  • Securely distribute sensitive documents attached to emails

By deploying GuardianEdge Device Control, organizations can:

  • Restrict Usage to Approved Devices – Allow devices that policy approves to connect, and prevent all other connections.
  • Prevent Data Loss or Theft – Monitor copying of data to external storage devices, and alert on or block inappropriate transfers.
  • Protect Mobile Data – Through integration with GuardianEdge Removable Storage Encryption, ensure that sensitive information authorized for transfer to removable media is protected by strong encryption.

Key Benefits

  • Protect organizations from the risks associated with the loss or leakage of trade secrets, intellectual property, and private information.
  • Safeguard critical mobile data by ensuring only the authorized transfer of files to portable devices and portable media
  • When combined with GuardianEdge Removable Storage Encryption, allow employees to safely take work home, or information to be securely transferred to partners, suppliers, or customers without putting mobile data at risk.
  • Speed deployment and control operational costs by leveraging existing Microsoft Active Directory and Novell eDirectory infrastructure
  • Save time and reduce complexity and expenses by managing a complete data protection solution including full disk encryption, removable media encryption, and port and device control through a single management console.

Key Features

Standard and Platform Editions

  • Platform Edition - Integrates with the GuardianEdge suite of data protection products using Active Directory-based policy services and management
  • Standard Edition - Supports Novell eDirectory or the GuardianEdge-provided Policy Server for synchronization, policy deployment, auditing, etc.

Wireless Connections

  • WiFi, Bluetooth, IrDA
  • WiFi control includes MAC address, SSID and security level of network
  • Prevents network bridging by blocking the wireless ports while the endpoint is connected to the wired corporate LAN

External Ports

  • Disable or restrict read and write access
  • USB, FireWire, PCMCIA, Secure Digital (SD), parallel, serial, modem

Internal Ports

  • Logging and Alert on change
  • IDE, SCSI, ATA, SATA, PCI and PCI-X

Storage Control

  • Restrict data transfer activity
  • Removable storage devices, external hard drives, CD/DVD, floppy, tape

Supported Devices

  • All devices connected to ports, by type, serial number, manufacturer, etc.
  • Whitelist of devices approved for use

File Control

  • Control file types allowed to be read/written to devices
  • Approximately 200 built-in file types and 15 file categories

CD / DVD Media Whitelists

  • Allow use or viewing of only approved specific CDs and/or DVDs

Anti-Hardware Keylogger

  • Blocks USB and PS/2 hardware keyloggers

U3 and Autorun Control

  • Allows access to U3 drives only as regular USB drives
  • Protects against auto-launch programs by blocking autorun

Internal / External Database Support

  • Supports either the internal, provided SQL database or an external SQL compatible database of your choice

Platform Edition - File Shadowing

  • Log and/or mirror a copy of all files written to removable media to a central file share

Platform Edition - Active Directory Integrated Administration and Management

  • Tightly integrated with Active Directory, enabling GPO-based policy deployment
  • Role-based policy administration
  • Detailed audit records to verify policy enforcement

Platform Edition - GuardianEdge Removable Storage Integration

  • Closely integrated for complete protection of data on removable storage devices using encryption
  • Unified reporting provides complete visibility into data transfer activity and security status

OS Support

  • Microsoft Windows® XP, Windows 2000, Windows XP Tablet PC, Windows 2003 Server, Windows Vista

Why GuardianEdge?

  • The industry’s only native Active Directory integration
    GuardianEdge’s unique approach to management is based on an MMC snap-in architecture, MSI and EXE files for deployment, as well as Microsoft® Active Directory® GPOs for policy control. This approach leverages the significant investment that organizations have already made in Active Directory—a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role-based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.
  • Single console administration for endpoint data protection products
    Enterprises also need common administration for data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge applications (Hard Disk Encryption, Removable Storage Encryption and Device Control) from the same single management console.
  • Proven ease of operation
    GuardianEdge Removable Storage Encryption builds on a 13-year track record of success in creating and managing endpoint data protection solutions. It boasts the highest success rates on deployment, as well as a long list of satisfied blue chip customers. Additionally, service and support for GuardianEdge products—a key component of any enterprise-class solution—meets the highest standards for availability, customer satisfaction and expert assistance.
  • Non-disruptive user experience
    GuardianEdge Device Control delivers full protection with minimal intrusion into users’ daily use of their machines. This best-in-class user experience includes customized error messages on detection of restricted actions, simple deployment, offline help desk capability and background operation.
  • Simple-to-administer and highly granular data protection policies
    Simple selections for industry best practices or customized policies for whole organizations, groups, individual machines or other organizational units, combined with the ability to tailor policies easily and deploy them with GPOs or native mechanisms, make Device Control easy to customize and manage.
  • Whitelists restrict access to only approved devices
    Allows administrators to create whitelists of approved devices and CD/DVDs—either organization-wide (with exceptions if required) or by Active Directory or eDirectory groups and machines.
  • Administrators can restrict wireless connectivity to authorized networks
    Enables organizations to protect data from loss over unsecured networks by limiting access to only approved and secured networks. For instance, allow use on internal company wireless networks while rejecting connections to others.

Device Control Frequently Asked Questions

This page contains answers to the most commonly asked questions about Device Control

Supported Deployment Topologies

  1. What are the differences between the Platform and Standard Editions with respect to deployment topologies supported?
  2. What is the integration between GuardianEdge Device Control Platform Edition and the GuardianEdge Data Protection Platform?

Port and Device Control

  1. How does GuardianEdge Device Control determine whether to block or allow devices when they are connected?
  2. What policies can be set to restrict the ports and devices that are connected to endpoints?
  3. What ports and devices does GuardianEdge Device Control protect?
  4. What operating systems does GuardianEdge Device Control support?

Access Control Policies

  1. How do administrators create policies?
  2. How do administrators update policy settings to reflect a different level of permissions?
  3. Is there a mechanism for administrators to suspend policy controls in situations where a user may have a need to use a port/device and there is no network connectivity?

Data Leakage Prevention

  1. Can the transfer of specified types of data be blocked?
  2. Is there detailed auditing of all data transferred off of machines?
  3. Do end users receive notification when GuardianEdge Device Control blocks devices?
  4. What is file shadowing and how is it useful for detecting data leakage?
  5. Does GuardianEdge Device Control provide alerting?

Logging and Reporting

  1. What types of data does GuardianEdge Device Control log?
  2. Does GuardianEdge Device Control provide a mechanism to search through logs?
  3. What search options are available from the management interface?
  4. What type of monitoring data is available?
  5. How do administrators access shadowed data?
  6. What administrative notification is provided for events?

Enterprise Manageability

  1. How is the product deployed and installed?
  2. How are software updates distributed?
  3. What administrative roles can be created?
  4. How is GuardianEdge Device Control integrated into Active Directory?
  5. Are policies enforced when endpoints are not connected to the corporate network?
  6. How scalable is GuardianEdge Device Control?

End User Experience

  1. Does the user have the ability to see the policies applied to his/her endpoint?
  2. How is the user notified of policy violations?
  3. Does GuardianEdge Device Control create any application compatibility issues?


Supported Deployment Topologies


1) What are the differences between the Platform and Standard Editions with respect to deployment topologies supported?

The Platform Edition is intended for customers with clients joined to an Active Directory domain. The Standard Edition is intended for customers with Novell-managed clients and/or clients that are not joined to any directory service.

2) What is the integration between GuardianEdge Device Control Platform Edition and the GuardianEdge Data Protection Platform?

Both products can be managed from the same console providing an administrator a consistent workflow in managing all GuardianEdge products.

Port and Device Control


1) How does GuardianEdge Device Control determine whether to block or allow devices when they are connected?

GuardianEdge Device Control allows administrators to define policies that allow or disallow communications with devices, including:

  • Physical and wireless ports of a computer – If a port is allowed, then all communications are allowed to and from the port. If a port is blocked, then no traffic is allowed. USB, FireWire, PCMCIA, and wireless ports can also be restricted, which means all traffic is forbidden except that which is expressly allowed.
  • Devices that connect to these ports – Devices covered in this class include human interface devices such as mice and keyboards, printers, mobile phones, and PDAs. These classes of devices can be allowed, disallowed, or restricted. Restricted means that, unless a device is expressly allowed by means of a whitelist, the device is disallowed. Whitelists can be created using either the make and model of the device or the device’s unique ID (i.e. serial number).
  • Storage devices – Storage devices, such as removable storage devices, external hard drives, and CD/DVD burners, are treated as a separate class from the devices above. Like those devices, storage devices can be allowed, disallowed, or restricted. Additionally, storage devices can be set to read-only, so that they can be read from but not written to.
  • File types – If a read or write to or from a device passes the above checks, then file-type controls come into play. File types can be allowed, allowed and shadowed, or disallowed. If allowed and shadowed is selected, files of that type are mirrored to one or more repositories.
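
To make the evaluation order concrete, here is an added example that models the four layers above as a small policy evaluator. It is illustrative code written for this page, not GuardianEdge’s implementation; the policy layout, the field names, and the sample policy and devices are assumptions.

```python
# Added example (not GuardianEdge code): a model of the four-layer decision
# described above. Policy layout, field names and the sample policy are
# assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ALLOW, DISALLOW, RESTRICT = "allow", "disallow", "restrict"


@dataclass(frozen=True)
class Device:
    port: str         # "USB", "FireWire", "PCMCIA", ...
    dev_class: str    # "hid", "printer", "phone", "storage", ...
    make_model: str
    serial: str


@dataclass
class Policy:
    ports: Dict[str, str] = field(default_factory=dict)      # port -> ALLOW/DISALLOW/RESTRICT
    classes: Dict[str, str] = field(default_factory=dict)    # device class -> same
    whitelist_models: Set[str] = field(default_factory=set)
    whitelist_serials: Set[str] = field(default_factory=set)
    storage_read_only: bool = False
    file_types: Dict[str, str] = field(default_factory=dict)  # type -> allow/shadow/deny
    default_file_mode: str = "deny"   # unknown file types are denied, not allowed


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    shadow: bool = False   # True when the file must also be mirrored to a repository


def evaluate(policy: Policy, dev: Device, op: str,
             file_type: Optional[str] = None) -> Decision:
    """Apply the layers in order: port, device, storage mode, file type.

    Every layer can only deny or pass the request on to the next one, so a
    later layer never re-opens what an earlier layer closed.
    """
    # Layer 1: port. A blocked port carries no traffic; a restricted port
    # (the default for unlisted ports) only carries what is expressly allowed.
    port_mode = policy.ports.get(dev.port, RESTRICT)
    if port_mode == DISALLOW:
        return Decision(False, f"port {dev.port} blocked")

    # Layer 2: device class and whitelist. "Restrict" means the device must be
    # whitelisted by make/model or by unique serial number.
    class_mode = policy.classes.get(dev.dev_class, RESTRICT)
    if class_mode == DISALLOW:
        return Decision(False, f"device class {dev.dev_class} disallowed")
    if RESTRICT in (port_mode, class_mode):
        if not (dev.make_model in policy.whitelist_models
                or dev.serial in policy.whitelist_serials):
            return Decision(False, f"{dev.make_model} ({dev.serial}) not whitelisted")

    # Layer 3: storage devices may additionally be read-only.
    if dev.dev_class == "storage" and policy.storage_read_only and op == "write":
        return Decision(False, "storage devices are read-only")

    # Layer 4: file-type control, only for storage I/O that got this far.
    if dev.dev_class == "storage" and file_type is not None:
        mode = policy.file_types.get(file_type, policy.default_file_mode)
        if mode == "deny":
            return Decision(False, f"file type {file_type} disallowed")
        return Decision(True, f"file type {file_type} {mode}", shadow=(mode == "shadow"))

    return Decision(True, "allowed")


# Sample policy (assumed): restrict USB to whitelisted devices, block FireWire,
# deny spreadsheets, shadow documents, allow images on approved storage.
SAMPLE_POLICY = Policy(
    ports={"USB": RESTRICT, "FireWire": DISALLOW, "PCMCIA": ALLOW},
    classes={"hid": ALLOW, "storage": RESTRICT, "phone": DISALLOW},
    whitelist_models={"Corp Keyboard K1"},
    whitelist_serials={"SN-CORP-0001"},
    file_types={"spreadsheet": "deny", "document": "shadow", "image": "allow"},
)

# Sample devices (assumed).
KEYBOARD = Device("USB", "hid", "Corp Keyboard K1", "KB-77")
CORP_STICK = Device("USB", "storage", "Generic Flash", "SN-CORP-0001")
PERSONAL_STICK = Device("USB", "storage", "Generic Flash", "SN-HOME-9")
FW_DISK = Device("FireWire", "storage", "Ext HDD", "FW-1")
PHONE = Device("PCMCIA", "phone", "Smartphone", "PH-1")

if __name__ == "__main__":
    for dev, op, ft in [(KEYBOARD, "read", None), (CORP_STICK, "write", "spreadsheet"),
                        (CORP_STICK, "write", "document"), (PERSONAL_STICK, "read", "image"),
                        (FW_DISK, "read", "image"), (PHONE, "write", None)]:
        print(dev.make_model, op, ft, "->", evaluate(SAMPLE_POLICY, dev, op, ft))
```

The point of the ordering is that denial is monotonic: a whitelisted serial number never overrides a blocked port, and a permitted file type never overrides a read-only storage rule. Unlisted ports, classes and file types default to the most restrictive mode, which is the safe choice when a policy is incomplete.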

2) What policies can be set to restrict the ports and devices that are connected to endpoints?

Policy settings include allow, disallow and restrict access. In addition, for storage devices such as USB flash drives, external hard drives, and CD/DVD burners, a read-only policy can also be set.

3) What ports and devices does GuardianEdge Device Control protect?

The physical ports that GuardianEdge Device Control protects include:

  • USB
  • FireWire
  • PCMCIA
  • SATA
  • IDE
  • Serial
  • Parallel
  • Internal Ports (includes IDE, SCSI, ATA and SATA, which are used to connect internal hard disk drives, as well as PCI and PCI-X, which cater to devices such as modems and network cards)

GuardianEdge Device Control protects the following wireless ports:

  • WiFi
  • Bluetooth
  • IrDA

4) What operating systems does GuardianEdge Device Control support?

The GuardianEdge Device Control Client supports the following operating systems:

  • Windows Vista Business, Ultimate, or Enterprise Edition
  • Windows XP, SP2
  • Windows XP Tablet PC Edition 2005
  • Windows 2000 Professional Edition, SP4
  • Windows Server 2003, SP1 and SP2
  • Windows 2000 Server, SP4
  • Windows 2000 Advanced Server, SP4

Access Control Policies


1) How do administrators create policies?

Policies are created through a simple-to-use graphical interface in the administrative console. Policies can be as broad as required, for example prohibiting a whole class of storage media devices, or much narrower, for example allowing only certain users to write data to a specified list of USB memory devices. All policies support restricting read and write privileges, as well as logging, notification, alerts, and data shadowing. The policy specification capabilities in the product make it easy to create and deploy policies aligned with the roles of users and machines throughout the network environment. In many cases organizations first deploy the product with no policy enforcement, to document port and device usage and the associated data transfer activity. This provides insight into the expected activity on endpoints and gives a starting point for policies that restrict unapproved activity.

2) How do administrators update policy settings to reflect a different level of permissions?

Policies can be updated by editing or replacing them in the GuardianEdge Management Console. As with policy creation, editing and updating policies is simple and intuitive. Once changes have been saved, the updated policy is automatically pushed out to the endpoints.

3) Is there a mechanism for administrators to suspend policy controls in situations where a user may have a need to use a port/device and there is no network connectivity?

Yes. GuardianEdge Device Control accommodates urgent situations where an employee needs to gain access to a device and does not have connectivity back to the corporate network (e.g. at a customer or vendor site). To accomplish this, administrators read users a code that the users must then enter on their computers. Suspension can be granted by administrators for 15 minutes, 2 hours, 6 hours, 1 day, and 1 week. The suspension automatically expires, without any further action by administrators.
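
The following is an added example of how an offline, time-limited suspension code can be built so that it works with no network connectivity. It is not GuardianEdge’s mechanism (the page does not say how its codes are constructed); the challenge/response design, the per-machine key, the 8-digit code length and the lock-out after five wrong codes are assumptions.

```python
# Added example (not GuardianEdge's mechanism; the page does not say how its
# codes are built). Assumed design: the client shows a one-time challenge, the
# help desk returns a short HMAC-derived code bound to the machine, the
# challenge and the chosen duration, and the client verifies it offline with a
# per-machine key provisioned at install time.
import hashlib
import hmac
import secrets
import time
from typing import Callable

# The durations the page lists, in seconds.
DURATIONS = {"15m": 15 * 60, "2h": 2 * 3600, "6h": 6 * 3600,
             "1d": 24 * 3600, "1w": 7 * 24 * 3600}
CODE_DIGITS = 8        # short enough to read over the phone
MAX_FAILURES = 5       # an 8-digit code is guessable offline; throttle attempts


def machine_key(master_key: bytes, machine_id: str) -> bytes:
    """Per-machine key, so one compromised client cannot mint codes for others."""
    return hmac.new(master_key, machine_id.encode(), hashlib.sha256).digest()


def derive_code(key: bytes, machine_id: str, challenge: str, duration: str) -> str:
    """Code = decimal truncation of HMAC(key, machine|challenge|duration)."""
    msg = f"{machine_id}|{challenge}|{duration}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big") % (10 ** CODE_DIGITS)
    return str(n).zfill(CODE_DIGITS)


class HelpDesk:
    """Administrator side: holds the master key and reads codes to callers."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def issue_code(self, machine_id: str, challenge: str, duration: str) -> str:
        if duration not in DURATIONS:
            raise ValueError(f"unsupported duration {duration}")
        return derive_code(machine_key(self.master_key, machine_id),
                           machine_id, challenge, duration)


class SuspensionClient:
    """Endpoint side: needs no connectivity to verify a code."""
    def __init__(self, key: bytes, machine_id: str,
                 now: Callable[[], float] = time.time):
        self.key, self.machine_id, self.now = key, machine_id, now
        self.challenge = None
        self.failures = 0
        self.suspended_until = 0.0

    def new_challenge(self) -> str:
        """Fresh random challenge per request, so a code cannot be replayed."""
        self.challenge = secrets.token_hex(4).upper()   # e.g. "3F9A01C2"
        self.failures = 0
        return self.challenge

    def redeem(self, code: str, duration: str) -> bool:
        if self.challenge is None or duration not in DURATIONS:
            return False
        if self.failures >= MAX_FAILURES:
            return False                # locked until a new challenge is shown
        expected = derive_code(self.key, self.machine_id, self.challenge, duration)
        if not hmac.compare_digest(expected, code):
            self.failures += 1
            return False
        self.challenge = None           # consumed: the same code never works twice
        self.suspended_until = self.now() + DURATIONS[duration]
        return True

    def is_suspended(self) -> bool:
        """Suspension lapses on its own; no administrator action is needed."""
        return self.now() < self.suspended_until


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    desk = HelpDesk(master)
    client = SuspensionClient(machine_key(master, "WS-104"), "WS-104")
    chal = client.new_challenge()                       # user reads this out
    code = desk.issue_code("WS-104", chal, "2h")        # admin reads this back
    print("challenge", chal, "code", code, "accepted:", client.redeem(code, "2h"))
```

Three properties matter for a code that is read over the phone: it must be bound to the machine and to a fresh challenge so it cannot be replayed or used on another endpoint; the duration must be part of what is authenticated so a 15-minute grant cannot be stretched to a week; and because an 8-digit code can be brute-forced locally, the client must throttle wrong guesses. The help desk should also verify the caller’s identity before reading out a code.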

Data Leakage Prevention


1) Can the transfer of specified types of data be blocked?

Yes. GuardianEdge Device Control can block files by file type.

All data is inspected and mapped to a taxonomy of 14 classes of data covering 140+ file types commonly associated with desktop applications. This inspection does not just read file extensions; it reads the file and its metadata to ensure accurate classification. When specifying policies, read and write activity can be restricted based on the type of data. This makes it possible, for example, to allow users to transfer multimedia files while preventing them from transferring spreadsheets or publishing documents, a key capability for ensuring data does not leak off endpoints.
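
An added example of content-based identification, written for this page rather than taken from the product (the page does not describe its inspection logic). It reads leading bytes and, for ZIP-based Office files, the container’s part names, so the verdict does not depend on the name the user gave the file; the categories, signatures and sample policy are assumptions, and the sample files are constructed in memory.

```python
# Added example (not GuardianEdge code; the page does not describe its
# inspection logic). Classifies by leading bytes and container contents so the
# verdict does not depend on the file name. Categories, signatures and the
# sample policy are assumptions.
import io
import zipfile
from typing import Dict, Tuple

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def classify(data: bytes) -> Tuple[str, str]:
    """Return (file_type, category) from content alone; unknown stays unknown."""
    if data.startswith(b"%PDF-"):
        return "pdf", "publishing"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png", "image"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg", "image"
    if data.startswith(b"ID3") or data[:2] in (b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"):
        return "mp3", "multimedia"
    if data.startswith(OLE2_MAGIC):
        return "ole2-office", "document"
    if data.startswith(b"PK\x03\x04"):
        # Office 2007+ files are ZIP containers: inspect the part names.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-damaged", "archive"
        if any(n.startswith("xl/") for n in names):
            return "xlsx", "spreadsheet"
        if any(n.startswith("word/") for n in names):
            return "docx", "document"
        if any(n.startswith("ppt/") for n in names):
            return "pptx", "presentation"
        return "zip", "archive"
    return "unknown", "unknown"


# Extensions normally carried by each detected type (assumed table).
EXPECTED_EXT = {"xlsx": {"xlsx", "xlsm"}, "docx": {"docx", "docm"}, "pptx": {"pptx"},
                "pdf": {"pdf"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"},
                "mp3": {"mp3"}, "zip": {"zip"}, "ole2-office": {"doc", "xls", "ppt"}}

# Assumed category policy: allow media, block business documents, and treat
# anything unrecognised as blocked rather than allowed.
CATEGORY_POLICY: Dict[str, str] = {"multimedia": "allow", "image": "allow",
                                   "spreadsheet": "deny", "document": "deny",
                                   "presentation": "deny", "publishing": "deny",
                                   "archive": "deny"}


def check_write(file_name: str, data: bytes) -> Tuple[bool, str]:
    """Decide on the content category only; the extension is logged, not trusted."""
    ftype, category = classify(data)
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    note = f"{file_name}: content={ftype}/{category}, extension={ext or '(none)'}"
    if ftype in EXPECTED_EXT and ext not in EXPECTED_EXT[ftype]:
        note += " (extension does not match content)"
    return CATEGORY_POLICY.get(category, "deny") == "allow", note


def make_ooxml(part_prefix: str) -> bytes:
    """Constructed minimal Office-style ZIP: enough for the container check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{part_prefix}/main.xml", "<x/>")
    return buf.getvalue()


if __name__ == "__main__":
    xlsx_as_mp3 = make_ooxml("xl")                  # spreadsheet renamed to look like music
    mp3_as_xlsx = b"ID3\x03\x00" + b"\x00" * 64      # constructed MP3 header named as a sheet
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, blob in [("holiday_mix.mp3", xlsx_as_mp3), ("q1_budget.xlsx", mp3_as_xlsx),
                       ("diagram.png", png)]:
        print(check_write(name, blob))
```

Two caveats: content inspection cannot see inside encrypted or password-protected containers, so unknown and archive categories should default to deny, as here, rather than to allow; and a mismatch between extension and content is worth logging even when the category is permitted, since it is the fingerprint of a renamed file.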

2) Is there detailed auditing of all data transferred off of machines?

Yes. GuardianEdge Device Control provides best-in-class auditing of data transferred from computers. The following is a partial list of the data logged by GuardianEdge Device Control:

  • Date and time of event
  • Computer
  • User
  • Event (e.g. Allowed, Blocked, Read Only, and 21 other possible values)
  • Port
  • Device type
  • Device description
  • Device vendor
  • Device serial number
  • Operation (e.g. Read, Write)
  • File type
  • File extension
  • File name
  • File size
  • Date and time file was created
  • Date and time file was modified

3) Do end users receive notification when GuardianEdge Device Control blocks devices?

Administrators can control whether GuardianEdge Device Control notifies users when it blocks devices, and control the contents of the message.

4) What is file shadowing and how is it useful for detecting data leakage?

File shadowing mirrors data that was read from and/or written to storage devices to one or more repositories where administrators can inspect the files. This can provide proof that data leakage has occurred, and allows administrators to detect sophisticated users who may rename the files they are copying to storage devices in order to evade logging (e.g. “2008 Strategic Plan” could be renamed “XYZ Customer Presentation”).

5) Does GuardianEdge Device Control provide alerting?

Yes. GuardianEdge Device Control provides alerting. In the event of violations of policies marked for administrative notification, alerts can be sent by email, SNMP or SMS.

Logging and Reporting


1) What types of data does GuardianEdge Device Control log?

GuardianEdge Device Control provides best-in-class auditing. The following is a partial list of the data logged by GuardianEdge Device Control:

  • Date and time of event
  • Computer
  • User
  • Policy name
  • Event (e.g. Allowed, Blocked, Read Only, and 21 other possible values)
  • Port
  • Device type
  • Device description
  • Device vendor
  • Device serial number
  • Operation (e.g. Read, Write)
  • File type
  • File extension
  • File name
  • File size
  • Date and time file was created
  • Date and time file was modified
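
As an added example of what can be done with these fields once exported, the following script runs three checks over a constructed log sample: writes whose logged file type disagrees with the file’s extension (a renamed file), users repeatedly blocked against the same device, and bytes written per user and device. It is not GuardianEdge code; the column names, the export layout and the thresholds are assumptions.

```python
# Added example (not GuardianEdge code). The records are constructed to carry
# the fields listed above; the column names, the export layout and the
# thresholds are assumptions. Map the columns before running it on a real export.
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_EXPORT = """\
timestamp,computer,user,policy,event,port,device_type,device_serial,operation,file_type,file_extension,file_name,file_size
2008-03-04T09:12:01,WS-104,alice,Finance-Std,Allowed,USB,Removable storage,SN1001,Write,spreadsheet,xlsx,q1_budget.xlsx,524288
2008-03-04T09:12:07,WS-104,alice,Finance-Std,Allowed,USB,Removable storage,SN1001,Write,spreadsheet,mp3,holiday_mix.mp3,710000
2008-03-04T09:13:40,WS-104,alice,Finance-Std,Allowed,USB,Removable storage,SN1001,Write,document,docx,notes.docx,30000
2008-03-04T10:02:15,WS-221,bob,Eng-Std,Blocked,USB,Removable storage,SN2002,Write,spreadsheet,xlsx,salaries.xlsx,88000
2008-03-04T10:02:31,WS-221,bob,Eng-Std,Blocked,USB,Removable storage,SN2002,Write,spreadsheet,xlsx,salaries.xlsx,88000
2008-03-04T10:03:02,WS-221,bob,Eng-Std,Blocked,USB,Removable storage,SN2002,Write,spreadsheet,xlsx,salaries.xlsx,88000
2008-03-04T11:30:00,WS-310,carol,Eng-Std,Allowed,USB,Removable storage,SN3003,Read,image,png,diagram.png,20000
"""

# Extensions normally seen for each logged file type (assumed table).
EXPECTED_EXT = {"spreadsheet": {"xls", "xlsx", "csv"},
                "document": {"doc", "docx", "txt", "rtf"},
                "image": {"png", "jpg", "jpeg", "gif"},
                "multimedia": {"mp3", "wav", "avi"}}


def parse_export(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def type_extension_mismatches(records) -> List[Tuple[str, str, str]]:
    """Writes where the inspected type disagrees with the name's extension:
    the signature of a file renamed to slip past an extension-based rule."""
    hits = []
    for r in records:
        if r["operation"] != "Write":
            continue
        expected = EXPECTED_EXT.get(r["file_type"])
        if expected is not None and r["file_extension"].lower() not in expected:
            hits.append((r["user"], r["file_name"], r["file_type"]))
    return hits


def repeated_blocks(records, threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(user, device serial) pairs blocked at least `threshold` times: someone
    retrying a transfer the policy forbids."""
    counts = Counter((r["user"], r["device_serial"])
                     for r in records if r["event"] == "Blocked")
    return {k: n for k, n in counts.items() if n >= threshold}


def bytes_written(records) -> Dict[Tuple[str, str], int]:
    """Volume successfully written per (user, device serial)."""
    totals = defaultdict(int)
    for r in records:
        if r["event"] == "Allowed" and r["operation"] == "Write":
            totals[(r["user"], r["device_serial"])] += int(r["file_size"])
    return dict(totals)


def triage(text: str) -> dict:
    records = parse_export(text)
    return {"mismatches": type_extension_mismatches(records),
            "repeated_blocks": repeated_blocks(records),
            "bytes_written": bytes_written(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT).items():
        print(key, value)
```

The first check is only possible because the log carries both the inspected file type and the extension; the second turns a stream of individual Blocked events into one actionable item per user and device; the third is the baseline you would watch for a sudden jump before deciding whether to tighten a policy from audit-only to enforcement.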

2) Does GuardianEdge Device Control provide a mechanism to search through logs?

Yes. GuardianEdge Device Control provides powerful filtering capabilities to obtain precisely the log data that you are looking for, and data can be exported to a spreadsheet-compatible XML document for further analysis. Filtering capabilities include filtering by domain, OU, user, or computer. Queries can also be generated against logs to zero in on information of interest. The following are some of the items that can be queried against:

  • Scope of event (e.g. port, device, storage device, or WiFi)
  • Port (e.g. USB, FireWire, etc.)
  • Device type (e.g. printers, mobile phones, network adapters, etc.) and vendor ID, model ID, and/or serial number
  • Storage device/media type (e.g. removable storage devices, external hard drives, CDs/DVDs, etc.) and vendor ID, model ID, and/or serial number
  • WiFi network and whether encryption was present or not
  • Tampering events
  • File name
  • File type
  • File extension
  • File size
  • File created date and time
  • File modified date and time

3) What search options are available from the management interface?

A partial list of search options includes the following:

  • Domain
  • OU
  • User
  • Computer
  • Scope of event (e.g. port, device, storage device, or WiFi)
  • Port (e.g. USB, FireWire, etc.)
  • Device type (e.g. printers, mobile phones, network adapters, etc.) and vendor ID, model ID, and/or serial number
  • Storage device/media type (e.g. removable storage devices, external hard drives, CDs/DVDs, etc.) and vendor ID, model ID, and/or serial number
  • WiFi network and whether encryption was present or not
  • Tampering events
  • File name
  • File type
  • File extension
  • File size
  • File created date and time
  • File modified date and time

4) What type of monitoring data is available?

GuardianEdge Device Control provides the following monitoring data:

  • Computer name
  • Whether the computer is protected with GuardianEdge Device Control or not
  • GuardianEdge Device Control software version
  • Logged on user
  • Domain
  • Effective policy
  • Last communication with client
  • Last time logs were received
  • Last time tampering logs were received
  • Whether protection is in force or temporarily suspended
  • Suspension start time
  • Suspension duration

5) How do administrators access shadowed data?

Administrators access shadowed data by clicking on a link in the File Logs next to the name of the file. This allows the administrator to first see the file name, file type, date created, and other high-level information about the shadowed data before deciding whether to look at the file contents.

6) What administrative notification is provided for events?

GuardianEdge Device Control provides alerting in the form of email, SNMP and SMS for events.

Enterprise Manageability


1) How is the product deployed and installed?

Administrators deploy GuardianEdge Device Control to endpoints using their existing deployment tools and methodologies. GuardianEdge Device Control supports deployment using any standard software deployment tool that can distribute .msi packages. These include third-party software deployment tools, such as Microsoft SMS and IBM Tivoli, as well as Active Directory Group Policy (GPO) software installation.

2) How are software updates distributed?

Software updates are distributed by deploying the GuardianEdge Device Control software using existing deployment mechanisms. The update should be installed over the existing software.

3) What administrative roles can be created?

GuardianEdge Device Control ships with the following pre-configured administrative roles:

  • Super Administrator
  • Policy Administrator
  • Log Reviewer
  • Clients Administrator

Additionally, Administrators can define new roles or alter the permissions of the above roles. Permissions that may be granted consist of the following:

  • Read policies
  • Write policies
  • Read logs
  • Write log queries
  • Read client monitoring status updates
  • Grant client suspension passwords
  • Read global policy settings
  • Write global policy settings
  • Read administrative settings
  • Write administrative settings

4) How is GuardianEdge Device Control integrated into Active Directory?

GuardianEdge Device Control is integrated into Active Directory as follows:

  • MMC based policies interface. The management console uses a native MMC interface for policy control, providing the capability to manage GuardianEdge Device Control from the same console as is used to manage other Active Directory policies. Administrators familiar with using Active Directory for managing email and systems can be immediately effective with minimal training.
  • AD hierarchy integration. GuardianEdge Device Control policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available in the management console, and no LDAP sync is required to update it periodically.
  • AD role based administration. GuardianEdge Device Control policies can be deployed and managed using Active Directory’s powerful role-based administrative capabilities. Administrators can only be allowed to deploy GuardianEdge policies to a specific domain, site, OU, or group.
  • Uses existing AD infrastructure for policy deployment. GuardianEdge Device Control policies are pushed out to endpoints using companies’ existing domain controller infrastructures.
  • Filter and monitor using the AD hierarchy. GuardianEdge Device Control logs and monitoring data can be filtered using the current Active Directory hierarchy.

5) Are policies enforced when endpoints are not connected to the corporate network?

Policies are enforced irrespective of whether clients are connected to the network. When GuardianEdge Device Control Clients cannot communicate with the GuardianEdge Device Control Server, their logs and shadowed data are cached until the next time that the clients can communicate with the server.

6) How scalable is GuardianEdge Device Control?

GuardianEdge Device Control is highly scalable. One instance can handle upwards of 100,000 clients.

End User Experience


1) Does the user have the ability to see the policies applied to his/her endpoint?

If the administrator has a policy in effect on the GuardianEdge Device Control Client to make it visible to end users, then the user will be able to see the policy name. In addition, when GuardianEdge Device Control blocks communications, administrators can configure the GuardianEdge Device Control Client to generate messages defined by the administrator based on the type of blocking that occurs.

2) How is the user notified of policy violations?

If enabled by administrators, users are notified through pop-up messages when GuardianEdge Device Control blocks a user activity.

3) Does GuardianEdge Device Control create any application compatibility issues?

We are not aware of any application compatibility issues created by GuardianEdge Device Control.