
Overview
Protects Data on PC Hard Drives from Loss or Theft

Data stored in an unprotected state on laptop and desktop PCs invites unacceptable risks—and the costs of data loss go beyond endangering critical IP or competitive data. With the advent of tough new privacy laws worldwide, compromising customer or employee data through a security breach can subject organizations to stiff fines, crippling remediation costs, and embarrassing public disclosures.
Strong encryption provides the only sure way to protect your organization’s critical information from falling into the wrong hands. It also provides a “safe harbor” from disclosure requirements in the event a machine containing legally protected data is lost or stolen.
Only GuardianEdge Hard Disk Encryption reduces management, implementation and deployment costs for this protection by allowing organizations to make maximum use of existing IT infrastructure. This includes the industry’s only native integration with Microsoft® Active Directory®. It also combines single console support for Active Directory, Novell eDirectory™ and non-domain endpoints with management for other GuardianEdge data protection products to make endpoint data protection across the entire organization simple and easily accessible for administrators.
By deploying GuardianEdge Hard Disk Encryption, organizations can:
- Prevent data loss due to theft or accidental loss of laptop and desktop PCs by ensuring all data on the hard disk is encrypted
- Assure that intellectual property and sensitive or legally protected information is accessible only to authorized users
- Meet regulatory compliance requirements through strong, centrally managed encryption, including FIPS 140-2 certified and AES 128 bit/256 bit encryption
Key Benefits
- Benefit from the “safe harbor” provided by encryption to eliminate the legal liability, customer service costs and brand erosion associated with data breach disclosures when laptops and desktops are lost or stolen
- Safeguard intellectual property by using full disk or multi-partition encryption to protect data
- Leverage Microsoft Active Directory and Novell eDirectory to reduce the cost and complexity of deploying and managing an endpoint data protection solution
- Transparently manage endpoint security policies with system policies and user policies through full integration with Active Directory GPO and native policy deployment
- Allow organizations to implement a pre-boot authentication environment integrated with Microsoft Single Sign-On and Novell Single Sign-On, ensuring that only authorized users can gain access to data
- Extend pre-boot access control with multi-factor authentication for enhanced access protection when combined with GuardianEdge Advanced Authentication
- Proactively identify and protect systems at risk of data loss, and remediate them from the same console administrators already use for configuration, patch and update management, when combined with GuardianEdge Altiris Connector
Key Features
Client Environment
- No additional log-in required (integrated with Microsoft and Novell Single Sign-On)
- High performance encryption
- Secure client/server communications
- Power failure protection for computers without a battery or backup power source during initial encryption
Pre-boot Authentication
- Microsoft and Novell Single Sign-on integration
- Password authentication (multi-factor authentication available with GuardianEdge Advanced Authentication)
- Secure Wake on LAN capability for seamless operation with enterprise patch and update management tools
- Lockout on maximum time-since-last-check-in exceeded (configurable)
- Password entry delay on failed password attempt threshold (configurable)
- Multiple user and administrator accounts (up to 1000 each)
Encryption
- Full disk or multi-partition including: master boot record, OS and system files, swap/hibernation files
- 256- or 128-bit AES
- FIPS 140-2 validated cryptographic library, CC EAL4 pending
Administrative Tools
- Remotely disable authentication of a targeted user
- Hard drive access tool to allow OS repair
- Integrated with forensic data recovery tools to retrieve data from crashed or evidential hard drives (Guidance EnCase Forensics)
- Remote, one-time password capability
- Integration with enterprise-grade deployment tools such as SMS, Tivoli, Altiris
- Real-time audit logging: policy changes, user actions (succeeded/failed authentication, attempts to uninstall the product, password recovery, change of password)
The GuardianEdge Data Protection Platform
- Native Microsoft Active directory integration
- Support for Novell eDirectory and for non-domain computers
- Single console for Active Directory, eDirectory and other computers
- Common administration and management with other GuardianEdge endpoint data protection products
- Shared security and management services across data protection applications
- Unified auditing and reporting environment
- Single sign-on integration
- Secure client/server communications
- Minimal intrusion into existing user workflows and operation
The Only Native Active Directory Integration
- Deploy and manage with existing infrastructure
- Low training and support costs, fast rollouts
- GPO based policy deployment
- MMC snap-in architecture
- Role based policy administration
- Detailed auditing and reporting
Recovery from Lost Passwords
- Simple and secure access to encrypted PCs in the event of lost passwords with self-service or admin-assisted recovery
Client Computers
- Microsoft Windows XP Pro SP2 and SP3, Windows XP Tablet Edition, Windows 2000 SP4, Windows Vista: Business, Enterprise and Ultimate
GuardianEdge Management Server
- Microsoft Server 2003 Standard or Enterprise
Database
- Microsoft SQL Server 2005: Express Edition with Advanced Services, Standard or Enterprise
Two-factor authentication
- When used with GuardianEdge Advanced Authentication, supports an extensive set of authentication tokens and token readers
GuardianEdge Advanced Authentication Integration
- Extend data protection with certificate based user authentication by adding GuardianEdge Advanced Authentication to Hard Disk Encryption
- Pre-boot environment multi-factor authentication
- Smartcard/Common Access Card (CAC) support
- Extensive support for readers and tokens
- PKI environment support
GuardianEdge Altiris Connector Integration
- Integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
Why GuardianEdge?
- The industry’s only native Active Directory integration
The unique GuardianEdge approach to management is based on an MMC snap-in architecture, MSI and EXE files for deployment, and Microsoft® Active Directory® GPOs for policy control. This approach leverages the significant investment that organizations have already made in Active Directory, a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role-based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.
- Manage endpoint data protection for all PCs from the same console
Not only does GuardianEdge have the only native integration with Active Directory, it also supports Novell eDirectory and non-domain endpoints from the same single console environment. This makes it possible for organizations that primarily use eDirectory as their directory service, or that use it in addition to Active Directory, to get the full benefit of GuardianEdge’s integrated data protection platform. In addition, as users increasingly work from home with either a full-time or part-time connection to the network, and as contractors bring their machines into the network, PCs not registered with the domain can also be protected and managed from this same single management console.
- Single console administration for endpoint data protection products
Enterprises also need common administration for data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge applications (Hard Disk Encryption, Removable Storage Encryption and Device Control) from the same single management console.
- Proven ease of operation
GuardianEdge Hard Disk Encryption is based on a 13-year track record of success in full disk encryption solutions. It boasts the highest success rates on deployment of any full disk encryption solution, as well as a long list of satisfied blue chip customers. Additionally, service and support for GuardianEdge products, a key component of any enterprise-class solution, meet the highest standards for availability, customer satisfaction and expert assistance.
- Non-disruptive: transparent to end users
For successful deployment and operation, a full disk encryption solution must both protect data and make it possible for workers to use their PCs productively. Key to this balance are minimal user adoption requirements and an implementation that lets users continue to use their systems as they have in the past while providing the protection organizations require for their data.
- Integrated with Microsoft and Novell Single Sign-on, so users only need to log in to their systems once, with the same credentials they already use across the network
- Simple, and even automatic, user registration processes that are non-intrusive or minimally intrusive to user operation are built in
- Initial encryption takes place in the background and survives power being unplugged while the hard disk is being encrypted, so a power loss does not cause a failure during the initial encryption process
- On-going encryption occurs on-the-fly in a background operation mode that has minimal impact on the speed users perceive when reading and writing data (typically an overhead of 3% or less) and no impact on their daily tasks
- Systems management tools can work on PCs protected with hard disk encryption to update configurations, patches and other settings just as they do with unprotected PCs
Hard Disk Encryption Frequently Asked Questions
This page contains answers to the most commonly asked questions about Hard Disk Encryption.
Disk Encryption
- What is a pre-boot operating system, and why is it important?
- What is A.E.S. Encryption and how is it used?
- What parts of the disk are encrypted?
- Can more than one disk partition be encrypted?
- What happens if a computer is shut down during disk encryption?
- What type of encryption is used?
- Is the product certified?
- What is the impact of disk encryption on performance?
- What hardware platforms and operating systems are supported?
Enterprise Manageability
- How does GuardianEdge leverage Active Directory?
- How does GuardianEdge support Novell eDirectory?
- How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?
- What administrative roles are included with the solution?
- How hard is it to provision hard disk encryption to endpoints?
- How are software updates installed?
- How are disk encryption policies set and changed?
- Is GuardianEdge disk encryption able to handle thousands of endpoints?
- Is GuardianEdge Hard Disk Encryption Integrated with Altiris?
User Authentication
- How do users authenticate to encrypted endpoints?
- Is strong multi-factor authentication supported?
- Do users have to remember multiple passwords?
- What happens when a user’s Windows password changes?
End User Experience
- Do users have to stop working while their disk is being encrypted?
- What happens if power is lost during disk encryption?
- How easy is it for a user to set up an account?
- Will users notice changes to system performance because of encryption?
- Can more than one user log on to an encrypted endpoint?
- What happens when a user forgets their password or PIN?
Integration with Network Environment
- Can IT administrators push out patches to encrypted endpoints?
- Is encryption compatible with anti-virus products?
- Can the GuardianEdge disk encryption products leverage existing directory services?
- Does encryption affect compatibility with office productivity applications?
- What operating systems does GuardianEdge Hard Disk Encryption support?
- Are 3rd party disk forensics supported?
Key Management
- Is a PKI infrastructure required to support your product?
- How are the encryption keys for an encrypted machine protected?
- Can administrators gain emergency access to encrypted machines?
- What is the role of the IT help desk in assisting users with key recovery?
- Is password or access recovery supported even when the endpoint is off the network?
Reporting
- What information do endpoints report back to the central management console?
- What reports are provided?
- How can I get custom and more detailed reports?
- How can I know if a system has been subject to a “brute force” or other similar attack?
- Can an endpoint that goes lost or missing be locked out from all user access?
- Is there an audit trail that shows what users are registered on what endpoints?
- Is there an audit trail proving that an endpoint is encrypted?
How Does GuardianEdge Compare?
- How is GuardianEdge’s solution different from Microsoft Vista BitLocker?
- What makes GuardianEdge different from other full disk encryption software vendors?
Disk Encryption
1) What is a pre-boot operating system, and why is it important?
A pre-boot operating system is a small, fast, secure environment that hosts user authentication for GuardianEdge Hard Disk Encryption endpoints. This pre-boot operating system is hardened to protect against security exploits, with entry points rigidly defined to create a very small attack surface relative to the endpoint’s main operating system. It provides a highly secure environment for user authentication with features like automatic delay after a pre-defined number of incorrect password attempts, and supports user productivity with features like single sign-on to Windows.
2) What is A.E.S. Encryption and how is it used?
During installation of the GuardianEdge Hard Disk Encryption endpoint client, a unique workstation encryption key is created and securely stored on the drive. The GuardianEdge Hard Disk Encryption driver intercepts all drive read and write requests from the operating system and uses the workstation encryption key with the Advanced Encryption Standard (AES) algorithm to encrypt every block of data as Windows writes a file to the drive, and to decrypt every block of data into memory as Windows reads a file from the drive. Data stored on the drive is always encrypted: GuardianEdge Hard Disk Encryption decrypts data into memory, never onto the drive, as Windows reads a file.
3) What parts of the disk are encrypted?
By default, GuardianEdge Hard Disk Encryption encrypts every sector on the drive or partition; in other words, the entire drive. This includes temporary, swap, and hibernation files written by the operating system.
4) Can more than one disk partition be encrypted?
GuardianEdge Hard Disk Encryption can encrypt up to 26 (twenty-six) partitions on the system boot drive.
5) What happens if a computer is shut down during disk encryption?
The GuardianEdge Hard Disk Encryption driver is built to handle endpoint standby, hibernation, shut down – even power loss – during drive or partition level encryption. Encryption will automatically resume where it left off when you restore power to the machine.
6) What type of encryption is used?
The primary encryption algorithms used are the Advanced Encryption Standard (AES) in Cipher Block Chaining mode with either a 128 or 256-bit key for encrypting data on the drive, SHA-1 for generating secure “hashes” or signatures of data used in key management, and the standard IEEE P-1363 implementation of Elliptic Curve Cryptography for public/private key cryptography used in key management.
7) Is the product certified?
Yes
- GuardianEdge Hard Disk Encryption includes the FIPS 140-2 certified GuardianEdge Encryption Library.
- GuardianEdge Hard Disk Encryption is Common Criteria EAL 1 certified and is in evaluation for EAL 4 certification.
8) What is the impact of disk encryption on performance?
Users typically don’t notice the performance impact of GuardianEdge Hard Disk Encryption, which varies between 5% and 15% depending on the machine configuration and hardware. The GuardianEdge Hard Disk Encryption driver is specifically architected to run at low priority during drive or partition level encryption, so users can continue to work productively on machines that are undergoing encryption for the first time.
9) What hardware platforms and operating systems are supported?
For endpoint encryption, all of Microsoft’s current business-class endpoint operating systems are supported:
- Microsoft Windows 2000 SP 4
- Microsoft Windows XP Professional and Tablet Edition SP 2 and SP 3
- Microsoft Vista Business Edition
- Microsoft Vista Ultimate Edition
- Microsoft Vista Enterprise Edition
The GuardianEdge Management Server supports Microsoft Windows Server 2003 SP1 and SP2.
Enterprise Manageability
1) How does GuardianEdge leverage Active Directory?
GuardianEdge Hard Disk Encryption is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:
- MMC interface - The GuardianEdge Management Console uses a native MMC interface, already familiar to administrators for managing email and systems and allowing them to be immediately effective with minimal training.
- Microsoft GPO policy control - Policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available through GuardianEdge Manager, and no periodic LDAP sync is required to update it.
- Active Directory role based administration - The GuardianEdge Data Platform uses Active Directory’s powerful role-based capabilities. Administrators can be limited to specific functions, such as creating MSI files or viewing monitored data, within the GuardianEdge Management Console. Additionally, administrators can only be allowed to deploy GuardianEdge policies to a specific domain, site, OU, or group.
- Active Directory’s Resultant Set of Policies (RSoP) can be used to determine the winning GuardianEdge policy on an endpoint.
- Structure and policy deployment - GuardianEdge Platform policies use Active Directory’s replication, forest/domain structures and policy deployment mechanisms.
2) How does GuardianEdge support Novell eDirectory?
GuardianEdge provides support for Novell eDirectory via an automatic synchronization. The Novell eDirectory full hierarchy and computer objects are imported, and can be managed from the same single management console with Active Directory endpoints and endpoints not part of any network domain. Policy deployment is via GuardianEdge’s native policy control mechanism or via MSI package deployment to the Novell endpoints.
In addition, machines can be moved from eDirectory management to Active Directory management without loss of protection or reporting, and may simultaneously be members of both Active Directory and eDirectory domains.
3) How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?
Non-domain endpoints, such as home users’ computers connected via VPN and contractors’ machines that connect to the network, are supported from the GuardianEdge Management Console. Once software is deployed to these endpoints, they begin reporting in to the console and are managed with GuardianEdge’s native policy control and reporting mechanisms.
In addition, these non-domain machines can be moved to Active Directory management without loss of protection or reporting.
4) What administrative roles are included with the solution?
For Active Directory:
Four administrative roles are included, three for the server and management console and one for local endpoint administration:
- The Hard Disk Encryption Administrator is responsible for the installation, configuration and maintenance of the GuardianEdge Hard Disk Encryption server and management console, and for the creation and deployment of client installer packages.
- Hard Disk Encryption Policy Administrators are responsible for creating and deploying Microsoft Group Policy Objects (GPO) through the Active Directory snap-in within the GuardianEdge management console. These group policy objects control the security profile for groups of machines protected by GuardianEdge Hard Disk Encryption.
- One-Time Password administration is typically assigned to Help Desk personnel, who provide assistance to users who have forgotten or lost their password or PIN.
- Client Administrators are provisioned by the Hard Disk Encryption Administrator or Policy Administrator, and have special privileges for local administration of endpoints protected by GuardianEdge Hard Disk Encryption.
For Novell eDirectory and non-domain endpoints:
- A single level of administrative access is available
5) How hard is it to provision hard disk encryption to endpoints?
It’s simple and easy! Client installer packages come in the standard MSI format, and can be deployed to endpoints through Active Directory group policy or any standard enterprise software provisioning tool such as SMS, Tivoli or Altiris. Silent installation is supported to help make the end user experience seamless and transparent.
6) How are software updates installed?
Software updates for both the GuardianEdge Hard Disk Encryption server and endpoint clients come in the standard MSI format, making it easy to deploy updates using standard enterprise software provisioning tools. Updates can be installed at any time, and never require un-installation of previous versions or decryption of endpoint data.
7) How are disk encryption policies set and changed?
Endpoint disk encryption policies are controlled through Microsoft Active Directory Group Policy Objects (GPO). The GuardianEdge Hard Disk Encryption management console includes a group policy snap-in that interfaces with Active Directory. Policies created by the Hard Disk Encryption Policy Administrator can be deployed at any level of granularity within the Active Directory tree, from all machines within an Active Directory forest to any organizational unit - even to a single machine.
Novell eDirectory and non-domain computers use GuardianEdge’s native policy deployment mechanism to deploy policies.
8) Is GuardianEdge disk encryption able to handle thousands of endpoints?
Yes. The server management infrastructure leverages both Microsoft Active Directory and Microsoft SQL Server, ensuring robust management and reporting capabilities that scale to virtually all enterprise deployment requirements. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with GuardianEdge Hard Disk Encryption.
9) Is GuardianEdge Hard Disk Encryption Integrated with Altiris?
Yes. GuardianEdge Altiris Connector integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server, allowing organizations to:
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
User Authentication
1) How do users authenticate to encrypted endpoints?
GuardianEdge Hard Disk Encryption supports password authentication for endpoint users and, when combined with GuardianEdge Advanced Authentication, can be extended to provide token or smartcard authentication. Single sign-on is supported for both authentication methods, enabling endpoint users to authenticate to GuardianEdge Hard Disk Encryption pre-boot authentication and Windows using a single set of credentials. For password users with single sign-on enabled, user authentication credentials consist of their Windows logon name, Active Directory domain, and password. When combined with GuardianEdge Advanced Authentication, users extend their credentials with tokens or smartcards. In this circumstance user credentials consist of their Windows logon name, Active Directory domain, the physical token, and their token PIN.
2) Is strong multi-factor authentication supported?
GuardianEdge Hard Disk Encryption supports multi-factor authentication when combined with GuardianEdge Advanced Authentication. This combination supports tokens and smartcards with X.509 digital certificates during pre-boot authentication, including tokens and smartcards certified as compliant with the U.S. Department of Defense Common Access Card (CAC) standard.
3) Do users have to remember multiple passwords?
No. With GuardianEdge Hard Disk Encryption’s single sign-on feature, users provide their normal Windows or Novell credentials once and GuardianEdge Hard Disk Encryption automatically and securely passes those credentials to the Windows logon process after authenticating in pre-boot. GuardianEdge Hard Disk Encryption can be configured to require two separate user passwords – one for pre-boot authentication and one for Windows authentication – but most customers prefer to deploy with the GuardianEdge Hard Disk Encryption single sign-on feature enabled.
4) What happens when a user’s Windows password changes?
With single sign-on enabled, GuardianEdge Hard Disk Encryption automatically receives notice of changes to the user’s Windows password from the Windows GINA or Credentials Manager. It automatically updates any change with pre-boot authentication, ensuring that the user’s password remains in sync for both pre-boot and Windows authentication.
End User Experience
1) Do users have to stop working while their disk is being encrypted?
No. The GuardianEdge Hard Disk Encryption driver runs at a low priority in the background during disk or partition level encryption, so users can continue to use their machines productively while data on the hard drive is being encrypted for the first time.
2) What happens if power is lost during disk encryption?
Power loss protection is *always* enabled during disk or partition level encryption. The GuardianEdge Hard Disk Encryption driver maintains the state of disk encryption and, if power is lost, will automatically resume encryption where it left off when power is restored.
3) How easy is it for a user to set up an account?
It’s as easy as logging on to Windows! When a user logs on to Windows after GuardianEdge Hard Disk Encryption has been installed on their endpoint, a simple dialog prompts them to become a registered GuardianEdge Hard Disk Encryption user. All they have to do is reply “Yes” to the dialog, and the GuardianEdge Hard Disk Encryption registration process sets up their account for them.
4) Will users notice changes to system performance because of encryption?
Users typically don’t notice the performance impact of GuardianEdge Hard Disk Encryption, which varies between 5% and 15% depending on the machine configuration and hardware. The GuardianEdge Hard Disk Encryption driver is specifically architected to run at low priority during drive or partition level encryption, so users can continue to work productively on machines that are undergoing encryption for the first time.
5) Can more than one user log on to an encrypted endpoint?
Yes. GuardianEdge Hard Disk Encryption endpoints can be configured through policy to support up to 250 user accounts and 250 administrator accounts.
6) What happens when a user forgets their password or PIN?
GuardianEdge Hard Disk Encryption provides both self-help and Help Desk-assisted recovery for users who forget their password or PIN. Authenti-Check™ is a self-help, challenge and response feature that enables users to recover access to their machines through a combination of questions and answers that were defined during the user’s GuardianEdge Hard Disk Encryption registration process. Authenti-Check provides secure recovery without involving Help Desk or other administrative personnel, reducing the TCO for a GuardianEdge Hard Disk Encryption deployment. One Time Password is a Help Desk-assisted recovery feature that enables users to recover access to their machines even if they have forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to provide a user with one-time access to their machine.
Integration with Network Environment
1) Can IT administrators push out patches to encrypted endpoints?
Yes. GuardianEdge Hard Disk Encryption supports remote machine administration or “Wake on LAN”. Through policy, administrators can establish a window of time during which machines will re-boot without requiring pre-boot authentication, and also specify the number of times the machine can re-boot before pre-boot authentication is reactivated.
2) Is encryption compatible with anti-virus products?
Yes. GuardianEdge tests its endpoint data encryption products with current anti-virus solutions to ensure that they are compatible with typical enterprise deployments.
3) Can the GuardianEdge disk encryption products leverage existing directory services?
Yes. Close integration with Microsoft Active Directory is a key component of the GuardianEdge Hard Disk Encryption solution. Security policies for GuardianEdge Hard Disk Encryption endpoints are controlled through Microsoft Group Policy Objects (GPO), and GuardianEdge Hard Disk Encryption policies are created and deployed within the GuardianEdge management console through an MMC snap-in to Active Directory group policy management. In addition, GuardianEdge also supports the Novell eDirectory environment, including all computer objects and the complete eDirectory organizational unit hierarchy.
4) Does encryption affect compatibility with office productivity applications?
Virtually all office productivity applications are compatible with full disk encryption. The GuardianEdge Hard Disk Encryption driver sits at a software layer well below these applications. Both encryption of data written to the disk and decryption of data read from the disk are completely transparent to the Windows software application layer.
5) What operating systems does GuardianEdge Hard Disk Encryption support?
For endpoint encryption, all of Microsoft’s current business-class endpoint operating systems are supported:
- Microsoft Windows 2000 SP 4
- Microsoft Windows XP Professional and Tablet Edition SP 2 and SP 3
- Microsoft Vista Business Edition
- Microsoft Vista Ultimate Edition
- Microsoft Vista Enterprise Edition
The GuardianEdge Management Server supports Microsoft Windows Server 2003 SP1 and SP2.
6) Are 3rd party disk forensics supported?
Yes. GuardianEdge and Guidance Software have integrated their solutions with the EnCase Forensic product from Guidance Software, an industry-leading computer forensic investigation tool. The EnCase Forensic product is compatible with GuardianEdge Hard Disk Encryption, and provides comprehensive computer forensic investigation for disks encrypted by GuardianEdge Hard Disk Encryption. Note that the customer must supply valid GuardianEdge Hard Disk Encryption administrative credentials in order for EnCase to be able to access encrypted data on the disk.
Key Management
1) Is a PKI infrastructure required to support your product?
No. GuardianEdge Hard Disk Encryption implements its own public/private key infrastructure for key escrow and recovery, so no enterprise PKI is needed. For customers who have already deployed a PKI, GuardianEdge Hard Disk Encryption is fully compatible with the Windows authentication methods those deployments require, including two-factor authentication.
2) How are the encryption keys for an encrypted machine protected?
Each endpoint's disk encryption key is generated by GuardianEdge Hard Disk Encryption's FIPS 140-2 validated pseudo-random number generator and is unique to that endpoint. The key is then encrypted (wrapped) separately under an Elliptic Curve Cryptography public key derived from each registered user's and administrator's credentials, and the wrapped copies are stored in the GuardianEdge Hard Disk Encryption pre-boot environment. The disk encryption key can therefore only be unlocked by a successful user or administrator authentication at pre-boot; it is never stored in usable form without that authentication.
3) Can administrators gain emergency access to encrypted machines?
Yes. GuardianEdge Hard Disk Encryption ensures that at least one valid administrative account is always provisioned on each machine. The solution includes a set of utilities that allow administrative accounts to remove registered users from a machine, add new users to a machine, or quickly and securely recover data from an encrypted machine when user account information is lost or missing.
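The two answers above (Key Management questions 2 and 3) describe one key-protection model: a single random data encryption key per endpoint, wrapped once for every registered user or administrator under a public key derived from that principal's credential, so that any one of them can unlock the disk, removing a user only deletes that user's wrapped copy, and the administrator's copy remains for recovery. The following is an added example of that model written for this page; it is not GuardianEdge code, and the details the page does not state are assumptions: X25519 stands in for the unnamed ECC curve, PBKDF2-SHA256 turns a credential into the private scalar, and the disk key is masked with an HKDF-derived one-time key and authenticated with HMAC-SHA256 because the Python standard library has no AES key wrap.

```python
"""Per-endpoint disk key escrowed to several principals (added example).

One random data-encryption key (DEK) per endpoint, wrapped once per
registered user or administrator under a public key derived from that
principal's credential.  Assumed details not stated on the page: X25519
stands in for the unnamed ECC curve, PBKDF2-SHA256 maps a credential to
the private scalar, and the DEK is masked with an HKDF-derived one-time
key plus an HMAC-SHA256 tag because the stdlib has no AES key wrap.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")
PBKDF2_ROUNDS = 100_000  # assumption; the page gives no KDF parameters


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 X25519: Montgomery ladder over Curve25519."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def credential_keypair(credential: str, salt: bytes) -> tuple:
    """Private scalar from a credential (PBKDF2), and its public key."""
    priv = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ROUNDS, 32)
    return priv, x25519(priv, BASEPOINT)


def _derive_keys(shared: bytes, eph_pub: bytes, pub: bytes) -> tuple:
    """HKDF-SHA256 (extract, then two expand blocks) -> (mask key, MAC key)."""
    prk = hmac.new(b"dek-wrap-v1", shared + eph_pub + pub, hashlib.sha256).digest()
    mask = hmac.new(prk, b"mask\x01", hashlib.sha256).digest()
    mac = hmac.new(prk, mask + b"mac\x02", hashlib.sha256).digest()
    return mask, mac


def wrap_dek(dek: bytes, pub: bytes) -> tuple:
    """ECIES-style wrap: ephemeral ECDH, derived one-time mask, then MAC."""
    eph_priv = secrets.token_bytes(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    mask, mac = _derive_keys(x25519(eph_priv, pub), eph_pub, pub)
    ct = bytes(x ^ m for x, m in zip(dek, mask))
    tag = hmac.new(mac, eph_pub + ct, hashlib.sha256).digest()
    return eph_pub, ct, tag


def unwrap_dek(priv: bytes, pub: bytes, eph_pub: bytes, ct: bytes, tag: bytes) -> bytes:
    """Inverse of wrap_dek; a wrong credential fails the tag check first."""
    mask, mac = _derive_keys(x25519(priv, eph_pub), eph_pub, pub)
    expected = hmac.new(mac, eph_pub + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(x ^ m for x, m in zip(ct, mask))


def add_principal(slots: dict, dek: bytes, name: str, credential: str) -> None:
    """Register a user or administrator: one more wrapped copy of the DEK."""
    salt = secrets.token_bytes(16)
    _, pub = credential_keypair(credential, salt)
    slots[name] = (salt, pub) + wrap_dek(dek, pub)


def remove_principal(slots: dict, name: str) -> None:
    """Revoke access by deleting that principal's wrapped copy only."""
    del slots[name]


def provision_endpoint(credentials: dict) -> tuple:
    """Generate the endpoint DEK and wrap it for every initial principal."""
    dek = secrets.token_bytes(32)
    slots = {}
    for name, credential in credentials.items():
        add_principal(slots, dek, name, credential)
    return dek, slots


def unlock(slots: dict, name: str, credential: str) -> bytes:
    """Pre-boot authentication: recover the DEK from the caller's own slot."""
    salt, pub, eph_pub, ct, tag = slots[name]
    priv, _ = credential_keypair(credential, salt)
    return unwrap_dek(priv, pub, eph_pub, ct, tag)
```

The design point to take from this is that the disk key is never re-encrypted when users change: `remove_principal` deletes one slot, `add_principal` (run after an authorized `unlock`) creates one, and the administrative slot provisioned at setup is what makes emergency recovery possible. Per-slot salts mean two principals with the same password still get different slots, and the MAC check rejects a wrong credential before any key material is released.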
4) What is the role of the IT help desk in assisting users with key recovery?
One Time Password is a Help Desk-assisted recovery feature that enables users to regain access to their machines even if they have forgotten their password or PIN and the answers to their Authenti-Check questions. One Time Password uses a secure challenge and response system based on public/private key cryptography to grant a user one-time access to their machine.
5) Is password or access recovery supported even when the endpoint is off the network?
Yes. Both the self-help Authenti-Check access recovery feature and the Help Desk-assisted One Time Password feature can be used regardless of whether a machine is currently connected to the corporate network.
Reporting
1) What information do endpoints report back to the central management console?
All endpoints report information to the GuardianEdge Hard Disk Encryption server, providing a centralized, aggregated view of the state of endpoint encryption throughout an enterprise deployment. This information includes:
- User accounts per machine
- Administrative accounts per machine
- Timestamp of last check-in by a machine to the server
- State of drive and partition encryption on a machine
- SMBIOS ID information
- Asset Tag
- Part number
- Serial number
2) What reports are provided?
Four reports are included as starting points for administrators. Report data can be viewed on screen 100 rows at a time, printed, or exported to a CSV file for further analysis:
- Collection of machine names and status
- All machines without Hard Disk Encryption
- All machines without Removable Storage Encryption
- Machines with decrypted logical drives
3) How can I get custom and more detailed reports?
All data reported to the GuardianEdge management console is stored in the Microsoft SQL Server instance used by your GuardianEdge installation. To build custom or more detailed reports, query that database with standard database reporting tools; read-only access is sufficient for reporting, and the database should not be modified directly.
4) How can I know if a system has been subject to a “brute force” or other similar attack?
GuardianEdge Hard Disk Encryption logs all user and administrative authentication attempts to the Windows Event Log on the local machine. These entries record every authentication attempt, including the user name, success or failure, the reason for failure, and a timestamp. GuardianEdge Hard Disk Encryption also protects against brute-force attempts at the pre-boot logon dialog by enforcing an automatic delay once the administrator-defined threshold of unsuccessful logon attempts has been exceeded. Because these entries are written to the local Event Log rather than to the management server, collect them with whatever event forwarding your organization already uses if you want central alerting on them.
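The answer above gives the fields each authentication record carries (user name, success or failure, failure reason, timestamp) but not the event schema, so the following is an added example, not GuardianEdge code: it runs brute-force detection over constructed sample records in an assumed key=value layout. It flags a burst of failures for one (machine, user) pair inside a sliding window and, separately, a success that follows such a burst, which is the trace a successful guessing attack leaves. The threshold and window values are assumptions; in practice align them with the pre-boot lockout threshold set in policy.

```python
"""Brute-force detection over pre-boot authentication records (added example).

The records below are constructed sample lines in an assumed key=value
layout; the real entries live in the Windows Event Log and their exact
schema is not documented on the page.  One malformed line is included to
show that the parser skips it rather than aborting the run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2009-03-02T08:15:01 machine=LT-0421 user=asmith result=FAILURE reason=bad_password
2009-03-02T08:15:20 machine=LT-0421 user=asmith result=SUCCESS
2009-03-02T09:00:00 machine=LT-0421 user=hdadmin result=FAILURE reason=bad_pin
2009-03-02T12:00:05 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:00:09 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:00:13 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:00:18 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:00:22 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:00:40 machine=LT-0421 user=jdoe result=FAILURE reason=bad_password
2009-03-02T12:01:30 machine=LT-0421 user=jdoe result=SUCCESS
2009-03-02T14:00:00 machine=LT-0421 user=hdadmin result=FAILURE reason=bad_pin
2009-03-02T19:00:00 machine=LT-0421 user=hdadmin result=FAILURE reason=bad_pin
2009-03-02T19:00:30 machine=LT-0421 user=hdadmin result=SUCCESS
this line is deliberately malformed and must be skipped, not crash the run
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) machine=(?P<machine>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text: str) -> list:
    """Parse the sample format; unparsable lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def _alert(kind, key, count, first, last):
    return {"kind": kind, "machine": key[0], "user": key[1],
            "failures": count, "first": first, "last": last}


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding-window failure counter per (machine, user).

    Emits one 'burst' alert when failures inside `window` reach `threshold`,
    and a 'success_after_burst' alert if a logon then succeeds while the
    window still holds a burst.  Defaults are assumptions, not the product's.
    """
    recent = defaultdict(deque)   # (machine, user) -> timestamps of failures
    fired = set()                 # pairs already alerted on in this burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["machine"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "FAILURE":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in fired:
                fired.add(key)
                alerts.append(_alert("burst", key, len(q), q[0], ev["ts"]))
        else:
            if len(q) >= threshold:
                alerts.append(_alert("success_after_burst", key, len(q), q[0], ev["ts"]))
            q.clear()             # a success closes the current burst
            fired.discard(key)
    return alerts


def summarize(text: str = SAMPLE_LOG) -> list:
    """Parse the log and return its alerts in time order."""
    return detect_bruteforce(parse_log(text))


if __name__ == "__main__":
    for a in summarize():
        print(f"{a['last']:%Y-%m-%d %H:%M:%S} {a['machine']} {a['user']}: "
              f"{a['kind']} ({a['failures']} failures since {a['first']:%H:%M:%S})")
```

On the sample data only jdoe trips the detector: five failures in seventeen seconds raise the burst alert, and the success ninety seconds later raises the second one, which is the record worth a call to that user. The hdadmin failures are hours apart and never accumulate inside the window, and asmith's single typo followed by a success is normal behaviour. The successful-logon check matters because the product's automatic delay slows an attacker down but does not itself tell you whether a guess eventually worked.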
5) Can an endpoint that goes lost or missing be locked out from all user access?
Yes. Through policy, machines can be required to "check in" to the GuardianEdge Hard Disk Encryption server periodically. A machine that exceeds the administrator-defined reporting interval is automatically locked out to all user accounts. Set the interval to accommodate legitimate offline use, such as extended travel, since a machine that misses it locks out its legitimate users as well and will then need administrative or Help Desk-assisted recovery.
6) Is there an audit trail that shows what users are registered on what endpoints?
Yes. The list of user and administrative accounts on each machine is part of the information every endpoint reports to the GuardianEdge Hard Disk Encryption server (see Reporting question 1), so the central console holds a current, aggregated record of which accounts are registered on which endpoints.
7) Is there an audit trail proving that an endpoint is encrypted?
Yes. The state of drive and partition encryption on each machine is part of the information every endpoint reports to the GuardianEdge Hard Disk Encryption server (see Reporting question 1), together with the timestamp of the machine's last check-in, so the central console can show when each endpoint last reported itself as encrypted.
How Does GuardianEdge Compare?
1) How is GuardianEdge's solution different from Microsoft Vista BitLocker?
BitLocker and GuardianEdge Hard Disk Encryption are two different classes of product. BitLocker is a first-generation product that is comparatively immature and difficult to deploy and manage; GuardianEdge Hard Disk Encryption is a mature, robust product with hundreds of successful enterprise deployments over the past ten years.
Microsoft BitLocker:
- Runs only on certain versions of the Vista operating system.
- Requires IT administrators to create a special partition on the system boot drive for all endpoints.
- Requires either a TPM module, or a USB Flash drive to store logon keys. If TPM is used, TPM modules must be deployed, activated and managed on all protected endpoints (Microsoft does not provide a management solution for TPM)
- Does not include a management console. Microsoft does not provide a central management console for BitLocker. In order to escrow recovery keys from BitLocker endpoints, Microsoft requires the modification of the enterprise Active Directory schema.
By contrast, GuardianEdge Hard Disk Encryption:
- Leverages the existing enterprise infrastructure and is designed from the ground up for the best security with the lowest total cost of ownership.
- Runs on all Microsoft endpoint operating systems that Microsoft provides support for today (Windows 2000, XP Professional and Vista), and requires no additional hardware or software to deploy and manage thousands of endpoints.
- Has an enterprise class management console tightly integrated with Active Directory, does not require the extension of the enterprise Active Directory schema, and provides a common interface for management of all GuardianEdge data protection solutions, including Hard Disk Encryption, Removable Storage Encryption, and Device Control.
2) What makes GuardianEdge different from other full disk encryption software vendors?
GuardianEdge offers the only native Active Directory integration in the industry. This approach leverages the significant investment that organizations have already implemented in Active Directory—a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role-based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.
Not only does GuardianEdge have the only native integration to Active Directory, it also supports Novell eDirectory and non-domain endpoints from the same single console environment. This makes it possible for organizations that primarily use eDirectory as their directory services solution—or who use it in addition to Active Directory—to get the full benefit of GuardianEdge’s integrated data protection platform. In addition, as users increasingly work from home with either a full time or part time connection to the network, and as contractors bring their machines into the network, these PCs not registered with the domain can also be protected and managed from this same single management console.
Enterprises also need common administration for data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge Hard Disk Encryption, Removable Storage Encryption and Device Control from the same single management console.
GuardianEdge Hard Disk Encryption is based on a 13-year track record of success in full disk encryption solutions. It has the highest success rates on deployment of any full disk encryption solution and a long list of satisfied blue chip customers. Service and support for GuardianEdge products—a key component of any enterprise-class solution—also meets the highest standards for availability, customer satisfaction and expert assistance.
It is also non-disruptive and transparent to end users. For successful deployment and operation, a full disk encryption solution must both protect data and let workers use their PCs productively. Key to this balance are minimal user adoption requirements and an implementation that allows users to continue using their systems as they have in the past, while providing the protection organizations require for their data. GuardianEdge provides a truly non-disruptive, transparent environment that lets users get on with their work while the data on their systems stays protected.