
Overview
Protects Data on Removable Storage and Removable Media
Removable storage devices are now common in offices anywhere—and everywhere that today’s mobile workers go. And the proliferation of inexpensive USB thumb drives, portable hard drives, MP3 players, iPods, digital cameras, mobile phones, PDAs and CD/DVD burners puts organizations’ data and their business at risk.
GuardianEdge™ Removable Storage Encryption solves this problem by delivering the ability to encrypt data by policy on any storage device or media. This capability allows employees to safely transport and use data on portable media and securely distribute data via email.
GuardianEdge technology also minimizes deployment, management, training, rollout and support requirements by making maximum use of existing infrastructure through native Microsoft® Active Directory™ integration—as well as Novell eDirectory™ support—within a single management console.
By deploying GuardianEdge Removable Storage Encryption organizations can:
- Drive productivity while minimizing the information security risks posed by USB thumb drives, FireWire drives and keys, MP3 players, iPods, digital cameras, mobile phones, PDAs and CD/DVD burners
- Assure that intellectual property and sensitive or legally protected information on removable devices and media is accessible only to authorized users
- Meet regulatory compliance requirements through strong, centrally managed encryption, including FIPS 140-2 certified and AES 128 bit/256 bit encryption
- Allow users to securely take data home, work on the encrypted files, and re-encrypt the data on the removable media device even when GuardianEdge Removable Storage Encryption is not installed on their personal system
- Securely distribute confidential and private information through email, FTP post, network drive or other mechanism with self-extracting encrypted file archives
Key Benefits
- Benefit from the "safe harbor" provided by encryption to eliminate the legal liability, customer service costs and brand erosion associated with data breach disclosures when removable storage devices or removable media are lost or stolen
- Safeguard intellectual property using AES-128 or AES-256 bit encryption to protect data on removable storage devices and removable media
- Leverage Microsoft Active Directory and Novell eDirectory to reduce the cost and complexity of deploying and managing an endpoint data protection solution
- Transparently manage endpoint security policies with system policies and user policies through full integration with Active Directory GPO and native policy deployment
- Per file authentication ensures that only authorized users can access data on removable storage when devices are shared
- When combined with GuardianEdge Advanced Authentication, enhance access protection with certificate-based user authentication
- Complements GuardianEdge Device Control – the combination makes possible a two-tiered approach to preventing data loss and data leakage from removable storage media and associated ports
- When combined with GuardianEdge Altiris Connector, proactively identify and protect systems at risk of data loss and remediate from the same console as administrators now use for configuration, patch and update management
Key Features
Supported Ports
- USB, FireWire, floppy, CD/DVD
Supported Devices
- Memory cards: SD, MMC, CDC, SMC, etc.
- Memory sticks and thumb drives
- Internal and external – floppy, CD and DVD writers
- Removable hard drives
- All devices recognized as storage media by supported OS releases
CD/DVD Support
- Encrypt data written to CDs and DVDs
- Native CD and DVD burner – can replace other CD and DVD burning software
Encryption
- 256- or 128-bit AES encryption of stored data
- Granular file-level data encryption policies
- Support for password or digital certificate user authentication keys
- FIPS 140-2 validated cryptographic library
Self-extracting Archives
- Easily distribute encrypted data on storage devices and through email
- Access data via password entry without requiring additional software
Removable Storage Access Utility
- Enables access to encrypted data on computers without GuardianEdge Removable Storage installed
- Resides on removable storage media, requires a very small footprint
- Decrypts and encrypts data
Key and Password Administration and Recovery
- Administrator-assisted password recovery
- Recovery of encrypted data in the event of lost tokens or passwords
GuardianEdge Data Protection Platform
- Native Microsoft Active Directory integration
- Support for Novell eDirectory and for non-domain computers
- Single console for Active Directory, eDirectory and other computers
- Common administration and management with other GuardianEdge endpoint data protection products
The Only Native Active Directory Integration
- Deploy and manage with existing infrastructure
- Low training and support costs
- Fast rollouts
- GPO-based policy deployment
- MMC snap-in architecture
- Role-based policy administration
- Detailed auditing and reporting
Client Computers
- Microsoft Windows XP Pro SP2 and SP3; Windows 2000 SP4; Windows Vista Business, Enterprise and Ultimate; Windows Server 2003 SP1 and SP2
GuardianEdge Management Server
- Microsoft Server 2003 Standard or Enterprise
Database - Microsoft SQL Server 2005
- Express Edition with Advanced Services, Standard or Enterprise
GuardianEdge Advanced Authentication Integration
- Extend data protection with certificate-based user authentication by adding GuardianEdge Advanced Authentication to Removable Storage Encryption
- Smartcard/Common Access Card (CAC) support
- Extensive support for readers and tokens
- PKI environment support
GuardianEdge Altiris Connector Integration
- Integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
Why GuardianEdge?
The industry’s only native Active Directory integration
The unique GuardianEdge approach to management is based on an MMC snap-in architecture, MSI and EXE files for deployment, as well as Microsoft Active Directory GPOs for policy control. This approach leverages the significant investment that organizations have already made in Active Directory—a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.
Manage endpoint data protection for all PCs from the same console
GuardianEdge not only offers the industry’s only native integration to Active Directory but also supports Novell eDirectory and non-domain endpoints from the same single console management environment. This makes it possible for organizations that primarily use eDirectory as their directory services solution—or those that use it in addition to Active Directory—to get the full benefit of the integrated GuardianEdge data protection platform. In addition, as users increasingly work from home with either a full-time or part-time connection to the network, and as contractors bring their machines into the network, PCs not registered with the domain can also be protected and managed from the same single console.
Single console administration for endpoint data protection products
Enterprises require common administration of data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge applications (Hard Disk Encryption, Removable Storage Encryption, and Device Control) from the same single management console.
Proven ease of operation
GuardianEdge Removable Storage Encryption builds on a 13-year track record of success in creating and managing encryption solutions. It boasts the highest success rates on deployment, as well as a long list of satisfied blue chip customers. Additionally, service and support for GuardianEdge products—a key component of any enterprise-class solution—meets the highest standards for availability, customer satisfaction and expert assistance.
The best data portability
A complete endpoint data protection solution must deliver both the ability to encrypt data by policy on any storage device or media and a policy-driven capability to allow employees to safely transport and use data on portable media away from their office machines, and to securely distribute data via one-way distribution methods such as email.
- Removable Storage Encryption supports the industry’s most complete selection of storage devices and media.
- GuardianEdge provides a policy-driven option to automatically install the Access Utility on removable media when writing encrypted data, so that users can use their credentials or passwords to access encrypted data from machines that do not have Removable Storage Encryption installed. This complete capability not only makes it possible to decrypt the data but also to re-encrypt files once changes are made.
- Accessing and re-encrypting data on machines without GuardianEdge Removable Storage Encryption is easy and familiar, using the same look and feel as Windows Explorer.
- For circumstances when data needs to be distributed securely outside of an organization, Removable Storage Encryption includes the capability to create a self-extracting archive that can include a complete file and folder tree. This allows secure posting to FTP and network servers as well as distribution by email to meet this need.
Non-disruptive user experience
GuardianEdge delivers full protection with minimal intrusion into users’ daily use of their machines. This best-in-class user experience includes options for user registration that require little or no user interaction, capabilities to support kiosk mode operation with up to 1000 users per machine, and shared workgroup keys that require no user intervention when data is written.
Removable Storage Frequently Asked Questions
This page contains answers to the most commonly asked questions about Removable Storage.
Removable Storage Encryption
1) Does GuardianEdge Removable Storage use a file-based or volume-based approach to protect data?
GuardianEdge Removable Storage uses a file-based approach to encrypt data. Files are individually encrypted with their own randomly generated file encryption key. This is in contrast to a volume-based approach whereby all of the files on a device are encrypted as a single unit. Advantages of a file-based approach include the following:
- Flexibility for users to use a device for personal and work. File-based encryption allows employees to have their personal data that is saved from their home computers unencrypted on the same device as the data that is saved from their work computer that is forced to be encrypted.
- Enhanced security when devices are shared with one or more people – File-based encryption provides users the ability to set different passwords for different files, thereby providing others access only to the files that are intended for them. With volume-based encryption, on the other hand, there is only one password, and anyone that knows that password can access all of the files on a device.
2) How does GuardianEdge Removable Storage encrypt and decrypt data?
GuardianEdge Removable Storage intercepts files read from and written to storage devices. For file reads, GuardianEdge Removable Storage will allow unencrypted files to be opened in a manner identical to how the files would be opened if GuardianEdge Removable Storage was not installed on the computer (provided there is not a No Access policy in place). For encrypted files, GuardianEdge Removable Storage will first try to decrypt the file using a workgroup key (if there is one), and then will try passwords that the user previously entered. If neither of these methods works, only then will GuardianEdge Removable Storage prompt the user to enter a password or, when combined with GuardianEdge Advanced Authentication, to insert a smart card or token to decrypt the file.
When users write data to storage devices, GuardianEdge Removable Storage will intercept the write and, if a forced encryption policy is in place, will encrypt the file. Users will be prompted to enter a password and/or certificate(s) that will be used to protect the file encryption key, if they have not already set these.
3) What algorithms does GuardianEdge Removable Storage use to protect data?
GuardianEdge Removable Storage uses AES-128 and AES-256 algorithms to protect encrypted data.
4) What certifications does GuardianEdge Removable Storage possess?
- GuardianEdge Removable Storage encryption algorithms are FIPS 140-2 certified.
- GuardianEdge Removable Storage is Common Criteria EAL4 compliant, and is in evaluation for certification.
5) What options do users have for deciding how they are going to encrypt data?
Users can encrypt data using standard encryption or can create self-extracting encrypted archives.
Files encrypted with standard encryption can be accessed on computers that have GuardianEdge Removable Storage installed and on those that do not using an access utility. Users do not have to do anything to select this method of encryption; it occurs automatically when users save data to devices/media.
Self-extracting encrypted archives are intended for one-way distribution to recipients, such as attorneys, accountants, partners, and vendors that do not have GuardianEdge Removable Storage installed on their computers, although the files can also be accessed from computers that do have GuardianEdge Removable Storage installed. Self-extracting archives can be saved to storage devices, sent by email, or placed on a network share or FTP server.
6) Do users notice a change in performance when using GuardianEdge Removable Storage?
There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).
7) How does GuardianEdge Removable Storage treat existing unencrypted files that are already on a device?
Administrators can decide how plaintext files already on a device are dealt with. Plaintext files can either be allowed to remain unencrypted or can be forced to be encrypted.
8) Can GuardianEdge Hard Disk and GuardianEdge Removable Storage run on the same endpoint?
Yes. GuardianEdge Hard Disk and GuardianEdge Removable Storage complement each other. GuardianEdge Hard Disk protects data on the hard drive, while GuardianEdge Removable Storage protects data on storage devices.
When users save data from a disk that GuardianEdge Hard Disk has encrypted to a storage device, GuardianEdge Hard Disk decrypts the data on the fly as it is being read from the hard drive into RAM. At this point, this data is indistinguishable from data that is being read from a disk that is not encrypted. The data then gets copied to the storage device, and GuardianEdge Removable Storage encrypts the data as it is being written to the storage device.
If a user copies or drags-and-drops an encrypted file from a storage device to the hard drive, GuardianEdge Removable Storage will first decrypt the file so that the computer can read it into RAM. Then, the computer will write the data to the hard drive, at which point, GuardianEdge Hard Disk will encrypt it.
Enterprise Manageability
1) Is GuardianEdge Removable Storage integrated with Active Directory?
GuardianEdge Removable Storage is a component of the GuardianEdge Data Protection Platform. The GuardianEdge Data Protection Platform has the most extensive Active Directory integration of data protection products on the market today. The points of integration into Active Directory include:
- MMC interface - The GuardianEdge Management Console uses a native MMC interface, already familiar to administrators for managing email and systems and allowing them to be immediately effective with minimal training.
- Microsoft GPO policy control - Policies can be deployed to all levels of the Active Directory hierarchy, including domains, sites, OUs, and groups. This Active Directory hierarchy is natively available through GuardianEdge Manager, and no LDAP synch is required to periodically update it.
- Active Directory role based administration - The GuardianEdge Data Platform uses Active Directory’s powerful role-based capabilities. Administrators can be limited to specific functions, such as creating MSI files or viewing monitored data, within the GuardianEdge Management Console. Additionally, administrators can only be allowed to deploy GuardianEdge policies to a specific domain, site, OU, or group.
- Active Directory’s Resultant Set of Policies (RSoP) can be used to determine the winning GuardianEdge policy on an endpoint.
- Structure and policy deployment - GuardianEdge Platform policies use Active Directory’s replication, forest / domain structures and policy deployment mechanisms.
2) How does GuardianEdge support Novell eDirectory?
GuardianEdge provides support for Novell eDirectory via automatic synchronization. The Novell eDirectory full hierarchy and computer objects are imported and can be managed from the same single management console with Active Directory endpoints and endpoints not part of any network domain. Policy deployment is via GuardianEdge’s native policy control mechanism or via MSI package deployment to the Novell endpoints.
In addition, machines can be moved to Active Directory management from eDirectory management without loss of protection or reporting.
3) How does GuardianEdge support PCs not connected to any network domain (eDirectory or Active Directory)?
Non-domain endpoints—such as computers that are connected via VPN from home users and also contractors’ machines that connect to the network—are supported from the GuardianEdge Management Console. Once software is deployed to these endpoints, they begin reporting into the console and are managed with GuardianEdge’s native policy control and reporting mechanisms.
In addition, these non-domain machines can be moved to Active Directory management without loss of protection or reporting.
4) How do administrators deploy GuardianEdge Removable Storage to endpoints?
Administrators deploy GuardianEdge Removable Storage to endpoints using their existing deployment tools and methodologies. GuardianEdge Removable Storage supports deployment using any standard software deployment tool that can distribute .msi packages. These include third party software deployment tools, such as SMS and Tivoli, and Microsoft GPOs.
5) When new releases or upgrades come out, how do administrators upgrade the endpoints?
Administrators upgrade the endpoints by pushing out an MSI package with the new version using their existing deployment methodologies and tools. If using a third party deployment tool, the administrator will need to inform the tool that the MSI package will be upgrading an installation in place, as opposed to creating a fresh install. If using GPOs, the administrator can right-click on the GPO and indicate that the MSI package upgrades a previously pushed out MSI package.
6) How are policies set and pushed out to endpoints?
For Active Directory, GuardianEdge Removable Storage policies are set in a manner very similar to setting other policies. Assuming administrators are deploying a new GPO, they start by right-clicking on the GPO container and selecting “New”. The administrator can then right-click on the new GPO and select “Edit”, after which users can select the GuardianEdge Removable Storage setting they want to modify. For example, the administrator could select the setting “Encrypt All Files.” After choosing the setting the administrator closes the GPO and then links the GPO to an Active Directory. As the final step, the administrator will need to ensure that this policy is higher in precedence than any other policies containing the same settings.
For Novell eDirectory and for non-domain computers, the operation is similar, but the policies are deployed using GuardianEdge’s native policy deployment mechanism.
7) Can GuardianEdge Removable Storage force data saved to removable storage devices to be encrypted?
Yes. All files that are saved to a storage device are forced to be encrypted if there is an administrator-defined policy in place to force encryption.
8) How are users authenticated in order to access encrypted data?
The server management infrastructure leverages both Active Directory and SQL Server from Microsoft, ensuring robust management and reporting capability that scale to virtually all enterprise deployment requirements. Data is stored in Microsoft SQL Server, taking advantage of this high capacity, highly scalable database. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with removable storage encryption.
9) Can GuardianEdge Removable Storage be used on multi-user computers, such as those used at kiosks, hospitals, and police stations?
Yes. Each user has his/her own GuardianEdge account that is created automatically and behind the scenes when the user logs on to Windows. The user can use this to encrypt data that he/she writes to storage devices, and the administrator can be assured that all data that users write is encrypted.
10) How scalable is GuardianEdge Removable Storage?
The server management infrastructure leverages both Active Directory and SQL Server from Microsoft, ensuring robust management and reporting capability that scale to virtually all enterprise deployment requirements. Data is stored in Microsoft SQL Server, thereby taking advantage of this high-capacity, highly scalable database environment. GuardianEdge can provide references to enterprise customers who protect tens of thousands of their endpoints with removable storage encryption.
11) Is GuardianEdge Hard Disk Encryption integrated with Altiris?
Yes. GuardianEdge Altiris Connector integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server. This allows organizations to:
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
Key Management
1) How are files encrypted?
Files are encrypted with “file encryption keys” generated by GuardianEdge’s FIPS 140-2 validated pseudo-random number generator. These “file encryption keys” are then encrypted with public keys derived from user and administrator credentials, including passwords and/or certificates, as controlled via policy by the administrator. Additionally, if the computer from which the data is being saved is part of an administrator-defined workgroup, then the file encryption key will be encrypted with a workgroup key for common workgroup access.
2) Is there a means to access encrypted files if a user forgets their password?
Yes, GuardianEdge Removable Storage provides a recovery method whereby administrators can access files for which users forgot their passwords.
3) How are encryption keys protected in order to ensure that encrypted data remains secure?
GuardianEdge Removable Storage protects each file encryption key with other encryption keys as defined by the administrator. These keys permit access to the encryption key, and may include: a workgroup key, a password, a recovery key, or, when combined with GuardianEdge Advanced Authentication, may also include one or more certificates.
4) Does GuardianEdge Removable Storage offer an easy way for users who are part of the same workgroup to protect and share data?
Yes. Administrators can enable a workgroup key. This allows seamless encryption and decryption of data for members of the same workgroup.
5) Is a PKI infrastructure required to use GuardianEdge Removable Storage?
No. Users can protect files with passwords. However, if users must be able to use certificates to encrypt data, then GuardianEdge Advanced Authentication and PKI are required.
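The key-management answers above describe one random key per file, stored in several protected copies (password, workgroup key, recovery key), and the encryption FAQ gives the order in which those are tried on read. The sketch below is an added example, not GuardianEdge code: all function names and the slot layout are hypothetical, and a symmetric HMAC-based wrap from the Python standard library stands in for the product's public-key wrapping, which the page does not specify in detail.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumed work factor, not a product setting
KEY_LEN = 32              # 256-bit keys, matching the AES-256 option on the page


def kek_from_password(password: str, salt: bytes) -> bytes:
    """Derive a key-encryption key (KEK) from a user password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _subkeys(kek: bytes, nonce: bytes):
    # Separate pad and MAC keys, both bound to this slot's nonce.
    pad = hmac.new(kek, b"wrap-enc" + nonce, hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac" + nonce, hashlib.sha256).digest()
    return pad, mac_key


def wrap(kek: bytes, fek: bytes) -> bytes:
    """Stand-in key wrap (HMAC pad plus MAC), used here because the stdlib has no AES."""
    if len(fek) != KEY_LEN:
        raise ValueError("file encryption key must be 32 bytes")
    nonce = os.urandom(16)
    pad, mac_key = _subkeys(kek, nonce)
    ct = bytes(a ^ b for a, b in zip(fek, pad))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes):
    """Return the file key, or None if the KEK is wrong or the slot was altered."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    pad, mac_key = _subkeys(kek, nonce)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, pad))


def protect_file_key(password, workgroup_key=None, recovery_key=None):
    """Create a random per-file key and one wrapped copy ("slot") per protector."""
    fek = os.urandom(KEY_LEN)
    salt = os.urandom(16)
    slots = [{"kind": "password", "salt": salt,
              "blob": wrap(kek_from_password(password, salt), fek)}]
    if workgroup_key is not None:
        slots.append({"kind": "workgroup", "blob": wrap(workgroup_key, fek)})
    if recovery_key is not None:
        slots.append({"kind": "recovery", "blob": wrap(recovery_key, fek)})
    return fek, slots


def open_slot(slots, kind, kek_for):
    """Try every slot of one kind; kek_for(slot) supplies the candidate KEK."""
    for slot in slots:
        if slot["kind"] == kind:
            fek = unwrap(kek_for(slot), slot["blob"])
            if fek is not None:
                return fek
    return None


def unlock(slots, workgroup_key=None, cached_passwords=(), prompt=None):
    """Read path in the order the FAQ gives: workgroup key, cached passwords, prompt."""
    if workgroup_key is not None:
        fek = open_slot(slots, "workgroup", lambda s: workgroup_key)
        if fek is not None:
            return fek, "workgroup"
    for pw in cached_passwords:
        fek = open_slot(slots, "password",
                        lambda s, pw=pw: kek_from_password(pw, s["salt"]))
        if fek is not None:
            return fek, "cached-password"
    if prompt is not None:
        pw = prompt()
        fek = open_slot(slots, "password",
                        lambda s: kek_from_password(pw, s["salt"]))
        if fek is not None:
            return fek, "prompt"
    return None, "denied"


def recover(slots, recovery_key):
    """Administrator-assisted recovery: open the recovery slot, no user password."""
    return open_slot(slots, "recovery", lambda s: recovery_key)


if __name__ == "__main__":
    wg, rk = os.urandom(KEY_LEN), os.urandom(KEY_LEN)   # constructed sample keys
    fek, slots = protect_file_key("constructed-sample-pw", wg, rk)
    print(unlock(slots, workgroup_key=wg)[1])
    print(unlock(slots, cached_passwords=["old-pw"],
                 prompt=lambda: "constructed-sample-pw")[1])
    print(recover(slots, rk) == fek)
```

Because each file carries its own slots, a password that opens one file says nothing about another on the same device, and a forgotten password costs only the password slot while the recovery slot still opens the file.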
Data Portability
1) Can data encrypted by GuardianEdge Removable Storage be accessed on computers that are not running the software?
Yes. GuardianEdge provides the Removable Storage Access utility. This utility can reside on storage devices and be used to decrypt and encrypt data from computers that do not have GuardianEdge Removable Storage installed. Administrators can set a policy to automatically copy this utility onto devices that users connect to computers that have GuardianEdge Removable Storage installed. The utility can also be configured as an option which can appear and be run when the device is inserted into a PC without Removable Storage Encryption.
2) When encrypted data is accessed on machines not running GuardianEdge Removable Storage can it be re-encrypted?
Yes. The GuardianEdge Removable Storage Access utility enables data to be encrypted from computers that do not have GuardianEdge Removable Storage installed.
3) Can GuardianEdge Removable Storage protect email attachments?
Yes. Users can create self-extracting archives that include a complete nested set of folders and files, which can also be sent via email. The recipient is then required to enter a password and/or other credentials to access the data.
4) Can GuardianEdge Removable Storage protect CDs/DVDs?
Yes. GuardianEdge Removable Storage encrypts data being saved to CDs / DVDs with a native CD / DVD burning capability to provide maximum protection when encrypting data for use on CD / DVD media.
Supported Platforms/Devices
1) What storage devices does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports devices that connect through the USB, FireWire, and SecureDigital (SD) ports and that attach a file system. This includes devices such as USB flash drives, external hard drives, SD readers, Compact Flash (CF) readers, and Apple iPods.
2) What physical media does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports CDs/DVDs, Secure Digital (SD) cards, Compact Flash (CF) cards, and floppy disks.
3) What operating systems does GuardianEdge Removable Storage support?
GuardianEdge Removable Storage supports the following operating systems:
- Microsoft Windows XP Pro and Tablet Editions SP2 and SP3
- Windows 2000 SP4
- Windows Vista Business, Enterprise and Ultimate
- Windows Server 2003 SP1 and SP2
End User Experience
1) What methods are available for users to authenticate to encrypted data?
Users can authenticate in various ways, depending upon how the data is protected:
- If there is a workgroup key on the GuardianEdge Removable Storage computer—and it matches that of the file—then no user authentication is required.
- If the data is protected with a password, then users will authenticate with their password.
- When GuardianEdge Advanced Authentication is present, data may also be protected with certificates. If the data is protected with a certificate, then users will authenticate with a token or smart card that has a private key matching a certificate with which the data is protected.
2) Do users have to go through any sign-up or registration process before they can start using GuardianEdge Removable Storage?
No. Administrators can enable auto-registration, which allows users who log on to Windows to automatically have a GuardianEdge account through a process that is transparent to them.
3) Does encryption interfere with normal usage of the machine?
No. Users continue to work as they always have. The only thing that is different from a user workflow perspective is that GuardianEdge Removable Storage will prompt users for encryption and decryption only when required to obtain credentials to encrypt and decrypt the files. GuardianEdge has provided a number of mechanisms that minimize such interactions.
4) Does the user need to perform any additional steps to access encrypted data?
Although GuardianEdge has taken steps to minimize the prompts associated with providing credentials to access encrypted data, there will be instances where the user will receive prompts. In these cases, to access encrypted data the user will be required to enter a password or (when GuardianEdge Advanced Authentication is present and data is protected with certificates) insert a token/smart card. Other than this, there are no changes to the way users work when using encrypted data from devices.
5) How does a user share encrypted data with co-workers? How about with suppliers, partners, and other external parties?
GuardianEdge Removable Storage is very flexible in how it allows users to share encrypted data. Following are among the ways it allows users to share data:
- Encrypted files can be provided to a co-worker on a USB flash drive
- Encrypted files can be provided to a co-worker on a CD/DVD
- A self-extracting encrypted archive can be sent by email to a co-worker
- A self-extracting encrypted archive can be put on an FTP site or network share
These same methods are available for sharing data with external parties, such as suppliers and partners, except that external parties would be required to use a special utility that resides on devices/media for the standard GuardianEdge Removable Storage-encrypted archives. For self-extracting archives, no special software is required, and the user simply needs to enter a correct password and/or use the appropriate certificate.
6) Does the encryption and decryption cause degradation in performance?
There is minimal performance impact from using GuardianEdge Removable Storage. Users may note a small change in performance when they save files to devices as part of their normal workflow, and a slight delay when saving either a large number of files (e.g. > 500) or very large files (e.g. > 1 GB).
7) Does GuardianEdge Removable Storage create any application compatibility issues?
GuardianEdge Removable Storage is a standard Windows application and does not cause problems with other applications.
Reporting
1) Does GuardianEdge Removable Storage enable administrators to validate that the proper policies are in place?
Yes. The following data is included in the data that GuardianEdge Removable Storage shows for each user:
- Computer name
- User name
- Date and time of last status update
- Encryption policy
- Encryption method (password/certificate)
- Workgroup key
- Recovery
- Automatic copying of Access utility to devices
2) Does GuardianEdge Removable Storage provide logging of endpoint events and activities?
Yes. There are a number of events that are logged, including the following:
- Successful receipt of a policy
- Successful encryption of a file, together with the file name
- Successful decryption of a file, together with the file name
- Unsuccessful decryption of a file, together with the file name
- Delay instituted for consecutive unsuccessful authentication attempts in excess of the administrator-defined threshold
- Expiration of the above mentioned delay
3) Does the reporting include details for users and computers?
Yes. Users and computers are included in the reporting, as detailed above.
