Tech Talk 3 By David Ferre
Striking the Right Balance So that All Your Endpoints Are Secure
As a comprehensive endpoint security solution, ZENworks Endpoint Security Management provides a wide array of protections and controls. Specific to USB security, the solution focuses on four main areas of protection:
- Storage device enumeration
- USB bus enumeration
- White list device ID and serial number control
- Device encryption
Storage device enumeration determines if a storage device is even allowed to register with the endpoint’s file system. To do this, ZENworks Endpoint Security Management utilizes a storage device security driver that can, based on policy, enable, disable or configure as read-only any device that dynamically enumerates onto the system. The storage device security driver sits in the kernel-level storage stack of all your endpoint devices so it can control access to CD/DVD writers, thumb drives, floppy drives, flash memory cards, ZIP drives, PCMCIA cards and other types of removable media. The driver not only works to protect against data theft, but can stop harmful files—such as viruses, spyware and malware—from infecting your endpoints.
ZENworks Endpoint Security Management also gives you control at an access layer even closer to the USB bus. When a USB device tries to enumerate, policies that you configure by device class or device-friendly name determine whether that device is enabled, disabled or configured as read-only.
The white list device ID and serial number controls in the solution give you even more granular control over which devices are allowed, blocked or set to read-only. By leveraging the device IDs and unique serial numbers of your approved USB devices, this control allows you to ensure that only the USB devices you know about can be used—and only in the manner you dictate.
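The three layers just described (a default for removable storage, per-class rules on the USB bus, and an allow-list keyed on device ID plus serial number) can be modelled as one policy evaluation. The following is an added example written for this article, not ZENworks code; the device fields, class labels, policy structure and all device records are constructed illustrations, and the rule order (allow-list entry first, then class rule, then storage default) is an assumption about how such layers would be combined.

```python
"""Policy-driven USB device control, modelled after the layers the article describes.

Not ZENworks code. Every device record, identifier and policy value here is
constructed sample data; the field names and the class labels are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Access(Enum):
    ENABLED = "enabled"
    READ_ONLY = "read-only"
    DISABLED = "disabled"


@dataclass(frozen=True)
class UsbDevice:
    device_class: str       # hypothetical labels: "mass-storage", "hid", "printer"
    friendly_name: str      # name the device reports on enumeration
    device_id: str          # vendor:product identifier as reported on the bus
    serial: Optional[str]   # None when the device reports no serial number


@dataclass
class Policy:
    # Layer 1: what happens to any device that registers as removable storage
    storage_default: Access
    # Layer 2: per USB class overrides (device_class -> Access)
    class_rules: Dict[str, Access] = field(default_factory=dict)
    # Layer 3: explicit allow-list keyed by (device_id, serial) -> Access
    allow_list: Dict[Tuple[str, Optional[str]], Access] = field(default_factory=dict)
    # Non-storage devices with no matching class rule
    other_default: Access = Access.ENABLED
    # A device that reports no serial cannot be uniquely identified, so it
    # never matches the allow-list; it falls through to the broader rules.
    require_serial: bool = True


def evaluate(device: UsbDevice, policy: Policy) -> Tuple[Access, str]:
    """Most specific rule wins. Returns the decision and the rule that produced it
    so the agent can write an audit record explaining why a device was blocked."""
    key = (device.device_id.lower(), device.serial)
    if (device.serial is not None or not policy.require_serial) and key in policy.allow_list:
        return policy.allow_list[key], f"allow-list {key[0]}/{key[1]}"
    if device.device_class in policy.class_rules:
        return policy.class_rules[device.device_class], f"class rule {device.device_class}"
    if device.device_class == "mass-storage":
        return policy.storage_default, "storage default"
    return policy.other_default, "other default"


# Constructed sample policy: storage is read-only unless the exact drive is approved,
# printers are blocked, anything else (keyboards, mice) is allowed.
SAMPLE_POLICY = Policy(
    storage_default=Access.READ_ONLY,
    class_rules={"printer": Access.DISABLED},
    allow_list={("0781:5583", "SN-CONSTRUCTED-001"): Access.ENABLED},
)


def decide(device: UsbDevice) -> Access:
    """Convenience wrapper used by the sample run and the checks below."""
    decision, reason = evaluate(device, SAMPLE_POLICY)
    print(f"{device.friendly_name:<24} -> {decision.value:<10} ({reason})")
    return decision


if __name__ == "__main__":
    decide(UsbDevice("mass-storage", "Approved corp drive", "0781:5583", "SN-CONSTRUCTED-001"))
    decide(UsbDevice("mass-storage", "Same model, other unit", "0781:5583", "SN-CONSTRUCTED-002"))
    decide(UsbDevice("mass-storage", "Drive with no serial", "0781:5583", None))
    decide(UsbDevice("printer", "Desk printer", "04b8:0005", "PRN-CONSTRUCTED-1"))
    decide(UsbDevice("hid", "Keyboard", "046d:c31c", None))
```

Note the serial-number handling: a drive of the same model as an approved device, or one that reports no serial at all, does not inherit the approved device's access. Keying the allow-list on device ID alone would let any unit of that model through, which is exactly the gap the serial-number control in the article closes.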
But perhaps the most powerful and flexible control provided by ZENworks Endpoint Security Management is its encryption control. The solution utilizes AES 256-bit encryption not only to make sure that data copied to USB devices without authorization is unreadable, but also to ensure that data on lost or stolen thumb drives can’t be read by those outside your organization. (See Figure 2.)
In addition to protecting your valuable data, a primary goal of the solution’s encryption capabilities is to let users within your organization keep sharing data with one another. If you hand one of your coworkers a thumb drive containing information they need to do their job, you want them to be able to read it. However, if they happen to lose that thumb drive on an airplane or in a cab, you don’t want whoever finds it to be able to read that data. The way ZENworks Endpoint Security Management implements data encryption on removable drives delivers this capability.
Encryption key management allows you to choose whether or not to encrypt all data copied to removable drives. When the solution pushes that policy out to your endpoints, it will place your organization’s encryption key into the agents residing on your endpoints. This means that you and your coworkers can read the contents of that thumb drive from any of your organization’s managed endpoints, regardless of whether or not they’re connected to the network. It also means if the thumb drive gets lost, its data will be unreadable to anyone outside your organization.
If for some reason you need to share a file on a thumb drive with someone outside your organization or policy group, the solution allows you to activate a sharing folder. Users beyond the scope of the policy would be able to access the sharing folder using a password, but they would not be able to read any encrypted files not residing within the sharing folder.
The encryption solution also allows you to give users one-time, temporary emergency override capabilities to read encrypted data on a removable drive that is inserted into a non-managed endpoint. This is extremely helpful in situations where your salespeople or executives are on the road and need to use a thumb drive on a machine that doesn’t have the agent. Perhaps they’re at a customer site giving a presentation on a customer computer. In these cases, you can generate a user-specific, time-sensitive, one-time hash based on your encryption key that enables them to temporarily read that encrypted data. (See Figure 3.)
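The emergency override described above is a user-specific, time-limited, single-use value derived from the organization's key. The block below is an added illustration of that idea written for this article, not ZENworks code; the page does not describe the product's actual construction, so the token format (HMAC-SHA256 over user, expiry and a random nonce) and the key are assumptions and constructed sample data.

```python
"""Time-limited, single-use override tokens, modelled on the emergency override
the article describes. Not ZENworks code: the token format, the HMAC-SHA256
construction and the key below are assumptions and constructed sample data."""
import hashlib
import hmac
import os
import time
from typing import Optional, Set, Tuple


def issue_token(org_key: bytes, user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a token for one named user that stops working after ttl_seconds.
    The tag binds user, expiry and nonce to the organisation key, so none of
    the three can be altered without the key."""
    now = time.time() if now is None else now
    expiry = int(now) + ttl_seconds
    nonce = os.urandom(8).hex()               # makes every issued token distinct
    msg = f"{user}|{expiry}|{nonce}".encode()
    tag = hmac.new(org_key, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{nonce}|{tag}"


class OverrideVerifier:
    """Whatever component reads the encrypted drive on the unmanaged machine
    holds the key and remembers which nonces it has already honoured."""

    def __init__(self, org_key: bytes) -> None:
        self.org_key = org_key
        self.used: Set[str] = set()

    def verify(self, token: str, user: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        try:
            t_user, expiry_s, nonce, tag = token.split("|")
            expiry = int(expiry_s)
        except ValueError:
            return False, "malformed"
        msg = f"{t_user}|{expiry}|{nonce}".encode()
        expected = hmac.new(self.org_key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison: never compare MACs with ==
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        if t_user != user:
            return False, "wrong user"
        if now > expiry:
            return False, "expired"
        if nonce in self.used:
            return False, "already used"
        self.used.add(nonce)                  # burn the nonce only after every check passed
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-org-key-not-a-real-secret"   # constructed sample key
    verifier = OverrideVerifier(key)
    token = issue_token(key, "alice", ttl_seconds=3600)
    print(verifier.verify(token, "alice"))     # (True, 'ok')
    print(verifier.verify(token, "alice"))     # (False, 'already used')
```

Two points a practitioner would weigh: the "one-time" property can only be enforced by the component that keeps the used-nonce set, so if tokens are verified on several unmanaged machines independently, the expiry is the guarantee that actually holds everywhere; and the verifier should reject on the MAC check before looking at the user or expiry fields, since those fields are attacker-controlled until the tag is confirmed.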
Comprehensive Endpoint Security
In addition to USB and removable storage security, ZENworks Endpoint Security Management is a comprehensive endpoint security solution that gives you centralized management and control over your endpoints’ personal firewalls, wireless security, data encryption, VPN enforcement, antivirus management and remediation, application control, hardware communication control and integration with network access controls. (See Flipside of Mobile Security.) All of these capabilities combine to help you strike the ideal balance between complete endpoint security and user agility.