Ceedo Client Family Products Security

Transcription

1 ABOUT THIS DOCUMENT Ceedo Client Family Products Security NOTE: This document DOES NOT apply to Ceedo Desktop family of products. ABOUT THIS DOCUMENT The purpose of this document is to define how a company can mitigate the security risks associated with portable computing environments and reduce threats to an acceptable level in relation to industry standards. This document will outline different security and authentication measures that are and can be employed in your environment by Ceedo in addition to third party software and hardware providers. DISCLAIMER The content of this document is provided for general informational purposes only and should not be considered a substitute for a professional security expert s advice.

2 Executive Summary EXECUTIVE SUMMARY Ecosystem Security As will be highlighted in this document, there are a few basic industry standard rules that are meant to keep your corporate environment and data safe, and Ceedo, in addition to the overall ecosystem, does not only meet those standards, but, in fact, exceeds them if the Workspace and its ecosystem are properly configured and adjusted to the required security level. The key points of this standard, generally known as Access Control, when put in practical terms amounts to: (1) password protection; (2) authentication; (3) a comprehensive system health check (i.e. check to ensure that the system is protected by an active antivirus solution, firewall, etc., much like high-end VPN clients do). As far this industry standard goes, Ceedo not only meets the basic guidelines, but actually exceeds them if the environment has the appropriate configuration and specifications. For instance: block host resource access from within the environment; make sure the Ceedo System Health Check allows the Workspace to run only if the host is well protected from malware to begin with, and that the encrypted drive's own antivirus is enabled (this is an integral part of most high-end encrypted devices). The following chart shows an example of a well-protected security flow of an environment consisting of: Ceedo Workspace: Configured to run in full sandbox mode under a locked down environment with Ceedo's System Health Verification running prior to Workspace launch, and with allowed processes whitelisted. Portable drive hardware: Password protected, encrypted USB drive with preliminary antivirus scan enabled. Third party software: VPN SSL client for network connection and Two-Factor Authentication client, with the addition of optional 3 rd party security software.

3 Executive Summary Data Loss Prevention When it comes to protecting your data from being compromised or leaked, there are a few guidelines which must be followed in order to meet government and/or company regulations. First and foremost, you need to define the data sensitivity level. If the data is not sensitive, then there is nothing preventing you from simply storing the raw data on your encrypted devices. However, if the data is sensitive, the best course of action is to leavethe data in the data center and grant access to it only via third party remote computing solutions such as Citrix, VNC, etc. Another thing to make sure of is that you have configured your Ceedo Workspace to run in full sandbox mode. This means that users will not be able to print documents, save them to a local drive, etc. It is, however, important to note that this constitutes protection from "good users" doing "bad things," and after all, there is no guarantee that a "bad user" won't simply capture the screen with his smartphone or digital camera. For more tips and guidelines, please review the Tips and Guidelines for Secured Environments chapter on page 7, and review the Conclusion chapter, on page 9. IMPORTANT NOTE: Ceedo's new client version Ceedo 5.0 which will be released in Q4, 2012, will have an additional feature that includes an isolation layer that prevents all Ceedo system and data files from being accesses from the host by malicious software as well as by the user. Ceedo's new sandbox mechanism will be able to protect Ceedo from malware that might present be on the device, but was not caught by either the natively installed antivirus or the encrypted drive's antivirus, and at the same time prevent users and applications running on the host from accessing data found on the Ceedo drive as an extra layer for DLP.

4 CEEDO IN RELATION TO INDUSTRY STANDARDS Access Control (Host Security Verification) Today's security industry standard uses a variety of functions as part of an overall security policy, generally known as Access Control (AC), as described in U.S. Federal Standard 1037C, which defines Access Control to be the following: 1. A service feature or technique used to permit or deny use of the components of a communications system 2. A technique used to define or restrict the rights of individuals, or application programs to obtain data from, or place data onto, a storage device 3. The definition or restriction of the rights of individuals, or application programs to obtain data from, or place data into, a storage device 4. The process of limiting access to the resources of an Automated Information System to authorized users, programs, processes, or other systems 5. That function performed by the resource controller that allocates system resources to satisfy user requests Within the organization, on managed machines, Access Control verification is meant to assure that computers accessing corporate resources meet the following "health" and security requirements: Hardened security settings Secure log-on methods Strong authentication protocols Enabled host-based firewalls Antimalware software is installed and up-to-date Securely configured software Up-to-date, patched software The above list essentially verifies that a host PC is trusted in terms of its own protection, thus reducing the chance that the underlying operating system is compromised. In Ceedo's case, this industry standard is kept, and even extended, by performing the same security verifications mentioned above multiple times by independent systems. NOTE: this is dependent upon the Ceedo configuration and on the third party hardware and software that has been implemented.

5 Meeting Access Control Standards The following list will give an example, illustrating how Ceedo, in addition to third party software and hardware, meets and extends industry standards regarding Access Control. The Environment The list below corresponds to Ceedo s security best practices, which include: Ceedo Workspace: o Configured in full sandbox mode, blocking any user access to the host o Configured in locked down user mode o Configured to run System Health Verification prior to launch o Whitelisted to allow only specific processes to run (including MD5 signatures) Portable driver hardware: o Password protected - encrypted USB drive o With preliminary antivirus scan enabled Third party software: o VPN SSL client for network connection o Additions beyond standard recommendations are marked with OPTIONAL Meeting Access Control Standards Hardened security settings o Both Ceedo and the encrypted drive s security settings cannot be changed by users Secure log-on and authentication o Encrypted drives are password protected o Network access is encrypted and protected under VPN SSL o OPTIONAL: Two-Factor Authentication (2FA) soft token for authenticating user identity. NOTE: For hardware-based 2FA devices, please refer to Running Ceedo from 2FA Devices chapter on page 7 Enabled host-based firewalls and up-to-date antimalware software o Before the encrypted drive opens and data is exposed: 1. Hardware-encrypted portable drives launch an Antivirus scan which assures no malware is present on the machine. NOTE: In most devices, this option should be turned on by an administrator o After drive is decrypted and before Ceedo Workspace launches: 2. Ceedo s System Health Verification checks with the host's security center that: An active native antivirus is installed on the host

6 o Antivirus is active on the host OS version and updates are up to the standards set by the administrator NOTE: Should be turned on and configured in Ceedo Enterprise Manager After Ceedo launches: 3. OPTIONAL: Additional independent antivirus/anti-spyware scans 4. Leading VPN SSL clients perform an additional extended host health check which may include: Firewall, antivirus and OS settings verification Securely configured software and up-to-date, patched software o Encrypted drives can be controlled and updated from a central management system o Ceedo Workspaces can be controlled and updated from a central management system Antimalware, Antivirus and Protection Mechanisms First independent antivirus scan The first antimalware software which is used is usually built into leading encrypted drives, and can be configured to launch once the encrypted drive is plugged-in. This means that the drive s own antivirus runs an independent scan which takes place before the drive is decrypted. Verifying host antivirus and OS health Before the Workspace itself is launched, Ceedo runs a System Health Verification which checks whether the host computer is internally protected via a functioning antivirus, and up-to-date regarding OS versions and service packs (as designated by the administrator). Verifying only approved processes run within Ceedo Once launched, the Ceedo Workspace checks that processes running within Ceedo have been whitelisted. This means that it will detect and prevent foreign and unauthorized processes from working, according to their name and internal MD5 signature. Optional third-party antimalware beefing-up Ceedo s innate versatility allows additional security-related software to be installed into the Workspace. Security software can include additional antivirus and antispyware clients, intrusion detection software, and more. IMPORTANT NOTE: Ceedo s Workspace does not support installing kernel-mode drivers, meaning that most antimalware software will be able to scan only.

7 Additional security measures: Memory Volatility Ceedo runs entirely from the device and in the host s volatile memory. This means it has zero footprint on the host, and no data or running processes are left behind on the host, even after hard-reboot, or if the device is abruptly unplugged while Ceedo is running. Registry Segregation Registry keys which are injected into the host's registry are confined to a special Ceedo registry location, meaning application registry entries are not stored where malicious software expects them to be. Device Binding Workspaces licenses are device-bound and cannot work if copied to unauthorized devices. Additionally, in most cases copying a Workspace will break it due to 'short file name' mismatches. Remote Deactivation and Limitations Workspaces can be revoked remotely from a central management system, limited to work online only, or limited to a specific number of days of being able to function offline, and so on. Running Ceedo from 2FA Devices Some companies that utilize 2FA devices use Ceedo to automatically run the device s own PKI middleware (instead of letting users install it themselves), and also add additional secure and preconfigured hardened browsers, communications software, Citrix Receiver, etc. In these cases, the device itself is usually not encrypted, nor does it have an independent antivirus checker. For this reason, it is recommended to mount Ceedo on the read-only partition of the 2FA device, and add third party security applications in high-risk environments, or if dealing with sensitive information. Tips and Guidelines for Secured Environments Use hardware-encrypted USB drives with active anti-malware scanners (such as IronKey, SafeNet, Imation, etc.) Add software-based Two-Factor Authentication (such as RSA SecureID, SafeNet soft-token, etc.) When using a 2FA device, mount components on the read-only partition

8 Whitelist processes that are allowed to run in Ceedo (configurable in Ceedo Enterprise Manager) Turn-on and configure Ceedo s System Health Verification (configurable in Ceedo Enterprise Manager) Configure Ceedo to run in a locked-down user mode Configure Ceedo Enterprise to block writing to host drives, printers, etc. Use a VPN-SSL solution with strong Access Control benchmark settings (such as Juniper) Install an independent browser within Ceedo for Internet connections (such as Firefox or Chrome) Add to the internal browser safe browsing add-ons and configurations (such as password-protected browser configuration, blacklist and whitelist URLs, add kiosk-mode, etc.) If data is highly sensitive, leave it in the datacenter or use secure cloud storage (such as Citrix s ShareFile) Employ 3rd party anti-malware, security applications, soft-biometric apps, etc.

9 Conclusion CONCLUSION Beyond the industry standard Access Controls checks which are usually performed by two independent systems that reduce the likelihood a given PC has been compromised, 3 rd party solutions can help strengthen security further. The following depicts the different systems that run, and can run, apart from the industry standard Access Control checks: Before the encrypted drive opens: 1. The encrypted drive runs a built-in independent antivirus scan which scans the host before the data on the drive is decrypted After drive is decrypted but before Ceedo launches 2. Ceedo s System Health Verification checks that the host itself is protected with its own internal antivirus, and that the OS meets the requirements set by an administrator After Ceedo launches: 3. Ceedo checks that processes running within Ceedo have been whitelisted 4. A software-based Two-Factor Authentication application authenticates users 5. An additional independent internal antivirus client can be installed into the Workspace to perform an independent scan of the Ceedo Workspace* 6. An internal antispyware client can be installed into the Workspace for other malware scans* 7. Internal Intrusion Detection software can be installed into the Workspace for detecting suspicious activities* * IMPORTANT NOTE: Ceedo s Workspace does not support the installation of kernel-mode drivers, meaning that most antimalware software will be able to scan only. Alternately, an agentless solution should be applied.