Ceedo Client Family Products Security


NOTE: This document DOES NOT apply to Ceedo Desktop family of products.

ABOUT THIS DOCUMENT

The purpose of this document is to define how a company can mitigate the security risks associated with portable computing environments and reduce threats to an acceptable level in relation to industry standards. This document will outline different security and authentication measures that are and can be employed in your environment by Ceedo in addition to third party software and hardware providers.

DISCLAIMER

The content of this document is provided for general informational purposes only and should not be considered a substitute for a professional security expert's advice.

EXECUTIVE SUMMARY

Ecosystem Security

As will be highlighted in this document, there are a few basic industry standard rules that are meant to keep your corporate environment and data safe. Ceedo, together with the overall ecosystem, not only meets those standards but in fact exceeds them if the Workspace and its ecosystem are properly configured and adjusted to the required security level.

The key points of this standard, generally known as Access Control, when put in practical terms amount to: (1) password protection; (2) authentication; (3) a comprehensive system health check (i.e. a check to ensure that the system is protected by an active antivirus solution, firewall, etc., much like high-end VPN clients do).

As far as this industry standard goes, Ceedo not only meets the basic guidelines, but actually exceeds them if the environment has the appropriate configuration and specifications. For instance: block host resource access from within the environment; make sure the Ceedo System Health Check allows the Workspace to run only if the host is well protected from malware to begin with, and that the encrypted drive's own antivirus is enabled (this is an integral part of most high-end encrypted devices).

The following chart shows an example of a well-protected security flow of an environment consisting of:

- Ceedo Workspace: Configured to run in full sandbox mode under a locked down environment with Ceedo's System Health Verification running prior to Workspace launch, and with allowed processes whitelisted.
- Portable drive hardware: Password protected, encrypted USB drive with preliminary antivirus scan enabled.
- Third party software: VPN SSL client for network connection and Two-Factor Authentication client, with the addition of optional 3rd party security software.

Data Loss Prevention

When it comes to protecting your data from being compromised or leaked, there are a few guidelines which must be followed in order to meet government and/or company regulations.

First and foremost, you need to define the data sensitivity level. If the data is not sensitive, then there is nothing preventing you from simply storing the raw data on your encrypted devices. However, if the data is sensitive, the best course of action is to leave the data in the data center and grant access to it only via third party remote computing solutions such as Citrix, VNC, etc.

Another thing to make sure of is that you have configured your Ceedo Workspace to run in full sandbox mode. This means that users will not be able to print documents, save them to a local drive, etc. It is, however, important to note that this constitutes protection from "good users" doing "bad things," and after all, there is no guarantee that a "bad user" won't simply capture the screen with his smartphone or digital camera.

For more tips and guidelines, please review the Tips and Guidelines for Secured Environments chapter on page 7, and review the Conclusion chapter, on page 9.

IMPORTANT NOTE: Ceedo's new client version, Ceedo 5.0, which will be released in Q4, 2012, will have an additional feature that includes an isolation layer that prevents all Ceedo system and data files from being accessed from the host by malicious software as well as by the user. Ceedo's new sandbox mechanism will be able to protect Ceedo from malware that might be present on the device, but was not caught by either the natively installed antivirus or the encrypted drive's antivirus, and at the same time prevent users and applications running on the host from accessing data found on the Ceedo drive as an extra layer for DLP.

CEEDO IN RELATION TO INDUSTRY STANDARDS

Access Control (Host Security Verification)

Today's security industry standard uses a variety of functions as part of an overall security policy, generally known as Access Control (AC), as described in U.S. Federal Standard 1037C, which defines Access Control to be the following:

1. A service feature or technique used to permit or deny use of the components of a communications system
2. A technique used to define or restrict the rights of individuals, or application programs to obtain data from, or place data onto, a storage device
3. The definition or restriction of the rights of individuals, or application programs to obtain data from, or place data into, a storage device
4. The process of limiting access to the resources of an Automated Information System to authorized users, programs, processes, or other systems
5. That function performed by the resource controller that allocates system resources to satisfy user requests

Within the organization, on managed machines, Access Control verification is meant to assure that computers accessing corporate resources meet the following "health" and security requirements:

- Hardened security settings
- Secure log-on methods
- Strong authentication protocols
- Enabled host-based firewalls
- Antimalware software is installed and up-to-date
- Securely configured software
- Up-to-date, patched software

The above list essentially verifies that a host PC is trusted in terms of its own protection, thus reducing the chance that the underlying operating system is compromised. In Ceedo's case, this industry standard is kept, and even extended, by performing the same security verifications mentioned above multiple times by independent systems.

NOTE: this is dependent upon the Ceedo configuration and on the third party hardware and software that has been implemented.

Meeting Access Control Standards

The following list will give an example, illustrating how Ceedo, in addition to third party software and hardware, meets and extends industry standards regarding Access Control.

The Environment

The list below corresponds to Ceedo's security best practices, which include:

- Ceedo Workspace:
  o Configured in full sandbox mode, blocking any user access to the host
  o Configured in locked down user mode
  o Configured to run System Health Verification prior to launch
  o Whitelisted to allow only specific processes to run (including MD5 signatures)
- Portable drive hardware:
  o Password protected, encrypted USB drive
  o With preliminary antivirus scan enabled
- Third party software:
  o VPN SSL client for network connection
  o Additions beyond standard recommendations are marked with OPTIONAL

Meeting Access Control Standards

- Hardened security settings
  o Both Ceedo and the encrypted drive's security settings cannot be changed by users
- Secure log-on and authentication
  o Encrypted drives are password protected
  o Network access is encrypted and protected under VPN SSL
  o OPTIONAL: Two-Factor Authentication (2FA) soft token for authenticating user identity. NOTE: For hardware-based 2FA devices, please refer to Running Ceedo from 2FA Devices chapter on page 7
- Enabled host-based firewalls and up-to-date antimalware software
  o Before the encrypted drive opens and data is exposed:
    1. Hardware-encrypted portable drives launch an Antivirus scan which assures no malware is present on the machine. NOTE: In most devices, this option should be turned on by an administrator
  o After drive is decrypted and before Ceedo Workspace launches:
    2. Ceedo's System Health Verification checks with the host's security center that:
       - An active native antivirus is installed on the host
       - Antivirus is active on the host
       - OS version and updates are up to the standards set by the administrator
       NOTE: Should be turned on and configured in Ceedo Enterprise Manager
  o After Ceedo launches:
    3. OPTIONAL: Additional independent antivirus/anti-spyware scans
    4. Leading VPN SSL clients perform an additional extended host health check which may include:
       - Firewall, antivirus and OS settings verification
- Securely configured software and up-to-date, patched software
  o Encrypted drives can be controlled and updated from a central management system
  o Ceedo Workspaces can be controlled and updated from a central management system

Antimalware, Antivirus and Protection Mechanisms

First independent antivirus scan

The first antimalware software which is used is usually built into leading encrypted drives, and can be configured to launch once the encrypted drive is plugged in. This means that the drive's own antivirus runs an independent scan which takes place before the drive is decrypted.

Verifying host antivirus and OS health

Before the Workspace itself is launched, Ceedo runs a System Health Verification which checks whether the host computer is internally protected via a functioning antivirus, and up-to-date regarding OS versions and service packs (as designated by the administrator).

Verifying only approved processes run within Ceedo

Once launched, the Ceedo Workspace checks that processes running within Ceedo have been whitelisted. This means that it will detect and prevent foreign and unauthorized processes from working, according to their name and internal MD5 signature.

Optional third-party antimalware beefing-up

Ceedo's innate versatility allows additional security-related software to be installed into the Workspace. Security software can include additional antivirus and antispyware clients, intrusion detection software, and more.

IMPORTANT NOTE: Ceedo's Workspace does not support installing kernel-mode drivers, meaning that most antimalware software will be able to scan only.
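The name-plus-MD5 whitelist check described under "Verifying only approved processes run within Ceedo", sketched as an added example: this is not Ceedo's code, and the function names, file names and sample bytes are constructed for illustration. The algorithm parameter is an assumption added here so that a stronger digest such as SHA-256 can be substituted, since MD5 is not collision-resistant.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks; MD5 is the digest the document names."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths, algorithm="md5"):
    """Administrator side: record name -> digest for each approved binary."""
    return {os.path.basename(p).lower(): file_digest(p, algorithm) for p in paths}


def check_process(path, allowlist, algorithm="md5"):
    """Launch-time check: default deny, name AND digest must both match."""
    name = os.path.basename(path).lower()  # Windows file names are case-insensitive
    expected = allowlist.get(name)
    if expected is None:
        return (False, "name not whitelisted")
    if file_digest(path, algorithm) != expected:
        return (False, "digest mismatch")
    return (True, "ok")


def demo(algorithm="md5"):
    """Run the check over constructed sample files (not real Ceedo binaries)."""
    with tempfile.TemporaryDirectory() as root:

        def write(subdir, name, data):
            directory = os.path.join(root, subdir)
            os.makedirs(directory, exist_ok=True)
            path = os.path.join(directory, name)
            with open(path, "wb") as f:
                f.write(data)
            return path

        good = b"constructed approved binary"
        approved = write("approved", "browser.exe", good)
        allowlist = build_allowlist([approved], algorithm)
        cases = {
            "approved": approved,
            # Same name, different bytes: a modified or replaced binary.
            "tampered": write("tampered", "browser.exe", b"constructed modified binary"),
            # Approved bytes under a name that was never approved.
            "renamed": write("renamed", "helper.exe", good),
            # Name differs only by case and must still match.
            "case": write("case", "BROWSER.EXE", good),
        }
        return {k: check_process(p, allowlist, algorithm) for k, p in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```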

Additional security measures:

Memory Volatility

Ceedo runs entirely from the device and in the host's volatile memory. This means it has zero footprint on the host, and no data or running processes are left behind on the host, even after hard-reboot, or if the device is abruptly unplugged while Ceedo is running.

Registry Segregation

Registry keys which are injected into the host's registry are confined to a special Ceedo registry location, meaning application registry entries are not stored where malicious software expects them to be.

Device Binding

Workspace licenses are device-bound and cannot work if copied to unauthorized devices. Additionally, in most cases copying a Workspace will break it due to 'short file name' mismatches.

Remote Deactivation and Limitations

Workspaces can be revoked remotely from a central management system, limited to work online only, or limited to a specific number of days of being able to function offline, and so on.

Running Ceedo from 2FA Devices

Some companies that utilize 2FA devices use Ceedo to automatically run the device's own PKI middleware (instead of letting users install it themselves), and also add additional secure and preconfigured hardened browsers, communications software, Citrix Receiver, etc. In these cases, the device itself is usually not encrypted, nor does it have an independent antivirus checker. For this reason, it is recommended to mount Ceedo on the read-only partition of the 2FA device, and add third party security applications in high-risk environments, or if dealing with sensitive information.

Tips and Guidelines for Secured Environments

- Use hardware-encrypted USB drives with active anti-malware scanners (such as IronKey, SafeNet, Imation, etc.)
- Add software-based Two-Factor Authentication (such as RSA SecurID, SafeNet soft-token, etc.)
- When using a 2FA device, mount components on the read-only partition
- Whitelist processes that are allowed to run in Ceedo (configurable in Ceedo Enterprise Manager)
- Turn on and configure Ceedo's System Health Verification (configurable in Ceedo Enterprise Manager)
- Configure Ceedo to run in a locked-down user mode
- Configure Ceedo Enterprise to block writing to host drives, printers, etc.
- Use a VPN-SSL solution with strong Access Control benchmark settings (such as Juniper)
- Install an independent browser within Ceedo for Internet connections (such as Firefox or Chrome)
- Add safe browsing add-ons and configurations to the internal browser (such as password-protected browser configuration, blacklist and whitelist URLs, add kiosk-mode, etc.)
- If data is highly sensitive, leave it in the datacenter or use secure cloud storage (such as Citrix's ShareFile)
- Employ 3rd party anti-malware, security applications, soft-biometric apps, etc.

CONCLUSION

Beyond the industry standard Access Controls checks which are usually performed by two independent systems that reduce the likelihood a given PC has been compromised, 3rd party solutions can help strengthen security further. The following depicts the different systems that run, and can run, apart from the industry standard Access Control checks:

Before the encrypted drive opens:

1. The encrypted drive runs a built-in independent antivirus scan which scans the host before the data on the drive is decrypted

After drive is decrypted but before Ceedo launches:

2. Ceedo's System Health Verification checks that the host itself is protected with its own internal antivirus, and that the OS meets the requirements set by an administrator

After Ceedo launches:

3. Ceedo checks that processes running within Ceedo have been whitelisted
4. A software-based Two-Factor Authentication application authenticates users
5. An additional independent internal antivirus client can be installed into the Workspace to perform an independent scan of the Ceedo Workspace*
6. An internal antispyware client can be installed into the Workspace for other malware scans*
7. Internal Intrusion Detection software can be installed into the Workspace for detecting suspicious activities*

* IMPORTANT NOTE: Ceedo's Workspace does not support the installation of kernel-mode drivers, meaning that most antimalware software will be able to scan only. Alternately, an agentless solution should be applied.