GUARDIANEDGE HARD DISK ENCRYPTION
Protects Data on PC Hard Drives from Loss or Theft

Data stored in an unprotected state on laptop and desktop PCs invites unacceptable risks—and the costs of data loss go beyond endangering critical IP or competitive data. With the advent of tough new privacy laws worldwide, compromising customer or employee data through a security breach can subject organizations to stiff fines, crippling remediation costs, and embarrassing public disclosures.
Strong encryption provides the only sure way to protect your organization’s critical information from falling into the wrong hands. It also provides a “safe harbor” from disclosure requirements in the event a machine containing legally protected data is lost or stolen.
Only GuardianEdge Hard Disk Encryption reduces management, implementation and deployment costs for this protection by allowing organizations to make maximum use of existing IT infrastructure. This includes the industry’s only native integration with Microsoft® Active Directory®. It also combines single console support for Active Directory, Novell eDirectory™ and non-domain endpoints with management for other GuardianEdge data protection products to make endpoint data protection across the entire organization simple and easily accessible for administrators.
By deploying GuardianEdge Hard Disk Encryption, organizations can:
- Prevent data loss due to theft or accidental loss of laptop and desktop PCs by ensuring all data on the hard disk is encrypted
- Assure that intellectual property and sensitive or legally protected information is accessible only to authorized users
- Meet regulatory compliance requirements through strong, centrally managed encryption, including FIPS 140-2 certified and AES 128 bit/256 bit encryption
- Benefit from the “safe harbor” provided by encryption to eliminate the legal liability, customer service costs and brand erosion associated with data breach disclosures when laptops and desktops are lost or stolen
- Safeguard intellectual property by using full disk or multi-partition encryption to protect data
- Leverage Microsoft Active Directory and Novell eDirectory to reduce the cost and complexity of deploying and managing an endpoint data protection solution
- Transparently manage endpoint security policies with system policies and user policies through full integration with Active Directory GPO and native policy deployment
- Implement a pre-boot authentication environment integrated with Microsoft Single Sign-On and Novell Single Sign-On to ensure that only authorized users can gain access to data
- Extend pre-boot environment access control with multi-factor authentication for enhanced access protection, when combined with GuardianEdge Advanced Authentication
- Proactively identify and protect systems at risk of data loss, and remediate from the same console administrators now use for configuration, patch and update management, when combined with GuardianEdge Altiris Connector
Client Environment
- No additional log-in required (integrated with Microsoft and Novell Single Sign-On)
- High performance encryption
- Secure client/server communications
- Power failure protection for computers without a battery or backup power source during initial encryption
Pre-boot Authentication
- Microsoft and Novell Single Sign-on integration
- Password authentication (multi-factor authentication available with GuardianEdge Advanced Authentication)
- Secure Wake on LAN capability for seamless operation with enterprise patch and update management tools
- Lockout on maximum time-since-last-check-in exceeded (configurable)
- Password entry delay on failed password attempt threshold (configurable)
- Multiple user and administrator accounts (up to 1000 each)
Encryption
- Full disk or multi-partition including: master boot record, OS and system files, swap/hibernation files
- 256- or 128-bit AES
- FIPS 140-2 validated cryptographic library, CC EAL4 pending
Administrative Tools
- Remotely disable authentication of a targeted user
- Hard drive access tool to allow OS repair
- Integrated with forensic data recovery tools to retrieve data from crashed or evidential hard drives (Guidance EnCase Forensics)
- Remote, one-time password capability
- Integration with enterprise-grade deployment tools such as SMS, Tivoli, Altiris
- Real-time audit logging: policy changes, user actions (succeeded/failed authentication, attempts to uninstall the product, password recovery, change of password)
The GuardianEdge Data Protection Platform
- Native Microsoft Active Directory integration
- Support for Novell eDirectory and for non-domain computers
- Single console for Active Directory, eDirectory and other computers
- Common administration and management with other GuardianEdge endpoint data protection products
- Shared security and management services across data protection applications
- Unified auditing and reporting environment
- Single sign-on integration. Secure client/server communications. Minimal intrusion into existing user workflows and operation
The Only Native Active Directory Integration
- Deploy and manage with existing infrastructure
- Low training and support costs, fast rollouts
- GPO based policy deployment
- MMC snap-in architecture
- Role based policy administration
- Detailed auditing and reporting
Recovery from Lost Passwords
- Simple and secure access to encrypted PCs in the event of lost passwords with self-service or admin-assisted recovery
Client Computers
- Microsoft Windows XP Pro SP2 and SP3, Windows XP Tablet Edition, Windows 2000 SP4, Windows Vista (Business, Enterprise and Unlimited)
GuardianEdge Management Server
- Microsoft Server 2003 Standard or Enterprise
Database - Microsoft SQL Server 2005
- Express Edition with Advanced Services, Standard or Enterprise
Two-factor authentication
- When used with GuardianEdge Advanced Authentication, supports an extensive set of authentication tokens and token readers
GuardianEdge Advanced Authentication Integration
- Extend data protection with certificate based user authentication by adding GuardianEdge Advanced Authentication to Hard Disk Encryption
- Pre-boot environment multi-factor authentication
- Smartcard/Common Access Card (CAC) support
- Extensive support for readers and tokens
- PKI environment support
GuardianEdge Altiris Connector Integration
- Integrates GuardianEdge Hard Disk and Removable Storage Encryption controls with the Altiris Notification Server
- Manage Removable Storage Encryption and Hard Disk Encryption from a common management environment with asset, configuration, patch and update
- Easily identify systems without protection
- Remediate immediately from the Altiris Notification Server
- The industry’s only native Active Directory integration
The unique GuardianEdge approach to management is based on an MMC snap-in architecture, MSI and EXE files for deployment, as well as Microsoft® Active Directory® GPOs for policy control. This approach leverages the significant investment that organizations have already made in Active Directory—a scalable, robust and familiar management environment. It includes existing organizational structures such as groups, OUs and domains, role-based administration, training, replication and failover. The result is the industry’s lowest total cost of ownership, with minimal training requirements for IT staff and fast deployments.
- Manage endpoint data protection for all PCs from the same console
Not only does GuardianEdge have the only native integration to Active Directory, it also supports Novell eDirectory and non-domain endpoints from the same single console environment. This makes it possible for organizations that primarily use eDirectory as their directory services solution, or that use it in addition to Active Directory, to get the full benefit of GuardianEdge’s integrated data protection platform. In addition, as users increasingly work from home with either a full-time or part-time connection to the network, and as contractors bring their machines into the network, these PCs not registered with the domain can also be protected and managed from this same single management console.
- Single console administration for endpoint data protection products
Enterprises also need common administration for data protection solutions. GuardianEdge enables common policy management, reporting, role-based administration, help desk, key management and other administrative actions for GuardianEdge applications (Hard Disk Encryption, Removable Storage Encryption and Device Control) from the same single management console.
- Proven ease of operation
GuardianEdge Hard Disk Encryption is based on a 13 year track record of success in full disk encryption solutions. It boasts the highest success rates on deployment of any full disk encryption solution, as well as a long list of satisfied blue chip customers. Additionally, service and support for GuardianEdge products—a key component of any enterprise-class solution—meets the highest standards for availability, customer satisfaction and expert assistance.
- Non-disruptive – Transparent to end users
For successful deployment and operation, a full disk encryption solution must both protect data and make it possible for workers to use their PCs productively. Key to this balance are minimal user adoption requirements, and implementations that allow users to continue to use their systems as they have in the past, while providing the protection organizations require for their data.
- Integrated with Microsoft and Novell Single Sign-on so that users only need to log in to their systems once, and do so with the same credentials that they use now across the network
- Simple, and even automatic, user registration processes that are non-intrusive or minimally intrusive into user operation are built in
- Initial encryption that takes place in the background and works properly even when power is unplugged during initial encryption of hard disks to prevent failures during the initial encryption process
- Ongoing encryption occurs on the fly, in a background operation mode that has minimal impact on the speed users perceive when reading and writing data (typically an overhead of 3% or less) and no impact on their daily tasks
- Systems management tools can work on PCs protected with hard disk encryption to update configurations, patches and other settings just as they do with unprotected PCs
Disk Encryption
- What is a pre-boot operating system, and why is it important?
A pre-boot operating system is a small, fast, secure environment that hosts user authentication for GuardianEdge Hard Disk Encryption endpoints. This pre-boot operating system is hardened to protect against security exploits, with entry points rigidly defined to create a very small attack surface relative to the endpoint’s main operating system. It provides a highly secure environment for user authentication with features like automatic delay after a pre-defined number of incorrect password attempts, and supports user productivity with features like single sign-on to Windows.
- What is AES encryption and how is it used?
During installation of the GuardianEdge Hard Disk Encryption endpoint client, a unique workstation encryption key is created and securely stored on the drive. The GuardianEdge Hard Disk Encryption driver intercepts all drive read and write requests from the operating system, and uses the workstation encryption key in combination with the Advanced Encryption Standard (AES) algorithm to encrypt every block of data when Windows writes a file to the drive, and decrypt every block of data into memory when Windows reads a file from the drive. Data stored on the drive is always encrypted. As Windows reads a file, GuardianEdge Hard Disk Encryption decrypts data into memory – never onto the drive!

