How Endpoint Encryption Works - Cstl


WHITE PAPER: HOW ENDPOINT ENCRYPTION WORKS

How Endpoint Encryption Works

Who should read this paper
Security and IT administrators

Content

Introduction to Endpoint Encryption
What is Endpoint Encryption?
What are the differences between Disk Encryption and File Encryption?
How Disk Encryption Works
How Removable Media Encryption Works
Recovery Mechanisms: Disk Encryption
Recovery Mechanisms: Removable Media Encryption

Introduction to Endpoint Encryption

If you're using a computer or a removable USB drive, the chances are you have sensitive data on these devices. Whether it's a computer with sensitive corporate information or a thumb drive with government secrets, you need to ensure there is no unauthorized access to that data should the device be lost or stolen.

Endpoint encryption (which typically includes disk encryption and removable media encryption) protects this data, rendering it unreadable to unauthorized users. This paper defines endpoint encryption, describes the differences between disk encryption and file encryption, details how disk encryption and removable media encryption work, and addresses recovery mechanisms.

What is Endpoint Encryption?

When it comes to encrypting data, there are various encryption strategies.

Disk encryption protects a hard drive in the event of theft or accidental loss by encrypting the entire disk, including swap files, system files, and hibernation files. If an encrypted disk is lost, stolen, or placed into another computer, the encrypted state of the drive remains unchanged, ensuring only an authorized user can access its contents.

Some endpoint encryption solutions (like Symantec Endpoint Encryption) also include support to encrypt files stored on or copied to removable media devices. As with disk encryption, removable media encryption helps prevent unauthorized access to information on lost or stolen devices (in this case the devices are USB flash drives, external hard drives (USB, FireWire, and eSATA), SD cards, and compact flash cards). In this way, organizations can benefit from the productivity gains associated with collaboration using removable storage without putting data at risk.

What are the differences between Disk Encryption and File Encryption?

Disk encryption typically uses one key to encrypt a hard disk, so all data can be decrypted while the system runs. If you have logged into your system and leave your computer unattended, your system is unlocked and unauthorized users can access your system just as an authorized user could.

Just as an alarm system protects an entire home and a safe provides additional security, disk encryption protects the entire computer system, and file encryption provides an additional layer of security.

File encryption encrypts specific files, so even after a user successfully authenticates to an operating system, the contents of the file remain encrypted. An application such as Symantec Endpoint Encryption's removable media capability can protect individual files and folders, prompting the user for a passphrase to permit access. File encryption requires user action, while disk encryption automatically encrypts everything you or the operating system creates.

How Disk Encryption Works

During the startup process of an operating system, a boot sequence is executed. The boot sequence is the initial set of operations that the computer performs when it is switched on. A boot loader (or bootstrap loader) is a short computer program that loads the main operating system for the computer. The boot loader first looks at a boot record or partition table, which is the logical area "zero" (or starting point) of the disk drive.

Disk encryption modifies the boot sector. For example, a computer protected with Symantec Endpoint Encryption presents a modified pre-boot environment for the user to authenticate to the computer.

This modified pre-boot screen prompts the user for authentication credentials in the form of a passphrase (typically a longer password, often resembling a sentence). At this point, the computer may ask for additional credentials such as a smart card, token, or other two-factor authentication.

After the user enters valid authentication credentials, the operating system continues to load as normal and the user can access the computer.

Most disk encryption software operates in conjunction with the file system architecture. It filters I/O operations for one or more file systems or file system volumes.

When a drive is encrypted for the first time, the software converts unencrypted drive blocks into encrypted blocks one at a time. Disk encryption allows users to continue working as normal during this initial encryption process by varying the amount of CPU power assigned to the initial encryption process.

When a user accesses a file, disk encryption decrypts the data in memory before it is presented for viewing. If the user makes any changes to the file, the data is encrypted in memory and written back to the relevant disk drive block just as it would be without encryption. Decrypted data is never available on the disk.
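The filter-driver behaviour described above (blocks converted one at a time while the system keeps running, data decrypted only in memory, writes re-encrypted before they reach the disk), as an added example in Python that is not Symantec's code: a toy block device with a conversion watermark. The HMAC-based keystream is a stand-in for the AES-XTS mode disk encryption products commonly use, and the class, method names and 16-byte block size are assumptions made for the example.

```python
import hmac
from hashlib import sha256

BLOCK = 16  # constructed toy sector size; real drives use 512- or 4096-byte sectors

def keystream(key: bytes, block_no: int, n: int) -> bytes:
    """PRF keystream bound to the block number (stand-in for the AES-XTS mode
    real products use; HMAC keeps this example stdlib-only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big"), sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class EncryptedDisk:
    """Filter-driver model: ciphertext on disk, plaintext only in memory, and an
    initial conversion that advances one block at a time behind a watermark."""
    def __init__(self, key: bytes, plaintext_image: bytes):
        assert len(plaintext_image) % BLOCK == 0
        self.key = key
        self.blocks = [plaintext_image[i:i + BLOCK] for i in range(0, len(plaintext_image), BLOCK)]
        self.watermark = 0  # blocks with index < watermark are already encrypted on disk

    def convert_next_block(self) -> bool:
        """One step of the initial encryption; the OS keeps running between steps."""
        if self.watermark >= len(self.blocks):
            return False
        i = self.watermark
        self.blocks[i] = xor(self.blocks[i], keystream(self.key, i, BLOCK))
        self.watermark += 1
        return True

    def read(self, i: int) -> bytes:
        """Decrypt in memory on the way to the caller; unconverted blocks are still clear."""
        raw = self.blocks[i]
        return xor(raw, keystream(self.key, i, BLOCK)) if i < self.watermark else raw

    def write(self, i: int, data: bytes) -> None:
        """Encrypt before the data reaches the disk, unless conversion has not reached it yet."""
        assert len(data) == BLOCK
        self.blocks[i] = xor(data, keystream(self.key, i, BLOCK)) if i < self.watermark else data

    def raw_block(self, i: int) -> bytes:
        """What is physically stored, i.e. what a lost or stolen drive exposes."""
        return self.blocks[i]
```

Note that a block written before conversion reaches it lands in the clear until the watermark passes it, which is why the initial encryption pass must complete before a drive is considered protected.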
The encryption/decryption process happens at such a speed that it appears completely transparent to the user.

How Removable Media Encryption Works

Removable media encryption software provides the ability to encrypt files on removable storage devices.

When a user copies files off a system onto a removable storage device, each file is encrypted to a password, a shared key, or a certificate. At the same time, utilities for Windows or Mac systems can be copied (if permitted by policy), allowing authorized access to the data on a machine that does not have the endpoint client installed.

This file encryption can be governed by policy, user action, or Symantec DLP. In the case of Symantec DLP, the Endpoint Prevent software monitors users' machines and recognizes when a person is moving a sensitive file off his computer. With the integration of Symantec DLP and Symantec Endpoint Encryption, administrators can ensure that files with sensitive information moving to removable media are encrypted rather than blocked, allowing business processes to continue in a secure manner.

To access the information, when the user inserts a removable media device like a USB drive with encrypted files into a computer system, the removable media encryption software prompts for a passphrase, and upon successful authentication the user can access the file.

Recovery Mechanisms: Disk Encryption

The most common cause for data recovery is a lost or forgotten passphrase. Therefore, disk encryption software must include a recovery function. There are several ways to access an encrypted system in case of a forgotten passphrase. Symantec Endpoint Encryption offers local self-recovery, a recovery token, and an administrator key, among others.

Self-recovery enables users to answer pre-defined and customizable questions at boot time to gain access to an encrypted system and reset the boot passphrase without calling IT staff.

With Help Desk Recovery enabled on a client computer, the user can access the encrypted computer under two conditions: if the user forgot his password, or if the computer is in a lockout state at preboot (which may occur if the client computer has not communicated with the management server within a set communication interval). Help Desk Recovery makes use of a one-time password (also known as a Response Key).

Another cause for data recovery, although rare, may be data corruption resulting from hardware failure or other factors such as a virus. Corruption of a master boot record on a boot disk or partition protected by disk encryption can prevent a system from booting. To protect and make accessible the data on encrypted client computers that cannot load a Microsoft Windows operating system, it is best practice to create a Windows Preinstallation Environment (Windows PE or WinPE) CD or USB flash drive immediately after installing the client software.

Recovery Mechanisms: Removable Media Encryption

There are two main recovery mechanisms that can help recover encrypted files stored on removable media. If a file is encrypted with a workgroup key (used to enable sharing files), the file may be recovered by inserting the USB drive with the encrypted file into another computer that uses the same workgroup key. Also, if the administrator has chosen the policy to encrypt files with a recovery certificate, then each file is encrypted with the public key of the recovery certificate. If the password or certificate used for encryption is lost, the administrator can use the copy of the recovery certificate with the private key to recover the encrypted file.
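The per-file keying model behind both the removable media section (each file is encrypted to a password, a shared key, or a certificate) and the recovery section above (a workgroup key or the recovery certificate's private key can open a file whose passphrase is lost), as an added Python example that is not Symantec's code: one random content key per file, wrapped once for every recipient the policy allows. The recovery certificate's public-key wrap is replaced here by a symmetric recovery key held by the administrator so the example stays stdlib-only; the header layout, slot names and KDF parameters are assumptions.

```python
import hmac
import os
from hashlib import pbkdf2_hmac, sha256

def _wrap(kek: bytes, file_id: bytes, cek: bytes) -> bytes:
    """Wrap the content key under a key-encryption key: mask it with a PRF output
    bound to the file id, then append an integrity tag so a wrong key is rejected."""
    mask = hmac.new(kek, b"wrap" + file_id, sha256).digest()
    body = bytes(a ^ b for a, b in zip(cek, mask))
    return body + hmac.new(kek, b"tag" + file_id + body, sha256).digest()

def _unwrap(kek: bytes, file_id: bytes, blob: bytes) -> bytes:
    body, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + file_id + body, sha256).digest()):
        raise ValueError("wrong key or tampered header")
    mask = hmac.new(kek, b"wrap" + file_id, sha256).digest()
    return bytes(a ^ b for a, b in zip(body, mask))

def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive the user's key-encryption key from the passphrase with a slow KDF."""
    return pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def protect_file(passphrase: str, workgroup_key=None, recovery_key=None):
    """Build the header stored beside a file on the removable device: one random
    content key (the key the file body is encrypted with), wrapped per recipient."""
    file_id, salt, cek = os.urandom(16), os.urandom(16), os.urandom(32)
    slots = {"passphrase": _wrap(passphrase_kek(passphrase, salt), file_id, cek)}
    if workgroup_key:  # shared key: any computer in the workgroup can open the file
        slots["workgroup"] = _wrap(workgroup_key, file_id, cek)
    if recovery_key:  # policy-mandated recovery slot that only the administrator can use
        slots["recovery"] = _wrap(recovery_key, file_id, cek)
    return {"file_id": file_id, "salt": salt, "slots": slots}, cek

def open_file(header: dict, passphrase=None, workgroup_key=None, recovery_key=None) -> bytes:
    """Try every credential the caller holds; any one valid slot yields the content key."""
    fid, salt, slots = header["file_id"], header["salt"], header["slots"]
    attempts = []
    if passphrase is not None and "passphrase" in slots:
        attempts.append((passphrase_kek(passphrase, salt), slots["passphrase"]))
    if workgroup_key and "workgroup" in slots:
        attempts.append((workgroup_key, slots["workgroup"]))
    if recovery_key and "recovery" in slots:
        attempts.append((recovery_key, slots["recovery"]))
    for kek, blob in attempts:
        try:
            return _unwrap(kek, fid, blob)
        except ValueError:
            continue
    raise ValueError("no usable credential: passphrase lost and no recovery slot present")
```

A file protected without a recovery slot is unrecoverable once its passphrase is gone, which is the case the recovery-certificate policy exists to prevent.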

About Symantec

Symantec protects the world's information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment, from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at go.symantec.com/socialmedia.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

1/2015 21275920-3
