Source: credant-security.co.uk/pdf/white-papers/...Enterprise-Technical.pdf

CREDANT Mobile Guardian - Enterprise Edition

Technical White Paper September 2007

CREDANT Technologies Security Solutions

White Paper

CREDANT Technologies 15303 Dallas Parkway, Suite 1420

Addison, Texas 75001 www.CREDANT.com


CREDANT Mobile Guardian Enterprise Edition Technical White Paper

CREDANT Technologies Confidential - Not to be distributed without the express permission of CREDANT Technologies. Copyright © 2002-2007 CREDANT Technologies, Inc. All rights reserved.

2

Table of Contents

THE MOBILE DATA SECURITY CHALLENGE ... 3
CREDANT MOBILE GUARDIAN ARCHITECTURE: INTEGRATED SOLUTION FOR EASY DEPLOYMENT ... 3
    CREDANT Mobile Guardian Enterprise Server ... 5
    CREDANT Mobile Guardian Policy Proxy ... 5
    CREDANT Mobile Guardian Local Gatekeeper ... 6
    CREDANT Mobile Guardian Shield ... 7
        CMG Shield for Notebooks, Tablet PCs or Desktops, and External Media ... 8
        CMG Shield for PDAs, Smartphones and External Media ... 8
    Optional Over-The-Air (OTA) Sync Control for PDAs, Smart Phones ... 10
    Negligible Network Impact of CMG Installation ... 10
CMG FUNCTIONALITY ... 10
    ENTERPRISE LDAP DIRECTORY INTEGRATION ... 10
    ENTERPRISE DATABASE INTEGRATION ... 11
    BROWSER-BASED CENTRALIZED ADMINISTRATION ... 11
        Separation of Administrative Duties ... 12
        Audit Logs and Reporting ... 13
        Mobile Device Inventory Management ... 14
    SECURITY POLICY DISTRIBUTION ... 15
        Over-The-Air Policy Updates for Pocket PC, Smartphone ... 16
        User Authentication ... 16
        Multi-Factor Authentication Support ... 17
        Self-Service PIN/Password Reset and Remote Device Recovery ... 18
    POLICY-BASED INTELLIGENT ENCRYPTION™ ... 19
        Five Layers of Defense ... 19
            Windows Desktops, Notebooks and Tablet PCs ... 20
        FIPS Validation ... 21
    ENCRYPTED DATA RECOVERY ... 21
        Automatic Key Escrow for Immediate Recovery ... 21
    USER AUTHORIZATION AND CONTROL FOR PDAS AND SMARTPHONES ... 22
        User Status and Device Access Controls ... 22
        User and Device Mutual Authentication ... 22
        On-Device Application Controls ... 23
        Communication Port Controls ... 23
        Always On, Instant Access ... 23
        Bluetooth® Proximity Access ... 23
    CISCO NAC SUPPORT FOR WINDOWS-BASED DEVICES ... 23
    ADDITIONAL USABILITY FEATURES OF CREDANT MOBILE GUARDIAN, EDITION 5.3 * ... 24
    CREDANT MOBILE GUARDIAN SOFTWARE UPDATES ... 25
SUMMARY ... 26
CONTACT US ... 26


THE MOBILE DATA SECURITY CHALLENGE

In an enterprise-wide mobile computing environment, the use of disparate mobile devices—cell phones, personal digital assistants (PDAs), notebook computers, tablet PCs, smart phones (converged PDA/cell phone devices) and various types of removable media—makes it extremely difficult to control user behavior. You can no longer be sure who has access to your data or where it resides. Most enterprises find it impossible to even know how many devices are used by their employees, let alone what data resides on those devices. Employees often purchase their own device and synchronize email and other corporate data to their computers at work and at home, placing sensitive data outside the reach of IT and security. Furthermore, driven by productivity and enhanced customer relationship benefits, the use of diverse types of mobile devices will continue to grow rapidly, making it increasingly difficult for organizations to detect, protect, manage and support them. The large and growing memory capacity of mobile devices combined with the plummeting price of memory cards makes it more likely that users will store even more critical information on their devices or on their device's removable media, making it imperative that this information be encrypted for privacy. Gartner [1] predicted that by year-end 2007, 80 percent of Fortune 1000 enterprises will encrypt most critical "data at rest," including data at rest (stored) in mobile devices. Information previously secured within the physical confines of corporate networks is now unsecured, untethered, and mobile.

CREDANT Mobile Guardian (CMG) Enterprise Edition helps organizations regain control of their sensitive data, regardless of where it resides. This mobile data security solution provides centrally managed, policy-based security for a broad range of mobile devices. The CMG solution was developed using industry standards to provide the security, flexibility, compatibility and scalability needed to meet a wide variety of mobile enterprise data security requirements. CREDANT Mobile Guardian is the only enterprise-scale security solution to protect all mobile data with enforced security that follows the data across all endpoints.

CREDANT MOBILE GUARDIAN ARCHITECTURE: INTEGRATED SOLUTION FOR EASY DEPLOYMENT

The CREDANT Mobile Guardian (CMG) Enterprise Edition integrated components interoperate seamlessly, allowing for easy deployment (Figure 1). Through a single management interface, administrators can control and secure a broad range of mobile device platforms—external media; Microsoft Windows-based desktop, tablet and notebook PCs; Windows Mobile devices; Palm-, RIM-, and Symbian-based smart phones and PDAs—and any sensitive data that resides on them.

[1] Gartner, "Recommendations for Infrastructure Protection, 2006", G00137697, Ray Wagner, Peter Firstbrook, Neil MacDonald, Vic Wheatman, John Girard, Avivah Litan, Rich Mogull, Amrit T. Williams, Lawrence Orans, John Pescatore, Mark Nicollett, Jay Heiser, Paul Proctor, Greg Young, p. 5, February 10, 2006.


Figure 1. CREDANT Mobile Guardian Architecture

CMG Enterprise Server integrates with enterprise directories to provide a central, web-based interface for security policy definition and management, real-time mobile device inventory, and continuous reporting of mobile device security status for policy compliance.

CMG Policy Proxy resides on the corporate network or in the DMZ to provide secure distribution of policies and policy updates from the CMG Enterprise Server to the CMG Shield. It also collects device inventory and reports it back to the CMG server for auditing and reporting.

CMG Shield resides on mobile devices and external media to enforce mobile security policies even if the device is disconnected from the network. It enforces strong authentication, Policy-based Intelligent Encryption, and device and end-user controls.

CMG Local Gatekeeper resides on desktops and notebooks to automatically detect, protect and control mobile devices that synchronize locally to the PC. It provides secure, distributed communications between CMG Shield and CMG Enterprise Server for transparent delivery and management of policy and software updates.

(Optional) CMG Over-the-Air (OTA) Sync Control enhances Microsoft® Exchange ActiveSync® to enforce Shielding before allowing handhelds to synchronize email, contacts and other corporate data wirelessly with Exchange.

CMG Enterprise Edition is configurable to address a wide range of mobile data security needs, and its flexible deployment options fit unique enterprise environments without disrupting networks or detracting from the user experience.


CREDANT MOBILE GUARDIAN ENTERPRISE SERVER

The CREDANT Mobile Guardian Enterprise Server is a modularized, web-based application that provides a variety of benefits including:

• A single, secure administration interface to manage security across disparate mobile devices
• Default security policies that can be easily adjusted to align mobile data security to the type of user, device and location
• Automated and transparent archiving of encryption keys to enable Day Zero data recovery
• Read-only integration with enterprise LDAP directories to enable global, group, or individual user level security policies
• Inventory management and reporting
• Self-service and administrator-assisted device recovery in case of authentication failure
• Enterprise database integration for a scalable and reliable solution

Flexibility for Different Enterprise Environments

CREDANT Technologies believes that security solutions should be flexible enough to fit a variety of enterprise environments, thus minimizing the impact on IT and end users. Through the CMG interface, security administrators can monitor the real-time state of mobile device discovery and policy compliance. Default global policies, based on security best practices, help enterprises begin securing their mobile data quickly. A common policy editor across all mobile devices significantly reduces the learning curve, lowering implementation costs. Five administrator roles provide separation of administrative duties, further protecting the enterprise with a solution that is flexible enough to fit existing IT and security procedures. Mobile device inventory management, policy management, auditing, and reporting are all supported through an ODBC-compliant database to help manage regulatory compliance.

The CMG Enterprise Server consists of multiple components that can be installed on a single server or distributed across multiple servers, depending on the size of your environment and your deployment needs: Enterprise Server, Web Interface, Device Server, Directory Connector, Gatekeeper Connector, Wireless Deployment Server and the optional Over-the-Air Sync Control. These components should be installed in a physically secured environment, behind a firewall within the corporate network. The CMG server must have network connectivity to the LDAP directory server, the database, the CMG Policy Proxy and Local Gatekeepers, and any PCs with CMG Shield for Windows installed; however, continuous network connectivity is required only with the database. The CMG Enterprise Server components can reside on one or more dedicated servers running:

• Microsoft Windows 2000 Server SP4
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2003 Server SP1 or SP2 (including R2)

CREDANT MOBILE GUARDIAN POLICY PROXY

CREDANT Mobile Guardian's Policy Proxy is a software agent that resides on systems in the corporate network or DMZ to provide a variety of benefits including:

• Automatic, secure distribution of mobile users' security policies
• Trusted, scalable, reliable paths for communication between CMG components
• Web-based installation and activation of the CMG Shield
• Grouping options for scalability and redundancy
• Communication of device status and inventory to the CMG Server


The CMG Policy Proxy distributes policy updates to Windows notebooks, desktops, and handheld devices that do not synchronize to a PC. The Policy Proxy helps organizations manage security policies for Windows, Pocket PC, Smartphone, BlackBerry, and Symbian devices. Deploying Policy Proxies in groups allows devices to get policy from any Policy Proxy in the group for reliable policy updates even in case of network outages or hardware failure. The CMG Policy Proxy also collects device inventory and reports this back to the CMG Enterprise Server for auditing and reporting. The CMG Policy Proxy software runs on:

• Microsoft Windows 2000 Professional SP4
• Microsoft Windows XP Professional SP1 or SP2
• Microsoft Windows XP Tablet PC Edition SP2
• Microsoft Windows 2000 Server SP4
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2003 Server SP1 or SP2 (including R2)

CREDANT MOBILE GUARDIAN LOCAL GATEKEEPER

CREDANT Mobile Guardian Local Gatekeeper is a software agent that resides on desktops and notebook computers to provide a variety of benefits including:

• Automatic discovery and reporting of handheld mobile devices
• Enforcement of supported and unsupported mobile device lists
• Policy-based installation of the CMG Shield software on diverse mobile devices
• Automatic, secure distribution of handheld mobile users' security policies and encryption keys
• Control over which PCs a mobile device can synchronize to
• Trusted, scalable, reliable paths for communication between CMG components

The Local Gatekeeper is the key to gaining control of your mobile device population and reducing the risk of sensitive corporate data leaking without your knowledge. The Local Gatekeeper can automatically detect synchronization software and identify the type of PDA or Smartphone being used. When deployed in report-only mode, it can silently gather extensive mobile device inventory information without the end user's knowledge. Once collected, this inventory is passed to the CMG Enterprise Server for auditing and reporting. The Local Gatekeeper eliminates the need for IT to manually provision mobile devices by automating the distribution of CMG Shield and a mobile user's security policies and encryption keys. The Local Gatekeeper also enforces mutual authentication between the mobile device and the companion PC, reducing the risk of unauthorized access to business information. This mutual authentication can ensure that the mobile device only synchronizes to protected, corporate systems—a critical feature for organizations trying to keep their sensitive data on devices they can secure and control. The Local Gatekeeper works with a variety of third-party synchronization applications, including Sony Ericsson PC Suite, Palm HotSync, Microsoft ActiveSync, and other compatible products. The Local Gatekeeper installation can be automated via scripts, batch files or industry-standard software distribution tools such as SMS and Tivoli. It runs on any desktop, notebook or tablet PC running:

• Microsoft Windows 2000 SP4
• Microsoft Windows XP Professional SP1 or SP2
• Microsoft Windows XP Tablet PC Edition SP2


The CMG Local Gatekeeper can be configured to operate in one of three modes to accommodate security, phased deployment, internal billing, or chargeback requirements for PDAs and smart phones.

Report Only mode – The CMG Local Gatekeeper does not prevent a user from synchronizing, but reports the presence of synchronization software on the companion PC, the synchronization software version, and the models and the operating systems of all devices that synchronize with the companion PC. In this mode the user is completely unaware of any action by CMG, while organizations gather the information they need to understand how many devices are carrying their sensitive corporate data outside the organization.

Report and Disable mode – The CMG Local Gatekeeper blocks the use of synchronization software on the companion PC and does not allow any device to synchronize. This mode also reports the information detailed in the "Report Only" mode when a user attempts to synchronize.

Auto Install mode – The CMG Local Gatekeeper automatically prompts the user to Shield any unsecured mobile device that attempts to synchronize with the companion PC. If the user refuses, the device is not allowed to sync to that PC. If the user accepts, the Gatekeeper installs the CMG Shield software on the device and allows the user to synchronize. After the initial installation of CMG Shield, all subsequent policy updates are automatically pushed to the device by CMG Local Gatekeeper. The Auto Install mode also reports the information detailed in the "Report Only" mode each time a user synchronizes a device to the PC.

The CMG Local Gatekeeper can also be configured to communicate with the CMG Shield, with the exception of BlackBerry devices that are managed by the CMG Policy Proxy, in either a one-to-many or many-to-many arrangement. The one-to-many configuration ensures that each occurrence of CMG Local Gatekeeper can only communicate with specific occurrences of CMG Shield. This supports situations where a single mobile user with one or more mobile devices can synchronize with only one specific CMG enabled companion PC. The many-to-many configuration ensures that any occurrence of CMG Shield can communicate with any occurrence of CMG Local Gatekeeper as defined by the administrator. This configuration supports implementations such as distribution facilities and hospitals where multiple mobile users need to synchronize with multiple, geographically dispersed workstations.
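The three Gatekeeper modes and the one-to-many pairing rule described above, modelled as a single sync-attempt decision routine. This is an added example, not CREDANT's code; the class names, the inventory-report fields and the representation of a one-to-many binding as a set of permitted device ids are assumptions.

```python
"""Decision model for the CMG Local Gatekeeper's Report Only, Report and
Disable, and Auto Install modes, plus one-to-many / many-to-many pairing.
Added illustration; every name here is an assumption, not a CREDANT API."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    REPORT_ONLY = "report_only"
    REPORT_AND_DISABLE = "report_and_disable"
    AUTO_INSTALL = "auto_install"


@dataclass
class Device:
    device_id: str
    model: str
    os: str
    shielded: bool = False          # True once CMG Shield is installed


@dataclass
class SyncReport:
    """Inventory record the Gatekeeper forwards to the Enterprise Server:
    the sync software and version on the companion PC, the device model
    and OS, and what happened to the attempt."""
    pc: str
    sync_software: str
    sync_version: str
    device_id: str
    model: str
    os: str
    outcome: str


@dataclass
class Gatekeeper:
    pc: str
    mode: Mode
    sync_software: str
    sync_version: str
    # One-to-many: only these device ids may sync with this companion PC.
    # None means many-to-many: any administrator-defined Shield may sync.
    bound_devices: Optional[set] = None
    reports: list = field(default_factory=list)

    def _report(self, dev: Device, outcome: str) -> None:
        self.reports.append(SyncReport(self.pc, self.sync_software,
                                       self.sync_version, dev.device_id,
                                       dev.model, dev.os, outcome))

    def sync_attempt(self, dev: Device, user_accepts_shield: bool = False) -> bool:
        """Return True if the device is allowed to synchronize with this PC.
        Every attempt is reported, whatever the outcome."""
        if self.bound_devices is not None and dev.device_id not in self.bound_devices:
            self._report(dev, "denied: not bound to this companion PC")
            return False
        if self.mode is Mode.REPORT_ONLY:
            self._report(dev, "allowed (report only)")
            return True
        if self.mode is Mode.REPORT_AND_DISABLE:
            self._report(dev, "denied: synchronization disabled")
            return False
        # AUTO_INSTALL: an unshielded device must accept Shield before syncing.
        if not dev.shielded:
            if not user_accepts_shield:
                self._report(dev, "denied: user declined Shield")
                return False
            dev.shielded = True     # Gatekeeper installs Shield, then allows sync
        self._report(dev, "allowed (shielded)")
        return True
```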

CREDANT MOBILE GUARDIAN SHIELD

CREDANT Mobile Guardian Shield is the on-device component that enforces security policies whether a mobile device is connected to the network or not, to protect the device and its external media, even if they are lost or stolen. The Shield supports a variety of platforms and helps organizations extend their trusted environment to ensure protection of sensitive mobile data. CMG Shield is tightly integrated with the mobile device operating system to provide consistently enforced access control, encryption and authorization. CMG Shields communicate with CMG Enterprise Server via either CMG Local Gatekeeper or CMG Policy Proxy, depending on how CMG Shield is configured during installation. For organizations that support a combination of over-the-air and local PC synchronization, CMG Local Gatekeepers and the CMG Policy Proxy can be combined to enable simple CMG Shield deployment and policy updates for both types of synchronization.


CMG Shield for Notebooks, Tablet PCs or Desktops, and External Media

CREDANT Mobile Guardian Shield for Windows-based devices provides a variety of benefits including:

• Policy-based Intelligent Encryption protects critical data anywhere on the disk or on removable media to help your organization ensure compliance with government legislation
• On-device mobile security policy enforcement (works in both connected and disconnected mode)
• Integration with Cisco NAC protects against enterprise threats on two different fronts: the mobile platform and the network
• GINA replacement option that can be enabled or disabled for superior flexibility, interoperability with the Windows login, and transparency for the user
• FIPS 140-2 validated encryption algorithms
• Restrict the use of external storage devices or allow an authenticated user to securely place files onto the external device for storage or transfer of the data
• Automatically and transparently encrypt any data as it is written to external media; allow the user to transfer encrypted external media data to a computer not protected by CMG, and still be able to securely read and write encrypted data to the external media
• Flexible and secure recovery of encrypted data
• Self-service PIN/password reset to reduce the helpdesk burden
• Seamless, standards-based integration with multi-factor authentication technologies like RSA, biometrics, and smartcards
• Administrator-assisted recovery to restore access to the device in case of forgotten authentication credentials, even when disconnected from the corporate network
• Automatic fail-safe actions if the device is lost or stolen

CMG Shield has been tested with a wide range of notebooks and tablets from many manufacturers, including HP, Dell, IBM, Toshiba and others. CMG Shield for Windows is compatible with systems running:

• Microsoft Windows 2000 SP4
• Microsoft Windows XP Professional SP1 or SP2
• Microsoft Windows XP Tablet PC Edition SP2

CMG Shield for PDAs, Smartphones and External Media

CREDANT Mobile Guardian Shield for PDAs and Smartphones, and their external media, provides a variety of benefits including:

• Policy-based Intelligent Encryption protects critical data anywhere on the disk or on removable media to help your organization ensure compliance with government legislation
• On-device mobile security policy enforcement (works in both connected and disconnected mode)
• Enforced mandatory access control, including support for biometric two-factor authentication


• Restrict the use of external storage devices or allow an authenticated user to securely place files onto the external device for storage or transfer of the data
• Automatically and transparently encrypt any data as it is written to external media; allow the user to transfer encrypted external media data to a computer not protected by CMG, and still be able to securely read and write encrypted data to the external media
• FIPS 140-2 validated encryption algorithms for Palm, PPC and Smartphone
• Self-service PIN/password reset to reduce the helpdesk burden
• Administrator-assisted recovery to restore access in case of forgotten authentication credentials, even when disconnected
• Automatic fail-safe actions if the device is lost or stolen
• Automatic, transparent mutual authentication between the mobile device and the companion PC to control leakage of your data from your corporate network
• Device application remains "always on" and user remains "always authenticated" if a trusted Bluetooth device (headset, GPS unit, even the car itself) is within range
• Policy options to restrict application access and use (allows for white list and black list control)
• Centrally managed control of infrared port, Bluetooth, camera and microphone function and network connectivity
• Allows organizations to take full advantage of Microsoft Security Features Pack (MSFP) and Exchange ActiveSync for Windows Mobile 5 devices

CMG Shield for PDAs, Smartphones and External Media offers a variety of options to secure access to these mobile devices, including PIN, Password, and Question/Answer authentication. Administrators can set policy around how many attempts users are allowed before they fail over from one authentication method to the next. Flexible policies offer a balance between security and user comfort via a variety of options that enforce the length and type of characters required in the credentials as well as control over history and aging of credentials. The self-service PIN/Password/Question and Answer reset lets you define multiple types of authentication so users can reset their own forgotten authentication credentials without having to call the helpdesk. If the user fails all authentication options, they can call the helpdesk for secure, remote recovery. Fail-safe actions like incremental cool down, deletion of encrypted data or hard reset can be set in case all four authentication options are failed. A wide range of synchronization mechanisms are supported, including USB, serial, infrared (IR) and network, as well as third-party network-based synchronization and management solutions. CMG Shield has been tested with a wide range of mobile devices from many manufacturers. CMG Shield for PDAs, Pocket PCs and Smartphones is compatible with:

• Palm® OS 5.x
• Windows Mobile® 2003 Pocket PC and Smartphone
• Windows Mobile 5.0 Pocket PC and Smartphone
• Windows Mobile 6.0 Pocket PC and Smartphone
• RIM® Java OS 4.0 BlackBerry™ devices
• Symbian® OS 7.x devices (Nokia Series 80)
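The authentication fail-over chain and fail-safe actions described in the paragraph above (attempt limits per method, fail-over to the next method, then an incremental cool down and finally deletion of encrypted data), as an added example that is not CREDANT's code. The method order PIN, Password, Question/Answer, the attempt limits, the doubling cool-down, the lockout count that triggers the wipe and the sample credentials are all assumptions.

```python
"""On-device authentication fail-over and fail-safe policy model.
Added illustration; class names, limits and escalation order are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class AuthPolicy:
    # Ordered methods; after max_attempts on one, the user fails over to the next.
    method_order: List[str] = field(default_factory=lambda: ["pin", "password", "qa"])
    max_attempts: Dict[str, int] = field(
        default_factory=lambda: {"pin": 3, "password": 3, "qa": 3})
    # Fail-safe escalation once every method has been exhausted (assumed chain):
    cool_down_base_seconds: int = 30    # incremental: doubles on each further lockout
    wipe_after_lockouts: int = 3        # delete encrypted data at this lockout count


@dataclass
class DeviceAuth:
    policy: AuthPolicy
    verifiers: Dict[str, Callable[[str], bool]]   # method -> credential check
    method_index: int = 0
    attempts: int = 0
    lockouts: int = 0
    cool_down_until: float = 0.0
    wiped: bool = False

    @property
    def current_method(self) -> str:
        return self.policy.method_order[self.method_index]

    def authenticate(self, credential: str, now: float) -> str:
        """Return 'ok', 'retry', 'failover', 'cool_down' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.cool_down_until:
            return "cool_down"          # still locked out, input is ignored
        if self.verifiers[self.current_method](credential):
            self.method_index = 0       # success resets the chain
            self.attempts = 0
            return "ok"
        self.attempts += 1
        if self.attempts < self.policy.max_attempts[self.current_method]:
            return "retry"
        # This method is exhausted: fail over to the next one, or fail-safe.
        self.attempts = 0
        if self.method_index + 1 < len(self.policy.method_order):
            self.method_index += 1
            return "failover"
        return self._fail_safe(now)

    def _fail_safe(self, now: float) -> str:
        self.lockouts += 1
        self.method_index = 0
        if self.lockouts >= self.policy.wipe_after_lockouts:
            self.wiped = True           # stands in for "delete encrypted data" / hard reset
            return "wiped"
        delay = self.policy.cool_down_base_seconds * 2 ** (self.lockouts - 1)
        self.cool_down_until = now + delay
        return "cool_down"

    def helpdesk_recovery(self) -> None:
        """Administrator-assisted remote recovery clears the lockout state
        (a wiped device needs re-provisioning, which this model does not cover)."""
        self.method_index = 0
        self.attempts = 0
        self.cool_down_until = 0.0


def sample_device() -> DeviceAuth:
    """Constructed sample device with assumed credentials for demonstration."""
    return DeviceAuth(AuthPolicy(), {
        "pin": lambda c: c == "1234",
        "password": lambda c: c == "s3cret",
        "qa": lambda c: c == "rover",
    })
```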

CMG External Media Shield (USB sticks, iPods/MP3 players, memory cards, compact flash drives) is compatible with portable storage devices accessing data from:

• Microsoft Windows 2000 Professional
• Microsoft Windows XP (32-bit) Professional, Home, Media Center and Tablet PC


OPTIONAL OVER-THE-AIR (OTA) SYNC CONTROL FOR PDAS, SMART PHONES

CREDANT Mobile Guardian's Over-The-Air (OTA) Sync Control feature for Microsoft Exchange Server enables organizations to detect any Windows Mobile, Palm and Symbian device that attempts connection via Exchange ActiveSync (EAS) and blocks the connection if the device does not have CMG Shield installed. Once CMG detects the installed Shield on the device, the device is allowed to synchronize e-mail, contacts, etc. Synchronization can also be restricted by user or device type. This optional addition to the CMG standard architecture also integrates with the Microsoft Security Feature Pack (MSFP) so that organizations can take full advantage of push e-mail to all Windows Mobile 5 devices protected by MSFP.

NEGLIGIBLE NETWORK IMPACT OF CMG INSTALLATION

Communication between the CMG system components has negligible impact on network traffic and bandwidth. For example, each policy package communication from the CMG Enterprise Server to the CMG Local Gatekeeper and Policy Proxy is typically less than 10KB in size—much less than opening an average browser page on the Internet. From an initial installation perspective, the CMG Local Gatekeeper install and the CMG Shield for Windows install are each approximately 7MB, so impact is minimal, even if installed via logon scripts over the network. The CMG Shield for PDAs and Smartphones is generally downloaded and deployed locally by the companion PC's CMG Local Gatekeeper, so there is virtually no impact to the network when it is installed.

CMG FUNCTIONALITY

CREDANT Mobile Guardian Enterprise Edition was designed as a standards-based management system with an integrated web interface to ensure portability and reliability. The CMG Enterprise Server's core functions are security policy management, key management, inventory management, access control management, directory management, audit and reporting. These functions are implemented with industry standards including XML, SOAP, SSL, LDAP, JDBC, SQL and Java. All CMG Enterprise Server components can reside on a single dedicated hardware server, though most production deployments require a minimum of two servers. As organizations grow, the core functions can be distributed across multiple hardware servers, resulting in a highly scalable, flexible and well-balanced solution that addresses a wide range of configuration requirements and preferences.

ENTERPRISE DIRECTORY INTEGRATION

CREDANT Mobile Guardian integrates quickly and easily with enterprise LDAP v3 compliant directories. A variety of directories are supported, including Microsoft Active Directory, Sun ONE Directory Server, and Novell eDirectory™. The CMG Enterprise Server can use LDAP or LDAPS v3 to communicate with the directory via a read-only user account. Users, groups and the relationships between them are imported and stored in the enterprise database so security policies can be applied at the global, group, or individual user level (Figure 2). LDAP username and password information is used by CMG for administrator authentication, first-time mobile user authentication and device activation, but CMG never stores the user's authentication credentials.
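How users and group memberships imported from the directory turn into an effective per-user policy at the global, group and individual level, as an added example rather than CREDANT's implementation. The sample directory data and policy settings are constructed; the precedence rule (user over group over global) and the most-restrictive-wins tie-break between a user's groups are assumptions, since the paper states the three levels but not how conflicts are resolved.

```python
"""Effective-policy resolution across global, group and user scopes.
Added illustration; the data below is constructed and the merge rules are
assumptions, not CREDANT's documented behaviour."""
from typing import Any, Dict

# Constructed stand-in for a read-only directory import: each user and the
# groups the directory says they belong to.
DIRECTORY = {
    "users": {"jdoe": ["Sales", "Field"], "asmith": ["Finance"]},
}

# Constructed policies per scope. For numeric settings a smaller value is
# treated as stricter; the sets below say which way a boolean is stricter.
GLOBAL_POLICY: Dict[str, Any] = {
    "encrypt_removable_media": True,
    "max_auth_attempts": 5,
    "inactivity_lock_minutes": 15,
    "allow_bluetooth": True,
}
GROUP_POLICIES: Dict[str, Dict[str, Any]] = {
    "Sales": {"inactivity_lock_minutes": 10},
    "Field": {"inactivity_lock_minutes": 5, "allow_bluetooth": False},
    "Finance": {"max_auth_attempts": 3},
}
USER_POLICIES: Dict[str, Dict[str, Any]] = {
    "jdoe": {"allow_bluetooth": True},   # explicit per-user exception
}

STRICT_WHEN_TRUE = {"encrypt_removable_media"}   # True is the stricter value
STRICT_WHEN_FALSE = {"allow_bluetooth"}          # False is the stricter value


def stricter(name: str, a: Any, b: Any) -> Any:
    """Return the stricter of two values for the named setting."""
    if name in STRICT_WHEN_TRUE:
        return a or b
    if name in STRICT_WHEN_FALSE:
        return a and b
    return min(a, b)


def effective_policy(user: str) -> Dict[str, Any]:
    """Global defaults, overridden by the merged policies of the user's groups
    (most restrictive wins on conflict), overridden by user-level settings."""
    policy = dict(GLOBAL_POLICY)
    group_layer: Dict[str, Any] = {}
    for group in DIRECTORY["users"].get(user, []):
        for name, value in GROUP_POLICIES.get(group, {}).items():
            if name in group_layer:
                group_layer[name] = stricter(name, group_layer[name], value)
            else:
                group_layer[name] = value
    policy.update(group_layer)
    # The user level is the administrator's explicit decision, so it wins
    # even when it relaxes a group setting.
    policy.update(USER_POLICIES.get(user, {}))
    return policy
```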


Figure 2. CREDANT Directory Browser (Group View)

The CMG Enterprise Server requires only read-only access to the directory, so there is no risk to your directory schema. Directory synchronization can be scheduled and automated, ensuring that security policies are built on the most current organizational structure without any manual action by the CMG administrator. When companies change their directory structure or personnel, CMG automatically captures the modifications and makes the corresponding changes so that security policies remain consistent with user and group roles. The CMG Server leverages LDAP integration to let organizations use already established organizational structures to manage mobile data security policies, speeding implementation and reducing ongoing maintenance.

ENTERPRISE DATABASE INTEGRATION

CMG uses an ODBC-compliant relational database management system as its repository for mobile security infrastructure and attribute information. The database can be backed up and queried using industry-standard tools and techniques for reliability and recoverability. The CMG database can reside in an existing database or database instance, or customers can choose a CMG installation package that includes Microsoft SQL Server 2005 Express Edition. Supported databases include:

• Microsoft SQL Server 2000
• Microsoft SQL Server 2005
• Microsoft SQL Server 2005 Express Edition

BROWSER-BASED CENTRALIZED ADMINISTRATION

Using Internet Explorer 6.0 and above, CMG's browser-based administrator interface lets administrators securely manage their mobile data security from any system with a web browser and network access to the CMG Enterprise Server. Administrators log in to the SSL-secured CMG Enterprise Server Web UI with their standard LDAP directory username and password. In a Windows networking environment, this is the Windows domain login.


SEPARATION OF ADMINISTRATIVE DUTIES

CREDANT understands that organizations have different requirements for differing administrative duties. To support these varied needs, CMG provides five administrator roles that can be assigned in any combination to any valid user. Users assigned one or more administrative roles, or types, log in to the CMG web interface with their standard LDAP credentials, so they do not have to remember another username and password, and no separate set of CMG-specific usernames and passwords has to be created and maintained. The CMG server authenticates administrators against the organization's existing LDAP server or domain controller each time they access the management interface, so access is controlled even when the user is outside the corporate network. CREDANT suggests having only one overseeing administrator, a user who has been assigned all five administrative roles (Figure 3). Multiple CMG administrators can be logged in concurrently, with the exception of the overseeing administrator, of which only one can be logged in at a time. CMG administrator roles and responsibilities are as follows:

Security Administrators can search for and view users and groups and change and publish mobile data security policies. Users assigned this role can also access the remote device recovery system to help shielded users regain access to their mobile devices in case they fail their PIN, password, and Question/Answer authentication.

System Administrators can search for and view users, groups, Gatekeepers and mobile devices. Users assigned this role can also synchronize the CMG Enterprise Server with the LDAP directory, work with Server tools, approve Gatekeeper messages, and view device support status.

Help Desk Administrators can search for and view users, groups, Gatekeepers and mobile devices. Users assigned this role can also access the remote device recovery system to help shielded users regain access to their mobile devices in case they fail their PIN, password, and Question/Answer authentication.

Account Administrators can view and search for users and groups and manage CMG administrator roles.

Log Administrators can only work with CMG audit logs.


Figure 3. CREDANT Mobile Guardian Administrative Roles

AUDIT LOGS AND REPORTING CMG’s powerful security assessment tool allows properly authorized administrators to search logs based on a variety of criteria, including priority, date, time, user ID and machine name. Administrators access the CMG Enterprise Server via a web browser to see their LDAP and mobile security infrastructures combined into a single view. In addition, they can view information and create reports on mobile device inventory and CMG policies and infrastructure. This enterprise-wide view of mobile device security helps simplify device security management and compliance. CMG provides robust audit logs that track administrator activity and system events. CMG audit logs are stored in the CMG Enterprise Server database so administrators can view the information from the CMG interface or create custom reports using a variety of reporting tools already in use by the organization. To ensure traceability and accountability, the time, date and user responsible for the following actions are available in the Administrative Actions logs (Figure 4):

• Logging in to and logging out of the CMG interface
• Adding, changing, or deleting administrators
• Retrieving system logs
• Directory synchronization activity
• Changing and publishing mobile data security policies

System logs include:

• All calls to run a service, such as contact with a Gatekeeper
• Inventory updates
• Database synchronization


Figure 4. Administrator Action Logs

MOBILE DEVICE INVENTORY MANAGEMENT

The CMG Enterprise Server, the CMG Policy Proxy and CMG Local Gatekeepers work together to track and maintain mobile device inventories so that organizations can see how many and what types of devices are connecting to their networks. Installed on a PC, the CMG Local Gatekeeper is "aware" of synchronization software and CMG Shield installations. It gathers a wide range of information about the Shielded Windows PCs and the Shielded PDAs and smart phones associated with each PC. Inventory is updated every time a PDA or smart phone synchronizes with the companion PC, or when a user logs into a Windows account protected by CMG Shield for Windows. The CMG Local Gatekeeper then securely sends the inventory information to the CMG Enterprise Server for further reporting. Inventory information from any CMG-protected BlackBerry, Pocket PC, smart phone, or Windows notebook, tablet or desktop that uses the CMG Policy Proxy for policy updates is also securely sent to the CMG Enterprise Server. Device inventory includes detail about installed CMG components as well as device hardware, firmware, software, and protected users. As shown in Figure 5, inventory detail provides a wide range of useful information on your mobile device population such as host name, IP address, last poll time, mobile user ID, device type, operating system (OS), and OS version. Device-specific inventory information including available memory, total memory, and battery life (if applicable) is also collected.


Figure 5. Mobile Device Inventory Details (Windows System)

SECURITY POLICY DISTRIBUTION

CMG supports many types of security policies to protect your mobile data, including CMG Local Gatekeeper monitoring and installation policies that help you gain control over your mobile device environment. CMG's mobile security policies define the on-device access control, encryption and authorization rules as well as the CMG Local Gatekeeper monitoring policies. CMG administrators specify the security policies via the administrative interface of the CMG Enterprise Server. Structural changes or security policy updates are made by having an authorized security administrator select the group, role or individual from the CMG Enterprise Server console, change the policies and publish them. No special user or administrative activity is required to ensure that policy updates are enforced on devices protected by the CMG Shield.

The published policies are encrypted and stored, awaiting the next polling request. At the next polling interval, the encrypted policy updates are retrieved by the CMG Local Gatekeeper or CMG Policy Proxy, where they are stored in an encrypted bundle until the next mobile device synchronization request. The next time the user authenticates and synchronizes the mobile device, the CMG Shield checks the Gatekeeper or Policy Proxy for policy updates. If updates exist, the CMG Shield retrieves them, decrypts them, verifies their integrity and applies the new policies to the mobile device. Note that a new policy therefore takes effect on a device only after one Gatekeeper or Proxy polling interval plus one device synchronization, so the polling interval bounds how quickly a published change is enforced.

CMG uses SSL (HTTPS) to secure communications between the CMG Enterprise Server and the CMG Local Gatekeeper and Policy Proxy. The CMG Enterprise Server and these two components work together to automatically and securely deliver encryption keys and mobile security policies to the CMG Shield running on the mobile device. The encryption keys and mobile security policies are always encrypted by the CMG Enterprise Server for a specific CMG Shield and are transmitted in encrypted form. The CMG Local Gatekeeper and CMG Policy Proxy never have access to the encryption keys and so are unable to decrypt the security policy files. Only a properly authenticated CMG Shield has access to this information.
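The following is an added example, not CREDANT code, that models the distribution path just described: the server seals a policy bundle for one specific Shield, the Gatekeeper or Policy Proxy stores and forwards the bundle without being able to read it, and the Shield verifies integrity before decrypting and refuses a tampered bundle or one addressed to another device. The cipher is a stand-in (HMAC-SHA256 in counter mode for confidentiality plus a separate HMAC-SHA256 tag) chosen so the example runs with the Python standard library only; CREDANT's kernel uses AES/3DES and HMAC-SHA-1. The per-device key derivation, the wire layout and the device identifiers are assumptions made for illustration.

```python
# Added example (not CREDANT code): end-to-end protection of a policy bundle
# through an intermediary that relays but cannot read it. Stand-in cipher:
# HMAC-SHA256 in counter mode plus an HMAC-SHA256 tag (standard library only).
# Key derivation, wire layout and device identifiers are assumptions.
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_device_keys(master_key: bytes, device_id: str) -> Tuple[bytes, bytes]:
    """Assumed scheme: one encryption key and one MAC key per Shield,
    derived from a server-held master and the device identifier."""
    label = device_id.encode()
    enc_key = hmac.new(master_key, b"enc|" + label, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac|" + label, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def server_seal_policy(master_key: bytes, device_id: str, policy: dict,
                       nonce: Optional[bytes] = None) -> bytes:
    """Enterprise Server side: encrypt a policy for exactly one Shield.
    Wire layout (assumed): len(device_id) | device_id | nonce | ciphertext | tag."""
    enc_key, mac_key = derive_device_keys(master_key, device_id)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    plaintext = json.dumps(policy, sort_keys=True).encode()
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    did = device_id.encode()
    header = struct.pack(">H", len(did)) + did + nonce   # device id binds the bundle
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class PolicyProxy:
    """Gatekeeper / Policy Proxy: stores opaque bundles keyed by the clear-text
    device id in the header. It holds no keys and cannot decrypt anything."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def store(self, bundle: bytes) -> str:
        n = struct.unpack(">H", bundle[:2])[0]
        device_id = bundle[2:2 + n].decode()
        self._pending[device_id] = bundle
        return device_id

    def fetch(self, device_id: str) -> Optional[bytes]:
        return self._pending.get(device_id)


def shield_open_policy(enc_key: bytes, mac_key: bytes, device_id: str,
                       bundle: bytes) -> dict:
    """Shield side: check the tag first, then the addressee, then decrypt.
    Raises ValueError on any failure so nothing is applied."""
    if len(bundle) < 2 + NONCE_LEN + TAG_LEN:
        raise ValueError("bundle too short")
    n = struct.unpack(">H", bundle[:2])[0]
    header_len = 2 + n + NONCE_LEN
    if len(bundle) < header_len + TAG_LEN:
        raise ValueError("bundle truncated")
    header, ciphertext, tag = bundle[:header_len], bundle[header_len:-TAG_LEN], bundle[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed; policy not applied")
    if bundle[2:2 + n].decode() != device_id:
        raise ValueError("bundle addressed to another device")
    nonce = header[2 + n:]
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))


def shield_apply(enc_key: bytes, mac_key: bytes, device_id: str,
                 bundle: bytes) -> Optional[dict]:
    """Convenience wrapper: the policy dict if the bundle is valid, else None."""
    try:
        return shield_open_policy(enc_key, mac_key, device_id, bundle)
    except ValueError:
        return None
```

The tag is checked before the device id is compared and before any decryption, so a proxy or network attacker who flips a byte, or replays a bundle meant for another device, is rejected without the Shield ever acting on the contents.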


OVER-THE-AIR POLICY UPDATES FOR POCKET PC, SMARTPHONE

CREDANT's over-the-air (OTA) option allows organizations to protect their mobile devices even if they never or rarely cradle-sync to a PC. Once the CMG Shield is installed on a device, policy updates can be sent OTA, a process that begins just as it does for passing policies via cradle sync, with the CMG administrator modifying mobile device security policy and publishing those changes on the CMG Server. Figure 6 shows a typical OTA configuration, although other configuration options are available to fit virtually any enterprise environment. During regularly scheduled polling intervals the CMG Policy Proxy checks for policy updates that apply to devices it manages and pulls them down, as encrypted bundles, from the CMG Server. The CMG Shield automatically polls the CMG Policy Proxy for policy updates at configurable intervals. If policy updates are available, the CMG Shield automatically retrieves and applies them to the device to ensure that security policy is always up to date and properly enforced.

Figure 6. Typical CMG Enterprise Edition OTA Configuration (diagram labels: Internet, DMZ and Intranet zones separated by an External Firewall and an Internal Firewall; Mobile Device; CredActivate Client; Remote Gatekeeper on a Windows 2000 or 2003 Server; CMG Enterprise Server; Active Directory Server; flows marked CredActivate Communications, Policy Updates and Server Communications)

USER AUTHENTICATION

The CREDANT Mobile Guardian Shield for Windows supports the native Microsoft GINA and also provides an optional GINA replacement. In either scenario the CREDANT Mobile Guardian Shield integrates with the existing Windows login mechanism. It allows the user to have a single password for logging into Windows and for unlocking access to encrypted information protected by CMG Shield. Challenge/response parameters are established to reduce user logins and provide administrator-assisted device recovery, even when the PC is disconnected from the network, ensuring that traveling employees can always regain access to their PC. For more details on the CMG Shield access control policies for Windows devices, including the CMG GINA replacement option, refer to the CMG Enterprise Edition for Windows Devices white paper.

When installed across disparate mobile devices, such as PDAs and smart phones, CREDANT Mobile Guardian enables organizations to enforce multiple levels of mandatory access control including PIN, password, and question/answer authentication. Rules governing the number of minutes a device can be idle before automatic lock-down and challenge/response parameters are also established to reduce user logins and provide secure, remote administrator-assisted device recovery. CMG also enforces a range of automated, fail-safe actions to protect PDA data, regardless of whether the device is connected to or disconnected from the corporate network. For phone-enabled devices, CMG Shield allows users to make and receive phone calls without having to authenticate beforehand.

PIN and Password - CMG supports flexible PIN and password security parameters that address factors such as whether these credentials are required, when they are required and the number of authentication attempts allowed. CMG's policies also include settings that control the number of characters required, case sensitivity, mixed character usage (alpha, numeric, and special) and the use of sequential numbers. In addition, CMG lets administrators control timing and history rules such as the amount of time a PIN/password is valid, the number of previous values the user will not be allowed to reuse, and the number of days during which a user is not allowed to reuse a previous value.

Question and Answer Authentication - End users who are new to security frequently forget PINs and passwords, resulting in large numbers of unproductive credential reset calls to the help desk. CMG's self-service reset policies allow an authenticated mobile user to reset their own PIN or password based on a question they are automatically prompted to answer if they enter their PIN or password incorrectly. The questions can be created by an administrator as part of the policy settings or by the mobile user. The questions and answers are then encrypted and stored locally on the mobile device. CMG administrators can control policy settings such as the number of characters required in the answer, the number of allowed question/answer attempts, and whether to force a mandatory question/answer reset upon the next login.
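As an added example, not CREDANT code, the checker below enforces the classes of PIN/password setting listed in the paragraph above: minimum length, case sensitivity, mixed character classes, sequential digits, a validity period, and a reuse history bounded both by a count of previous values and by a number of days. It goes slightly beyond the text in treating the two history limits as a union (a value is blocked if it is among the last N values or was set within the last D days). The attribute names, the salted digests kept in the history and the sample values are assumptions.

```python
# Added example (not CREDANT code): PIN/password policy checker covering
# length, mixed case, character classes, sequential digits, validity period
# and a reuse history bounded by count and by age. Names and defaults are
# assumptions for illustration.
from dataclasses import dataclass
from datetime import date
import hashlib
from typing import List


@dataclass
class CredentialPolicy:
    min_length: int = 8
    require_mixed_case: bool = True
    required_classes: int = 3          # out of: letters, digits, specials
    max_sequential_digits: int = 3     # "123" passes, "1234" fails
    history_count: int = 5             # last N values may not be reused
    history_days: int = 365            # values set within N days may not be reused
    max_age_days: int = 90             # validity period of the current value


@dataclass
class HistoryEntry:
    digest: str
    set_on: date


def history_digest(secret: str, salt: str) -> str:
    """Assumed: the history keeps salted SHA-256 digests, never the secrets."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


def has_sequential_digits(secret: str, limit: int) -> bool:
    """True if more than `limit` consecutive digits step by +1 or -1 (1234, 9876)."""
    run, prev_step = 1, 0
    for a, b in zip(secret, secret[1:]):
        if a.isdigit() and b.isdigit() and abs(ord(b) - ord(a)) == 1:
            step = ord(b) - ord(a)
            run = run + 1 if step == prev_step else 2
            prev_step = step
            if run > limit:
                return True
        else:
            run, prev_step = 1, 0
    return False


def is_expired(set_on: date, policy: CredentialPolicy, today: date) -> bool:
    """Validity-period rule: the current value must be changed after max_age_days."""
    return (today - set_on).days >= policy.max_age_days


def validate_credential(secret: str, policy: CredentialPolicy,
                        history: List[HistoryEntry], salt: str, today: date) -> List[str]:
    """Return the list of policy violations (empty means the value is accepted)."""
    problems = []
    if len(secret) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.require_mixed_case and not (
            any(c.isupper() for c in secret) and any(c.islower() for c in secret)):
        problems.append("needs both upper and lower case")
    classes = sum([any(c.isalpha() for c in secret),
                   any(c.isdigit() for c in secret),
                   any(not c.isalnum() for c in secret)])
    if classes < policy.required_classes:
        problems.append("needs %d character classes, has %d" % (policy.required_classes, classes))
    if has_sequential_digits(secret, policy.max_sequential_digits):
        problems.append("contains a sequential digit run")
    # Reuse is blocked if the value is among the last N or was set within N days;
    # a value older than both windows may be used again.
    newest_first = sorted(history, key=lambda h: h.set_on, reverse=True)
    blocked = {h.digest for h in newest_first[:policy.history_count]}
    blocked |= {h.digest for h in history if (today - h.set_on).days < policy.history_days}
    if history_digest(secret, salt) in blocked:
        problems.append("reuses a value still inside the history window")
    return problems
```

Returning every violation at once, rather than the first one found, lets the device show the user the full list of reasons a new PIN or password was refused.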

Auto-lock Timers - CMG's auto-lock timer policies determine the number of minutes a device can be idle or powered off before CMG Shield automatically locks down the device. For the mobile user to resume work without re-authenticating, the user must power the device off and on again within the specified time period. CMG can also be configured to require re-authentication after every power-off. These policies allow an organization to balance security with ease of use by not forcing a user to re-authenticate every time they use the device.

Secure, Remote Access Recovery - CMG's secure remote access recovery policy allows authorized CMG administrators to manually authenticate and restore access to a device that has been locked because the user failed the PIN, password, and Question/Answer authentication options. This also allows recovery of encrypted data in the event an employee leaves the company or is unsuccessful in gaining access. CMG's access policies provide a challenge and response mechanism to recover access to mobile devices.

Fail-Safe Actions - CMG also enforces a range of automated, fail-safe actions to protect PDA and external media data, regardless of whether the device is connected to or disconnected from the corporate network. CMG's access recovery policies define the number of unsuccessful access attempts allowed before fail-safe actions are automatically invoked. Fail-safe actions can include locking out the user for a specified cool-down period, deleting encrypted data from the device, or performing a hard reset to remove all data and applications.
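The following added example, not CREDANT code, shows the unsuccessful-attempt counter that drives the three fail-safe outcomes named above. A fixed number of consecutive failures ends a round; the first rounds impose an escalating cool-down lockout, a further round deletes the encrypted data, and optionally a hard reset follows. The thresholds, the escalation order and the outcome names are assumptions; the device state is kept in an object so the count survives a power-off, which the policy requires, and credentials presented during a cool-down are not evaluated at all.

```python
# Added example (not CREDANT code): attempt counter with escalating fail-safe
# actions (cool-down lockout, data deletion, hard reset). Thresholds, the
# escalation order and the outcome names are assumptions for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class FailSafePolicy:
    attempts_per_round: int = 3        # consecutive failures before an action
    lockout_seconds: int = 60          # base cool-down, multiplied by the round number
    lockout_rounds: int = 2            # rounds that only lock out; the next round wipes
    hard_reset_after_wipe: bool = False


@dataclass
class DeviceState:
    failures: int = 0                  # failures in the current round
    rounds: int = 0                    # completed rounds since the last success
    locked_until: float = 0.0          # end of the current cool-down (seconds)
    data_present: bool = True
    hard_reset: bool = False


def attempt_unlock(state: DeviceState, policy: FailSafePolicy,
                   credential_ok: bool, now: float) -> str:
    """One unlock attempt at time `now` (seconds). Returns the outcome:
    'unlocked', 'denied', 'locked_out', 'wiped' or 'hard_reset'."""
    if state.hard_reset:
        return "hard_reset"
    if not state.data_present:
        return "wiped"
    if now < state.locked_until:
        # During a cool-down the credential is not evaluated, so guessing
        # through the lockout yields no information about the real value.
        return "locked_out"
    if credential_ok:
        state.failures, state.rounds = 0, 0
        return "unlocked"
    state.failures += 1
    if state.failures < policy.attempts_per_round:
        return "denied"
    state.failures = 0
    state.rounds += 1
    if state.rounds <= policy.lockout_rounds:
        state.locked_until = now + policy.lockout_seconds * state.rounds
        return "locked_out"
    state.data_present = False         # delete encrypted data from the device
    if policy.hard_reset_after_wipe:
        state.hard_reset = True        # remove all data and applications
        return "hard_reset"
    return "wiped"


def run_attempts(policy: FailSafePolicy, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Replay (time, credential_ok) pairs against a fresh device; return the outcomes."""
    state = DeviceState()
    return [attempt_unlock(state, policy, ok, t) for t, ok in attempts]
```

A successful unlock resets both the failure count and the round counter, so the destructive actions are only reached by an uninterrupted run of failures.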

MULTI-FACTOR AUTHENTICATION SUPPORT

Unlike competitive host encryption products that force pre-boot authentication and require special integration with an SDK to support multi-factor authentication, CREDANT Mobile Guardian works within the authentication framework provided by Microsoft Windows and the PKCS #11 Cryptographic Token Interface Standard. CREDANT Mobile Guardian uses a patent-pending authentication method to integrate with the strong authentication mechanisms supported by these standards. This approach provides immediate interoperability with any strong authentication system that works within the Microsoft Windows or PKCS #11 standards (biometric, smartcard, RSA, or whatever else is invented) and requires the end user to sign in only once. After the user successfully authenticates using the strong authentication mechanism of choice, they have immediate access to all encrypted data on the disk. There is no requirement to sign in again to the CMG Shield. Because the CMG Shield works with Windows, customers and third parties do not have to develop new versions of their products with special SDKs, as other host encryption products require. Integration with the CMG Shield is immediate. CREDANT customers have leveraged this technology to provide out-of-the-box integration with RSA SecurID for Windows, IBM biometric authentication, and Axalto smartcards. In all cases, the customer is able to keep their existing authentication framework and simply add the CMG Shield to provide total data protection through encryption. The end user will not notice any change in the authentication process.

SELF-SERVICE PIN/PASSWORD RESET AND REMOTE DEVICE RECOVERY

CREDANT customers have reported significant savings in time and money thanks to the self-service PIN/password reset and remote administrator-assisted recovery options. Resetting devices in-house is a tedious process that hurts productivity; with CMG's self-service PIN/password reset, based on a set of pre-established security questions and answers, the end user can do it in seconds with no call to the help desk (Figure 7). If the question/answer authentication succeeds, the user is asked to reset the PIN and/or password without any Help Desk involvement.

Figure 7. Self-Service PIN/Password Recovery for Smart Phone

If the end user fails CMG's question and answer authentication (Figure 8), a phone call to the help desk and a quick validation by the administrator give the user a new access code to unlock the device. Once the device is unlocked, the user is prompted to reset their password/PIN via questions and answers so they can continue to access their device securely. This remote, administrator-assisted challenge and recovery mechanism is much easier and more cost-effective than requiring the device to be manually unlocked, reset and redeployed at the office. Remote help desk recovery is also available for removable media.


Figure 8. Remote Helpdesk Device Recovery

POLICY-BASED INTELLIGENT ENCRYPTION™ Unlike older encryption point products, CREDANT’s patent-pending Policy-based Intelligent Encryption, with a multi-layered defense approach, provides critical business controls that ensure data is always within compliance. Data files are encrypted and decrypted transparently so there’s no change in how users work. CREDANT’s on-the-fly process decrypts files as they are accessed so data always remains encrypted on the drive and is only decrypted in memory, when in use.

FOUR LAYERS OF DEFENSE CREDANT’s defense-in-depth, or four layers of defense, Intelligent Encryption strategy extends compliance controls to mobile endpoints by ensuring that data-at-rest is protected at all times. CREDANT’s unique layered approach not only provides a comprehensive data protection solution, but it also fits nicely into a phased security implementation. This can be especially helpful for enterprises that prefer to roll out security slowly or for those who have different security policy requirements by user role or department.

1. The first layer of defense applies to the volume level, enabling organizations to set policies that force the encryption of any data generated by the end user and written to any volume on the drive, while eliminating the need to encrypt the operating system. Sensitive data is encrypted no matter where it resides on the local hard drive.

2. The second layer of defense, file type encryption (Common and User level), automatically encrypts previously created and new files of a specified type (or multiple types) regardless of where they are stored on the hard drive. This layer is primarily configured to ensure that application-independent files such as .ini, .temp, .txt, .html, etc. are encrypted. When implemented via Common encryption policies, any authorized user can access these files once they are logged into the system. When implemented via User encryption policies, only the data owner can access these files.

3. The third layer of defense applies to application data, enabling organizations to set policies that force the encryption of any data written by heavily used business applications, to protect against user error or malicious renaming of a file type that would otherwise leave data exposed. This patent-pending technology applies to any application that handles sensitive data without requiring any modification to the application code base. Administrators simply define a list of application executables in security policy and the CMG Shield automatically monitors for any files created by these applications and saved to disk. Independent of the application, the CMG Shield automatically encrypts the data as it is written to disk.

4. The fourth layer of defense applies to the user level, enabling organizations to set policies that force the encryption of data for individual users who share a notebook computer or workstation. The administrator can also specify common encrypted locations that are accessible to all authorized users on the machine. This allows administrators to enforce the protection of shared, sensitive data and ensures that the data can be accessed by multiple authorized users on the same machine while user-specific data remains protected. Local administrators never have access to encrypted data, so IT can manage systems without exposing sensitive data.
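As an added example, not CREDANT code, the decision procedure below applies the four layers just described to a single write: given the path a file is written to, the executable writing it and the logged-in user, it returns whether the file is encrypted, with which key (common or user) and under which layer, or is left in the clear because it is part of the operating system. The point it makes concrete is the third layer: a document that Word writes under a renamed extension is still encrypted, while the same file name written by an unlisted program falls through to the volume rule. The paths, application names and extension lists are constructed sample policy, not CREDANT's defaults, and the precedence order between layers is an assumption.

```python
# Added example (not CREDANT code): classify one file write under the four
# encryption layers. Sample roots, extensions and executables are constructed
# policy values; the precedence between layers is an assumption.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import FrozenSet, Optional, Tuple


@dataclass
class EncryptionPolicy:
    # Layer 1: user data on any local volume, operating system tree excluded
    os_roots: Tuple[str, ...] = (r"C:\Windows", r"C:\Program Files")
    # Layer 2: file-type lists, Common (any authorized user) and User (owner only)
    common_types: FrozenSet[str] = frozenset({".txt", ".ini", ".html", ".tmp"})
    user_types: FrozenSet[str] = frozenset({".xls", ".doc", ".pst"})
    # Layer 3: everything written by these applications, whatever the file is named
    application_exes: FrozenSet[str] = frozenset({"winword.exe", "excel.exe", "outlook.exe"})
    # Layer 4: per-user profiles (user key) and shared locations (common key)
    user_profile_root: str = r"C:\Documents and Settings"
    common_locations: Tuple[str, ...] = (r"C:\Shared",)


@dataclass(frozen=True)
class Decision:
    encrypt: bool
    key: Optional[str]     # "common", "user:<name>" or None
    layer: Optional[int]   # 1..4 or None


def _under(path: PureWindowsPath, root: str) -> bool:
    """Case-insensitive 'path lies inside root' test for Windows paths."""
    try:
        path.relative_to(PureWindowsPath(root))
        return True
    except ValueError:
        return False


def classify_write(path_str: str, writer_exe: str, user: str,
                   policy: EncryptionPolicy) -> Decision:
    path = PureWindowsPath(path_str)
    ext = path.suffix.lower()
    user_key = "user:" + user
    # Operating system files are deliberately left unencrypted (layer 1 scope).
    if any(_under(path, root) for root in policy.os_roots):
        return Decision(False, None, None)
    # Layer 3 first: a .doc renamed to .jpg but written by Word is still caught.
    if writer_exe.lower() in policy.application_exes:
        return Decision(True, user_key, 3)
    # Layer 4: location rules for shared machines.
    if _under(path, policy.user_profile_root):
        return Decision(True, user_key, 4)
    if any(_under(path, root) for root in policy.common_locations):
        return Decision(True, "common", 4)
    # Layer 2: type rules, the owner-only list before the shared list.
    if ext in policy.user_types:
        return Decision(True, user_key, 2)
    if ext in policy.common_types:
        return Decision(True, "common", 2)
    # Layer 1: any other user data on the volume gets the common key.
    return Decision(True, "common", 1)
```

The order of the checks is what gives the layers their defense-in-depth character: the application rule is consulted before any name-based rule, so renaming a file cannot demote it to a weaker layer, and the operating system exclusion is the only path that yields an unencrypted result.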

Because mobile device operating systems differ across varying device platforms, there are some functional differences in how CREDANT Policy-based Intelligent Encryption technology operates, as described below.

Windows Desktops, Notebooks and Tablet PCs

CREDANT Intelligent Encryption technology for Windows-based devices fills the security gaps left by file/folder-based encryption products and avoids the management, data recovery, security and productivity issues associated with full or hard disk encryption methods. The CMG Shield for Windows provides a single security policy that defines any or all of the five levels of encryption, both user and shared information, and allows all data files to be encrypted automatically, wherever the data files are saved on the disk and whatever their name. Shared data can be encrypted and shared between multiple users on a machine, or encrypted for an individual user. The CMG Shield utilizes two separate encryption keys to accomplish this flexibility: a common encryption key and a user encryption key. Temporary and Windows paging (swap) files are also automatically encrypted. The Windows password hash is stored securely in an encrypted location, dramatically improving the security of the Windows password mechanism and ensuring that the encrypted information stored on the PC cannot be compromised.

Windows Mobile Pocket PCs

These devices come with built-in Calendar, Contacts, Inbox/Mail, and Tasks, also known as Personal Information Management (PIM) applications. CMG can be configured to encrypt any or all PIM databases, third party application databases, email attachments, media files, and information stored in My Documents. CMG Shield for Pocket PC also allows the administrator to create a "secured" folder on the device or on removable media. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. When the user requests a specific database or file, the CMG Shield decrypts that information "on the fly" so information remains encrypted at all times, except when actually in use by an authorized user.


Windows Mobile Smart Phones

CMG can be configured to encrypt any or all PIM databases as well as third party application databases and email attachments. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. The CMG Shield decrypts information "on the fly" as it is requested, so information remains encrypted at all times, except when actually in use by an authorized user.

Palm OS Devices

For Palm devices, where all files are stored in databases, CMG supports administrator-definable policies that encrypt and decrypt each database independently as access is requested. The CMG administrator specifies which databases will be encrypted. When the mobile user turns on the device and authenticates to CMG Shield, none of the databases are decrypted. When the user requests a specific database (e.g. taps the Notes or Calendar icon), CMG Shield decrypts that specific database "on the fly", incrementally on a record-by-record basis as needed, so data is only decrypted while in use by an authorized user.

Symbian Smartphones

CMG can be configured to encrypt the calendar, contacts and tasks databases for these devices. When the mobile user turns on the device and authenticates to CMG Shield, none of the data is decrypted. When the user requests a specific database or file, the CMG Shield decrypts that information "on the fly" so information remains encrypted at all times, except when actually in use by an authorized user.

RIM OS Devices

CMG can be configured to encrypt any or all PIM databases for RIM BlackBerry devices. Encryption of these databases occurs only when the user fails to enter the correct authentication credentials.

External Media

When the administrator enables CMG External Media Shield for a user, the system places the EMS client onto every piece of removable media inserted into a CMG-protected computer or handheld device. An installer is also copied to the media, allowing the user to work with encrypted external media data from a computer not protected by CMG and still securely read and write encrypted data to the external media.

FIPS VALIDATION

CMG supports a variety of industry standard encryption algorithms including AES 128, AES 256, 3DES, Blowfish and Lite so organizations can balance security and performance. CREDANT has achieved FIPS 140-2 Level 1 validation for the CREDANT Cryptographic Kernel (CCK). The same CCK is used across all CREDANT-supported platforms by the CMG Shield. The CREDANT implementations of the AES, 3DES, SHA-1, HMAC-SHA-1, and RNG algorithms are all FIPS approved. Of the selectable encryption algorithms, only AES and 3DES are in that approved set; Blowfish and Lite are not, so a deployment that must run in a FIPS-approved configuration should select AES or 3DES. The certificate is available online at http://csrc.nist.gov/cryptval/140-1/1401val2004.htm#452.

ENCRYPTED DATA RECOVERY

One of the challenges with any type of data security solution is how to recover data if the encryption keys are lost. The simple answer is that if the keys are lost, then the data is lost too. It is therefore imperative that every precaution is taken to securely archive and protect the keys.

AUTOMATIC KEY ESCROW FOR IMMEDIATE RECOVERY

Unlike competitive products, CREDANT’s key escrow process is completely automated and transparent. All encryption keys are generated and securely archived by the CMG Enterprise Server before being passed down to the device, thereby ensuring that they can never be lost. Other solutions generate the keys on the device, requiring the end user to manually copy them to a floppy or USB drive and transfer them to administrators via some out-of-band mechanism. After collecting keys for each user in the environment, the administrator must then manually archive them. This entire process must be repeated as new users and systems are added to the organization. Another problem with this manual approach is that recovery of the encryption keys is not guaranteed immediately. The ability to recover data is placed in the hands of the end user, and this entirely manual process adds to the complexity of administering a solution for IT and security groups. If the end user loses the recovery device, never sends the keys to IT, or the keys are misplaced once they reach the IT group, then recovery of encrypted data may not be possible. Some solutions provide more automated mechanisms to archive the keys, but there is no guarantee when or if the keys will make it to the central archive, thus subjecting the organization to an undetermined period during which there is no way to recover access to encrypted data. From an enterprise perspective, this is a significant and unnecessary risk.

With CREDANT, recovery of encrypted data can be performed immediately, from the time the first bit of data is encrypted until the machine’s end of life. Recovery is facilitated through a simple installation method. It does not require decryption and re-encryption, nor does it require sending the system to a third party for recovery, which is expensive and time consuming. CREDANT’s recovery process is efficient and completely transparent to the end user.

USER AUTHORIZATION AND CONTROL FOR PDAS AND SMARTPHONES

CMG’s authorization policies are transparent to the end user and enable administrators to control what an authenticated user can do on the device. Administrators can set policies that define a mobile user’s current state and determine whether access to the device will be granted.
Synchronization policies can be defined that determine whether a CMG Shield protected mobile device can synchronize with companion PCs that are not protected by CMG Local Gatekeeper. CMG lets administrators set policy that specifies what applications may not be run on the device. Likewise, CMG’s communication port policies protect information contained on mobile removable media by restricting the use of external devices including Compact Flash, SD cards or PCMCIA cards. CMG policies also control whether infrared beaming is allowed, whether Bluetooth can be used, and can limit external network communications.

USER STATUS AND DEVICE ACCESS CONTROLS

The CMG Shield state can be modified to activate, suspend or deactivate a user, thereby affecting their ability to access the mobile device. If a device has been lost or stolen, or an employee has left the company, administrators can easily change the user’s status to “suspended” or “deactivated”. Upon the next attempted synchronization of the device, this policy change takes effect and prevents the user from logging into CMG Shield, unlocking the device and accessing sensitive company information.

USER AND DEVICE MUTUAL AUTHENTICATION

Transparently to the user, CMG performs mutual authentication between CMG Local Gatekeeper and CMG Shield before allowing synchronization to occur. By authenticating both the mobile device and the workstation, CREDANT Mobile Guardian ensures that only approved mobile users and CMG-enabled devices can synchronize with corporate systems. This eliminates the risk of inadvertent or malicious synchronization and controls the flow of sensitive data out of the corporate environment.

ON-DEVICE APPLICATION CONTROLS

The availability of thousands of applications for handheld devices has made it difficult for IT to control which applications end users can or cannot run on the device. CMG Shield can block any application residing on the device by checking the requested application against the user’s application-blocking policies (whitelists and blacklists), which are separate lists for Palm and for Windows Mobile Pocket PC and Smartphone devices. If the requested application is on the disallowed list, CMG Shield will prevent the application from running or from being installed. For organizations deploying mobile devices for specific business use, using CMG’s whitelist option to control which applications can run dramatically reduces helpdesk calls and the threat of malware and malicious code being introduced to the network.

COMMUNICATION PORT CONTROLS

CMG Shield provides authorization controls that check for and block various device communications. Based on each user’s security policies, CMG supports a disable/enable option to protect against sensitive data being copied to external storage media. CMG also provides control over network access (wired or wireless), as well as the ability to disable/enable infrared ports, controlling whether users can beam business cards, applications or documents to one another. For example, on Pocket PC, Smartphone and Palm devices, the administrator can set policy to disable the use of built-in Bluetooth or infrared communications.

ALWAYS ON, INSTANT ACCESS

CREDANT continuously strives to balance security with flexible options that enable users of mobile devices to be more productive. IT administrators can establish policy for end users to have continuous access to their Home Page to view and edit Contact and Calendar entries, dial directly from Contacts, view missed calls, and send and receive SMS/MMS messages, all without the end user being authenticated. But when the end user attempts to access sensitive data, the user will be forced to authenticate. Additionally, CMG allows end users always-on access to their stored “In Case of Emergency” (ICE) contact at the touch of a button. Users can also personalize their mobile devices for easy identification by, for example, uploading a background photo image to their device.

BLUETOOTH® PROXIMITY ACCESS

CREDANT Mobile Guardian is the first mobile data security solution to provide Bluetooth Proximity Access, which balances security with usability when operating a PDA or smart phone while driving (Windows Mobile 2003 and 5.0 PPC versions). The Bluetooth Proximity Access feature authenticates the end user to CMG Shield, or allows CMG Shield to remain unlocked, while a trusted Bluetooth headset or car kit is in proximity. Authentication between the trusted devices occurs transparently to the user: access to the device and data is made immediately available, and the Bluetooth connection remains active. Real-time applications such as GPS navigation systems are always available. When the trusted Bluetooth headset is no longer in proximity to the device, CMG Shield automatically locks the device to ensure it is secure.

CISCO NAC SUPPORT FOR WINDOWS-BASED DEVICES

CMG integration with Cisco NAC delivers the industry’s most comprehensive solution for protecting the network from rogue mobile devices while ensuring data-at-rest is always secured. CMG Shield and Cisco NAC are complementary technologies addressing enterprise threats on two different fronts: the mobile platform and the network. CMG provides powerful security that protects data-at-rest on mobile devices, and Cisco NAC enforces adherence to corporate policies at the network level.

The CMG solution adds an additional layer of security to Cisco NAC by granting network access only to notebook PCs that are verified as fully compliant with established security policies (e.g., CMG Shield must be installed). If unshielded notebook PCs try to access the network, NAC will identify them as noncompliant devices, deny them access, and can sequester them in a quarantine network. This process allows the IT administrator to take remedial action to enforce security policy compliance. By combining information about endpoint security status with network admission enforcement, CMG and NAC integration enables organizations to protect against rogue mobile devices, strengthening IT’s ability to quickly and safely ensure security policy compliance across the entire enterprise.

ADDITIONAL USABILITY FEATURES OF CREDANT MOBILE GUARDIAN, EDITION 5.3*

Feature: Today Screen Access in Locked State
Function: Provides an option on PPC devices to allow the Today Screen to remain in the foreground after the CMG Shield idle timer has expired. As soon as the end user interacts with the device (e.g. taps the screen or presses a hardware button), CMG Shield will immediately come to the foreground, forcing authentication. Administrators can enable or disable this feature through security policy.
Benefit/Value: Allows the end user to gain the benefit of always-on, instant access to summary information, while guaranteeing protection of the data if more details are needed. Balances security and usability to meet the demands of different levels of device access based on the class of mobile workers and their needs.

Feature: Custom Shield Wallpaper
Function: Provides an option for end users to set a personal background image behind the CMG Shield authentication screen on supported Palm devices. This feature is user controlled, but allowed or disallowed via administrator policy.
Benefit/Value: Allows end users to personalize their protected Palm device so it can be easily identified in a group of similar devices. In addition, end users get some personal benefit out of using CMG Shield.

Feature: ICE Dialing
Function: Provides an option to place an ICE (In Case of Emergency) button on the CMG Shield authentication screen so that if the device is found by someone in an emergency situation, he or she will be able to access the end user’s emergency contacts without having to authenticate to CMG Shield. This feature is user controlled, but allowed or disallowed via administrator policy, and automatically enabled if an ICE entry exists in the user’s address book.
Benefit/Value: ICE is a new standard in the UK and US that allows emergency responders to easily access and call someone’s emergency contacts. By supporting this standard, CREDANT makes it secure and safe to use our technology.

Feature: Address Book Use in Locked State
Function: Provides an option for end users to gain complete access to the address book or contacts while CMG Shield is in a locked state. Administrators can enable or disable this feature through security policy.
Benefit/Value: Gives end users the ability to take full advantage of the phone capabilities of a converged device without providing complete device access. Balances security and usability to meet the demands of different levels of device access based on the class of mobile workers and their needs.

Feature: SMS/MMS Use in Locked State
Function: Provides an option for end users to read and reply to SMS/MMS messages while CMG Shield is in a locked state. Administrators can enable or disable this feature through security policy.
Benefit/Value: Gives end users the ability to take advantage of the communication functions of a converged device without providing complete device access. Balances security and usability to meet the demands of different levels of device access based on the class of mobile workers and their needs.

Feature: MSFP and Exchange ActiveSync (EAS) Interoperability
Function: Complements MSFP security functions available through Exchange ActiveSync by overriding native device security policies, which are limited to enforcing a power-on password on Windows Mobile 5 devices.
Benefit/Value: CREDANT enhances the breadth of security policies that can be administered (e.g. authentication, encryption and device controls) and greatly expands the platforms that can be secured (WM2003, Palm and Symbian). Customers taking advantage of the messaging and security features available in MSFP will find that CREDANT’s Enterprise solution is a welcome addition to ensuring complete protection and control of their entire mobile infrastructure.

Feature: Advanced Application Control
Function: Provides the administrator the capability to lock down a device so that only applications the administrator has specified as allowed can be executed by the end user. End users cannot install or execute new applications on the device that are not allowed through security policy.
Benefit/Value: Provides protection against downloaded malicious code and viruses that could propagate and be executed from mobile device to mobile device. Allows administrators in FFA and manufacturing situations to lock down a device image so it can only be used for its intended purposes.

* Availability of features varies among device platforms.

CREDANT MOBILE GUARDIAN SOFTWARE UPDATES

The CMG Server can be upgraded to a newer version while maintaining policy information. New versions of CMG Local Gatekeeper, Policy Proxy and CMG Shield software can then be distributed easily to existing CMG users via the same process used to initially install those components. A new version of CMG Local Gatekeeper (and CMG Shield for Windows, if desired) is distributed using an organization’s existing software distribution process for notebook and desktop computers. The updated version of CMG Local Gatekeeper is installed with a command option that allows it to continue using the same policy and encryption key information previously distributed. The next time a user synchronizes their mobile device, the updated CMG Shield software is transparently installed on any PDA or Smartphone, and the user can continue to use their device with the same authentication credentials. All encrypted material on the device and any encrypted removable media remains accessible using the same encryption keys. The CMG Policy Proxy can also be updated once the CMG Server has been updated.

SUMMARY

CREDANT Mobile Guardian provides trusted computing for the mobile enterprise by addressing the security issues associated with mobile devices. It allows organizations to benefit from the productivity increases provided by mobile devices while minimizing the risks of financial loss, legal liability, regulatory noncompliance and brand damage associated with loss or theft of sensitive information. CREDANT Mobile Guardian was designed as an enterprise solution that integrates with existing LDAP repositories and with existing enterprise security management practices. It provides robust mobile data security that is centrally controlled and ensures that users can’t disable security by simply removing the application from their PDA or Windows machine or performing a hard reset. Transparent, policy-based mobile device discovery and security software deployment allows an organization to easily secure mobile devices without requiring costly manual provisioning of security software. CREDANT Mobile Guardian is the only solution to combine enterprise management capabilities with strong mobile data security, all in a package that is easy to deploy and manage and is easily accepted by end users.

CONTACT US

Please contact us for more information about how we can help meet your mobile data security needs:

CREDANT Technologies 15303 Dallas Parkway, Suite 1420 Addison, Texas 75001 1-866-CREDANT (273-3268) or 972-458-5400 www.CREDANT.com [email protected]

Disclaimer: This white paper is not intended to take the place of informed legal counsel. The information and recommendations contained herein are for informational purposes only, and should be expanded upon by trusted legal sources. For specific advice about formulating an information security policy that is compliant with current laws and regulations, or for further information about complying with information security laws, it is recommended that you seek professional counsel. © 2007 CREDANT Technologies, Inc. All rights reserved. CREDANT Technologies, CREDANT, the Be Mobile Be Secure tagline, the CREDANT logo are, or will be, registered trademarks of CREDANT Technologies, Inc. All other trademarks, service marks, and/or product names are the property of their respective owners. Product information is subject to change without notice.

