
SAFEND Data Protection Suite™

Reviewer’s Guide

Version 3.4

Important Notice
This guide is delivered subject to the following conditions and restrictions:

• This guide contains proprietary information belonging to Safend Ltd. Such
information is supplied solely for the purpose of assisting explicitly and
properly authorized Safend Data Protection Suite users, reviewers and
evaluators.

• No part of its contents may be used for any other purpose, disclosed to any
person or firm or reproduced by any means, electronic or mechanical, without
the expressed prior written permission of Safend Ltd.

• The text and graphics are for the purpose of illustration and reference only.
The specifications on which they are based are subject to change without
notice.

• The software described in this guide is furnished under a license. The
software may be used or copied only in accordance with the terms of that
agreement.

• Information in this guide is subject to change without notice. Corporate and
individual names and data used in examples herein are fictitious unless
otherwise noted.

• The information in this document is provided in good faith but without any
representation or warranty whatsoever, whether it is accurate, or complete or
otherwise and with the expressed understanding that Safend Ltd. shall have
no liability whatsoever to other parties in any way arising from or relating to
the information or its use.

Copyright 2005-2010 Safend Ltd. All rights reserved.

Other company and brand products and service names are trademarks or registered trademarks of their respective
holders.


About This Guide


This Reviewer’s Guide presents an overview of Safend Data Protection Suite 3.4. It provides an explanation of how it
works and enables you to understand how to use Safend Data Protection Suite, in order to guard your network
endpoints.

Reviewer’s Contact Information

Presale contact:
Tomer Greenbaum
Pre-sales and Projects Team Leader
+972-3-644-2662 Ext 201
projects@safend.com

Marketing contact:
Yael Gelberger
Marcom Manager
Safend
yael.gleberger@safend.com

Support contact:
Web: www.safend.com/189-en/Safend.aspx
Email: support@safend.com
Phone: 1-888-225-9193


Table of Contents
About Safend .................................................................................... 5
The Problem ..................................................................................... 6
The Safend Data Protection Suite Solution ....................................................... 7
Why Safend? ..................................................................................... 7
Features List ................................................................................... 8
    Safend Encryptor: Hard Disk Encryption ...................................................... 8
    Safend Protector - Port & Device Control and Removable Storage Encryption ................... 8
    Data Classification
    Safend Inspector: Content Inspection & Filtering ........................................... 11
    Safend Discoverer: Endpoint Data Discovery ................................................. 12
    Safend Reporter: Reporting and Analysis .................................................... 13
    Safend Data Protection Suite Management Features ........................................... 14

Product Walkthrough ............................................................................ 17
    System Architecture ........................................................................ 17
    Safend Policy Definition ................................................................... 20
        What Does a Policy Define? ............................................................. 20
        How Do You Define a Policy? ............................................................ 20
    Safend Encryptor: Hard Disk Encryption Policy .............................................. 27
    Safend Protector: Port & Device Control and Removable Storage Encryption Policy ............ 21
    Configuring Data Classifications ........................................................... 27
    Safend Inspector: Content Inspection & Filtering ........................................... 32
    Safend Discoverer: Endpoint Data Discovery ................................................. 35
    Safend Auditor ............................................................................. 36
    Safend Policy Enforcement – Safend Data Protection Suite Client ............................ 37

Safend Data Protection Suite Implementation Workflow ........................................... 38


About Safend
Safend software solutions protect an organization’s confidential information from loss and theft by monitoring,
detecting and restricting data transfers from the endpoint. They also allow encryption of both detachable devices
and internal hard disks.

Safend's solutions, available through channel partners worldwide, are deployed by multi-national enterprises,
government agencies and small to large scale companies across the globe.

Safend Data Protection Suite

Safend Data Protection Suite is centrally managed using a single management server, single management console
and single, lightweight agent. The combination of the Safend Data Protection Suite license-activated components,
Safend Protector, Encryptor, Inspector, Discoverer, Auditor and Reporter, provides a comprehensive endpoint
protection solution, thus protecting an organization’s sensitive data residing on PCs, laptops and detachable devices.

• Safend Encryptor ensures that mobile users’ data is secure, by
encrypting any data stored on internal hard disks.

• Safend Protector applies customized, highly-granular security
policies over all ports: physical ports, wireless ports and devices. It
can also mandate the encryption of all data transferred to
removable storage devices and CD/DVD media.

• Safend Inspector provides an additional protection layer for data
transferred over approved data transfer channels, such as a white-
listed storage device, an approved WiFi connection, or even a
machine’s LAN connection. It enforces an accurate, data-centric
security policy on data transferred via these endpoint channels,
without disrupting legitimate business processes and disturbing
end user productivity.

• Safend Auditor provides organizations with the visibility needed to
assess and manage vulnerabilities in an enterprise’s PCs and
laptop environment, by identifying and logging all devices that are
or have been locally connected, before the Safend Data Protection
Agent has been deployed to these endpoints.

• Safend Discoverer allows security administrators to locate
sensitive data stored on organizational endpoints. It helps identify
gaps in data protection and compliance initiatives, and provides
insight into what policies should be implemented, using other
components of the Safend Data Protection Suite.

• Safend Reporter provides security and IT personnel with built-in
reports that provide visibility into an organization’s security status
and operational needs.


The Problem
Business survival and success are built on data security. Organizations depend on the security of their data, from
intellectual property such as business plans and trade secrets, to sensitive customer data like health records,
financial information and social security numbers.

Regulatory security initiatives such as Sarbanes Oxley (SOX), HIPAA, PCI, FISMA, and the UK Data Protection Act
(DPA), require organizations to maintain ongoing visibility into endpoint activity. In today’s sensitive regulatory
climate, organizations are expected to demonstrate a comprehensive data protection strategy and understanding of
all data transfer activities.

Industry statistics consistently show that the most significant security threat to the enterprise comes from within. With
over 60% of corporate data residing on endpoints, gateway solutions and written security policies alone cannot
mitigate the risk.

Growing numbers of laptops, removable storage devices, interfaces (physical and wireless), and users with access to
sensitive data have made data leakage via endpoints, both accidental and malicious, a very real threat. An inevitable
fact of life is that laptops are sometimes lost or stolen. It is simply too easy for sensitive data to walk out the door on
an iPod or be uploaded to the Web. According to Forrester, data loss through endpoints is now a leading endpoint
security concern, ahead of malware, spyware and other threats.

Despite the clear and present danger of data leakage and loss, implementing effective endpoint data protection
remains an uphill battle for most organizations. Securing endpoints, without impacting employee productivity and
system performance, demands a highly flexible solution that takes into account the dynamics of real-world work
environments.

Many end users view external devices and outbound communications as personal, and view encryption of any kind
as a headache, often balking at and circumventing imposed security measures. As a result, today’s data protection
solutions need to be transparent without compromising the data security of an organization. All possible endpoint
data leakage avenues must be managed with powerful, enforceable, tamper-proof security.

Endpoint data can exit organizational boundaries in any number of ways: it can be carried away on an unencrypted
storage device, mistakenly sent to unauthorized email recipients, or stolen with the laptop it is stored on. An effective
endpoint security program must address the entire range of risks in order to properly protect an organization’s data.


The Safend Data Protection Suite Solution


Safend Data Protection Suite provides complete endpoint data protection in a single product, with a single
management server and a single, lightweight agent. Featuring easy deployment, seamless maintenance for
administrators, and maximum transparency for end users, Safend Data Protection Suite provides comprehensive
endpoint data security without sacrificing productivity.

Safend Data Protection Suite eliminates data leakage from endpoints, delivering comprehensive visibility, complete
data protection and total control over all available avenues to sensitive data.

Only with detailed visibility of endpoint activity, ongoing and historical, can security administrators effectively monitor
and enforce a security policy that is in-line with real world usage. With Safend Data Protection Suite, security
administrators can rapidly query all organizational endpoints while locating and documenting all devices that are or
have ever been locally connected. Safend Data Protection Suite’s advanced reporting capabilities provide ongoing
insight into the organization’s security status.

Safend Data Protection Suite monitors real-time traffic and applies granular security policies over all physical,
wireless and removable storage interfaces. Safend Data Protection Suite detects, logs, and restricts unapproved data
transfer from any computer in the enterprise. Each computer is protected 100% of the time, even when it is not
connected to the network. Safend Data Protection Suite’s control is built from the ground up to enforce a
comprehensive security policy which is appropriate for all organizational security needs. Sensitive data transfers can
be controlled at different logical levels: redundant physical and wireless ports can be blocked, devices and wireless
networks can be approved or denied by their types and specific characteristics, storage devices’ functionality can be
partially or completely disabled, and the data which exits the organizational boundaries through approved data
transfer channels can be controlled according to its actual content.

Safend Data Protection Suite guards the data stored on hard drives with its innovative, easy to manage hard disk
encryption. Safend Data Protection Suite also ensures that mobile users and data are secure by encrypting any data
written to removable media such as USB flash drives, external hard drives and CD/DVD.

Why Safend?
• Control all your data protection measures with a single management
server, single management console and a single lightweight agent.

• Operationally friendly deployment and management.

• Best-of-breed port and device control.

• Hard disk encryption is completely transparent and does not change
end user experience and common IT procedures.

• Comprehensive and enforceable removable media encryption.

• Full control over sensitive data both inside and outside the
organizational network.


Suite Components
Safend Data Protection Suite provides complete endpoint data protection with a single software product. It includes
several license-activated components. Each component within the Safend Data Protection Suite can be
implemented stand-alone or in combination, and complements your existing security infrastructure.

The following are the main features of the product, divided according to the different components:

Safend Protector - Port & Device Control and Removable Storage Encryption
Safend Protector, a license-activated component of the Safend Data Protection Suite, protects endpoints by applying
customized, highly-granular security policies over all ports: physical ports, wireless ports and devices. It can also
mandate the encryption of all data transferred to removable storage devices and CD/DVD media.

• Port Control – intelligently allows, blocks or restricts the usage of any or all
computer ports in your organization, according to the computer on which they
are located, the user who is logged in and/or the type of port. Safend controls:
USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dialup,
3G, etc.), WiFi, IrDA and Bluetooth ports.

• Device Control – Highly granular identification and approval of devices,
including a comprehensive list of device types and robust white listing of
device models and even distinct devices (by serial number).

• Storage Control – Special control over external and internal storage devices,
including Removable media, External Hard Drives, CD/DVD media, Floppy
and Tape drives. A policy can block usage of device types, models and even
distinct devices (by serial number), restrict usage for read only, or enforce
encryption (see below).

• Removable Media Encryption - Unique to the Safend Data Protection Suite
solution is the ability to restrict the usage of encrypted storage devices to
company computers by use of encryption. This extends the security borders
of organizations and prevents rogue employees from deliberately leaking data
through removable storage devices and media.

• Offline Usage of Encrypted Devices - Specific, pre-approved users can
access encrypted devices outside the protected organization on unprotected
machines using an access password.


• Track Offline Usage of Encrypted Devices - Safend Data Protection Suite
provides administrators with improved visibility on the usage of encrypted
devices outside the organization. With this unique feature, every offline
access to an encrypted device is tracked, providing a comprehensive log of
each file transfer to/from this device. With this powerful log, administrators
can audit users' actions even on non-company computers, in order to validate
legitimate use of corporate data.

• Configurable Password Policy – Administrators can define the security
criteria for the device access password. Administrators can predefine
password parameters such as minimal password length and the types of
characters it contains, in order to comply with the organization's security
guidelines.

• Inbound File-Type Control – This feature provides an additional layer of
granularity and security by inspecting files for their type as they are
transferred from external storage devices, and blocking dangerous or
inappropriate content from being used inside the organization.

• Granular WiFi control - by MAC address, SSID, or the security level of the
network.

• Block Hybrid Network Bridging - Safend Data Protection Suite allows
administrators to control and prevent simultaneous use of various networking
protocols that can lead to inadvertent or intentional hybrid network bridging
(such as WiFi bridging and 3G card bridging). Configuring Safend Data
Protection Suite Clients to block access to WiFi, Bluetooth, Modems or IrDA
links, while the main wired TCP/IP network interface is connected to a
network, enables users to employ the various networking protocols only when
they are disconnected from the network. This avoids the creation and
potential abuse of a hybrid network bridge.

• U3 and autorun control - Turns U3 USB drives into regular USB drives while
attached to organizational endpoints, and protects against dangerous auto-
launch programs by blocking autorun.

• Block USB and PS/2 Hardware Key-Loggers - block or detect the widest
variety of USB and PS/2 hardware keyloggers in the industry, which are
devices that can tap and record every keystroke in your endpoints.


Safend Encryptor: Hard Disk Encryption


As incidents of stolen and lost computers continue to make the headlines, it is crucial for organizations to secure the
data stored on the hard drives of PCs and laptops. Safend Encryptor, a license-activated component of the Safend
Data Protection Suite, encrypts the data stored on PCs and laptops so that, in the case of loss or theft, sensitive data
cannot be read by any unauthorized user.

• Enforced by Policy - Encryption of data on internal hard drives is controlled
by policy, and cannot be bypassed by the end user.

• Key Management - Safend Encryptor incorporates a fully automated key
management solution. All encryption keys are centrally generated and
securely stored on the management server before encryption is initialized.
Encryption keys are generated using a FIPS approved PRNG.

• Transparent to End Users – Transparently uses Windows login to
access the encrypted data and therefore does not require any end-
user training.

• Transparent to Help Desk - Transparently uses the generic AD
domain password reset process. No dedicated password recovery
procedure is required.

• User Authentication - Safend Encryptor transparently supports any multi-
factor authentication device supported by Windows (smart card, USB token,
biometric, etc.), including multi-factor devices that change the Windows GINA
or use a custom one.

• Encryption Technology - Safend’s encryption concept utilizes Total Data
Encryption technology. Using this technology, Safend Encryptor encrypts only
files which may contain sensitive data while avoiding encryption of the
operating system and program files. The encryption is performed in real time,
with minimal performance impact on the endpoint and utilizes the industry
standard AES algorithm with 256-bit key length.

• Data Recovery - Offers an intuitive, easy to implement recovery process in
case of malfunction.

• Full Audit Trail - Comprehensive logs are provided for all activities.


Safend Inspector: Content Inspection & Filtering


Safend Inspector, a license-activated component of the Safend Data Protection Suite, provides an additional
protection layer for data transferred over approved data transfer channels. It enforces an accurate,
data-centric security policy on data transferred from the endpoint without disrupting legitimate
business processes and disturbing end user productivity.

• Permanent Protection - Whenever a user attempts to extract
data from the endpoint, Safend Inspector monitors the action and,
if necessary, enforces the appropriate security policy. This
protection is activated whether the machine is connected to the
organization’s network, a home network or used offline.

• Applying Security Actions - According to the security policy,
Safend Inspector can enforce the following security actions:

    Block - prevents the user from extracting the information from the
    endpoint.

    Ask User - warns the user of their problematic action, and asks
    them if they are sure they want to continue.

    Encrypt - ensures that the data is encrypted when it is extracted
    from the endpoint (this security action can be enforced only on
    external storage devices).

• Multiple Channels Control - Safend Inspector controls data transferred
over the following channels: Email (using Microsoft Outlook), Web (using
Windows Internet Explorer), external storage devices, local printers, and
network printers. Security administrators can control additional channels
using Application Data Access Control, which controls the access of pre-
defined applications to sensitive data.

• Channel-Specific Exemptions - Security policies are highly granular, and
can include specific exemptions for different protected channels. For
example, a security policy can be set to prevent users from downloading
confidential data to all external storage devices, except for company issued
hardware encrypted devices.


Safend Discoverer: Endpoint Data Discovery


Safend Discoverer, a license-activated component of the Safend Data Protection Suite, allows security administrators
to locate sensitive data stored on organizational endpoints.

• Policy-Based Endpoint Discovery - the endpoint discovery process is
triggered by applying a discovery policy on the protected endpoint. This policy
indicates which data classifications should be searched for on the
organizational endpoints. The discovery policy also specifies the type of log
record that will be sent to the management server when sensitive data is
discovered.

When a discovery policy is applied on an endpoint, the Safend Data
Protection Agent scans and classifies all data files on the machine. When a
classified file is discovered, a log record is sent to the Management Server.

• Limit Logs From a Single Endpoint - the administrator can limit the amount
of data sent from a single endpoint in order to balance allocation of network
and storage resources.

Safend Inspector & Discoverer: Data Classification


An effective data-centric security policy requires reliably identifying the data which the policy aims to protect. The
Safend Inspector and Safend Discoverer components of the Safend Data Protection Suite both use the same data
classification mechanism, whose features are described below:

• Multiple Classification Techniques - Safend Data Protection Suite
provides multiple data identification techniques which can be used
individually or in combination to create an effective data
classification scheme:

    Keyword Lists – keyword lists are used to identify data transfer
    incidents which contain specific keywords or keyword sequences. A
    sophisticated “weight” mechanism facilitates the identification of
    logical content, by using dictionaries with different importance
    levels assigned to different phrases.

    Textual Pattern Recognition – Textual pattern recognition is
    used to identify incidents which contain a pre-defined textual
    pattern, such as an email address, a phone number, a serial
    number or a credit card. The patterns are defined using Regular
    Expressions (.net).


    Mathematical Verifiers – Mathematical Verifiers are applied to
    content which matches a pre-defined pattern (such as a credit card
    number or an ID number), and are used to ensure that the content
    was not falsely matched.

    File Types – Individual file types are recognized according to a full
    analysis of the file format.

    File Properties – Multiple meta-data parameters can be used to
    identify sensitive content, including full or partial file name, file
    size, and more.

    Data Fingerprinting – Data fingerprinting is used to identify
    known content, even if the data has been partially modified.

• Built-in Classifications - Safend Data Protection Suite includes
out-of-the-box, pre-configured classifications which identify
common types of sensitive data, such as Patient Health Information
(PHI), Personally Identifiable Information (PII), and credit card
numbers.

• Deep Content Inspection – files are analyzed in depth, including
data stored inside compressed folders and embedded objects.
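The following is an added example, not Safend's code, showing how three of the techniques above combine into one classification decision: a regular expression finds candidate card numbers, a mathematical verifier (the Luhn checksum, assumed here as the verifier for card numbers; the guide does not name one) discards false matches, and a weighted keyword dictionary scores text against a threshold. The keyword weights, the regex, and the sample texts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card number: four groups of four digits, optionally separated by a
# space or dash. Constructed pattern in Python syntax; the product itself uses
# .NET regular expressions, whose syntax for this pattern is the same.
CARD_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: the usual mathematical verifier for card numbers.
    Every second digit from the right is doubled (minus 9 if the result
    exceeds 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Pattern match first, then keep only candidates that pass the verifier.
    Returns the normalized digit strings of the verified matches."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


# Weighted keyword dictionary (constructed sample): phrase -> importance level.
# Higher weights mark phrases that by themselves indicate sensitive content.
KEYWORDS = {
    "diagnosis": 3,
    "medical record": 3,
    "patient": 2,
    "appointment": 1,
}


def keyword_score(text: str) -> int:
    """Sum of weight * occurrences over every phrase in the dictionary."""
    lowered = text.lower()
    return sum(weight * lowered.count(phrase) for phrase, weight in KEYWORDS.items())


@dataclass
class Classification:
    """One classification rule; a test is enabled by giving it a non-default value."""
    name: str
    keyword_threshold: int = 0      # 0 disables the keyword test
    require_card: bool = False      # True requires a verified card number


def classify(text: str, rules: list[Classification]) -> list[str]:
    """Return the names of all rules that match. A rule matches only when
    every technique it enables fires, so techniques can be used alone
    (one test enabled) or in combination (several enabled)."""
    cards = find_card_numbers(text)
    score = keyword_score(text)
    matched = []
    for rule in rules:
        if rule.keyword_threshold and score < rule.keyword_threshold:
            continue
        if rule.require_card and not cards:
            continue
        matched.append(rule.name)
    return matched


# Constructed rule set mirroring two of the built-in classification types.
RULES = [
    Classification("PHI", keyword_threshold=4),
    Classification("Credit card data", require_card=True),
]

if __name__ == "__main__":
    sample = "Patient John: diagnosis attached to the medical record"
    print(classify(sample, RULES))
    # 1234-5678-9012-3456 matches the regex but fails Luhn, so it is dropped
    print(find_card_numbers("card 4111 1111 1111 1111 and 1234-5678-9012-3456"))
```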

Safend Reporter: Reporting and Analysis


Safend Reporter, a license-activated component of the Safend Data Protection Suite, includes several built-in reports
that are designed to accommodate the security and operational needs of the organization and its security and IT
personnel. The information is provided in a clear, easy to understand format for the benefit of non-technical viewers,
such as executives within the organization.

• Security Reports – the security reports allow easy detection of specific
employees and departments that frequently disregard internal security
policies.

• Administrative Reports – the administrative reports assist in the
deployment, policy distribution and overall visibility of endpoint activity within
the organization.

• Drill down reports - the Safend Reporter interface allows a step-by-step drill
down into different aspects of the report, and enables a quick and intuitive
transition from a high-level view to specific detailed information.

• Reports Export - the reports can either be viewed from within the Safend
Data Protection Suite Management Console or be exported to one of several
popular formats for viewing and analysis outside of the Management
Console.


• Report Scheduling - the reports can be scheduled and sent periodically by
email to pre-defined recipients in order to ensure continuous tracking of the
organization’s data security status and compliance with internal security
policies.

Safend Data Protection Suite Management Features


• Safend Data Protection Suite Management Server - A single Management
Server can be used to manage tens of thousands of endpoints, and can be
accessed through the Safend Data Protection Suite Management Console.

• Safend Data Protection Suite Management Console - All Safend
management tools are combined into a single Management Console, which
can be installed and run from any computer on your network. The
Management Console provides unified management of policies, logs and
Clients. The management console supports one-click deployment from the
server website.

• Extensive Logging - enables you to view and analyze the logs collected
from all the endpoints in your organization, both immediately and over time.

• Flexible Monitoring Level - Data-related security incidents are recorded and
sent to the Management Server. The administrator can set the record level to
be kept: log record only, the incident including all transferred text, or the full
incident, including a hidden copy (shadow) of the data. The appropriate
monitoring level can be set according to the available storage resources and
the expected volume of information.

• Logs Data View – Data-related security incidents are filtered, viewed and
analyzed from the Management Console. This incident information contains
all incident data (subject to activating the appropriate monitoring level), and
allows security administrators to easily analyze the incident and understand
why it was triggered.

• Client Management - allows you to browse the status of your machines and
check whether they are protected by the latest version of the Client, what
policy they are using, when they were last updated and more.

• Immediate Updates – Enables you to push a new policy to Clients without
having to wait for the policy update interval to complete. The new policy
becomes effective immediately on all connected Clients. In addition, you can
collect all the logs that were accumulated by the Clients on endpoints
immediately, without having to wait for the log sending interval to complete.


• Active Directory Synchronization - Allows you to look at Logs and manage
Clients from your native organizational units view, through the organizational
tree. The tree is continuously synchronized with your Active Directory to
ensure it remains current at all times.

• Built-In Real-Time Alerts – Enable you to issue alerts of your choice (e.g.,
e-mail, SNMP and more) to desired destinations. Administrators can set the
destinations for sending alerts on a per-policy basis. For example, it is
possible for alerts from different computers/users to be sent to different email
addresses.

• Rich End User Interaction - Proper end user information security education
is a vital component in a successful security program. Safend Data Protection
Suite provides security administrators with the tools necessary for ensuring
end user education and involvement in the data protection process.

When a policy violation is detected, a customizable message is displayed to
the end user. This message can be configured to require end users to enter
the justification for their action, by choosing it from a list of options or inserting
free text. This is a highly effective method of deterring users from committing
potentially harmful actions, without disrupting legitimate business procedures.
The information provided by the end users is sent to the Management Server
together with the incident record, dramatically improving the incident
management process.

• Monitoring Actions Based on End User Decisions – subject to the security
policy configuration, end user decisions can change the monitoring action
applied to a specific incident. For example, the administrator can set the
policy to send logs only for data transfer incidents which the user was warned
about but decided to commit anyway, and avoid sending logs for incidents
which the user aborted.

• Internal Database – Safend Data Protection Suite includes a built-in MySQL
database in order to simplify the installation of small/medium systems. This
database is automatically installed with the Management Server and is fully
maintained by the application. No user maintenance is required.

• Database Management – Administrators can set the number of days for logs
to be stored, as well as set a quota for the database files. Safend Data
Protection Suite Management Server also features manual as well as
scheduled backups for its keys, configuration and logs (logs backup is only
available for the Internal Database). These backups can be used when
recovering from hardware failures as well as when upgrading hardware
platforms.


• External Database – Customers with existing database infrastructures may prefer to use these for storing the Safend Data Protection Suite configuration and log information instead of using the built-in internal database provided with the Management Server installation package. This provides higher system scalability and leverages existing infrastructures and know-how. When installed, Safend Data Protection Suite Management Server can connect to an existing Microsoft SQL (MSSQL) database instead of creating its internal database. Day-to-day maintenance of this database is still handled by Safend Data Protection Suite, including indexing, purging, and key/configuration backup. However, in this case it is the administrator's responsibility to back up log data.

• MSI-Based Client Deployment – The client installation is packaged in an MSI file, featuring silent as well as manual installation. The client can be deployed with any third-party tool for MSI deployment, and more specifically Active Directory GPO, Microsoft SMS and IBM Tivoli.

• Suspend Client – enables you to suspend Client operations temporarily, without having to uninstall it, even when the endpoint does not have any Internet connection. All user actions (such as accessing storage devices or sending a classified email) are allowed and monitored for the duration of the suspension, after which the original policy enforcement is resumed.

• Stealth Mode – Safend Data Protection Suite Agent can be configured to be invisible on endpoints. In this mode, the user doesn't see the product icon and no end user messages are shown.


Product Walkthrough

System Architecture
The system architecture is presented in the following figure:


The system comprises the following components:

Safend Data Protection Suite Management Server(s) – Safend Data Protection Suite Management Server(s) store policies and other definitions, collect logs from Clients, enable Client management and distribute policies to Clients. The Management Server(s) use either an internal or an external database for their repository (see below). The Management Server(s) use IIS to communicate with Clients and Management Consoles (over SSL). Controlling Clients is performed via WMI. LDAP compliant protocols are used to synchronize with the existing organizational objects stored in Active Directory. The Management Server(s) distribute policies directly to Clients (via SSL).

Internal/External Database – Standard databases are used for storing system configuration, policies and log data. Administrators may opt to use an internal MySQL database supplied in the Management Server installation package or to connect to existing MSSQL database infrastructures. Even though using the internal database is simpler and maintenance free, connecting to an external database provides better performance and scalability.

Safend Data Protection Suite Management Console – This enables you to manage Clients, view logs, define policies and administer the system. The Management Console can be installed and run from any computer on your network and uses SSL when communicating with the Management Server. The Management Console supports one-click deployment from the server website.

Safend Data Protection Suite Client – This protects and monitors the endpoints in your organization and alerts/reports about user activity. The Client communicates with a Safend Data Protection Suite Management Server using SSL.

Safend Auditor – Although not an integral part of Safend Data Protection Suite, Safend Auditor is a light-weight client-less tool that goes hand in hand with Safend Data Protection Suite and completes it by providing you with a full view of what ports, devices and networks are (or were previously) in use by your organization's users. You use the output of a Safend Auditor scan to select the devices and networks whose usage you want to approve.

Safend Data Protection Suite Management Server Cluster – A server cluster enables the installation of several Safend Data Protection Suite Management Servers connected to a single external database, so that they seamlessly share the load of traffic from the endpoints, as well as provide redundancy and high availability.


Safend Policy Definition

What Does a Policy Define?


Using the Safend Data Protection Suite, the administrator can create different types of policies. Each type of policy
configures a different component of the Safend Data Protection Suite:

Hard Disk Encryption Security Policy defines whether or not the data on your internal Hard disks will be encrypted.

Port & Device Control Security Policy specifies your organization’s policy regarding the usage of physical ports,
wireless ports, devices and WiFi networks. It also specifies whether the data on removable storage devices and
CD/DVD media will be encrypted.

Data Control Security Policy specifies your organization’s policy regarding sensitive data transferred out of the
protected machine using endpoint or network data transfer channels.

Data Control Discovery Policy defines the parameters for the data discovery process, which locates and maps
sensitive data stored on the organizational endpoints.

How Do You Define a Policy?


Safend Data Protection Suite Policies are defined in the Safend Data Protection Suite Management Console. You can define one policy for your entire organization, or define different policies for different organizational objects defined in your Active Directory. Policies need to be defined once and are then updated on an as-needed basis as requirements change in your organization.

Once you have defined and distributed a policy to the Safend Data Protection Suite Clients you can view activity logs
from each client through the Logs World in the Safend Data Protection Suite Management Console.

After analyzing the logs, you may wish to adjust your policies.


Safend Protector: Port & Device Control and Removable Storage Encryption Policy

Port Control

Safend Data Protection Suite can intelligently allow, block or restrict the usage of any or all computer ports in your
organization, according to the computer on which they are located, the user who is logged in and/or the type of port.
Safend controls: USB, PCMCIA, FireWire, Secure Digital, Serial, Parallel, Modem (e.g., dialup, 3G, etc.), WiFi, IrDA
and Bluetooth ports.

A blocked port is unavailable, as if its wires were cut. An indication that a port is blocked is given when the computer
boots or when a policy is applied that disables a previously allowed port.


Device Control

In addition to controlling port access, Safend Data Protection Suite provides another level of granularity by enabling
you to define which devices can access a port.

For USB, PCMCIA and FireWire ports you can define which device types, device models and/or distinct devices can access a port, as follows.

• Device Types: This option enables you to restrict access to a port according to the type of device that is connected to it. Examples of device types are printing devices, network adapters, human interface devices (such as a mouse) or imaging devices. The device types that are available for selection are built into Safend Data Protection Suite. If you would like to allow a device that is not of one of the types listed here, you can use the Models or the Distinct Devices option, described below.

• Models: This option refers to the model of a specific device type, such as all HP printers or all M-Systems disk-on-keys.

• Distinct Devices: This option refers to a list of distinct devices each with their own unique serial number, meaning each is an actual specific device. For example: the CEO's PDA may be allowed and all other PDAs may be blocked.


Protection against Hardware Key Loggers

Hardware Key Loggers are devices that can be placed by a hostile entity between a keyboard and its host computer in order to tap and record keyboard input and steal vital information, especially identities and passwords.

With Safend Data Protection Suite you can block or detect the widest variety of USB and PS/2 hardware keyloggers
in the industry.

Storage Control

Storage control provides an additional level of detail in which to specify the security requirements of your
organization. This can apply to all storage devices regardless of the port to which they are connected. You can block
storage devices completely, allow read-only access or encrypt the device.

Like non-storage devices, removable storage devices can also be white listed according to the device model or the specific device serial number.
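The following is an added illustration of how the three whitelist levels described above (device types, models and distinct devices) combine with the storage access modes (block, read-only, encrypt). It is example code written for this guide, not Safend's implementation, and the precedence it applies (a distinct-device entry overrides a model entry, which overrides a device-type entry, with default deny) is an assumption of the example; the vendor/product IDs and serial numbers are constructed.

```python
# Added illustration of device and storage whitelist evaluation; not Safend's code.
# Three whitelist levels (device type, model, distinct device/serial) and the
# storage access modes named in the guide (block, read-only, encrypt, allow).
# Precedence (an assumption of this example): a distinct-device entry overrides a
# model entry, which overrides a device-type entry; anything unmatched is blocked.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:
    port: str                      # "USB", "PCMCIA", "FireWire", ...
    dev_type: str                  # "storage", "hid", "printer", "imaging", ...
    vendor_id: int                 # USB-style VID (constructed values below)
    product_id: int                # USB-style PID
    serial: Optional[str] = None   # unique per physical device, if reported

@dataclass
class DevicePolicy:
    allowed_types: dict = field(default_factory=dict)    # {dev_type: access}
    allowed_models: dict = field(default_factory=dict)   # {(vid, pid): access}
    allowed_serials: dict = field(default_factory=dict)  # {serial: access}
    blocked_serials: set = field(default_factory=set)    # explicit deny list

ACCESS_LEVELS = ("block", "read-only", "encrypt", "allow")

def decide(policy: DevicePolicy, dev: Device) -> Tuple[str, str]:
    """Return (access, reason); access is one of ACCESS_LEVELS."""
    if dev.serial is not None and dev.serial in policy.blocked_serials:
        return "block", "distinct device explicitly blocked"
    if dev.serial is not None and dev.serial in policy.allowed_serials:
        return policy.allowed_serials[dev.serial], "distinct device whitelisted"
    model = (dev.vendor_id, dev.product_id)
    if model in policy.allowed_models:
        return policy.allowed_models[model], "model whitelisted"
    if dev.dev_type in policy.allowed_types:
        return policy.allowed_types[dev.dev_type], "device type whitelisted"
    return "block", "no whitelist entry (default deny)"

# Constructed sample policy (VIDs, PIDs and serials are made up for this example).
SAMPLE_POLICY = DevicePolicy(
    allowed_types={"hid": "allow", "storage": "read-only"},
    allowed_models={(0x1234, 0x5678): "encrypt"},      # the corporate flash-drive model
    allowed_serials={"PDA-CEO-0001": "allow"},          # the CEO's PDA
    blocked_serials={"FD-LOST-7788"},                   # a drive reported lost
)

SAMPLE_DEVICES = {
    "mouse":      Device("USB", "hid", 0x0a01, 0x0c77),
    "unknown_fd": Device("USB", "storage", 0x0abc, 0x0001, "FD-9999"),
    "corp_fd":    Device("USB", "storage", 0x1234, 0x5678, "FD-0042"),
    "lost_fd":    Device("USB", "storage", 0x1234, 0x5678, "FD-LOST-7788"),
    "ceo_pda":    Device("USB", "pda", 0x0fff, 0x0002, "PDA-CEO-0001"),
    "other_pda":  Device("USB", "pda", 0x0fff, 0x0002, "PDA-0003"),
    "printer":    Device("FireWire", "printer", 0x03f0, 0x1111),
}

def evaluate_all(policy=SAMPLE_POLICY, devices=SAMPLE_DEVICES) -> dict:
    """Access decision for every sample device, keyed by its sample name."""
    return {name: decide(policy, dev)[0] for name, dev in devices.items()}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        access, reason = decide(SAMPLE_POLICY, dev)
        print(f"{name:12s} {access:10s} ({reason})")
```

Note that the lost drive is blocked even though its model is whitelisted: an explicit deny on a serial number must always win, otherwise a model-level allow silently re-admits a device that should have been retired.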


Safend Removable Storage Encryption

Safend Media Encryption allows administrators to mandate the encryption of all the data being transferred off
organization endpoints to approved storage devices, such as USB flash drives, memory sticks and SD cards, as well
as CD/DVD media and external hard drives, using the 256-bit AES encryption algorithm. This provides organizations
with comprehensive protection from both accidental data loss and deliberate leakage of corporate assets.

Unique to the Safend Data Protection Suite solution is the ability to restrict the usage of encrypted devices to
company computers. This extends the security borders of organizations and prevents rogue employees from
deliberately leaking data through these high-capacity devices.

Within the organization, media encryption is completely transparent and encrypted devices can be read and used
interchangeably on any computer in the organization. End-users are able to read and write to storage devices just as
they would do normally. However, when the same device is plugged into a computer that is not part of the
organization, the data on it will not be accessible.

The Safend Data Protection Suite administrator can choose whether or not to allow specific users password-protected access to the data on non-authorized computers. If allowed, individual users are able to set their own device password, which is required for accessing the device on non-company computers. When plugging in the device outside the organization, a utility residing on the device is used to validate this password and provide access to encrypted information.

File Control

File Control includes an additional layer of granularity and security by monitoring and controlling file transfers to/from
external storage devices. Definitions are set at the level of file type, providing the ability to allow or block specific file
transfers as well as to generate logs and alerts, or even to send a hidden copy of the file to the Management Server.

With File Type Control a highly reliable classification of files is performed by inspecting the file header contents rather
than using file extensions, thus preventing users from easily bypassing the protection by renaming file extensions.

File type control and logging is enabled both for files written to external storage devices and files read from them.
However, if you are using the complete Safend Data Protection Suite, including Safend Inspector for Data Control, it
is recommended to use the Port and Device Control Security Policy only for files read from the device, and use the
Data Control Security Policy to control files written to the device according to their classification.

By inspecting both the files downloaded to external storage devices and those uploaded to the protected endpoint, multiple benefits can be achieved:

• An additional protection layer for preventing data leakage (see comment above)

• Prevention of viruses/malware introduced via external storage devices

• Prevention of inappropriate content introduced via external storage devices. Examples of such content: Unlicensed software, Unlicensed content (e.g., music and movies), Non work-related content (e.g., personal pictures).
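As an added example of the File Type Control idea above, the following classifies a file by its header bytes rather than its name, so that a renamed file is still recognised and an extension that disagrees with the content is flagged. This is illustration code written for this guide, not Safend's classifier; the signature table is a small constructed subset of well-known magic numbers, and the extension mapping, the sample files and the blocked-type set are constructed for the example.

```python
# Added example of file-type classification by header (magic bytes) rather than
# extension; not Safend's implementation. The signature table is a constructed
# subset of well-known magic numbers; the PE check also validates the "PE\0\0"
# signature at the offset stored at 0x3c, rather than trusting "MZ" alone.
import os

# (magic bytes at offset 0, type name)
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),                               # also docx/xlsx/pptx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),        # legacy .doc/.xls/.ppt
    (b"Rar!\x1a\x07", "rar"),
    (b"\x7fELF", "elf"),
]

# Extensions considered consistent with each detected type (constructed mapping).
EXPECTED_EXTENSIONS = {
    "pdf": {".pdf"}, "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "ole2": {".doc", ".xls", ".ppt"}, "rar": {".rar"},
    "elf": {""},                                        # ELF binaries carry no extension
    "pe-executable": {".exe", ".dll", ".sys", ".scr", ".ocx"},
    "dos-executable": {".exe", ".com"},
}

def detect_type(data: bytes) -> str:
    """Classify by content; returns 'unknown' when no signature matches."""
    if data[:2] == b"MZ":
        # An MZ stub is only a PE file if e_lfanew (u32 LE at 0x3c) points at "PE\0\0".
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3c:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def check_transfer(filename: str, data: bytes, blocked_types: set) -> dict:
    """Decide on a file transfer from its real type, and flag extension mismatches."""
    real = detect_type(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = real != "unknown" and ext not in EXPECTED_EXTENSIONS[real]
    return {
        "file": filename,
        "type": real,
        "extension": ext,
        "extension_mismatch": mismatch,
        "action": "block" if real in blocked_types else "allow",
    }

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header: enough for the signature check only."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3c:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)

# Constructed sample transfers: (filename as the user named it, file contents).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("holiday.jpg", _fake_pe()),                 # executable renamed to look like a photo
    ("archive.zip", b"PK\x03\x04\x14\x00" + b"\x00" * 24),
    ("budget.xlsx", b"PK\x03\x04\x14\x00" + b"\x00" * 24),
    ("notes.txt", b"plain text, no signature"),
]

BLOCKED = {"pe-executable", "dos-executable", "elf"}

def scan_samples() -> list:
    """Run the check over the constructed samples."""
    return [check_transfer(name, data, BLOCKED) for name, data in SAMPLES]

if __name__ == "__main__":
    for r in scan_samples():
        print(r)
```

The `holiday.jpg` sample shows why header inspection matters: by extension it is a photo, by content it is a Windows executable, and the record carries both the real type and the mismatch flag so the event can be logged or alerted on as the policy requires.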


The file control aspect of the policy will apply to approved storage devices which were configured to apply file type control in the Devices tab of the policy:

For these devices, the relevant file type control configurations will apply:


WiFi Control

WiFi control ensures that users only connect to approved networks. You define approved links, and the networks or ad hoc links that are allowed access, by the MAC address of the access point, the SSID of the network, the authentication method and the encryption method.


Safend Encryptor: Hard Disk Encryption Policy


Safend Encryptor enforces an enterprise wide policy which protects the data stored on PC and laptop hard drives, so
that sensitive data cannot be read by unauthorized users in the case of loss or theft.

Safend Encryptor utilizes Total Data Encryption technology that encrypts all data files, while avoiding unnecessary
encryption of the operating system and program files. This innovative concept minimizes the risk of operating system
failure, and poses negligible performance impact on user productivity.

Leveraging this unique encryption technology, Safend Encryptor provides a genuinely transparent Hard Disk
Encryption solution, by using the existing Windows login interface for user authentication.

Safend Encryptor utilizes industry standard AES-256 encryption, and is Common Criteria Certified (Evaluation
Assurance Level 2 for Sensitive Data Protection), and FIPS 140-2 Certified. Encryption of data on internal hard drives
is controlled by policy and enforced by the Safend Client on the endpoint.

Applying Hard Disk Encryption using Safend Encryptor is performed with a few simple steps, described below. The
encryption process is completely transparent to both end users and security administrators.

Safend Encryptor Encryption Flow:

Here is a description of the Safend Encryptor encryption flow:
1. Create a new Hard Disk Encryption Security Policy, set the Internal Hard Disk Encryption to Encrypt and associate the policy with the appropriate machines, groups or OUs.


2. Click OK. This will apply the encryption policy to all computers associated with the security policy the next time the Client communicates with the Management Server.
3. Once the policy is updated on the Client, the system automatically conducts machine and user authentication. This phase is comprised of two steps:
a. Machine registration – makes sure that the machine is listed only once in the domain computer list.
b. User authentication – ensures that the currently logged on user is a valid domain user, who will be able to access the encrypted data.
4. The Safend Server creates encryption keys and securely distributes them to the Client.
5. The encryption process begins automatically. This process runs in the background, and therefore does not
require any user action, and the user can continue working normally. The user can shut down or restart the
endpoint during the encryption process; encryption will resume the next time the computer is powered on.
The encryption status and progress is continuously updated on the Management Server, and can be
viewed in the Clients World.
6. The machine is now protected, and secure data will not be compromised in case the computer is lost or
stolen. Security administrators can view the current encryption status of the organizational endpoints, either
through the Clients World or with the Safend Reporter, by running the Encryption Status Report.

Key Management and Distribution

The system encryption mechanism and Key Management is presented in the following figure:

[Figure: key management and distribution. Components shown: Safend Management Server, Safend Management Console and Endpoint Computer, all linked by SSL communication. Labels in the figure: "Machine Encryption Keys"; "One Time Access Key, Secret"; "SSL Encrypted Log"; "All Safend Administrator's actions are audited and logged"; "File Key is Encrypted with Machine Encryption Key and Protected with User Credentials and Recovery Secrets"; "Document Encrypted with File Encryption Key"; "Document".]


Preparations before Encrypting Hard Disks

Before implementing hard disk encryption using Safend Encryptor, it is recommended to follow several steps to
ensure smooth and easy product implementation, while enabling swift data recovery in all failure scenarios:

1. Backup Server Secrets – create a backup of the server's private and public keys in order to be able to re-install the server in case of a hardware or software failure.
2. Backup Server Configuration (Scheduled Backup) – define a scheduled backup for the server
configuration file. All encryption keys are centrally generated and securely stored on the Management
Server before encryption is initialized.


Safend Inspector & Discoverer: Configuring Data Classifications

An effective data-centric security policy requires reliably identifying the data which the policy aims to
protect.

Data classification is a set of definitions which is used by the system to automatically identify data.
Safend Inspector and Safend Discoverer components both utilize the Data Classification Mechanism.

Safend Data Protection Suite includes out-of-the-box, preconfigured classifications identifying common types of sensitive data such as Patient Health Information (PHI), Personally Identifiable Information (PII), and credit card numbers. Organizations can use these classifications as is, or customize them according to their requirements.

To customize a built-in classification, right-click the classification you want to modify and click Customize:

Alternatively, organizations can configure their own custom classifications from scratch.


Data classification consists of one or more classification rules and the Boolean relationship between
them (and, or, not):

The administrator can add additional rules to the classification. Each type of classification rule uses a
different method of identifying the data:

Together, these rules can be used to create highly accurate data classifications, which
will be used to locate and control sensitive data within your organization.
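The following is an added example, written for this guide rather than taken from Safend, of what "classification rules combined with Boolean relationships" looks like in code. Each rule type uses a different detection method (a pattern with checksum validation for card numbers, a keyword count, a regular expression), and a classification is a tree of rules joined by and/or/not. The rule set, the classification definitions and the sample texts are constructed; the card number used is the widely published 4111... test number, not a real account.

```python
# Added example of a classification rule set combined with Boolean operators;
# not Safend's implementation. Rule types (pattern with checksum validation,
# keyword count, regular expression) and the classifications are constructed
# for this example; real classifications would carry many more rules.
import re
from typing import Callable, Iterable, List

Rule = Callable[[str], bool]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def card_number_rule(min_count: int = 1) -> Rule:
    """Pattern rule: at least min_count Luhn-valid card numbers."""
    def rule(text: str) -> bool:
        hits = 0
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits += 1
        return hits >= min_count
    return rule

def keyword_rule(words: Iterable[str], min_count: int = 1) -> Rule:
    """Dictionary rule: at least min_count distinct keywords (case-insensitive, whole words)."""
    pats = [re.compile(r"\b" + re.escape(w) + r"\b", re.IGNORECASE) for w in words]
    return lambda text: sum(1 for p in pats if p.search(text)) >= min_count

def regex_rule(pattern: str) -> Rule:
    """Regular-expression rule."""
    pat = re.compile(pattern)
    return lambda text: pat.search(text) is not None

# Boolean relationships between rules.
def AND(*rules: Rule) -> Rule: return lambda t: all(r(t) for r in rules)
def OR(*rules: Rule) -> Rule:  return lambda t: any(r(t) for r in rules)
def NOT(rule: Rule) -> Rule:   return lambda t: not rule(t)

CLASSIFICATIONS = {
    # A card number alone is weak evidence; require supporting context as well.
    "credit card data": AND(
        card_number_rule(1),
        OR(keyword_rule(["visa", "mastercard", "card number", "cvv", "expiry"]),
           regex_rule(r"\b(0[1-9]|1[0-2])/\d{2}\b")),          # MM/YY expiry date
    ),
    # Health information: two clinical terms, unless the text is marked as test data.
    "PHI": AND(
        keyword_rule(["patient", "diagnosis", "medical record", "prescription"], 2),
        NOT(keyword_rule(["test data", "lorem ipsum"])),
    ),
}

def classify(text: str) -> List[str]:
    """Return the names of all classifications whose rule tree matches."""
    return [name for name, rule in CLASSIFICATIONS.items() if rule(text)]

# Constructed sample texts (the card number is the well-known 4111... test number).
SAMPLES = {
    "card":    "Customer card number 4111-1111-1111-1111, expiry 09/27",
    "phi":     "Patient J. Doe: diagnosis pending, see medical record 42",
    "phi_qa":  "Sample patient diagnosis record used as test data for QA",
    "invoice": "Invoice reference 1234 5678 9012 3456, amount 120.00",
}

def classify_samples() -> dict:
    """Classification result for each constructed sample."""
    return {k: classify(v) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for k, v in classify_samples().items():
        print(f"{k:8s} -> {v}")
```

The `invoice` sample contains a 16-digit number that fails the Luhn check, so it is not reported as card data, and the `phi_qa` sample is excluded by the NOT branch even though it carries two clinical keywords; both cases are the kind of false positive that combining rules, rather than matching a single pattern, is meant to remove.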


Safend Inspector: Content Inspection & Filtering

Safend Inspector provides an additional protection layer for data transferred over approved data transfer channels,
such as a white-listed storage device, an approved WiFi connection, or even a machine’s LAN connection. It
enforces an accurate, data-centric security policy on data transferred via these endpoint channels, without disrupting
legitimate business processes and disturbing end user productivity.

A Data Control Security Policy defines how the Safend Data Protection Suite reacts when classified data is
transferred through controlled channels. Each data control policy defines how the Safend Data Protection Suite
reacts to a specific Data Classification.

This tab is divided into two sections. The first section, Data to Control, allows you to select the classification to which
the policy will refer. The bottom part of the tab, Channels Where this Data is Restricted, allows you to define what will
happen when the user attempts to transfer classified data using the specified channels.


Safend Data Protection Suite controls data transferred over the following channels:

• Email: controls outgoing email using Microsoft Outlook.

• Web: controls web posts using Windows Internet Explorer.

• External Storage: controls data transfer to external storage devices (DOK, external HD, SD cards, etc.).

• Local Printers: controls data printed to local printers.

• Network Printers: controls printing data using a network printer.

• Application Data Access Control: controls pre-defined application access to confidential data via direct file access or the clipboard. Applications are divided into application groups, and each application group can be added to any policy and controlled as a data transfer channel.

Channel Configuration

For each channel, you can define what happens when the user attempts to transfer classified data out of the machine
(Security Action):

• Allow: Allows the action to be performed.

• Block: Stops the action the user is trying to perform.

• Encrypt: Allows the data transfer action, only if the device is encrypted (Only for external storage).

• Ask User: Prompts the user with an "are you sure?" question, and allows the action to be performed only if the user selected "yes".

You can also configure what kind of event will be sent to the server following the user action. You can decide if the
action will generate a log or an alert (monitoring action), and what information will be included in it (monitoring level).

In addition, you can configure the message which will be displayed to the end user following their actions. This
message can be configured to require end users to enter the justification for their action, by choosing it from a list of
options or inserting free text. This is a highly effective method of deterring users from committing potentially harmful
actions, without disrupting legitimate business procedures. The information which is provided by the end users is sent
to the Management Server together with the incident record, dramatically improving the incident management
process:


Finally, you can configure exemptions for each channel. For example, you may want to apply the data control policy
to all emails except for those sent only to recipients in your company, or prevent users from downloading confidential
data to all external storage devices except for the CEO’s hardware encrypted device. Different parameters are used
to define exemptions for the different channels.

To define the channel specific exemption, mark the channel and click Edit Channel. In this window, you can
configure the data destinations you wish to exempt from inspection.
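The following is an added example, not Safend's code, that ties together the channel configuration just described: the per-channel security action (Allow, Block, Encrypt, Ask User), the channel exemptions (emails sent only to company recipients, one exempted hardware-encrypted storage device), and the "Monitoring Actions Based on End User Decisions" behaviour from the feature list earlier in this guide, where a log is sent only for incidents the user was warned about but committed anyway. The channel names, the `log_on` values and the sample policy and transfers are constructed for this example.

```python
# Added example of Data Control channel decisions; not Safend's implementation.
# It models the behaviour described in the guide: the per-channel security action
# (Allow / Block / Encrypt / Ask User), channel exemptions (emails sent only to
# company recipients, one exempted hardware-encrypted storage device), and a
# monitoring action that depends on the end user's decision. Channel names,
# field names and the "log_on" values are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class ChannelRule:
    action: str                      # "allow" | "block" | "encrypt" | "ask"
    log_on: str = "always"           # "always" | "proceeded" | "never"
    exempt_domains: set = field(default_factory=set)          # email channel
    exempt_device_serials: set = field(default_factory=set)   # external storage

@dataclass
class Transfer:
    channel: str
    classified: bool                    # did the data classification match?
    recipients: Tuple[str, ...] = ()
    device_serial: Optional[str] = None
    device_encrypted: bool = False
    user_choice: Optional[str] = None   # "yes" / "no" when the user is asked
    justification: str = ""             # free text or chosen reason, if asked

def is_exempt(rule: ChannelRule, t: Transfer) -> bool:
    """Channel-specific exemptions: all recipients internal, or an exempted device."""
    if t.channel == "email" and t.recipients:
        return all(r.rsplit("@", 1)[-1].lower() in rule.exempt_domains for r in t.recipients)
    if t.channel == "external_storage" and t.device_serial:
        return t.device_serial in rule.exempt_device_serials
    return False

def decide(policy: dict, t: Transfer) -> dict:
    """Apply the channel rule and return the outcome plus what gets reported."""
    rule = policy.get(t.channel)
    if rule is None or not t.classified or is_exempt(rule, t):
        return {"result": "allowed", "warned": False, "log": False}
    warned = False
    if rule.action == "allow":
        result = "allowed"
    elif rule.action == "block":
        result = "blocked"
    elif rule.action == "encrypt":            # external storage only
        result = "allowed" if t.device_encrypted else "blocked"
    elif rule.action == "ask":
        warned = True
        result = "allowed" if t.user_choice == "yes" else "aborted"
    else:
        raise ValueError(f"unknown action {rule.action!r}")
    # "proceeded": log only incidents the user was warned about but committed anyway.
    log = rule.log_on == "always" or (
        rule.log_on == "proceeded" and warned and result == "allowed")
    record = {"result": result, "warned": warned, "log": log}
    if log and warned:
        record["justification"] = t.justification   # travels with the incident record
    return record

# Constructed sample policy.
SAMPLE_POLICY = {
    "email": ChannelRule("ask", log_on="proceeded", exempt_domains={"example.com"}),
    "web": ChannelRule("block"),
    "external_storage": ChannelRule("encrypt", exempt_device_serials={"HWENC-CEO-01"}),
}

# Constructed sample transfers.
SAMPLE_TRANSFERS = {
    "internal_mail": Transfer("email", True, recipients=("a@example.com", "b@Example.com")),
    "external_mail_yes": Transfer("email", True, recipients=("a@example.com", "x@partner.net"),
                                  user_choice="yes", justification="contract review"),
    "external_mail_no": Transfer("email", True, recipients=("x@partner.net",), user_choice="no"),
    "web_post": Transfer("web", True),
    "plain_fd": Transfer("external_storage", True, device_serial="FD-1", device_encrypted=False),
    "enc_fd": Transfer("external_storage", True, device_serial="FD-2", device_encrypted=True),
    "ceo_fd": Transfer("external_storage", True, device_serial="HWENC-CEO-01"),
    "unclassified": Transfer("web", False),
}

def run_samples(policy=SAMPLE_POLICY, transfers=SAMPLE_TRANSFERS) -> dict:
    """Decision record for every sample transfer, keyed by its sample name."""
    return {name: decide(policy, t) for name, t in transfers.items()}

if __name__ == "__main__":
    for name, rec in run_samples().items():
        print(f"{name:18s} {rec}")
```

The two external-mail samples show the monitoring rule in action: the user who was warned and chose "yes" produces a log record carrying the justification, while the user who aborted produces no log at all, which is exactly the noise reduction the feature list describes.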


Safend Discoverer: Endpoint Data Discovery

Understanding where sensitive data is located is the foundation of any data protection project. Safend Data
Protection Suite allows security administrators to locate sensitive data stored on organizational endpoints. This
process helps identify gaps in data protection and compliance initiatives and provides insight into what policies
should be implemented using other components of the Safend Data Protection Suite.

The endpoint discovery process is triggered by applying a Discovery Policy on the protected endpoint. This policy indicates which data classifications should be searched for on the organizational endpoints. The Discovery Policy also specifies the type of log record that will be sent to the Management Server when sensitive data is discovered.

When a Discovery policy is applied on the endpoint, the Safend Data Protection Suite Agent scans and classifies all data files on the machine. When a classified file is discovered, a log record is sent to the Management Server. The discovery process runs in the background, with minimal effect on endpoint performance.

The status of the discovery process conducted on each endpoint is displayed in the Clients World.


Safend Auditor
Safend Auditor is a tool that goes hand in hand with Safend Data Protection Suite and complements its capabilities
by providing you with the visibility needed to identify and manage endpoint vulnerabilities: a full view of what ports,
devices and networks are (or were previously) in use by your organization's users. Organizations can use the output
of a Safend Auditor scan to select the devices and networks whose usage they want to approve.


Safend Policy Enforcement – Safend Data Protection Suite Client

Safend Data Protection Suite Client is a lightweight software package that transparently runs on endpoint computers,
at the kernel level, and enforces protection policies on each machine on which it is applied. It has a minimal footprint
(in terms of file size, CPU and memory resources) and includes redundant, multi-tiered anti-tampering features to
guarantee permanent control over endpoints.

Safend Data Protection Suite Clients can be silently installed on all endpoints. Once policies have been distributed,
the Client immediately starts protecting the computer.

When a violation of a Safend Data Protection Suite policy occurs or during certain usage activities, a message is
displayed on the endpoint computer. A log entry may be created to record this event, according to the preferences
you defined in your policy.

If you wish, you may install the Client in Stealth Mode, hiding both the Safend tray icon and its messages and making the Safend Data Protection Suite Client invisible to the user at the endpoint.


Safend Data Protection Suite Implementation


Workflow
The following is an overview of the workflow for implementing and using Safend Data Protection Suite.

• Step 1: Install the Safend Data Protection Suite Management Server and Console.

• Step 2 (optional): Install Additional Management Consoles.

• Step 3: Define General Safend Data Protection Suite Administration Settings.

• Step 4 (optional): Scan Computers and Detect Port/Device Usage. Use Safend Auditor to detect the ports that have been used in your organization and the devices and WiFi networks that are, or were, connected to these ports.

• Step 5: Define Safend Data Protection Suite 1st Policies. In this stage, it is recommended to create a permissive policy for the entire organization, which monitors end user activities. This policy will allow you to learn how devices and data are used in your organization for legitimate business processes before enforcing a more restrictive policy.

• Step 6: Install Safend Data Protection Suite Client on Endpoints.

• Step 8: Discover Sensitive Data. In this stage, you create a discovery policy and associate it with organizational endpoints to determine which endpoints store sensitive data.

• Step 9: Analyze Initial Logs. In this stage, you review the logs received from the endpoints and determine which user activity is an appropriate business process which should be allowed by policy and which is a potentially harmful action which should be blocked.

• Step 10: Create and distribute enforcement policies. In this stage you define how data is protected in your organization: which machines and removable storage devices are encrypted; how ports, devices and WiFi networks are used; and which data can be transferred out of protected endpoints.

• Step 11: Endpoints are Protected by Safend Data Protection Suite Policies. In this stage, all security policies are enforced on the endpoints. Logs about attempts to violate these policies, as well as tampering attempts, are created and sent to the Management Server.


• Step 12: Monitoring Logs and Alerts. View the log entries generated by Safend Data Protection Suite Clients. Analyze these logs and maintain ongoing visibility into the organization's security status, using Safend Reporter.
