PGP® Endpoint Device Control

Prevents data loss from removable storage and portable device connections

Overview

Removable digital storage devices (such as USB flash drives and CD/DVD drives) and mobile connection technologies (such as Wi-Fi, FireWire, and Bluetooth) are increasingly popular in the enterprise environment. They are convenient and enhance productivity, but present new security risks to the enterprise. The data on these removable endpoint devices and media may contain intellectual property or sensitive customer information. Company policy and employee education can be insufficient to safeguard the data from insider threats and accidental data leakage. The exposure of sensitive data that results from the loss or theft of a removable storage device or medium can result in financial expenses, legal ramifications, and brand damage.

PGP® Endpoint Device Control provides built-in security that detects, authorizes, and secures removable storage devices and media (such as USB drives, CDs, and DVDs).

  • Easy, automatic operation–Permits safe and authorized removable storage use, without changing the user experience or reducing productivity.
  • Enforced security policies–Enforces policies for device usage via USB, FireWire, Wi-Fi, and Bluetooth connections; automatically encrypts removable storage based on policy; can also log usage and demonstrate compliance to auditors.
  • Accelerated deployment–Reduces setup time and speeds enterprise protection without requiring user intervention and by leveraging existing enterprise directory infrastructure.
  • Reduced operation costs–Result from fast deployment, ease of use, centralized management, and automated enforcement of security policies.

Technical Specifications

Supported Operating Systems

PGP Endpoint Client

  • Windows Vista RTM and SP1
  • Windows XP Professional SP2 (32-bit and 64-bit versions)
  • Windows 2000 Professional SP4
  • Windows 2000 Server SP4
  • Windows Server 2003 SP1/SR2 (32-bit and 64-bit versions)
  • Windows XP Embedded SP2
  • Windows Embedded Point of Service
  • Windows XP Tablet PC Edition SP2

PGP Endpoint Administration Server

  • Windows 2000 Server SP4
  • Windows Server 2003 SP1/SR2

PGP Endpoint Administration Server Console (GUI client for PGP Endpoint Administration Server)

  • Windows 2000 Server SP4
  • Windows Server 2003 SP1/SR2

Database (for PGP Endpoint Administration Server)

  • SQL Server 2005 Express SP2 (free)
  • SQL Server 2000 SP4
  • SQL Server 2005 SP2 (32-bit and 64-bit versions)

Supported Device Types

  • Biometric devices
  • COM/serial ports
  • DVD/CD drives
  • Floppy disk drives
  • Imaging devices/Scanners
  • LPT/parallel ports
  • Modems/Secondary network access devices
  • Palm handheld devices
  • Plug and Play devices
  • Printers (USB/Bluetooth)
  • PS/2 ports
  • Removable storage devices
  • RIM BlackBerry® handhelds
  • Smart Card readers
  • Tape drives
  • User Defined devices
  • Windows CE handheld devices
  • Wireless network interface cards

Supported Connectivity

  • USB
  • FireWire
  • Bluetooth
  • WiFi
  • PCMCIA
  • PS/2
  • LPT
  • IrDA
  • IDE
  • COM
  • S-ATA
  • SCSI

Supported Languages

The following languages are supported for the status, permissions, and notification information on PGP® Endpoint client machines:

  • English
  • Dutch
  • French
  • German
  • Italian
  • Japanese
  • Portuguese
  • Russian
  • Simplified Chinese
  • Spanish
  • Swedish
  • Traditional Chinese

FAQ

General

What is PGP Endpoint Device Control and why is it important?

PGP Endpoint Device Control is data protection and encryption software for endpoint devices. PGP Endpoint Device Control prevents data loss from removable storage and portable device connections.

What business problem does PGP Endpoint Device Control solve?

PGP Endpoint Device Control provides built-in security that detects, authorizes, and secures removable storage devices and media (such as USB drives, CDs, and DVDs). It enforces centrally defined device usage policy and stops data losses from network and peripheral connections (such as Bluetooth, WiFi, and FireWire). PGP Endpoint Device Control helps enterprises with their compliance and to monitor data exchanged between the endpoint, devices, and the network.

How does PGP Endpoint Device Control work? What is the end-user experience?

As a comprehensive endpoint data loss prevention solution, PGP Endpoint Device Control secures data in four ways:

  • Permits safe and authorized removable storage use, without changing the user experience or reducing productivity.
  • Automatically detects devices without disrupting the user.
  • Reduces setup time and speeds enterprise protection without requiring user intervention.
  • Allows data to be shared across the enterprise, including by users without PGP® software; access to data is enforced by policy.

How does PGP Endpoint Device Control fit into the PGP Encryption Platform?

PGP Endpoint Device Control is an extension of the PGP Encryption Platform. The PGP Encryption Platform provides an enterprise encryption framework for shared user management, policy, and provisioning that is automated across multiple, integrated encryption applications. Together with PGP Whole Disk Encryption, PGP Endpoint Device Control provides the enterprise with a complete endpoint data loss prevention solution.

Technical

What operating systems are supported?

For a detailed list of operating systems and other technical specifications, please refer to the PGP Endpoint Device Control Technical Specifications.

What is client hardening, and why is it important?

The PGP Endpoint Device Control client is a hardened client. Client hardening prevents unauthorized uninstallation of, or tampering with, the client software; only an administrator can remove a hardened client. This stops users from removing the protections that are in place.

What is a whitelist approach? Why is it important?

A whitelist is a list of explicitly approved items (here: device classes, specific device models, and the users or groups permitted to use them). It is inclusionary: the item being checked must match an entry to be accepted. A blacklist is the opposite: it enumerates what is forbidden and accepts everything else, so it is only as complete as the list of threats already known to it. With a whitelist approach the default is deny. An enterprise does not have to keep up with the volumes of unwanted applications, malware, and unauthorized devices; it defines what is authorized and approved, and everything else is blocked.

What is the White List Driver (WLD) in PGP Endpoint Device Control?

The standard PGP Endpoint Device Control enforcement covers a set of known device classes (the read/write classes listed under Supported Device Types). A device that does not fit any of those classes could still be used to harm the organization. The WLD closes that gap: it allows an organization to define exactly which devices are authorized, and all other devices are simply ignored and unusable.

What is a kernel level driver and why does PGP Endpoint Device Control install this?

A kernel-level driver runs inside the operating system kernel rather than in user mode. Code running in user mode cannot tamper with or bypass a kernel-level driver without first gaining kernel privileges, which makes it a much stronger enforcement point than a user-mode component; a kernel-level driver also performs better than a user-level one. PGP Endpoint Device Control installs a kernel-level driver so that device access and binary execution requests are intercepted in the kernel, before they reach the device.

Can PGP Endpoint Device Control protect plug-and-play devices?

Yes, PGP Endpoint Device Control is able to detect Plug and Play devices, even when they are added on the fly or require a reboot (like some removable devices connected to the parallel port). These devices are subject to the same access controls set for fixed devices of the same type.

How does PGP Endpoint Device Control protect USB, Firewire, and PCMCIA (cardbus) devices?

USB, FireWire, and PCMCIA are bus types, not true ports, so devices attached through them are recognized by their device type, not by how they are connected. For example, an external CD-ROM drive attached to a PC via USB is recognized as device type CD-ROM and is therefore controlled by the same mechanism and settings as an internal CD-ROM drive. Because most MP3 players (such as the iPod) present themselves to the operating system as removable drives, you can choose to ban them from your network either as generic removable storage or as an iPod specifically.
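The following is an added example, not PGP Endpoint code, that models the decision logic the FAQ describes for the whitelist approach, the White List Driver, bus-independent device typing, and the per-user, per-model granularity discussed under Interoperability: a device is classified by type rather than by the bus it arrives on, each class carries per-group read/write rights and an optional forced-encryption setting, specific models can be banned (the "iPod" case) or allowed on top of their class, and anything not explicitly authorized is denied. Every user, group, device class, vendor and product identifier below is constructed for illustration; none is a real hardware ID or a setting name from the product.

```python
"""Illustrative default-deny ("whitelist") device policy evaluator.

Added example, not PGP Endpoint code. It models the behaviour the FAQ
describes; all users, groups, vendor and product identifiers are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    bus: str             # "usb", "ide", "firewire", "pcmcia", ... (not used for the decision)
    dev_class: str       # "cdrom", "removable", "wifi", ...
    vendor_id: str = ""  # constructed identifiers, not real hardware IDs
    product_id: str = ""


@dataclass
class ClassRule:
    rights: dict                    # group name -> set of "read" / "write"
    force_encryption: bool = False  # writes are only allowed onto encrypted media


@dataclass
class Policy:
    classes: dict = field(default_factory=dict)      # class -> ClassRule
    models: dict = field(default_factory=dict)       # (vendor, product) -> rights set, or None = banned
    user_groups: dict = field(default_factory=dict)  # user -> set of groups
    audit: list = field(default_factory=list)        # decisions, as the product would log them

    def evaluate(self, user: str, device: Device, access: str) -> str:
        """Return "allow", "allow-encrypted" or "deny" for one access attempt."""
        model = (device.vendor_id, device.product_id)
        rule = self.classes.get(device.dev_class)
        if rule is None:
            decision = "deny"  # class never whitelisted: the device is unusable
        elif model in self.models and self.models[model] is None:
            decision = "deny"  # model explicitly banned, whatever its class allows
        else:
            groups = self.user_groups.get(user, set()) | {"Everyone"}
            rights = set()
            for g in groups:
                rights |= rule.rights.get(g, set())
            rights |= self.models.get(model) or set()  # model-specific grant, if any
            if access not in rights:
                decision = "deny"
            elif access == "write" and rule.force_encryption:
                decision = "allow-encrypted"
            else:
                decision = "allow"
        self.audit.append({"user": user, "bus": device.bus, "class": device.dev_class,
                           "model": model, "access": access, "decision": decision})
        return decision


def build_sample_policy() -> Policy:
    """Constructed policy: everyone may read CDs and engineers may burn them;
    only Finance may write removable drives, and only with encryption; one
    corporate-issued key is writable by anyone; one MP3 player model is banned."""
    return Policy(
        classes={
            "cdrom": ClassRule({"Everyone": {"read"}, "Engineering": {"read", "write"}}),
            "removable": ClassRule({"Everyone": {"read"}, "Finance": {"read", "write"}},
                                   force_encryption=True),
        },
        models={
            ("ACME", "MP3-1"): None,                  # banned regardless of class rights
            ("ACME", "CORP-KEY"): {"read", "write"},  # company-issued key, allowed for all
        },
        user_groups={"alice": {"Finance"}, "bob": {"Engineering"}},
    )


if __name__ == "__main__":
    p = build_sample_policy()
    # The same CD-ROM rule applies whether the drive is internal (IDE) or external (USB).
    print(p.evaluate("bob", Device("usb", "cdrom"), "write"))
    print(p.evaluate("bob", Device("ide", "cdrom"), "write"))
    print(p.evaluate("alice", Device("usb", "removable", "ACME", "GEN-1"), "write"))
    print(p.evaluate("alice", Device("usb", "removable", "ACME", "MP3-1"), "read"))
    print(p.evaluate("carol", Device("usb", "widget"), "read"))
```

Two things in the evaluator carry the security point: a class that is absent from the policy yields "deny" without ever consulting group rights (the default-deny behaviour the WLD provides), and the model ban is checked before any grant, so a banned player stays banned even for a group that may write removable media.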

How does CD / DVD encryption work?

Using the PGP Endpoint Administration Server, an administrator can grant access and specify encryption options for removable media, including CDs and DVDs. Users can then leverage Windows Explorer or use the Secure Volume Browser interface (included with the PGP Endpoint client) to access / share / decrypt / encrypt removable media. For more information, please refer to the PGP Endpoint Device Control user documentation.

Does PGP Endpoint Device Control store keys in an encrypted format?

Yes. PGP Endpoint Device Control stores all keys in an encrypted format.

Does PGP Endpoint Device Control use the Microsoft Windows domain SAM (Security Account Manager) or is another database required?

The SAM (Security Account Manager) is the component of Windows NT/2000/XP/2003 that stores and manages the user account database, which holds information on all user and group accounts; it also provides the user validation services used by the Local Security Authority. PGP Endpoint Device Control reads account information from Windows but stores a copy of selected parts of the user, group, and computer accounts in the PGP Endpoint database, together with the relationships between users/groups/machines and specific permissions. Storing this information in a database rather than querying the SAM every time user/group/computer information is required offers several advantages: far better performance than direct SAM access, less load on the Domain Controllers, and less network traffic. The trade-off is that the copy is a snapshot: an account or group-membership change made in the directory does not affect device permissions until that copy is refreshed. For a list of supported databases, please refer to the PGP Endpoint Device Control Technical Specifications.

Does PGP Endpoint Device Control write to the Windows event log?

PGP Endpoint Device Control provides an option to log attempts to use a device to the Windows Event Log, where third-party event management programs can collect, group, and manage the events on a more centralized basis.
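As an added example of what a security operations team would do with those events once exported, the script below (not part of PGP Endpoint, and not the product's real event format) runs two detections over a constructed CSV export: users with repeated denied device attempts inside a short window, and a device identifier that is granted access on more than one computer within an hour. The column layout, sample lines, computer names, users and device identifiers are all constructed for illustration.

```python
"""Triage of device-access events exported from the Windows Event Log.

Added example, not part of PGP Endpoint. The CSV layout, field names and
sample lines are constructed and do not represent the product's event format.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed export: one access attempt per line.
SAMPLE_EXPORT = """\
time,computer,user,device_class,device_id,access,result
2008-06-02T09:00:05,WS-017,alice,removable,ACME:GEN-1,write,denied
2008-06-02T09:00:40,WS-017,alice,removable,ACME:GEN-1,write,denied
2008-06-02T09:01:10,WS-017,alice,removable,ACME:GEN-2,write,denied
2008-06-02T09:02:00,WS-017,alice,cdrom,,read,allowed
2008-06-02T09:30:00,WS-022,bob,removable,ACME:CORP-KEY,write,allowed
2008-06-02T09:41:00,WS-031,bob,removable,ACME:CORP-KEY,write,allowed
2008-06-02T13:00:00,WS-022,bob,removable,ACME:CORP-KEY,read,denied
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with a datetime 'time' field."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%S")
        events.append(row)
    return events


def repeated_denials(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` denied attempts inside any `window`."""
    times = defaultdict(list)
    for e in events:
        if e["result"] == "denied":
            times[e["user"]].append(e["time"])
    flagged = set()
    for user, ts in times.items():
        ts.sort()
        # Slide a window of `threshold` consecutive denials over the sorted times.
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                flagged.add(user)
                break
    return flagged


def roaming_devices(events, window=timedelta(hours=1)):
    """Device ids granted access on two different computers within `window`."""
    seen = defaultdict(list)  # device_id -> [(time, computer)]
    for e in events:
        if e["result"] == "allowed" and e["device_id"]:
            seen[e["device_id"]].append((e["time"], e["computer"]))
    flagged = set()
    for dev, uses in seen.items():
        uses.sort()
        for (t1, c1), (t2, c2) in zip(uses, uses[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged.add(dev)
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EXPORT)
    print("repeated denials:", repeated_denials(ev))
    print("roaming devices:", roaming_devices(ev))
```

Both detections only need the fields a device-control log naturally carries (who, where, which device, allowed or denied); the thresholds are starting points to tune against your own baseline rather than recommended values.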

What languages does PGP Endpoint Device Control support?

PGP Endpoint Device Control and PGP Whole Disk Encryption together support English, German, and Japanese. PGP Endpoint Device Control deployments alone support more languages. Please refer to the technical specifications for more information.

Interoperability

I just want USB device protection. Why do I need PGP Endpoint Device Control if PGP Whole Disk Encryption provides USB encryption?

With PGP Whole Disk Encryption, an administrator can protect USB devices with a policy that specifies read only, or forced encryption. PGP Endpoint Device Control provides administrators a granular control of removable device (not just USB) usage. For example, an administrator can specify users, permissions, make and model of devices, and much more in a removable device policy.

How does PGP Endpoint Device Control work with PGP Whole Disk Encryption?

PGP Whole Disk Encryption used in conjunction with PGP Endpoint Device Control allows an administrator to set flexible, granular device policies. For example, an administrator can disallow all MP3 players with a USB interface while permitting certain other USB devices. An administrator can also choose between two encryption options for removable devices: PGP Whole Disk Encryption, or PGP Endpoint Device Control removable device encryption. The latter allows users to share an encrypted USB drive with a user who is not running any PGP client software. With both products installed, when a removable device is used the PGP Endpoint Device Control client queries the PGP Whole Disk Encryption client and enforces policy accordingly.

What version of PGP Whole Disk Encryption is compatible with PGP Endpoint Device Control?

PGP Endpoint Device Control is compatible with PGP Desktop version 9.7 and higher.

Does PGP Endpoint Device Control interfere with other systems or application software?

No. Both PGP Endpoint Device Control and PGP Whole Disk Encryption operate transparently and do not interfere with the operating system or other application software.

Does PGP Endpoint Device Control integrate with LDAP directories?

Yes. PGP Endpoint Device Control is compatible with Microsoft Active Directory and Novell eDirectory.

Does PGP Endpoint Device Control work with systems management tools?

Yes. PGP Endpoint Device Control is compatible with system management tools such as Microsoft SMS that support Microsoft MSI installers.

Management

How much administration does PGP Endpoint Device Control require?

There is no one-size-fits-all answer. The administration effort depends on the complexity of the policies and on how dynamic the client environment is. Once up and running in a relatively stable environment, it requires only monitoring.

Does PGP Endpoint Device Control require PGP Universal Server?

When using PGP Endpoint Device Control alone, PGP Universal Server is not required. However, when PGP Endpoint Device Control and PGP Whole Disk Encryption are used together, the full advantage of PGP Whole Disk Encryption is achieved with a centralized policy managed by PGP Universal Server.

Where can I find release notes and other product-related documentation?

Release Notes and Quick Start Guides are available at http://support.pgp.com/?faq=589. In addition, customers with a current support contract can download User, Administrator, and Programmer Guides from the same link.