1

Understanding Northwestern University’s contract with Symantec

Symantec Solutions for Cost Reduction & Optimization

Chris Hagelin and Shane ScholesSymantec Account Manager and Symantec Sales Engineer

Presentation Identifier Goes Here

Agenda

• Symantec Overview

• Agreement Overview

• Symantec Endpoint Encryption

2Presentation Identifier Goes Here

Industry Recognition 

Datacenter Optimization 3

• Consumer Endpoint Security                                          (#1 market position1)

• Endpoint Security                                                             (#1 market position2, Positioned in Leader’s Quadrant in Gartner Magic Quadrant3)

• Messaging Security   (#1 market position4, Positioned in Leader’s Quadrant in Gartner Magic Quadrant leader5)

• Policy & Compliance                                                             (#1 market position6)

• Email Archiving  (#1market position7, Positioned in Leader’s Quadrant in Gartner Magic Quadrant8, Forrester Wave leader9)

• Data Loss Prevention  (#1 market position, Positioned in Leader’s Quadrant in Gartner Magic Quadrant10 and Forrester Wave leader11)

• Security Management     (#1 market position12)

• Security Information & Event Management (SIEM) (Positioned in Leader’s Quadrant in Gartner Magic quadrant13)

Security Leadership

Storage and Availability Management Leadership

• Storage Infrastructure Software                                        (#1 market position14)

• Core Storage Management Software                            (#1 market position15)

• Data Protection                                                                  (#1 market position 16)

Deliver an increasing number of business services with significantly fewer resources than last year.

Federated vsConsolidated Education

Delivery of Open 

Education 

Confidential Data 

Exposure 

Technical ‐data growth, 

data duplication

We Understand Your Reality

Datacenter Optimization 4

Compliance

Facilities cost

end-point evolution

Personnel -lack of

resources

Symantec and Northwestern University Partnership

• Working in partnership with Northwestern University to provide a comprehensive and sustainable solution for all aspects of member’s requirement.

• Ensuring successful projects and minimizing risk for all member’s information risk management initiatives.

• Providing support and advice to NU members after deployment to ensure smooth operation and continued protection.

Presentation Identifier Goes Here 5

Symantec is committed to:

Symantec and Northwestern University Partnership

A three‐year Agreement (expires: June 30, 2013)

Symantec Security and End Point Management Solutions

FTE‐based license model

Perpetual and Subscription options

License, Support and Competitive Replacement Models

Delivered thru Software Partner: SHI

Presentation Identifier Goes Here 6

Agreement Outline:

Symantec and Northwestern University

Technology Solutions include:Symantec Protection SuiteAnti‐Virus (SEP)Anti‐spam (SEP)Anti‐spyware (SEP)Network Access Control (SEP)Mail Gateway Security (Brightmail)Back‐up Exec for end‐points

Additional Options Available on ContractEncryptionData Loss PreventionAltiris

Presentation Identifier Goes Here 7

Agreement Outline:

Obtaining the Software

• SEP available for download via NUIT Web site– www.it.northwestern.edu/software/sav/index.html

– www.it.northwestern.edu/software/secure/index.html

• Requests for additional quotes go to teamshi@shi.com

Presentation Identifier Goes Here 8

Symantec Endpoint Encryption 7.0

10

Data is Pervasive and Portable:

– Desktops and Laptops

– Computer hard drives

– Removable storage devices, such as CDs and USB drives

Risk for organizations:

– Loss of data and associated expenses

Data at Risk puts your Business at Risk

The Problem with Data

11

Where’s the biggest risk?

Lost or stolen laptops

Data sent to wrong recipient

Lost CD or other removable media

External attacks

Otherincludes paper

Data stolen without authorization

Fifty six data cases were investigated by the Financial Crime Operations team at the

FSA in 2007, according to FOI statistics obtained by Computer Weekly.

Oct 2008 Sarah Hilley

12

What customers are looking for…..

• Centralized Management

• AD Integration/No AD Integration

• Non Intrusive User experience

• Data secured from review by external persons

• The ability to share data with external persons

• Device Control

• Certifications (FIPS, CC….)

• Full/Whole Disk*

• Integration with….

12

TECHNICAL

What they are really looking for….

• The ability to deploy a solution with minimal trouble.

• The ability to say that a lost or stolen system will not be compromised.

• Advice….How other people are deploying.

• Something that will not break another solution they have deployed.

• To know “What is Encryption?” (no joke)

• To do this in this easiest way possible.

13

NON-TECHNICAL

14

Endpoint Encryption Terms

• Full Disk Encryption secures all data stored on a PC’s hard drive

• File‐based Encryption secures individual files on a PC’s hard drive or on removable storage devices such as CD/DVD, USB memory sticks, iPods, portable hard drives, etc.

• Data‐in‐use—data  that is currently being accessed and used. 

• Data‐in‐motion—data that is being transmitted via IM, email, etc.

• Data‐at‐rest—data that exists on PCs that are in shutdown, sleep, or hibernate mode or that have invoked screensaver passwords

The bottom line is that a significant number of PCs and media devices carrying business data will not be properly encrypted and are fated to cause disasters for companies and

the individuals who are affected. The odds suggest that this will happen to your organization, whether it is small, midsize or large. The rosters of companies listed in

various public sources and blogs touch business entities of all types in countries around the world. Gartner, Nov 2008

15

Symantec Endpoint Encryption

Symantec Endpoint Encryption

Symantec Endpoint EncryptionFull Disk Edition

Symantec Endpoint EncryptionRemovable Storage Edition

Advanced encryption for desktops, laptops and removable storage devices offering scalable security and prevention of

information compromise.

16

• FIPS 140‐2 validated, CC EAL4 pending

• Pre‐boot authentication

• Password recovery

–Self‐Service Authenti‐Check™ 

–Remote one‐time password recovery

• Advanced enterprise ready capabilities

–Multiple user / administrator accounts

–Software setup and installation tools

–Administrative drive recovery

–Wake on LAN

Endpoint Encryption – Full Disk

Symantec Endpoint EncryptionFull Disk Edition

•OS and system files•Swap / hibernation files•Data / multiple partitions

17

• Full partition or disk encryption– Encrypts boot disk– Encrypts up to 26 partitions on system boot disk

• FIPS 140‐2 validated AES cryptography– 256‐bit key (default) or 128‐bit key for disk encryption

• Excellent performance– Partition or disk level encryption

• Initial encryption after installation

• Runs in low priority background

• Users can continue to use their machine

• Power loss feature always enabled

– Run‐time encryption• Users typically do not notice performance

• 5% to 15% depending on variety of factors

Endpoint Encryption – Full Disk

18

• Encrypts all disk sectors– Includes swap files, hibernation files, temporary files

• Supports standby and hibernation modes– Encrypts hibernation file– Prompts for user credentials when resume from hibernation if pre‐boot 

authentication enabled

• Low level encryption driver– Intercepts all Windows calls to read and write files

• Encrypts data from memory and writes to disk• Decrypts data from disk and writes to memory

– Completely transparent to all Windows applications– Completely transparent to Windows operating system– Data stored on disk is always encrypted

• No temporary files with decrypted data

Endpoint Encryption – Full Disk

19

Pre‐boot Authentication

• Hardened pre‐boot operating system

– Small footprint and attack surface

– Adds extra layer of security when enabled

– Users authenticate to pre‐boot logon dialog

• Key management included

– Does not require separate key management infrastructure

– User logon credentials securely stored in PB environment

• Single sign‐on

– Windows Single Sign‐on integration

– Novell Single Sign‐on – Supports version 4.9.1 SP3 or later

– User password changes automatically synchronized

• Recovery

– Recovery keys automatically encrypted and escrowed in server

• Optional per installation by administrator

– Customers can elect to deploy without it

– Windows responsible for user authentication

– Drive fully encrypted even if pre‐boot authentication is disabled

20

Password recovery

• Self‐service recovery for lost or forgotten passwords

– Authenti‐Check™ challenge/response questions and answers

– Administrator or user provisioned questions

– User provisioned responses

– Administrator option to deploy

• Help Desk assisted One‐Time Password

– Challenge/response keys

– Unique to each workstation

– Keys automatically escrowed to server during client check‐in

– Separate administrative role with read‐only access to necessary key information

– Separate application for Help Desk personnel only

– Administrator option to deploy

– Requires user to change password after OTP gives access to machine

– Enables recovery for registered users if machine locked due to missing required reporting period

21

• File level encryption

• FIPS 140‐2 certified algorithms

• 256 bit and 128 bit AES

• File Encryption Key (FEK)

– Unique key per file

• Key protection / user authentication

– Passwords

– Certificates

– Workgroup key

– Administrative data recovery certificate

Endpoint Encryption – Removable Storage

Symantec Endpoint EncryptionRemovable Storage Edition

22

• Transparent end user operation

• Comprehensive encryption support

– Policy based encryption for removable media

– FIPS certified AES 256 bit or 128 bit, CC EAL4 pending

– Encrypt plain text data on devices

• Best‐in‐class storage media support

– Flash drives, Hard drives, SD cards

– CF cards, CDs/DVDs, iPods, etc.

• Portability

– Access utility – Install by policy, read / write encrypted data

– Self‐extracting archives

• Group and Kiosk mode operation

• Centrally managed data recovery

Endpoint Encryption – Removable Storage

23

Key Management

24

• Key considerations:– Data files only– One password per CD/DVD– Up to 12 levels of nested folders– One session per disc– Will not block unencrypted writes from other burning applications

• Leverages SEE policies:– Encryption– Encryption Method– Group Key– Administrative Data Recovery Certificate– Auto‐copying of Access utility

Endpoint Encryption – Removable Storage

25

• Administrative access to encrypted data 

– Lost / destroyed password

– User left company

• Recovery Key

– Certificate distributed with software install

– Administrator controls private key

• Requires Certificate Authority but not PKI 

Endpoint Encryption – Removable Storage

26

Symantec Endpoint Encryption Management Server

• Application services: deployment, policy management, reporting, database operations, directory

services integration (LDAP)• Web services: IIS enabled client

communications

Client / Server Communications

• SOAP over HTTP• SOAP over HTTPS (optional)

Database• Microsoft SQL Server 2005

(Express Edition with Advanced Services, Standard Edition,

Enterprise Edition) • Familiar, robust, and scalable data

management• Enables fast and comprehensive

reporting

27

Deployment and administration

• Server installation– Standard MSI installer packages

• SEE Management Server (SEEMS)• Microsoft Internet Information Service (IIS)• Microsoft SQL Server 2005 (Express, Standard or Enterprise)• SEE Manager and administrative tools

• Client installation– Standard MSI installer package– Supports Active Directory, eDirectory and non‐domain endpoints– Supports installation through GPO or any enterprise software deployment tool

• E.g. Altiris, Tivoli, SMS, etc.– Silent installation– Automatically launches disk encryption– Automatically reports back to server

• Escrows encrypted recovery keys• Periodically reports state of encryption for all partitions

– Audit trail for validating endpoint state when it goes lost or missing

28

Multiple user and administrator accounts

• Supports multiple users– Over 250+ registered users per endpoint

• Option for automatic user registration– Supports public machines or kiosks– No prompt for user during registration 

process

• Clear separation of administrative accounts and roles– Server administration

• Installation, administration, password management

– Endpoint policy administration• Creating and deploying security policies to endpoints

• Leverages Active Directory by using Group Policy Objects

– Assisting users with One‐Time Password access• Help Desk personnel

• Read‐only access to OTP challenge/response keys

– Hands‐on endpoint administration• User lockout recovery, data recovery, decryption

• Over 250+ Client Administrators per endpoint

29

Policy Administrators

Symantec Endpoint Encryption Policy Administrators

•Create Client Setup (.msi) files and deploy to users’ computers•Create and deploy policy updates to clients

•Audit clients with Symantec Endpoint Encryption Client Monitor•Establish Symantec Endpoint Encryption Client Administrators

30

Client AdministratorsSymantec Endpoint Encryption Client Administrators

•Perform administrative tasks on clients•Unregister users

•Extend a scheduled lockout condition•Initiate data recovery operations

•Unlock a machine

31

Client reporting and Auditing

The Group View and global reporting features display comprehensive audit information on the state of endpoint encryption

32

Operating system support

• Support for enterprise Windows 32‐bit and 64‐bit versions– Client

• Microsoft Windows 2000 SP4

• Microsoft Windows XP Professional SP 2 and SP 3, Tablet PC

• Microsoft Windows Vista R1 and SP 1– Business, Ultimate and Enterprise Editions

• Microsoft Windows 7– Professional, Ultimate, or Enterprise; 32‐bit or 64‐bit

– Server• Microsoft Windows Server 2003– All service packs

33

Advanced management tools

• Comprehensive suite of administrative tools– Remote machine access

• Supports Wake On Lan• Pre‐boot authentication suppressed for machine maintenance• Deployed by administrator policy or MSI

– Local machine access• Enables local machine administration while disk remains encrypted

– Data recovery• Enables local data recovery for failed or corrupted disks• Uses escrowed recovery keys if local keys damaged• Includes ability to force disk or partition decryption

– Forensic data recovery• Integration with Guidant Software EnCase forensic data recovery solution

34

Security validations

• FIPS 140‐2 validated cryptographic library– AES encryption algorithm

• Industry and government standard

• Fast symmetrical encryption algorithm

• Primarily used for data encryption and decryption

– SHA‐1 hash algorithm• One‐way hash

• Primarily used for credential and key management

• Securely encrypts user credentials in pre‐boot environment

– Pseudo‐random number generator• Generates unique workstation keys for encryption

• Common Criteria– EAL 1 validated, EAL 4 pending

NU TechTalk – Symantec Series

Symantec Protection Suite ‐ September 28

Data Loss Prevention ‐ October 26

Altiris Overview ‐ November 30

Presentation Identifier Goes Here 35

Upcoming Events – NUIT Tech Talk Symantec Series