Using Harddisk Encryption and Novell® SecureLogin
Troy Drewry, Technical Sales Specialist, Novell, Inc.
Dirk Strauch, Senior Consultant, cv (Cryptovision)
© Novell, Inc. All rights reserved.
Overview
Focus Shifts from Protecting the Network to Protecting Data
• The Challenge of Data at Rest
– Enterprise Data on Desktops, Laptops and Servers
– Stolen and Lost Laptops
– Data in Transit
– Security Breaches
• Regulations and Governance
– Corporate and Industry
– Local, State and Federal Government
– International Considerations
• Corporate Impact
– Consequences of a security breach for the client mind-set
– Effect of negative media exposure on corporate profits
• Using Hard Disk Encryption and Novell® SecureLogin for ESSO
– A Stronger Alternative to Microsoft Windows Security
– Don’t Touch that Application
Encryption Technology
• Hardware-Based Solutions
– Intel® Anti-Theft Technology (Intel® AT)
http://www.intel.com/technology/anti-theft
– Seagate DriveTrust™ (Self-Encrypting Drives) Technology
http://www.seagate.com/docs/pdf/whitepaper/TP564_DriveTrust_Oct06.pdf
– Geo Location and Others
(http://www.absolute.com) (http://www.computersecurity.com/laptop-tracking)
• Software-Based Solutions
– Pre-Boot Authentication (PBA)
– Full Drive Encryption (FDE)
– File and Folder Encryption (FFE)
– Port Security (USB/FireWire/Etc.)
– External Drive Protection
– File Sharing Safeguards
• Auditing
– Logging and Forensics Preparation
– Reporting and Compliance
Implementing Hard Disk Encryption
Components
• Servers
– Key Storage
– Directory Interoperability
– Administration and Management
– Scalability
• Endpoint Platforms
– Workstations
– Laptops
– Virtual Machines
– Kiosks (Terminal Services and Citrix)
– Mobile Devices
– Others
• OS Considerations
– Windows
– Linux/Unix
– Mac
– Mobile (at least 4)
• Authentication Mechanism
– Credentials
– Smart Cards
– Biometrics
– Tokens
Weighted Options to Implementation
• Enterprise and Remote Roaming User Solutions
• Pre-Boot Authentication Effects
• Full Disk Encryption v. File and Folder Encryption
• OS Handshake/Hand-Off Options
• Port and Disk Access Control or Free Range Users
• Logging and Reporting as a Requirement
Demonstration
Components of the demonstration:
• Cryptovision smart card and PKI security
• WinMagic pre-boot authentication
• Microsoft Active Directory authentication
• Novell® SecureLogin
Cryptovision Configuration
Overview
• PKI Infrastructure Overview
• PKI in a Novell® Environment with cv act PKIntegrated
• cv act sc/Interface middle-ware
• Smart Card
Public Key Infrastructure Overview
[Diagram: PKI roles and artifacts. Roles shown: User, Registration Authority (RA), Certification Authority (CA), Certification Repository, Application. Artifacts shown: Public Key, Private Key, Digital Certificate.]
PKI in a Novell® Environment: cv act PKIntegrated
[Diagram: cv act PKIntegrated architecture. Components shown: CA Engine, PKIntegrated Administration, PKI Applications (OCSP, SCEP), Novell Identity Manager, iManager, Novell eDirectory™ (accessed over LDAP). Connected systems shown: Siemens DirX, Microsoft ADS, SAP HR, PeopleSoft, Lotus Notes, LDAP.]
Additional Components
cv act PKIntegrated – managing digital certificates in a Novell® environment
• Included seamlessly in Novell infrastructure
• Using Novell products
– Novell eDirectory™ (data store)
– iManager (administration)
– Novell Identity Manager (cryptographic functions)
Additional Components
cv act sc/interface – providing access to smart cards
– Smart card middleware
– Providing access to the most common smart cards,
including Java Card: G&D Sm@rtCafé Expert, G&D Micro SD Card microSD, StarCOS, IBM JCOP, CardOS, ACOS, AustriaCard JCOP, Gemalto TOP IM GX4, Infineon JTOP, Aladdin eToken, G&D StarSign, Siemens HiPath, A.E.T. SafeSign, Nexus Personal, D-Trust
WinMagic Configuration
Overview
• SecureDoc Overview and Features
• SecureDoc Solution
SecureDoc Overview and Features
[Diagram: SecureDoc architecture. SecureDoc Enterprise Server, exposing an API to Third Party Management Applications, manages the SecureDoc Client Software. Client authentication options shown: Passwords, Tokens, Smartcards, Biometrics, PKI, TPM. Encryption targets shown: Windows Full Disk Encryption, Seagate FDE, MXI, SanDisk / Kingston, Ironkey, and new crypto devices added through an API interface. Client features shown: Data Leak Protection, Removable Media Encryption, Email, File / Folder Encryption, Call Home, Port Control, Anti virus. Platforms shown: Mac / EFI, Linux, Symbian.]
SecureDoc Solution
[Diagram: SecureDoc Enterprise Server and SecureDoc Client. Server side: Active Directory / LDAP Server / PKI integration, Key Escrow, Security Policy Manager, User / Group Management System, Key Management System, Software Distribution Tools, User Support Tools, Consolidated Audit Log. Client side: Multi-Factor User Authentication (Pre-Boot) and Access Control, AES Software Encryption Engine, Seagate DriveTrust Drive, 3rd Party Encryption USB Stick. Protected objects: Disk Sector, USB/CD/DVD Removable Media, Folder, File, Container. Client and server communicate over SD CONNEX Secure Client Server Communications.]
Novell® SecureLogin
Overview
• Microsoft Active Directory Data Store
• SecureLogin Workstation Agent
• Novell® SecureLogin Hard Disk Encryption Implications
Microsoft Active Directory Data Store
• Active Directory is being used in this demonstration
• We could have used Novell® eDirectory™ or any other LDAP v3 directory
• Schema Extensions made Using ADSchema.exe
– Prot:SSO Auth
– Prot:SSO Entry (LDAP:protocom-SSO-Entries)
– Prot:SSO Entry Checksum (LDAP:protocom-SSO-Entries-Checksum)
– Prot:SSO Profile (LDAP:protocom-SSO-Profile)
– Prot:SSO Security Prefs (LDAP:protocom-SSO-Security-Prefs)
– Prot:SSO Security Prefs Checksum (LDAP:protocom-SSO-Security-Prefs-Checksum)
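Verifying that ADSchema.exe really added these attributes is the check an administrator wants before the workstation agent is rolled out. Below is an added example, not part of the original presentation and not Novell's tooling, that parses an LDIF export of the schema partition and reports which SecureLogin attributes are missing. The LDIF text inside it is constructed for the demo (one value base64-encoded, one folded across two lines, as ldifde output can be); the Prot:SSO Auth attribute is left out of the required set because the slide gives no LDAP name for it.

```python
"""Check an LDIF export of the Active Directory schema partition for the
SecureLogin attributes. Added example, not Novell's ADSchema.exe or any
SecureLogin tooling; the LDIF below is constructed for the demo."""
import base64

# Display name used on the slide -> lDAPDisplayName of the attributeSchema object
SECURELOGIN_ATTRIBUTES = {
    "Prot:SSO Entry": "protocom-SSO-Entries",
    "Prot:SSO Entry Checksum": "protocom-SSO-Entries-Checksum",
    "Prot:SSO Profile": "protocom-SSO-Profile",
    "Prot:SSO Security Prefs": "protocom-SSO-Security-Prefs",
    "Prot:SSO Security Prefs Checksum": "protocom-SSO-Security-Prefs-Checksum",
}

# Constructed sample: three of the five attributes present, one of them with a
# base64 (::) value and one folded over two lines, as ldifde output may be.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=protocom-SSO-Entries,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: protocom-SSO-Entries

dn: CN=protocom-SSO-Entries-Checksum,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName:: cHJvdG9jb20tU1NPLUVudHJpZXMtQ2hlY2tzdW0=

dn: CN=protocom-SSO-Profile,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: protocom-SSO-Pro
 file

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: classSchema
lDAPDisplayName: user
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space), split entries
    on blank lines, decode '::' base64 values. Attribute names are lower-cased
    because LDAP attribute names are case-insensitive."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def present_securelogin_attributes(ldif_text):
    """lDAPDisplayName values of SecureLogin attributeSchema objects found in the export."""
    wanted = set(SECURELOGIN_ATTRIBUTES.values())
    found = set()
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "attributeschema" not in classes:
            continue                      # a classSchema or other object, not an attribute
        found.update(n for n in entry.get("ldapdisplayname", []) if n in wanted)
    return found


def missing_securelogin_attributes(ldif_text):
    """Sorted list of the slide's attributes that the export does not define."""
    return sorted(set(SECURELOGIN_ATTRIBUTES.values()) - present_securelogin_attributes(ldif_text))


if __name__ == "__main__":
    for name in missing_securelogin_attributes(SAMPLE_SCHEMA_LDIF):
        print("schema extension missing:", name)
```

On a real domain, export the relevant part of the schema with ldifde, for example `ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=example,DC=com" -r "(lDAPDisplayName=protocom-SSO-*)" -l lDAPDisplayName,objectClass` with your own naming context, and pass the file's contents to `missing_securelogin_attributes`. Since these attributes are where the agent keeps its per-user single sign-on data, the ACL that grants read and write on them on user objects deserves the same review as their presence.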
SecureLogin Workstation Agent
• Installed in Active Directory Mode
• Configured to Run at Login
Novell® SecureLogin Hard Disk Encryption Implications
• Pre-Boot Authentication
• Full Disk Encryption v. File and Folder Encryption
• OS Handshake/Hand-Off
• Advanced Authentication Integration
Demonstration – How it Works
Authentication during boot process
– Laptop is switched on
– Logon screen of hard disk encryption comes up (PBA)
– User places their smart card in the reader
– User types in their PIN
– PBA authenticates the user and unlocks the hard drive (sectors are decrypted on the fly from this point on)
– PBA performs handshake to Windows OS and user is logged in
– Novell® SecureLogin Agent starts
– SSO is operational with no additional logins
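The walk-through above, modelled as an added example (not SecureDoc's, cryptovision's or Novell's code): a random disk encryption key (DEK) is wrapped once under a key the smart card releases only for the correct PIN and once under an escrow key held by the enterprise server, and the Windows credential that the PBA hands to the OS is sealed under the DEK. The key-wrapping and sector primitives are HMAC-SHA256 stand-ins for a real AES key wrap and AES sector cipher so the file runs with the standard library alone; the PIN retry limit, the card secret and all keys are assumed or generated for the demo.

```python
"""Model of the pre-boot authentication (PBA) key hierarchy behind the demo
walk-through. Added example, not SecureDoc's, cryptovision's or Novell's code.
The HMAC-based wrap and sector cipher are illustrative stand-ins for AES."""
import hashlib
import hmac
import secrets

PIN_RETRY_LIMIT = 3  # assumed; a real card enforces its own counter and unblock policy


def prf_stream(key, label, length):
    """HMAC-SHA256 in counter mode; illustrative keystream, not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek, plaintext):
    """Seal `plaintext` under `kek` (encrypt-then-MAC): nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, prf_stream(kek, b"wrap" + nonce, len(plaintext))))
    tag = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek, blob):
    """Inverse of wrap_key; raises if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, prf_stream(kek, b"wrap" + nonce, len(ct))))


def crypt_sector(dek, lba, data):
    """Sector-level encryption keyed by the DEK and the sector number (symmetric XOR stream)."""
    return bytes(d ^ k for d, k in zip(data, prf_stream(dek, b"sector" + lba.to_bytes(8, "big"), len(data))))


class SmartCard:
    """The card secret never leaves the card; a correct PIN releases a KEK derived from it."""

    def __init__(self, pin):
        self._pin = pin.encode()
        self._secret = secrets.token_bytes(32)
        self.retries_left = PIN_RETRY_LIMIT

    def unlock(self, pin):
        if self.retries_left == 0:
            raise PermissionError("card blocked: PIN retry counter exhausted")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self.retries_left -= 1
            raise PermissionError("wrong PIN, %d tries left" % self.retries_left)
        self.retries_left = PIN_RETRY_LIMIT
        return hashlib.sha256(b"pba-kek" + self._secret).digest()


class EncryptedLaptop:
    """Holds only wrapped material; the DEK exists in memory solely after a successful unlock."""

    def __init__(self, user_wrapped_dek, escrow_wrapped_dek, sealed_windows_credential):
        self.user_wrapped_dek = user_wrapped_dek
        self.escrow_wrapped_dek = escrow_wrapped_dek
        self.sealed_windows_credential = sealed_windows_credential

    def pre_boot_logon(self, card, pin):
        """Walk-through steps: card + PIN -> KEK -> DEK (disk readable) -> credential for Windows."""
        kek = card.unlock(pin)
        dek = unwrap_key(kek, self.user_wrapped_dek)
        windows_credential = unwrap_key(dek, self.sealed_windows_credential)  # hand-off to Windows
        return dek, windows_credential

    def recovery_logon(self, escrow_kek):
        """Help-desk path: the escrowed copy yields the same DEK without the card."""
        return unwrap_key(escrow_kek, self.escrow_wrapped_dek)


def provision(escrow_kek, card, pin, windows_credential):
    """Enrolment: random DEK, wrapped for the user's card and for escrow; Windows credential sealed under it."""
    dek = secrets.token_bytes(32)  # never derived from the PIN or a password
    user_kek = card.unlock(pin)
    return EncryptedLaptop(wrap_key(user_kek, dek), wrap_key(escrow_kek, dek), wrap_key(dek, windows_credential))


if __name__ == "__main__":
    escrow_kek = secrets.token_bytes(32)  # held by the enterprise server
    card = SmartCard("1234")
    laptop = provision(escrow_kek, card, "1234", b"CORP\\tdrewry:secret")
    dek, cred = laptop.pre_boot_logon(card, "1234")
    print("credential released to Windows:", cred)
    print("escrow recovers the same DEK:", laptop.recovery_logon(escrow_kek) == dek)
```

What the model makes visible: a stolen laptop holds only wrapped keys, a stolen PIN without the card (or three wrong PINs with it) yields nothing, the escrow copy lets the help desk recover the disk without re-encrypting it, and the Windows credential reaches the OS only after the DEK is unwrapped, which is what lets the SecureLogin agent start with no further prompt. Anything that changes the user's Windows password therefore has to update the sealed credential as well, or the hand-off breaks while the disk still unlocks.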
For More Information
• Visit table A5 in IT Central
• Attend the following complementary sessions:
– BOF106: SecureLogin in the Real World Panel Discussion
– IAM205: Novell SecureLogin Installation, Deployment and Lifecycle Management
– IAM207: SecureLogin and Your Active Directory Setup
– IAM302: Using Hard Disk Encryption and SecureLogin
– IAM303: Enhancing SecureLogin with Multi-factor Authentication
– IAM304: Securing Shared Workstation with SecureLogin
• Walk through the SecureLogin demo in the Installation and Migration Depot
• Visit www.novell.com/securelogin
Try SecureLogin for Yourself
We'll install SecureLogin on your machine (for free).
Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.