Lumension Security™ (formerly SecureWave) Sanctuary Device Control is
an End-Point Policy Enforcement solution that stops security
breaches before they can even start. With SecureWave Sanctuary, all users
are denied access by default. You simply authorize access to
only the devices that the user needs. No one can plug into your
network without approval. No one. Control is absolute. Sanctuary
also audits I/O device use as well as attempts to use
unauthorised devices.
Hardware such as USB memory sticks,
FireWire external hard-drives, scanners, music players (for
example, mp3 players and iPods), digital cameras, PDAs, and CD
and DVD burner drives are scattered throughout offices around
the world. Their proliferation amplifies the threats posed by
outsiders or users who plug in devices that could compromise the
security of sensitive corporate data. Here, too, Sanctuary does
what you want it to do: it blocks the use of all devices that
haven't been authorised and, if needed, also allows complete
FireWire and USB port lockdown for maximum security, avoiding
any data leakage or malware intrusion.
Build it to Scale
Sanctuary's three-tier architecture and load-balancing
capability already support companies ranging in size from 50 to
more than 100,000 seats. It integrates with the existing
technical infrastructure and logical organisation by mapping
permissions to an existing Microsoft Active Directory domain or
Novell Directory Services (eDirectory).
“Since we’ve installed Sanctuary we have never had a call out to a PC. This solution has never let us down.”
Hampshire Country Libraries
“With Sanctuary’s proactive default deny approach to security, customers no longer
have to react to every new device, vulnerability alert or emerging threat.”
VP, Motta
Network Experts
“Restricting the devices that can be
plugged into the terminals has enabled the bank to meet FSA compliance requirements.”
Project Manager
Barclays Bank
Features & Benefits
Access Control List (ACL) Based Permissions
Per user and per user group based permissions
User/group permissions on all/specific machines
Device White List
Prevent the installation of unknown devices
Authorize only specific device types within a class
Uniquely identify one specific device*
Scheduled and Temporary Device Access - Read and/or Write access
Scheduled access for a predefined time
Temporary device access (same day or planned for future
timeframe)
Uniquely Identify and Authorize Specific Removable Media
Create DVD/CD-ROM collections and grant access to users or
user groups
Create lists of specific Removable Media with unique IDs and
grant access to users*
Authorize any removable media to any user using encryption
technology* (grant access to encrypted media devices with SADEC
for users that do not have Sanctuary Device Control installed on
their machine)
Plug and Play Devices: Hot Plug Support
Detect Plug and Play Devices 'on the fly'
Apply ACLs in real time
Shadowing™ Option
Ability to shadow all data copied to external devices or
specific ports (file names only or full copy of files transferred)
Supported for all CD/DVD recording types
Shadow rules can be applied to Device/Device Group(s) and per
user
Powerful Audit & Reporting Capabilities
Full auditing of all Administrator actions
Advanced reporting possibilities (on ACLs, device collection,
etc.)
Access Rights Updates
Updates to Access Rights are implemented at each connection
Possibility to implement Access Rights on the fly or to a
newly defined device without need to re-logon
Flexible Administration
Granular administrative roles
Distributed administration
Disconnected/Remote Computer Protected
A local copy of the latest device access permission list is
stored on the disconnected workstation or laptop, which provides
full protection when disconnected. Updates (if any) will be
implemented at the next connection
Restrict the Amount of Data Copied
Ability to restrict the amount of data copied from the PC (or
network) to an external device (Removable Media such as USB memory
key and Floppy Disk)
Apply copy limit on a per-user basis
Scalability
Use of three-tier architecture (Application server, Database,
Client) allows for flexible deployment options and scaling for the
enterprise
Microsoft Active Directory and Novell eDirectory Support
Map permission to use I/O devices to an existing Active
Directory domain or Novell Directory Services (eDirectory)
Delegation of administrative rights for Active Directory
organisational Units is automatically incorporated into Sanctuary
Device Control administration
Silent Unattended Installations & Deployment
Use any deployment tools that support the MSI technology (e.g.
Microsoft Systems Management Server (SMS), Group Policies,
WinInstall, etc.)
Deployment tool capable of installing, uninstalling, upgrading and
querying client status
Protection from PS/2 hardware keyloggers
Ability to block the PS/2 port, enforcing the usage of USB
keyboards to avoid the threat caused by PS/2 hardware keyloggers
Ability to detect and block USB keyloggers
Online and Offline permissions/updates
Use different policies when the user is online or offline
Send updates to computers not connected to the network using a
file (e.g. via email)
Customizable notifications to users when access is denied
Easy Exchange encryption mode
Authorised users can access encrypted removable devices
outside the company without the need to install any kind of
software whatsoever, and without administrative privileges
FireWire, Bluetooth and USB port protection / control
USB blocking / USB port blocking: ability to completely block
the USB port
Ability to also lock down any other ports or buses such as
Bluetooth, WiFi, FireWire, etc.