McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Post on 21-Dec-2015


Page 1: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Data Protection

Total Protection Suite for Data (ToPS Data)

Page 2: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Data Loss Prevention

You need

• To prevent users from accidentally or maliciously leaking sensitive data

• Full visibility and control over usage & movement of confidential data

• To enable your infrastructure and data to protect itself

McAfee offers

• Protection against accidental leakage via everyday user tasks

• Complete spectrum of actionable responses upon detecting loss of confidential data such as

– Detailed logging & forensic evidence gathering

– Real-time prevention & blocking

– User and administrator notification

– Quarantine of confidential data

[Figure: everyday user tasks covered: Copy & Paste, Monitor Usage, USB Copy, Print Screen, Printer]

[Figure: suite components: Data Loss Prevention, Device Control, Encrypted USB, Endpoint Encryption]

Page 3: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Data Loss Prevention

Classify confidential data

– By location

– By content

– By file-type

Monitor sensitive data transfer

Build content-based reaction rules

Prevent confidential data from leaving the enterprise

Quarantine confidential data

Notify administrator and end users

Enforce encryption

Page 4: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Device Control

You need

• To monitor and allow only authorized devices to connect to endpoints

• Capabilities to restrict and block the use of unauthorized devices such as iPods

• Enforcement control over what data can be copied onto authorized devices

McAfee offers

• Fine-grained control of data and devices

– Only allow company-authorized devices

– Enforce control over what data can be copied to devices

• Policies per user, group or department, e.g. allow the CEO to connect any device while other employees can connect only a subset of devices

• Detailed user and device-level logging for auditing and compliance needs


Page 5: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Device Control

• Based on McAfee Data Loss Prevention (DLP) technology

• Complete content-aware and context-aware device-blocking capability

• Regulate how users copy data to external devices

• Increase productivity and the ability to safely use any USB devices as part of daily work activities

• Ensure control of all external devices

[Figure: ePO Management Console (Policies; Device and Data Events) and controlled device types: Serial/Parallel, CD/DVD, FireWire, USB, Bluetooth, WI/IRDA, Other]

Page 6: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Endpoint Encryption EEPC v.6.X

You need

• Encryption for laptops, desktops, and mobile devices with the flexibility to choose full-disk or file/folder encryption

• Confidence in integrity of sensitive data when a device is lost or stolen

• Safe Harbor protection (i.e. Loss of encrypted data = non-event and does not require public disclosure)

McAfee offers

• Broad support for laptops, desktops, and mobile devices

• Full audit-trails for compliance & auditing needs

• Support for multiple strong authentication methods

• Certifications: FIPS 140-2, Common Criteria Level 4 (highest level for software products), BITS, CSIA, etc.


Page 7: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Endpoint Encryption

File and Folder Encryption

[Figure: Administrator, Corporate Directory, File Server, Terminal Server and Client Computers, with steps numbered 1 to 5]

• Full Windows Explorer integration

• Automatic encryption and decryption with no performance loss, transparent enforcement of information security policies to end-users

– No end-user managed data security

• Protect files and folders on desktops, laptops, and servers

• A minimum of user interaction

• Effortless strong encryption of sensitive information

• No security at the end-users’ own discretion

• Easy sharing of encrypted documents among authorized users

Page 8: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

File & Folder Encryption Features

• Policy controlled, user transparent encryption of:

– Local documents and folders

– File server documents and folders

– Removable media

– Encrypted e-mail attachments (user initiated): Internal (Recipients with client) and External (Recipients without client)

• True on-the-fly encryption & decryption when accessing and saving protected documents

• Flexible policy assignments and management

– Encryption keys and encryption settings managed from McAfee Encryption Manager

– Amount of end-user options subject to policy control

– Policies cannot be circumvented by end-users

Page 9: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Key Differentiators - Summary

• Central Management

– No user decisions. Policy enforcement

• Management Centre

– One powerful admin console for all products

• Document location and/or type

– Encryption based on location and/or file type

• Client side activity monitor

– Allow the user to see how a policy is enforced

• One client for multiple purposes

– One-stop-shopping for file encryption

• Persistent Encryption

– Encryption “travels” with the document

• All action on client side

– No software or payload on file servers

• Encrypt at all levels

– Individual files or entire folders, or both

• Sharing of encrypted documents

– Transparent sharing between authorized users

• Automatic pagefile encryption

– No information leakage in virtual memory

Page 10: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Endpoint Encryption

Mobile Device Encryption

• External/Removable Media Encryption

Ensures that data stored on removable cards can only be accessed from the device from which it came

• Removable Media Options

– Allow encrypted media only

– Allow full access to encrypted media and read-only access to un-encrypted media

– Block all access to all media

– Deny access to un-encrypted cards

Page 11: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

What is McAfee Endpoint Encryption for PC v.6?

• Full Disk Encryption (FDE)

• Software to encrypt every sector of internal hard disks

• Guarantees data is encrypted while at rest on the disk

• This assurance is used to claim safe harbor from most data protection regulations

Average cost of a lost laptop is $49,246. If you can prove it was encrypted, the cost is reduced by at least $20,000.

Average cost of a single lost record is $204.

Average total cost of a data breach in 2009 was $6.75 million.

Source: 2009 Ponemon Institute “Cost of a Data Breach Report” commissioned by Intel.

[Figure: Files/Apps (.DOC, .XLS, .APPS), Operating System, Encryption Driver, Hard Disk, with sample text shown in readable and in scrambled form]

Page 12: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Proactive Reporting in ePO – The Difference

Prior to ePO, SafeBoot reporting was limited to machines with SafeBoot installed – no information about the machines which are NOT secured

– Reactive Reporting: check the protection status of a laptop after a theft; if the machine is not listed in the report, it is not secured

NEW: integrated ePO reporting of Endpoint Encryption covers the entire ePO-managed machine network

– Proactive Reporting: embedded Endpoint Encryption reporting through ePO presents machines which are not protected with Endpoint Encryption. ePO can then deploy the client to these machines directly.

Page 13: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Proactive Reporting in ePO – Discovery

• Compliance reporting with other vendors is limited to machines with the product installed or to an application running on the machine itself

• With the proactive ePO reporting approach, McAfee can go one step further and find non-secured machines, even when no agent is running on the machine

• Use the built-in “ePO Rogue System detection” option to determine the machines in your organization not running the McAfee Agent (MA)

Page 14: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Default Dashboard for Endpoint Encryption for PC

Installation Status Report: Endpoint Encryption Installed: Yes/No?

This report shows the encryption technology installed with Endpoint Encryption

Page 15: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

New Endpoint Encryption Architecture in ePO

[Figure: McAfee ePO v4.5 connected over a Secure Communication Channel to the ePO Agent (MA) Framework, with the products: Host Compliance, Anti-Virus, Anti-Spyware, Desktop FW, Host IPS, NAC, Remediation, Host DLP, Endpoint Encryption for PC, Endpoint Encryption for Files and Folder]

ePO provides central policies, key management and central user provisioning for Endpoint Encryption products.

User and Machine Import: Active Directory & LDAP

One Client Manager (MA – McAfee Agent) handling multiple Endpoint Security products.

Page 16: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

ePO Integration Goals

• Objective: reduce overall operational costs associated with an encryption product and make an Administrator’s life easier

– Deployment

– Reporting

– Same tasks and policies regardless of operating system or software/hardware encryption technology

• Improved support for

– Clustering

– Scalability

– Virtualization

Page 17: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Endpoint Encryption Policy in Catalog

The new Endpoint Encryption Common Policy has two categories (Product Settings, User Based Policies)


Page 18: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Logon Settings per Platform

Endpoint Encryption Logon Section with settings for the PreBoot Logon

Windows specific Logon Section


Page 19: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Full Disk Encryption Features for PC v.6

Management Features McAfee

System audit for proof of encryption

Secure key backup

Enterprise scalability

Role based access control

Centrally managed policies

Directory and PKI integration

Web based console

Management dashboards

Reports and custom reports

Administrator audit

Endpoint event audit (failed logon attempts, etc)


Page 20: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Full Disk Encryption Features for PC v.6


Agent Features McAfee

Transparent to end user

Cannot be removed or disabled by end user

Encryption keys stored securely

Pre-boot authentication

Active Directory integration & Single Sign On

Fault tolerant, can survive reboots during encryption

Multi-factor authentication

Windows 7 32-bit & 64-bit support

v.6.0 - AES 256-bit encryption

Secure hibernation

Secure client to server communication

Agent can sync while off the network

End user access can be revoked on the fly by administrator


Page 21: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Why McAfee?

Sustained product leadership

• #1 choice for enterprises

• Over 8,000,000 nodes encrypted worldwide

• Mature product, original code launched in 1992

• Part of comprehensive data protection product suite

• McAfee Total Protection for Data suite won over Gartner with best-in-class execution, integration and vision as compared to other vendors in the data protection industry.


Page 22: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Why McAfee?

Phased approach to data protection

Block unauthorized devices

Encrypt laptops

Monitor and secure all data routes

Discover and Classify Data

Intelligent Audit and Forensics

Total Protection for Data Suite | Function

Endpoint Encryption for PC | Full Disk Encryption

Endpoint Encryption for Files & Folders | Encrypt files and removable media

Endpoint Encryption for Mobile | Encrypt smart phones

Device Control | Block and manage devices

Host Data Loss Prevention | Discover and protect data in use

Page 23: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Users in version 6.0

• Users are referenced not created

– Referenced from Active Directory or LDAP

– No local users

– Quicker provisioning times possible

– Can be used with Auto-Discovery of users functionality

• ePO support

– 4.5: Active Directory only

– 4.5 Patch 2: Will include LDAP support

Page 24: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Encryption Settings

Encryption Policy to encrypt:

- None

- All

- Boot Disk only

- All except Boot Disk

Policy to define Encryption Provider Priority. If you want to manage various hardware technologies via ePO you can configure and order the preferred provider here.

- TCG Opal Drive

- EEPC Software Encryption

Page 25: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Trusted Computing Group Opal Self Encrypting Drives

• McAfee is an active contributor and voting member of the TCG Storage Working Group and provides input to the Opal and Marble specifications

• EEPC Version 6.x products will support Self-Encrypting Drives that adhere to the Opal (and Marble) specifications from TCG

• McAfee is currently working in conjunction with various manufacturers on incorporating their Opal Drives into EEPC V6.x

Page 26: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

Client Supported Platforms and Languages

• Management (ePO)

– Japanese, French, Spanish, Chinese (Traditional and Simplified), Russian, German, Korean.

– Fully localized and supported

• Client

– Same languages and support as Management section

– Additional client languages fully localized and available but NOT supported at GA date

– Portuguese, Brazilian Portuguese, Italian, Dutch, Greek, Swedish, Norwegian, Danish, Finnish, Polish, Arabic, Estonian and Thai

– Supported as of version 6.0.1

[Figure: supported client platforms, each labelled 32-Bit Only or 32 and 64-Bit]

Page 27: McAfee Data Protection Total Protection Suite for Data (ToPS Data)

McAfee Encrypted USB

• Deploy easily on an enterprise-wide scale

• Easily deploy and track devices through a single console

• Streamline workflow to save time and money

• Leverage Active Directory to match users and devices

• Encrypt data on-the-fly

• Enable secure data portability
