
Data Exchange (Removable Media Encryption)

Having recently moved to a new company I have been tasked with evaluating products to try and replace our multiple ones with a single suite if possible.

I have used Endpoint Protection from Sophos before and also SafeGuard.

One requirement here is that external media is encrypted for certain users and any files that are written to it, either in the office or externally, are automatically encrypted. From memory, when using SG Portable, although files can be accessed using the SGP utility, when writing to the device it is not automatically encrypted unless the user uses SGP.

Is this still the case? 

Our current solution will encrypt any files that are written to the device even if the user uses Windows Explorer. This is what we would want with any new product.

Thoughts?

Rob.

  • I'm using SafeGuard 6.01 and by policy I have the following settings

    File Encryption with AES256

    NO assigned user or group keys

    Encrypt new files

    SGN creates an MEK (machine encryption key) that's user specific, usable with SGN, and all new files copied to the flash drive are encrypted. If you're paranoid you can force encrypt all files on the flash drive no matter what; however, that's usually a bad idea, as it creates problems with embedded devices like phones and other devices that look like flash drives to Windows but aren't. If USB encryption creates issues with a specific device you have to whitelist the USB device and Vendor ID in SafeGuard.

  • Hi Rob,

    Joel is quite right in that if you use auto encryption then you face the problem that storage on mobile devices may be automatically encrypted too.

    There are a couple of ways around this...

    1. Using Sophos End-Point protection 'Device Control' you can block all removable media storage devices, and then whitelist based on Vendor ID of the devices or the unique ID of the device.

    This way you can allow devices of a particular model or specific individual devices. However you'd be blocking the non-exempt devices from connecting and transferring data. This might be a good thing though as you'd be a step closer to safeguarding against Data Leakage.

    Then as soon as an exempted device connects and data is transferred to it, SGN (SafeGuard Enterprise) would automatically encrypt the data (provided you have the SGN policies set correctly), even when using Explorer.

    NB: End-Point protection policies are machine based and not user based, so they aren't as flexible as the next option:

    2. Using Configuration Protection in SGN.

    Not only are CP policies assigned to users, but you can block all storage devices and create different whitelists. For example, you could create a whitelist for 'Mobile phone storage' and place the model or unique ID of the storage cards of the phones into this list, and create another whitelist for 'USB sticks'.

    Then create a DX (Data Exchange) policy in SGN to automatically encrypt and point this policy to the 'USB sticks' whitelist.

    This way everything listed in the 'Mobile phone storage' whitelist will be allowed to transfer data, and everything listed in the 'USB sticks' whitelist will allow data transfer but be automatically encrypted using the encryption key you specify in the policy. Just remember data leakage for the mobiles though ;)

    NB: Auto encryption only works on SGN enabled machines. Although SafeGuard Portable will nag a user if they eject a device with new unencrypted data on it, and give them a chance to correct this by encrypting the data.

    Obviously creating various policies and assigning them to different user groups / OU's etc. will give you more flexibility.

    I can't remember the versions but this functionality in Configuration Protection and Data Exchange was only introduced in the later versions.

    Also, if you're considering using Configuration Protection then I'd suggest fully testing it first. Personally I've found numerous defects in Configuration Protection which take a very long time to get resolved as it's a product made by SafeEnd and licensed to Sophos as a feature in the SGN suite.

    Good luck!

    John

    P.S. If you also go down the route of using Data Control in Sophos End-Point protection to control data leakage you need to be aware that data copied to USB sticks etc. must be copied using the Windows Explorer process and not an application. So saving data directly to a USB stick from Microsoft Word won't work as End-Point protection will block it and moan that you need to use Explorer. Thus you would need to save to the file system on the machine / server and then use Windows Explorer to COPY (not move) the data to the USB stick.

    I think this is because Data Control in End-Point hooks into the Malware scanning engine and wants to be able to read the data (to check against its policies) before it allows the data to be written to removable media.

    Just thought I'd point this out - seeing as you are looking at the Sophos suite.

    P.P.S. Now if only SGN DX worked for Apple Mac OSX ;)

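Both replies above rest on the same idea: block removable storage by default, then whitelist devices by Vendor ID or by the device's unique instance ID, and let the Data Exchange policy encrypt whatever lands on the whitelisted sticks. The script below is an added example, not Sophos or SafeGuard code, showing how an administrator could audit the USB storage devices attached to a Windows machine against such a whitelist before committing the IDs to a Device Control or Configuration Protection policy. The Vendor IDs, the single unique instance ID and the sample device list are constructed placeholders; `Get-CimInstance Win32_PnPEntity` is a standard cmdlet and class.

```powershell
# Added example (not Sophos/SafeGuard tooling): audit attached USB storage devices
# against a "block all, whitelist by Vendor ID or unique device ID" list, which is
# the model both Device Control and Configuration Protection use in the replies above.

# Constructed whitelist. Real values would come from your own device inventory.
$AllowedVendorIds   = @('0781', '0951')                              # placeholder USB Vendor IDs
$AllowedInstanceIds = @('USB\VID_13FE&PID_4300\PLACEHOLDER-SERIAL')  # placeholder unique device ID

# A Windows PnP instance ID for a USB device looks like USB\VID_xxxx&PID_yyyy\<serial>.
$UsbIdPattern = '^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(.+)$'

function Test-RemovableDeviceAllowed {
    # Classifies one instance ID: allowed by unique ID (tightest), allowed by vendor
    # (admits every device from that vendor, phones included), or blocked.
    param([Parameter(Mandatory)][string]$InstanceId)

    if ($InstanceId -notmatch $UsbIdPattern) {
        return [pscustomobject]@{ InstanceId = $InstanceId; VendorId = $null; ProductId = $null
                                  Allowed = $false; Reason = 'not a USB\VID_/PID_ instance ID' }
    }
    $vid = $Matches[1].ToUpper(); $pid = $Matches[2].ToUpper()

    if ($AllowedInstanceIds -contains $InstanceId) {
        $allowed = $true;  $reason = 'unique device ID whitelisted'
    } elseif ($AllowedVendorIds -contains $vid) {
        $allowed = $true;  $reason = "Vendor ID $vid whitelisted (applies to every device from this vendor)"
    } else {
        $allowed = $false; $reason = 'not on any whitelist; would be blocked'
    }
    [pscustomobject]@{ InstanceId = $InstanceId; VendorId = $vid; ProductId = $pid
                       Allowed = $allowed; Reason = $reason }
}

function Get-UsbStorageInstanceIds {
    # Live enumeration: USB mass-storage device nodes are bound to the USBSTOR service.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like 'USB\VID_*' -and $_.Service -eq 'USBSTOR' } |
        Select-Object -ExpandProperty PNPDeviceID
}

# Constructed sample devices so the audit can be read offline. The third entry imitates
# a phone presenting as mass storage from a vendor that is not on the whitelist.
$SampleInstanceIds = @(
    'USB\VID_0781&PID_5567\SAMPLE-SERIAL-0001',   # vendor-whitelisted stick
    'USB\VID_13FE&PID_4300\PLACEHOLDER-SERIAL',   # uniquely whitelisted stick
    'USB\VID_05AC&PID_12A8\SAMPLE-SERIAL-0002'    # not whitelisted, would be blocked
)

$SampleInstanceIds | ForEach-Object { Test-RemovableDeviceAllowed -InstanceId $_ } | Format-Table -AutoSize

# To audit the machine you are sitting at instead of the sample list:
# Get-UsbStorageInstanceIds | ForEach-Object { Test-RemovableDeviceAllowed -InstanceId $_ } | Format-Table -AutoSize
```

The `Reason` column makes the trade-off John describes visible: a Vendor ID entry admits every product that vendor ships, including phone storage that would then be auto-encrypted, whereas a unique instance ID entry admits exactly one stick. Running the live enumeration on a test machine before rolling out the policy shows which devices would fall into each class.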