Protection Against Lost or Stolen Data with Novell® ZENworks® Endpoint Security Management

Brent Beachem
Software Consultant Engineer
Novell, Inc./bbeachem@novell.com

Merrill Smith
Software Consultant Engineer
Novell, Inc./mksmith@novell.com

Steve McLain
Senior Software Engineer
Novell, Inc./stmclain@novell.com
Agenda

    •   Overview of current reality of “mobile data”
    •   Examples of recent and common lost or stolen data scenarios
    •   Simple examples of ZENworks® Endpoint Security Management
        (ZESM) features to mitigate these security breaches
    •   Detailed discussion and examples of using native ZESM features
        to resolve these security breaches
         –   Encryption
         –   USB Controls
         –   Adapter Controls
    •   Discussion on unique 3rd party integration options for ZESM

             NOTE:
             PLEASE... Ask questions and interrupt!
2   © Novell, Inc. All rights reserved.
Mobile Endpoints = Mobile Data

    •   “There used to be this thing called the ‘Network Perimeter’”.

        [Diagram: Exhibit 2, “The Borderless Enterprise” (Source: Yankee Group, 2009).
        “Your Business” (Front Office, Back Office, SCM, ERP, CRM) sits at the centre,
        linked to Suppliers, Customers and Employees through Desktop video, Pager,
        E-mail, Mobile Phone, Conferencing, Audio Conferencing, Fax, Voice Mail,
        Laptop, Phone, PDA, Room Based video, Messaging Software and
        Collaboration Software.]
Mobile Devices + Mobile Endpoints = Even More Mobile Data

    •   USB-enabled electronics device annual shipments will double from 1.4
        billion in 2005 to 2.8 billion in 2010.
         –   Storage devices (flash drives as large as 256 GB today)
         –   Networking adapters (rapid rise in Wireless USB)
         –   Printers, scanners, webcams (all with storage devices embedded)
         –   MP3/iPods – over 240 million iPods alone have been sold by Jan 2010
    •   Bluetooth – over 12 million Bluetooth enabled devices are sold every
        week.
    •   eSATA, PCMCIA, 1394a/b, USB, etc. – Removable storage device
        interfaces offering up to several Terabytes in data storage capacity

        [Chart: USB Products vs. Other Devices. Source: In-STAT/MDR]
Key Areas Of Sensitive Data

    Data at Rest
         –   File shares, Servers, Laptops: Microsoft file shares; Unix file shares;
             NAS/SAN storage; Windows 2000, 2003; Windows XP, Vista
         –   300+ File Types: Microsoft Office files; PDFs; PSTs; Zip files
         –   Databases and Repositories: SharePoint, Documentum; Lotus Notes, Exchange;
             Microsoft Access; Oracle, SQL, DB2; Contact Mgmt Systems

    Data in Motion
         –   E-mail: SMTP email; Exchange, Lotus, etc.; Webmail; Text and attachments
         –   Instant Messages: Yahoo IM; MSN Messenger; AOL Messenger
         –   Web Traffic: FTP; HTTP; HTTPS; TCP/IP

    Data in Use
         –   Print and Burn: Local printers; Network printers; Burn to CDs/DVDs
         –   USB: External hard drives; Memory sticks; Removable media
         –   Copy and Save As: Copy to network shares; Copy to external drives;
             Save As to external drives
Examples of Recent and Common
    Lost or Stolen Data Scenarios

    •   Stanford University
         –   Stolen Laptop with unencrypted data
    •   Cal State Los Angeles, CA
         –   Employee USB Storage Device stolen with unencrypted data
    •   Veterans Administration
         –   Stolen Laptop with unencrypted data
         –   USB Storage Device used to move data from work to home
    •   TJ Stores (TJX)
         –   “War Driving” parking lot hacking of WEP keys



Stanford University

    •   72,000 personal records
    •   Names, SSNs, birth dates, addresses, salary info, etc.
    •   Questions Remain: “Has the information been used?”
    •   School issued credit monitoring service – $3.6 M
    •   Breach:
         –   Stolen laptop contained unencrypted records




Cal State Los Angeles

    •   2,500 Student and Faculty ‘personal records’
    •   CSLA immediately issued ‘User Guidelines for Portable
        Electronic Storage Media’
         –   “All confidential, personal, and proprietary information stored on
             portable electronic storage media must be encrypted.”
    •   Breach:
         –   Unencrypted USB drive stolen from car




Veterans Administration

    •   28.6 M records stolen
    •   Class-action lawsuits filed on behalf of every veteran
    •   Breach:
         –   Data removed from unencrypted (stolen) laptop
         –   Employee removed data from office on USB storage device to
             ‘work from home’




TJ Stores (TJX) - TJMaxx, Marshalls, Winners,
     HomeSense, AJWright, TKMaxx, Bob’s Stores

     •   47.5 M credit / debit card numbers stolen
     •   Largest data breach in US history
     •   $216 M ‘breach cost’ (estimate)
     •   Transaction data from 2003 – 2006 compromised
     •   Data used in $8 M ‘Gift Card’ scheme
     •   Breach:
          –   ‘War Driving’ – parking lot Wi-Fi hacking
          –   Wireless transmissions only protected by ‘broken’ WEP protocol




High Profile Breaches

        [Chart of high profile breaches. Source: Privacy Rights Clearinghouse]
Resolutions for Recent and Common Lost or Stolen Data Scenarios

     Data Breach                                              Resolution
     Lost or stolen laptop with unencrypted, sensitive data   Require fixed disk data encryption
     Lost or stolen RSD with unencrypted, sensitive data      Require encryption of RSD or control use of RSD
     Unauthorized movement of data with USB device            Control use of USB devices
     Wi-Fi hacking of WEP keys                                Prevent connections to insecure (or less secure) Wi-Fi devices
Details of ZENworks® Endpoint Security Management Fixed Disk Encryption Solution

        Encrypt Safe Harbors on Fixed Disks
          –   What we do
               >   File and folder based encryption
               >   Policy-defined “safe harbors”
               >   User-selectable “safe harbors”
               >   Secondary authentication for decryption
               >   Simplified encryption key management
          –   What we don't do
               >   Directly compete with Full Disk Encryption (FDE) – see the comparison table for
                   trade-offs
               >   Cost as much as FDE




Trade-offs of Full Disk Encryption (FDE) versus File/Folder Encryption

     Full Disk Encryption
          –   Automatically ensures the entire hard drive (or partition) is encrypted (you
              don't have to force sensitive data to be stored in a “safe harbor” location)
          –   Automatically encrypts pagefile, hibernate file, and other OS files containing
              sensitive information loaded in memory and written to disk during power
              state transitions.
          –   Decryption requires Pre-boot authentication (PBA) login when the machine
              boots up. This is a HUGE COST for corporations wanting to do remote
              computer diagnostics, patches, etc.
          –   Data recovery options can be cumbersome or difficult
          –   Some disk encryption implementations are controlled only by
              username/password (others have smart card or certificate based
              authentication). Simple authentication mechanisms can easily be compromised.

     ZENworks® Endpoint Security Management File/Folder Based Encryption
          –   Specified “safe harbor” folders are designated for saving sensitive data (most
              commercial grade applications allow for mandating files to be saved in
              specified locations; Microsoft applications can be controlled by Group Policy
              Objects (GPO) settings).
          –   The allowance (and use) of pagefile, hibernate file, and other OS files
              containing sensitive information can be controlled by GPO settings.
          –   No PBA required. Administrators always have the ability to access and
              decrypt data through normal remote administration tools.
          –   Data recovery options are built into the policies and separate, simple tools exist.
          –   Secondary authentication and strong password requirements exist for
              file/folder decryption.




Details of ZENworks® Endpoint Security Management RSD Encryption Solution
        Encrypt Removable Storage Devices (RSD)
          –   What we do
               >   General, simple control (any RSD gets encrypted)
               >   Password based folder encryption (simplifies workflow when dealing with
                   outside customers needing access to data when not running ZESM)
               >   Simplified encryption key management
               >   Seamlessly use the encrypted RSD throughout your corporation (decryption
                   within the same “encryption key island” is transparent)
          –   What we don't do
               >   “White list” RSD that do not get encrypted, while encrypting all others – this is
                   under investigation for a future feature
               >   Automatically launch an application to decrypt RSD data after a successful
                   authentication (like U3 devices with encryption do) – in the ZENworks®
                   Configuration Management 11 version, we will provide an option to copy a
                   stand-alone decryption tool to the RSD


Example ZENworks® Endpoint Security Management Encryption Policy




Example ZENworks® Endpoint Security Management RSD Policy




Details of ZENworks® Endpoint Security Management USB Controls
     •   Removable Storage Devices (RSD) Encryption
          –   Mandate all RSD are encrypted
          –   Password based folder
     •   USB General Connectivity
          –   Stop ALL USB devices
          –   Control by USB Device Groups
          –   “White-list” only approved USB peripherals (certificate
              providers, printers, RIM devices for syncing, 3G/Broadband
              modem devices, etc.)
     •   USB
          –   Integrate with 3rd party USB RSD providers with portable
              encryption (Example: Kingston DataTraveler2 Private)
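The three USB connectivity modes on the slide (stop all devices, control by device group, white-list approved peripherals) plus the "mandate RSD encryption" rule can be expressed as one small policy evaluator. The Python below is an added illustration written for this page, not ZESM code or Novell's API: the policy modes, group names, `evaluate_usb` function and the sample vendor/product ids are constructed for the example; only the interface class codes are the standard USB-IF class codes. It shows the defender-side decision a device-control agent has to make when a device enumerates, including why an unknown vendor-specific device is blocked rather than allowed by default.

```python
"""USB device-control policy evaluator (added example, not ZESM code).

A device is classified into a group from its USB interface class, then the
policy decides: block, allow, or allow only with encryption (removable storage).
"""
from dataclasses import dataclass, field

# Standard USB-IF base class codes used to derive a device group.
USB_CLASS_HID = 0x03
USB_CLASS_PRINTER = 0x07
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_SMART_CARD = 0x0B
USB_CLASS_WIRELESS = 0xE0

# Group names are constructed for this example.
DEVICE_GROUPS = {
    USB_CLASS_HID: "input",
    USB_CLASS_PRINTER: "printer",
    USB_CLASS_MASS_STORAGE: "removable_storage",
    USB_CLASS_SMART_CARD: "certificate_provider",
    USB_CLASS_WIRELESS: "modem",
}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_class: int
    description: str = ""


@dataclass
class UsbPolicy:
    mode: str = "groups"                          # "block_all" | "groups" | "whitelist"
    allowed_groups: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)   # {(vendor_id, product_id), ...}
    encrypt_removable_storage: bool = True        # mandate encryption on any RSD


def device_group(device):
    """Anything with a class we do not model falls into 'other' (fail closed)."""
    return DEVICE_GROUPS.get(device.interface_class, "other")


def evaluate_usb(policy, device):
    """Return (decision, reason); decision is 'block', 'allow' or 'allow_encrypted'."""
    group = device_group(device)
    if policy.mode == "block_all":
        return "block", "policy stops all USB devices"
    if (device.vendor_id, device.product_id) in policy.whitelist:
        if group == "removable_storage" and policy.encrypt_removable_storage:
            return "allow_encrypted", "approved removable storage; encryption mandated"
        return "allow", "device is on the approved peripheral list"
    if policy.mode == "whitelist":
        return "block", f"{group} device is not on the approved peripheral list"
    # mode == "groups": decide by device group
    if group not in policy.allowed_groups:
        return "block", f"device group {group!r} is not permitted"
    if group == "removable_storage" and policy.encrypt_removable_storage:
        return "allow_encrypted", "removable storage permitted only with encryption"
    return "allow", f"device group {group!r} is permitted"


# Constructed sample devices; the vendor/product ids are placeholders, not real products.
SAMPLE_DEVICES = [
    UsbDevice(0x0001, 0x0010, USB_CLASS_HID, "keyboard"),
    UsbDevice(0x0002, 0x0020, USB_CLASS_MASS_STORAGE, "flash drive"),
    UsbDevice(0x0003, 0x0030, USB_CLASS_SMART_CARD, "smart card reader"),
    UsbDevice(0x0004, 0x0040, USB_CLASS_WIRELESS, "3G modem"),
    UsbDevice(0x0005, 0x0050, 0xFF, "vendor-specific gadget"),
]

# "Control by USB Device Groups", with one explicitly approved broadband modem.
STANDARD_POLICY = UsbPolicy(
    mode="groups",
    allowed_groups={"input", "printer", "certificate_provider", "removable_storage"},
    whitelist={(0x0004, 0x0040)},
)

# "White-list only approved USB peripherals": keyboard and smart card reader only.
STRICT_POLICY = UsbPolicy(mode="whitelist", whitelist={(0x0001, 0x0010), (0x0003, 0x0030)})


def run_demo(policy=STANDARD_POLICY):
    """Map each sample device description to the policy decision."""
    return {d.description: evaluate_usb(policy, d)[0] for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for name, policy in (("standard", STANDARD_POLICY), ("strict", STRICT_POLICY)):
        print(name)
        for d in SAMPLE_DEVICES:
            decision, reason = evaluate_usb(policy, d)
            print(f"  {d.description:24} {decision:16} {reason}")
```

Under the standard policy the flash drive is admitted only as `allow_encrypted`, which is the slide's "mandate all RSD are encrypted" rule, while the vendor-specific device is blocked because it matches no permitted group; the strict policy blocks everything that is not explicitly listed, including the modem.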
Example ZENworks® Endpoint Security Management USB Policy




Details of ZENworks® Endpoint Security Management Adapter Controls
     •   Unique Network Adapter Control
          –   Wireless Ethernet
               >   Disable Wi-Fi when Wired (help prevent dual homing, bridging into corporate
                   connections)
               >   Disable AdHoc connections (stop peer-to-peer connections and control
                   MESH networking)
               >   Block Wi-Fi connections (Prevent connections, but allows for wireless
                   reporting information)
               >   “White-list” specific approved Wi-Fi adapters (allow wireless connections with
                   only approved devices having adequate security implementations and/or
                   administrative controls)
               >   Network utilization control (through SSID, MAC, and Key management
                   approaches)
               >   Mandate a minimum level of Wi-Fi security for endpoints to connect to


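The Wi-Fi controls above are rules evaluated against the adapter state and the network the endpoint is about to join, and the TJX scenario earlier on the page is exactly the case "mandate a minimum level of Wi-Fi security" is meant to stop. The Python below is an added example for this page, not ZESM code or Novell's policy format: the `WifiPolicy` fields, the `evaluate_wifi` function, the security ranking and the sample networks are all constructed for the illustration. It applies the slide's rules in order (disable when wired, approved adapters, no ad hoc, approved SSIDs, minimum security) and treats a security type it cannot classify as the weakest, so the policy fails closed.

```python
"""Wi-Fi adapter-control policy evaluator (added example, not ZESM code)."""
from dataclasses import dataclass, field

# Ordering used for the "minimum security" comparison; lower is weaker.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass(frozen=True)
class WifiNetwork:
    ssid: str
    bssid: str
    security: str        # one of SECURITY_RANK's keys, or something unrecognised
    adhoc: bool = False  # peer-to-peer (IBSS) network rather than an access point


@dataclass(frozen=True)
class EndpointState:
    wired_connected: bool
    adapter_id: str      # identifier of the Wi-Fi adapter in use (constructed)


@dataclass
class WifiPolicy:
    disable_wifi_when_wired: bool = True
    block_adhoc: bool = True
    minimum_security: str = "wpa2"
    approved_adapters: set = field(default_factory=set)  # empty set = any adapter
    approved_ssids: set = field(default_factory=set)     # empty set = any SSID


def evaluate_wifi(policy, state, network):
    """Return (action, reason); action is 'disable_adapter', 'block' or 'allow'."""
    if policy.disable_wifi_when_wired and state.wired_connected:
        return "disable_adapter", "wired link active; Wi-Fi disabled to prevent dual homing"
    if policy.approved_adapters and state.adapter_id not in policy.approved_adapters:
        return "disable_adapter", f"adapter {state.adapter_id!r} is not an approved Wi-Fi adapter"
    if policy.block_adhoc and network.adhoc:
        return "block", f"ad hoc network {network.ssid!r} is not permitted"
    if policy.approved_ssids and network.ssid not in policy.approved_ssids:
        return "block", f"SSID {network.ssid!r} is not on the approved list"
    # An unrecognised security type ranks below 'open' so the check fails closed.
    observed = SECURITY_RANK.get(network.security.lower(), -1)
    required = SECURITY_RANK[policy.minimum_security]
    if observed < required:
        return "block", (f"{network.security} is below the required minimum "
                         f"({policy.minimum_security})")
    return "allow", "network meets the adapter policy"


# Constructed sample networks (BSSIDs are placeholders).
SAMPLE_NETWORKS = [
    WifiNetwork("corp-secure", "00:00:00:00:00:01", "wpa2"),
    WifiNetwork("store-legacy", "00:00:00:00:00:02", "wep"),
    WifiNetwork("hotel-guest", "00:00:00:00:00:03", "open"),
    WifiNetwork("laptop-to-laptop", "00:00:00:00:00:04", "wpa2", adhoc=True),
    WifiNetwork("mystery", "00:00:00:00:00:05", "unknown"),
]

POLICY = WifiPolicy(minimum_security="wpa2", approved_adapters={"wifi-adapter-A"})


def run_demo(wired_connected=False, adapter_id="wifi-adapter-A"):
    """Map each sample SSID to the action the policy takes for the given endpoint state."""
    state = EndpointState(wired_connected, adapter_id)
    return {n.ssid: evaluate_wifi(POLICY, state, n)[0] for n in SAMPLE_NETWORKS}


if __name__ == "__main__":
    state = EndpointState(wired_connected=False, adapter_id="wifi-adapter-A")
    for n in SAMPLE_NETWORKS:
        action, reason = evaluate_wifi(POLICY, state, n)
        print(f"{n.ssid:18} {action:16} {reason}")
```

With the wired link up every network yields `disable_adapter` regardless of how secure it is, which is the point of the dual-homing rule; with Wi-Fi in use the WEP and open networks are blocked by the minimum-security check, the ad hoc network by the ad hoc rule, and the unclassifiable one because it is ranked below open.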
Example ZENworks® Endpoint Security Management Wi-Fi Adapter Policy




Example ZENworks® Endpoint Security Management Wi-Fi Control Policy




Example ZENworks® Endpoint Security Management Wi-Fi Security Policy




Details of ZENworks® Endpoint Security Management Adapter Controls (cont.)
     •   Unique Network Adapter Control (cont.)
          –   Wired Ethernet
               >   Disable Wi-Fi when Wired (help prevent dual homing, bridging into corporate
                   connections)
               >   “White-list” specific approved Wired adapters (allow wired connections with
                   only approved devices having adequate security implementations and/or
                   administrative controls)
               >   Disable adapter bridging (help prevent dual homing, bridging into corporate
                   connections)

     •   Hardware Device Control (Firewire, serial, parallel, etc)
     •   VPN Enforcement (simple model with
         connect/disconnect commands)
     •   Integrity Rules (simple tests and quarantine)
Example ZENworks® Endpoint Security Management Communication Hardware Control Policy




Have You Ever Wanted to Do These With Your Currently Deployed Applications?
     •   Ensure services and applications always run despite end users
         having local administrative privileges.
     •   Initiate A/V and anti-spyware scans based on network location,
         other applications running, network connectivity, etc. and not just
         time of day/week.
     •   Ensure diverse VPN solutions are running in hot-spots, hotels,
         airports, and other public locations.
     •   Provide user messages, warnings, and information based on various
         security events.
     •   Require VBScripts and/or JScripts to be run without end user
         modification, intervention, or circumvention.




Unique 3rd Party Integration Options
     •   Integrate and leverage ZENworks® Endpoint Security Management native security options:
          –   ZESM is always loaded and running, so it can ensure other security events happen as well.
          –   Location Awareness (determination, changing, triggering)
          –   Firewall control
          –   Adapter Controls (connection, types, disabling/control)
          –   Simple User Interface (UI), message dialogs, and/or workflow controls
          –   Custom dialogs/UI
     •   Advanced Scripts examples:
          –   Various Patch, A/V, and Anti-Spyware integration
          –   Customer's use of Microsoft VPN Enforcement to save money
          –   Wireless UI controls
          –   Remote Admin tools/services running
          –   Policy enforced and controlled VB Scripts and JScripts




Example ZENworks® Endpoint Security Management 3rd Party Integration Through Scripting Policy




Questions and Answers

     •   What other security issues are you dealing with now?

     •   What would you like ZENworks® Endpoint Security
         Management to do for you?

     •   What other detailed questions or information about the
         product or features do you need answered at this time?




Detailed Data Slides
Inside ZENworks Endpoint Security




Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.


General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.
Social media class 4 v2
Social media class 4 v2Social media class 4 v2
Social media class 4 v2Novell
 
Social media class 3
Social media class 3Social media class 3
Social media class 3Novell
 
Social media class 2
Social media class 2Social media class 2
Social media class 2Novell
 
Social media class 1
Social media class 1Social media class 1
Social media class 1Novell
 
Social media class 2 v2
Social media class 2 v2Social media class 2 v2
Social media class 2 v2Novell
 
LinkedIn training presentation
LinkedIn training presentationLinkedIn training presentation
LinkedIn training presentationNovell
 
Twitter training presentation
Twitter training presentationTwitter training presentation
Twitter training presentationNovell
 
Getting started with social media
Getting started with social mediaGetting started with social media
Getting started with social mediaNovell
 
Strategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaStrategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaNovell
 
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHInformation Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHNovell
 
Workload iq final
Workload iq   finalWorkload iq   final
Workload iq finalNovell
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused EnterpriseNovell
 
Shining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialShining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialNovell
 
Accelerate to the Cloud
Accelerate to the CloudAccelerate to the Cloud
Accelerate to the CloudNovell
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsNovell
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementNovell
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding businessNovell
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachNovell
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Novell
 

Plus de Novell (20)

Filr white paper
Filr white paperFilr white paper
Filr white paper
 
Social media class 4 v2
Social media class 4 v2Social media class 4 v2
Social media class 4 v2
 
Social media class 3
Social media class 3Social media class 3
Social media class 3
 
Social media class 2
Social media class 2Social media class 2
Social media class 2
 
Social media class 1
Social media class 1Social media class 1
Social media class 1
 
Social media class 2 v2
Social media class 2 v2Social media class 2 v2
Social media class 2 v2
 
LinkedIn training presentation
LinkedIn training presentationLinkedIn training presentation
LinkedIn training presentation
 
Twitter training presentation
Twitter training presentationTwitter training presentation
Twitter training presentation
 
Getting started with social media
Getting started with social mediaGetting started with social media
Getting started with social media
 
Strategies for sharing and commenting in social media
Strategies for sharing and commenting in social mediaStrategies for sharing and commenting in social media
Strategies for sharing and commenting in social media
 
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECHInformation Security & Compliance in Healthcare: Beyond HIPAA and HITECH
Information Security & Compliance in Healthcare: Beyond HIPAA and HITECH
 
Workload iq final
Workload iq   finalWorkload iq   final
Workload iq final
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused Enterprise
 
Shining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of SocialShining the Enterprise Light on Shades of Social
Shining the Enterprise Light on Shades of Social
 
Accelerate to the Cloud
Accelerate to the CloudAccelerate to the Cloud
Accelerate to the Cloud
 
The New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration TrendsThe New Business Value of Today’s Collaboration Trends
The New Business Value of Today’s Collaboration Trends
 
Preventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log ManagementPreventing The Next Data Breach Through Log Management
Preventing The Next Data Breach Through Log Management
 
Iaas for a demanding business
Iaas for a demanding businessIaas for a demanding business
Iaas for a demanding business
 
Workload IQ: A Differentiated Approach
Workload IQ: A Differentiated ApproachWorkload IQ: A Differentiated Approach
Workload IQ: A Differentiated Approach
 
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
Virtual Appliances: Simplifying Application Deployment and Accelerating Your ...
 

Protection against Lost or Stolen Data with Novell ZENworks Endpoint Security Management

  • 1. Protection Against Lost or Stolen Data with Novell® ZENworks® Endpoint Security Management
    Brent Beachem, Software Consultant Engineer, Novell, Inc./bbeachem@novell.com
    Merrill Smith, Software Consultant Engineer, Novell, Inc./mksmith@novell.com
    Steve McLain, Senior Software Engineer, Novell, Inc./stmclain@novell.com
  • 2. Agenda
    • Overview of current reality of “mobile data”
    • Examples of recent and common lost or stolen data scenarios
    • Simple examples of ZENworks® Endpoint Security Management (ZESM) features to mitigate these security breaches
    • Detailed discussion and examples of using native ZESM features to resolve these security breaches
      – Encryption
      – USB Controls
      – Adapter Controls
    • Discussion on unique 3rd party integration options for ZESM
    NOTE: PLEASE... Ask questions and interrupt!
    © Novell, Inc. All rights reserved.
  • 3. Mobile Endpoints = Mobile Data
    • “There used to be this thing called the ‘Network Perimeter’”.
    [Exhibit 2. The Borderless Enterprise. Source: Yankee Group, 2009. Diagram of “Your Business” (Front Office, Back Office, SCM, ERP, CRM, Collaboration Software, Messaging Software) surrounded by Suppliers, Customers and Employees and by the channels that reach them: Desktop video, Pager, E-mail, Mobile Phone, Conferencing, Audio Conferencing, Fax, Voice Mail, Laptop, Phone, PDA, Room Based video.]
  • 4. Mobile Devices + Mobile Endpoints = Even More Mobile Data
    • USB-enabled electronics device annual shipments will double from 1.4 billion in 2005 to 2.8 billion in 2010.
      – Storage devices (flash drives as large as 256 GB today)
      – Networking adapters (rapid rise in Wireless USB)
      – Printers, scanners, webcams (all with storage devices embedded)
      – MP3/iPods – over 240 million iPods alone have been sold by Jan 2010
    • Bluetooth – over 12 million Bluetooth enabled devices are sold every week.
    • eSATA, PCMCIA, 1394a/b, USB, etc
      – Removable storage device interfaces offering up to several Terabytes in data storage capacity
    [Chart: USB Products vs. Other Devices. Source: In-STAT/MDR]
  • 5. Key Areas Of Sensitive Data
    Data at Rest
      File shares, Servers, Laptops: Microsoft file shares; Unix file shares; NAS/SAN storage; Windows 2000, 2003; Windows XP, Vista
      300+ File Types: Microsoft Office Files; PDFs; PSTs; Zip Files
      Databases and Repositories: SharePoint, Documentum; Lotus Notes, Exchange; Microsoft Access; Oracle, SQL, DB2; Contact Mgmt Systems
    Data in Motion
      File shares, Servers, Laptops: SMTP email; Exchange, Lotus, etc.; Webmail; Text and attachments
      Instant Messages: Yahoo IM; MSN Messenger; AOL Messenger
      Web Traffic: FTP; HTTP; HTTPS; TCP/IP
    Data in Use
      Print and Burn: Local printers; Network printers; Burn to CDs/DVDs
      USB: External hard drives; Memory sticks; Removable media
      Copy and Save As: Copy to Network shares; Copy to external drives; Save As to external drives
  • 6. Examples of Recent and Common Lost or Stolen Data Scenarios
    • Stanford University
      – Stolen laptop with unencrypted data
    • Cal State Los Angeles, CA
      – Employee USB storage device stolen with unencrypted data
    • Veterans Administration
      – Stolen laptop with unencrypted data
      – USB storage device used to move data from work to home
    • TJ Stores (TJX)
      – “War driving” parking lot hacking of WEP keys
  • 7. Stanford University
    • 72,000 personal records
    • Names, SSNs, birth dates, addresses, salary info, etc
    • Questions remain: “Has the information been used?”
    • School issued credit monitoring service – $3.6 M
    • Breach:
      – Stolen laptop contained unencrypted records
  • 8. Cal State Los Angeles
    • 2,500 student and faculty ‘personal records’
    • CSLA immediately issued ‘User Guidelines for Portable Electronic Storage Media’
      – “All confidential, personal, and proprietary information stored on portable electronic storage media must be encrypted.”
    • Breach:
      – Unencrypted USB drive stolen from car
  • 9. Veterans Administration
    • 28.6 M records stolen
    • Class-action lawsuits filed on behalf of every veteran
    • Breach:
      – Data removed from unencrypted (stolen) laptop
      – Employee removed data from office on USB storage device to ‘work from home’
  • 10. TJ Stores (TJX) - TJMaxx, Marshalls, Winners, HomeSense, AJWright, TKMaxx, Bob’s Stores
    • 47.5 M credit / debit card numbers stolen
    • Largest data breach in US history
    • $216 M ‘breach cost’ (estimate)
    • Transaction data from 2003 – 2006 compromised
    • Data used in $8 M ‘gift card’ scheme
    • Breach:
      – ‘War driving’ – parking lot Wi-Fi hacking
      – Wireless transmissions only protected by ‘broken’ WEP protocol
  • 11. High Profile Breaches
    [Chart of high profile breaches. Source: Privacy Rights Clearinghouse]
  • 12. Resolutions for Recent and Common Lost or Stolen Data Scenarios
    Data Breach → Resolution
    • Lost or stolen laptop with unencrypted, sensitive data → Require fixed disk data encryption
    • Lost or stolen RSD with unencrypted, sensitive data → Require encryption of RSD or control use of RSD
    • Unauthorized movement of data with USB device → Control use of USB devices
    • Wi-Fi hacking of WEP keys → Prevent connections to insecure (or less secure) Wi-Fi devices
  • 13. Details of ZENworks® Endpoint Security Management Fixed Disk Encryption Solution
    Encrypt Safe Harbors on Fixed Disks
      – What we do
        > File and folder based encryption
        > Policy-defined “safe harbors”
        > User-selectable “safe harbors”
        > Secondary authentication for decryption
        > Simplified encryption key management
      – What we don't do
        > Directly compete with Full Disk Encryption (FDE) - see comparison table for trade-offs
        > Cost as much as FDE
  • 14. Trade-offs of Full Disk Encryption (FDE) Versus File/Folder Encryption
    Full Disk Encryption
      – Automatically ensures the entire hard drive (or partition) is encrypted (you don't have to force sensitive data to be stored in a “safe harbor” location)
      – Automatically encrypts pagefile, hibernate file, and other OS files containing sensitive information loaded in memory and written to disk during power state transitions.
      – Decryption requires Pre-boot authentication (PBA) login when the machine boots up. This is a HUGE COST for corporations wanting to do remote computer diagnostics, patches, etc.
      – Data recovery options can be cumbersome or difficult
      – Some disk encryption implementations are controlled only by username/password (others have smart card, or certificate based authentication). Simple authentication mechanisms can easily be compromised.
    ZENworks® Endpoint Security Management File/Folder Based Encryption
      – Specified “safe harbor” folders are designated for saving sensitive data (most commercial grade applications allow for mandating files to be saved in specified locations. Microsoft applications can be controlled by Group Policy Objects (GPO) settings.)
      – The allowance (and use) of pagefile, hibernate file, and other OS files containing sensitive information can be controlled by GPO settings.
      – No PBA required. Administrators always have the ability to access and decrypt data through normal remote administration tools.
      – Data recovery options are built into the policies, and separate, simple tools exist.
      – Secondary authentication and strong password requirements exist for file/folder decryption.
  • 15. Details of ZENworks® Endpoint Security Management RSD Encryption Solution
    Encrypt Removable Storage Devices (RSD)
      – What we do
        > General, simple control (any RSD gets encrypted)
        > Password based folder encryption (simplifies workflow when dealing with outside customers needing access to data when not running ZESM)
        > Simplified encryption key management
        > Seamlessly use the encrypted RSD throughout your corporation (decryption within the same “encryption key island” is transparent)
      – What we don't do
        > “White list” RSD that do not get encrypted, while encrypting all others – this is under investigation for a future feature
        > Automatically launch an application to decrypt RSD data after a successful authentication (like U3 devices with encryption do) - in the ZENworks® Configuration Management 11 version, we will provide an option to copy a stand-alone decryption tool to the RSD
  • 16. Example ZENworks® Endpoint Security Management Encryption Policy
  • 17. Example ZENworks® Endpoint Security Management RSD Policy
  • 18. Details of ZENworks® Endpoint Security Management USB Controls
    • Removable Storage Devices (RSD) Encryption
      – Mandate all RSD are encrypted
      – Password based folder
    • USB General Connectivity
      – Stop ALL USB devices
      – Control by USB device groups
      – “White-list” only approved USB peripherals (certificate providers, printers, RIM devices for syncing, 3G/Broadband modem devices, etc)
    • USB
      – Integrate with 3rd party USB RSD providers with portable encryption (Examples: Kingston DataTraveler2 Private)
  • 19. Example ZENworks® Endpoint Security Management USB Policy
  • 20. Details of ZENworks® Endpoint Security Management Adapter Controls
    • Unique Network Adapter Control
      – Wireless Ethernet
        > Disable Wi-Fi when wired (helps prevent dual homing, bridging into corporate connections)
        > Disable AdHoc connections (stop peer-to-peer connections and control MESH networking)
        > Block Wi-Fi connections (prevents connections, but allows for wireless reporting information)
        > “White-list” specific approved Wi-Fi adapters (allow wireless connections with only approved devices having adequate security implementations and/or administrative controls)
        > Network utilization control (through SSID, MAC, and key management approaches)
        > Mandate a minimum level of Wi-Fi security for endpoints to connect to
  • 21. Example ZENworks® Endpoint Security Management Wi-Fi Adapter Policy
  • 22. Example ZENworks® Endpoint Security Management Wi-Fi Control Policy
  • 23. Example ZENworks® Endpoint Security Management Wi-Fi Security Policy
  • 24. Details of ZENworks® Endpoint Security Management Adapter Controls (cont.)
    • Unique Network Adapter Control (cont.)
      – Wired Ethernet
        > Disable Wi-Fi when wired (helps prevent dual homing, bridging into corporate connections)
        > “White-list” specific approved wired adapters (allow wired connections with only approved devices having adequate security implementations and/or administrative controls)
        > Disable adapter bridging (helps prevent dual homing, bridging into corporate connections)
    • Hardware Device Control (Firewire, serial, parallel, etc)
    • VPN Enforcement (simple model with connect/disconnect commands)
    • Integrity Rules (simple tests and quarantine)
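To make the adapter controls of slides 20 and 24 concrete, here is an added Python simulation of how an endpoint agent could evaluate a Wi-Fi connection attempt against such a policy (disable Wi-Fi when wired, block ad hoc, adapter white-list, SSID control, minimum security level). It is not ZESM code: the policy field names, the WPA2 minimum, the security ranking and the sample networks and adapter names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Wi-Fi security types ranked weakest to strongest (assumed ranking). The slides
# single out WEP as "broken" (the TJX breach), so the constructed minimum is WPA2.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


@dataclass
class AdapterPolicy:
    """Hypothetical policy fields modelling the slide bullets (not ZESM's schema)."""
    min_wifi_security: str = "wpa2"         # "Mandate a minimum level of Wi-Fi security"
    disable_wifi_when_wired: bool = True    # "Disable Wi-Fi when Wired"
    block_adhoc: bool = True                # "Disable AdHoc connections"
    block_all_wifi: bool = False            # "Block Wi-Fi connections"
    approved_adapters: set = field(default_factory=set)  # adapter white-list; empty = any
    approved_ssids: set = field(default_factory=set)     # SSID control; empty = any


@dataclass
class WifiAttempt:
    """One connection attempt as seen by the endpoint agent (constructed input)."""
    ssid: str
    security: str               # "open", "wep", "wpa" or "wpa2"
    adhoc: bool = False
    adapter: str = "approved-adapter-A"   # constructed adapter name


def evaluate_wifi(policy: AdapterPolicy, attempt: WifiAttempt, wired_link_up: bool):
    """Return (allowed, reason). Controls are checked in the order the slides list
    them, so the first failing control is the one reported."""
    if policy.block_all_wifi:
        return False, "policy blocks all Wi-Fi connections (reporting only)"
    if policy.disable_wifi_when_wired and wired_link_up:
        return False, "wired link is up: Wi-Fi disabled to prevent dual homing/bridging"
    if policy.approved_adapters and attempt.adapter not in policy.approved_adapters:
        return False, f"adapter '{attempt.adapter}' is not on the approved list"
    if policy.block_adhoc and attempt.adhoc:
        return False, "ad hoc (peer-to-peer) connections are disabled"
    if policy.approved_ssids and attempt.ssid not in policy.approved_ssids:
        return False, f"SSID '{attempt.ssid}' is not an approved network"
    sec = attempt.security.lower()
    if sec not in SECURITY_RANK:
        return False, f"unknown security type '{attempt.security}'"
    if SECURITY_RANK[sec] < SECURITY_RANK[policy.min_wifi_security]:
        return False, (f"{sec.upper()} is below the required minimum "
                       f"{policy.min_wifi_security.upper()}")
    return True, "connection permitted"


# Constructed corporate policy: WPA2 minimum, one approved adapter, any SSID.
CORPORATE_POLICY = AdapterPolicy(approved_adapters={"approved-adapter-A"})

# Constructed attempts, one per control; none of these networks or devices is real.
SCENARIOS = [
    ("store floor AP, WEP",        WifiAttempt("STORE-POS", "wep"), False),
    ("airport hotspot, open",      WifiAttempt("FreeAirportWiFi", "open"), False),
    ("corporate WLAN, WPA2",       WifiAttempt("CORP-SECURE", "wpa2"), False),
    ("peer laptop, ad hoc WPA2",   WifiAttempt("adhoc-share", "wpa2", adhoc=True), False),
    ("corporate WLAN while docked", WifiAttempt("CORP-SECURE", "wpa2"), True),
    ("unknown USB Wi-Fi dongle",   WifiAttempt("CORP-SECURE", "wpa2", adapter="dongle-X"), False),
]


def run_scenarios(policy: AdapterPolicy = CORPORATE_POLICY):
    """Evaluate every constructed scenario; returns [(label, allowed, reason), ...]."""
    return [(label, *evaluate_wifi(policy, attempt, wired))
            for label, attempt, wired in SCENARIOS]


if __name__ == "__main__":
    for label, allowed, reason in run_scenarios():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {label:30} {reason}")
```

Only the WPA2 corporate WLAN on the approved adapter with no wired link is permitted; the WEP store network, the open hotspot, the ad hoc peer, the docked laptop and the unknown dongle are each blocked by a different control.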
  • 25. Example ZENworks® Endpoint Security Management Communication Hardware Control Policy
  • 26. Have You Ever Wanted to do These With Your Currently Deployed Applications?
    • Ensure services and applications always run despite end users having local administrative privileges.
    • Initiate A/V and anti-spyware scans based off network locations, other applications running, network connectivity, etc and not just time of day/week.
    • Ensure diverse VPN solutions are running in hot-spots, hotels, airports, and other public locations.
    • Provide user messages, warnings, and information based on various security events.
    • Require VBScripts and/or JScripts to be run without end user modification, intervention, or circumvention.
  • 27. Unique 3rd Party Integration Options
    • Integrate and leverage ZENworks® Endpoint Security Management native security options:
      – ZESM is always loaded and running, so it can ensure other security events happen as well.
      – Location awareness (determination, changing, triggering)
      – Firewall control
      – Adapter controls (connection, types, disabling/control)
      – Simple user interface (UI), message dialogs, and/or workflow controls
      – Custom dialogs/UI
    • Advanced script examples:
      – Various patch, A/V, and anti-spyware integration
      – Customer's use of Microsoft VPN enforcement to save money
      – Wireless UI controls
      – Remote admin tools/services running
      – Policy enforced and controlled VBScripts and JScripts
  • 28. Example ZENworks® Endpoint Security Management 3rd Party Integration Through Scripting Policy
  • 30. Questions and Answers
    • What other security issues are you dealing with now?
    • What would you like ZENworks® Endpoint Security Management to do for you?
    • What other detailed questions or information about the product or features do you need answered at this time?
  • 32. Inside ZENworks Endpoint Security
  • 33. Unpublished Work of Novell, Inc. All Rights Reserved.
    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
    General Disclaimer
    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.