cynapspro endpoint data protection 2010 - technical specifications


Technical datasheet of the cynapspro endpoint data protection 2010. Includes DevicePro, CryptionPro, CryptionPro HDD, ApplicationPro, ErasePro, PowerPro.


cynapspro

Endpoint Data Protection 2010

Technical Specifications and Modules

Cynapspro Endpoint Data Protection

DevicePro prevents data loss by controlling all kinds of ports and external storage devices.

CryptionPro protects your company data by efficiently encrypting data stored on external devices.

ApplicationPro controls the use of applications based on a white list or black list.

ErasePro

PowerPro cuts energy costs and reports suspicious activity.

Core Benefits of cynapspro Technology

Sophisticated Rights Management

Rights Management can be user centered, machine centered or a combination of both. Flexible inheritance structures allow the transfer of group rights to users and the exemption of individual users or devices. Permissions may be assigned to Active Directory Groups that are automatically synchronized or to individually generated groups, which substantially reduces the management overhead. In addition, user permissions may be defined for different scenarios, i.e. users may have different online or offline rights.

Real-Time Management

The cynapspro® client-server architecture is based on a real-time solution without group policies and schema extensions. All changes to access permissions will be immediately pushed out to the clients and stored in the cynapspro database. Users don’t need to restart their machines or even connect to the company network in order to upgrade their usage rights. Just consider the manufacturing sector, which requires uninterrupted processes (production lines or the like), where changing the logged-on user or even a restart is simply not an option. cynapspro is the right solution for these workplaces, as it ensures that IT management guidelines are implemented and that there are no security risks.

Complete Offline Support

Even disconnected systems remain manageable. Unblocking codes can be used to temporarily or permanently change user rights. CryptionPro Mobile allows the encryption and decryption of data on mobile devices anytime and anywhere, e.g. when working from unmanaged computers.

Secure Kernel Driver Technology

The secure cynapspro® kernel driver technology is loaded into the operating system during the boot sequence and thus ensures that the service running on the client is not visible to the end user. It can only be stopped or uninstalled by an authorized Administrator.

Minimal Network Load

All changes, such as the allocation of access permissions, updates to application white lists or encryption policies, become effective immediately using “Push and Pull” technologies, which have definite advantages over “Polling intervals”. Solutions using “Polling intervals” (regular queries from client to server in order to check for updates) can cause unnecessary network load, which may impact system performance and affect users in their daily work.

Minimal System Requirements

Apart from a SQL database (the free MSDE or SQL Server 2005 Express edition is fully sufficient), no additional software, such as the IIS Server or a .NET client, is required. Consequently, no new vulnerabilities are introduced by installing additional back office software, and memory and CPU utilization is minimal.

Integration into 3rd Party Applications

The XML interface allows the allocation of access permissions from an existing customer Helpdesk or Service Desk implementation in a fully automated way, leveraging existing processes, approval workflows, notifications and management reports. There will be no need for service desk workers to use an additional console.

cynapspro Architecture

cynapspro Server and Database

The cynapspro server is responsible for managing all DevicePro clients. The cynapspro server can be installed on any available physical or virtual server (or even a Windows XP Professional system) in your network environment. For large environments or in order to have a backup, DevicePro can be installed on several servers that replicate each other. All records are stored in a SQL database (MSDE, MS SQL Server Express, MS SQL Server 2000 or 2005) and managed by the cynapspro server.

cynapspro Agent Installation and Update

The Administration Console enables you to create an MSI package which can be rolled out to all clients using the usual software distribution mechanisms or AD policies. Once installed, the agent will automatically receive updates from the cynapspro server.

Secure and Efficient Communication

The communication between server and clients uses XML – RPS (optional encryption). All passwords and encryption keys are encrypted (RSA 1024 Bit) without exception.

The cynapspro agent communicates all rights changes made in the management console and takes over complete communications between the server, the kernel driver and, if necessary, the user. The cynapspro agents use a Push/Pull process to communicate with the server, which ensures that all changes are transferred immediately. There is no client polling, which significantly reduces the network load. Only the machines of those users whose access rights have been changed will be contacted and updated.

User and Group Management

The directory structure of your existing MS Active Directory or Novell eDirectory is synchronized by the cynapspro server and a local copy will be maintained in the database. No LDAP schema extensions to MS Active Directory or Novell eDirectory are needed. cynapspro only creates a local copy of the structure, which will be updated either on a schedule or on an ad hoc basis. All it takes is a user account with read-only permissions to the AD.

Secure Permission Management

Permissions to external devices and applications will be controlled by the kernel driver. Systems that are disconnected from the network can receive changes to access permissions via a secure TAN.


Functional Overview

DevicePro

- Release of individual devices by serial number, Hardware ID, Volume ID, or name
- Device White List (Certification)
- Integrated device discovery
- Individual release of media (CD/DVD) based on hash value
- Device access can be set to read-only mode
- Content header filter (black/white list)
- Password protected Logging of Data Transfer

CryptionPro

- File-based encryption
- Automated on-the-fly encryption
- AES 256 encryption
- Triple DES encryption
- Central key management
- Device Blacklist (will always be encrypted, even if users may temporarily disable encryption)
- Mobile Client for encryption/decryption (without installation on the client)
- Centrally managed password policies for mobile clients
- Individual encryption limits decryption to authorized employees only

cynapspro Endpoint Data Protection 2010

Architecture

- Secure kernel driver technology
- MS AD, NDS, workgroup synchronization
- Bidirectional communication (push and pull)

Rights Management

- Allocation of rights by groups, users or machines
- Role-based allocation of rights
- Temporary or scheduled permissions

Management Console & Agent

- Multilingual, intuitive user interface
- MSI-Packager 32Bit/ 64Bit
- Role-based display of functionality
- Audit-ready Compliance Reports (SOX, Basel II)
- Reports and Analysis
- Alternative user login – “Log on As” (to avoid system downtime)
- Ticket system for changes
- Offline support (intelligent Cache and secure TAN)


ApplicationPro

- Black/White lists for applications
- Application learning mode (manual and scheduled mode)
- Free application package definition
- Temporary non-blocking mode
- Audit of application usage
- Centralized version control
- Automated hash value creation for applications

ErasePro

- Support for various data erasure methods such as simple overwriting, random order, Peter Gutmann method
- Optimization of the erasure speed
- Secure deletion of files, shadow copies, directories and drives
- Support for internal and external storage media
- Scheduled deletion of specific directories such as TEMP, recycle bin, etc.
- Reports & Analysis and audit-proof logs
- End of Life Management

PowerPro

- Intelligent management of the computer states ‘hibernate’, ‘standby’, etc.
- Activity-based regulation and control of monitors, USB devices, hard drives, fans, CPU, etc.
- Alarm system is triggered by suspicious activities
- Flexible and individual definition of idle time based on a variety of criteria
- Intelligent exemption rules – based on the computer state, active programs or network activities
- Scheduler with several adjustable actions
- Central management and reporting
- Savings calculator in Dollars, kWh and CO2 emissions for the entire company, OU, group or user

Feature Highlights

Intuitive Management Console

The single user-friendly Management Console is largely self-explanatory and only a minimum of training is required. The clear and concise structure allows the compilation of complex settings with just a few mouse clicks. The console and the locally installed agent are available in various languages.

Helpdesk

Changes requested by the user will automatically create a ticket. The assignment of the requested change can be initiated directly from the ticket. Email notifications can be leveraged to integrate into existing 3rd party Helpdesk or Service Desk Tools.

Easy-to-use Statistics, Records and Reports

Information on rights assignments, access control, rights requests etc. can be evaluated, analyzed and exported.

Flexible Device Management

The definition of permissible devices can be done by device types, device models or specific devices allowing the usage of trusted equipment without compromises on security issues.

Content Header Filter

In addition to devices or ports, transmission of data can be allowed or blocked according to file types, file names or size. This way you can prevent the copying of internal data or large amounts of data to external storage and thus reduce potential abuse or loss.

Audit-Ready Security

Password-protected, detailed access statistics with filter and sort order functionality. In case of suspected data abuse or loss, cynapspro knows which files have been accessed, by whom and when. Access to the transmission protocol can be protected by up to three passwords in case workers’ committees need to be accommodated. All actions of the cynapspro administrators will be logged.

LDAP Integration

Existing users and user group definitions from Microsoft Active Directory or Novell eDirectory are imported by the cynapspro server, thus reducing the workload for defining user groups for Access Client Lists (ACLs) as well as the sources of error.

Distributed Environments

Several mutually replicating cynapspro servers provide load balancing capabilities in enterprise environments.

Supported Devices

Floppy Disc, CD/DVD, USB Mass Storage, SD/MMC Cards, Infrared, Bluetooth, WiFi, PDA, Blackberry, ISDN cards, Modem, Printers, Scanners, Digital Cameras, Sound, Video and Game Controller, etc.

Supported Ports

FireWire, Parallel Port, Serial Port, PCMCIA cards, USB ports, etc.

System Requirements: Server

Operating System: Windows Server 2000, 2003, 2008 or Windows XP, Vista, 7

Supported LDAP Directories:

Microsoft Active Directory, Novell eDirectory 4.91 SP2 and above, proprietary Directory

Database Server: SQL Server 2000 SP3a, 2005, 2008, SQL Server 2005 Express Edition, MSDE

Free memory: 512 MB RAM

Free hard disk Space: 100 MB

System Requirements: Client

Operating System: Windows 2000 (SP4 + RollUp 1), Windows XP + SP2/SP3, Windows Vista (+ SP1), Windows 7

Free Memory: 128 MB RAM

Free hard disk space: 5 MB

Contact: cynapspro GmbH, Am Hardtwald 1, 76275 Ettlingen, Germany