Taking Control

Last updated on 20 Aug 2010 in Healthcare, Public Sector

Are your endpoints locked down?

Following several high-profile losses of person-identifiable data by English Government departments, the Information Commissioner's Office published the "Data Handling Procedures in UK Government" report in June 2008. It highlighted the need to restrict access to public sector data and to encrypt data held on removable storage media such as CDs, USB keys and laptops. The report led to rigorous product specifications being developed for the procurement of information security products by public sector departments throughout the UK. In response to the report, the Scottish Government made £1 million available to the Scottish Health Boards to enable them to comply with the latest data handling requirements.

“Essentially, we needed a product that would prevent anyone from storing patient data or any other health board information, onto a CD, DVD, USB stick or laptop, without having express permission to do so.”
Mark Salveta, NHS National Services Scotland

Following the Information Commissioner's report, NHS National Services Scotland reviewed the English specification and approved it with Scottish NHS IT specialists. IT then undertook a rigorous product evaluation in which Mark Salveta and his team specified recommended products for NHS Scotland based on their features, cost and service. The Information Commissioner's report also specified the need to encrypt data wherever it was necessary to store it on removable storage media.

“Essentially, this was an exercise to ensure that all 22 Health Boards were able to access the best security products at the best price. We reviewed products from 10 vendors using a technical score; cost; and the quality of vendor’s service and Lumension scored the highest,” says Salveta.

Device Control

Lumension's device control software enforces NHS security policies through its "default deny" approach, creating an IT environment in which no data can be transferred from the server to a laptop, CD, DVD or USB storage device without the express permission of the IT manager. This allows the IT manager to pinpoint exactly which employee has transferred which files, and reinforces the responsibility of named NHS employees to protect the data they are transferring. In addition, Lumension's integration with PGP ensures that authorised data transfers can be encrypted on laptops and other portable storage media.

Lumension provides centralised control, giving NHS IT teams total visibility of all data transferred to removable storage media. It allows IT managers to specify exactly which devices can be connected to the network, blocking all others by default. This feature is granular enough to restrict data transfer to specific USB keys with specific serial numbers.

An auditing feature within the product can create a report of all devices that have ever been connected to a department’s network and flags up any attempted connections. The software also enables NHS Health Boards to quickly create reports to demonstrate compliance with Government legislation regarding secure data handling.

IT managers can also use Lumension to set file copy limits, preventing entire databases from being moved onto portable devices even by authorised employees. Certain file types can be blocked from being transferred. For example, an authorised NHS employee could store Word documents on an encrypted USB stick but be blocked from copying image files onto the same stick. Using Lumension, IT departments have absolute control over the storage of data on portable devices.

Importantly, this removes the need for an ICT department to "do away" with its existing stock of unencrypted USB keys or mobile hard drives in exchange for hardware-encrypted versions. The solution automatically encrypts any data being transferred onto the removable media, locking it down with 256-bit encryption and making the safe storage and movement of data easier and more accessible as users require it.

Solution Overview

The Lumension Endpoint Protection solution stops endpoints from becoming a doorway for security threats to enter and sensitive data to escape. Lumension Application Control™, the primary component of the Lumension Endpoint Protection solution, allows only authorized applications to run, so your endpoints are fully protected from malware and unknown threats.

Operational desktop management is improved by eliminating the unnecessary support calls and performance issues that come with unauthorized and illegal software. You can also easily demonstrate compliance by enforcing software licence compliance and providing a detailed audit trail of all application and device execution attempts, while safeguarding confidential information from being leaked.

1. Discover: identify all removable devices that are now or have ever been connected to your endpoints, using a "learning" mode that collects information without disrupting business.

2. Assess: define rules at both default and machine-specific levels for groups and individual users with regard to device access by class, model and/or specific ID, and uniquely identify and authorize specific media. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory.

3. Implement: enforce device and data usage policies through file copy limitations (amount per day, time of day) and file type filtering. You can also enforce encryption of data moved onto removable devices/media and apply permissions to specific endpoints, ports, devices and users or groups of them (both on- and off-line), including scheduled/temporary access.

4. Monitor: continuously monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using our patented bi-directional shadowing technology.

5. Report: create both standard and customized reports on all device and data activity showing allowed and blocked events, which can be saved into a repository, shared via email, and/or imported into 3rd party applications. Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with internal security policies and external government and industry regulations such as SOX, HIPAA or PCI DSS.

Try it...

We can set up a 30-day trial with no software charge. This can help you quickly and easily identify potential issues on a zero-risk basis. Trials have taken place at several UK trusts and organisations, with some eye-opening results.

Example case study of a 2-week trial at an NHS organisation:

  • 18 GB of data was transferred from Feb 1st to Feb 14th on/off CD and removable storage devices (over 1 GB per day)
  • The largest file written to a CD was 375 MB
  • 19 .avi files were copied
  • 58 .bmp files, including shin_splints_piccy.bmp, Barbie-Swan Lake.bmp
  • 1889 .doc files, including RIP’s July 2007.doc, lovetoshop.doc, Signaturelist.doc
  • 5468 .jpeg files, including Glad and Cyrils Birthday.Jpeg, many digital camera files (DCIM), TeenGirl2Black.Jpeg
  • All data movement unencrypted

Increased levels of detail are available when using the audit service, such as the frequency of data transfers and even the number of times an iPod/MP3 player was plugged in.

Instances can be monitored and ultimately managed centrally, reducing the chance of an end user introducing malware to his or her PC, or even to the network, while providing an encrypted, managed platform for secure access and transportation of data. By working with Equanet and Lumension to provide this industry-leading solution, we can help you reduce the number of incursions and off-policy activity in your organisation.

Data Security Features

Key Features

Policy Enforced Encryption For Removable Storage

Centrally encrypts removable devices (such as USB memory drives) and media (such as DVDs/CDs), and enforces encryption policies when copying to devices/media.

Data Copy Restriction

Restricts the daily amount of data copied to removable devices and media on a per-user basis; usage can also be limited to specific time frames/days.

File Type Filtering

Controls the file types that may be moved to and from removable devices (such as USB sticks) and media (such as DVDs/CDs) on a per-user basis.

White list / "Default Deny"

Assigns permissions for authorized removable devices and media to individual users or user groups. By default, devices, media and people not explicitly authorized are denied access.

Temporary / Scheduled Access

Grants users temporary/scheduled access to removable devices/media; used to grant access "in the future" for a limited period.

Context-Sensitive Permissions

Applies different permissions when the endpoint is connected to the network, when it is not, and/or regardless of connection status.

Centralized Management / Administrators' Rules

Centrally define and manage user, user group, computer and computer group access to authorized removable devices/media on the network. By default, devices, media and people not explicitly authorized are denied access.

Rule Based Access Control

Assigns permissions to individual users or user groups based on their Windows Active Directory or Novell eDirectory identity, both of which are fully supported.

Tamper-proof Agent

Agents are installed on every endpoint on the network and are protected against unauthorized removal, even by authorized (local) administrators. Only (enterprise) administrators may deactivate this protection.

Flexible / Scalable Architecture

Provides organization-wide control and enforcement using a stable client-server architecture with a central database.
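The default-deny policy model described in the five-step overview and in the feature list above (device allow-list by serial number, per-user daily copy limit, file type filtering, scheduled access, and an audit record of every attempt, allowed or blocked) can be illustrated with a small evaluator. This is an added example written for this page, not Lumension's own code or configuration format; the policy values, user names and device serial are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import PurePath

# Constructed sample policy. These names are hypothetical, not a real product API.
AUTHORISED_DEVICES = {"USB-SN-0001A"}                   # allow-list by device serial
BLOCKED_EXTENSIONS = {".jpeg", ".jpg", ".bmp", ".avi"}  # file type filter
DAILY_LIMIT_BYTES = {"nurse1": 50 * 1024 * 1024}        # per-user copy limit (50 MB)
ACCESS_HOURS = (8, 18)                                  # permitted hours [start, end)


@dataclass
class DeviceControl:
    """Default-deny evaluator for one file copy to removable media, with an audit log."""
    copied_today: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def evaluate(self, user, serial, filename, size, when):
        """Return (allowed, reason). Every decision, allowed or blocked, is logged."""
        ext = PurePath(filename).suffix.lower()
        limit = DAILY_LIMIT_BYTES.get(user)
        used = self.copied_today.get(user, 0)
        if serial not in AUTHORISED_DEVICES:
            verdict = (False, "device not authorised (default deny)")
        elif limit is None:
            verdict = (False, "user has no removable-media permission")
        elif not ACCESS_HOURS[0] <= when.hour < ACCESS_HOURS[1]:
            verdict = (False, "outside scheduled access window")
        elif ext in BLOCKED_EXTENSIONS:
            verdict = (False, f"file type {ext} blocked")
        elif used + size > limit:
            verdict = (False, "daily copy limit exceeded")
        else:
            verdict = (True, "allowed; written encrypted to device")
            self.copied_today[user] = used + size
        self.audit.append((when.isoformat(), user, serial, filename, size, *verdict))
        return verdict


def run_sample():
    """Replay a constructed sequence of copy attempts and return the audit trail."""
    dc = DeviceControl()
    t = datetime(2010, 2, 1, 10, 0)
    dc.evaluate("nurse1", "USB-UNKNOWN", "report.doc", 1_000, t)             # unknown stick
    dc.evaluate("nurse1", "USB-SN-0001A", "photo.Jpeg", 2_000, t)            # blocked type
    dc.evaluate("nurse1", "USB-SN-0001A", "report.doc", 40 * 1024 * 1024, t) # allowed
    dc.evaluate("nurse1", "USB-SN-0001A", "list.doc", 20 * 1024 * 1024, t)   # over quota
    dc.evaluate("visitor", "USB-SN-0001A", "list.doc", 10, t)                # no permission
    dc.evaluate("nurse1", "USB-SN-0001A", "list.doc", 10, t.replace(hour=22))  # out of hours
    return dc.audit
```

Each audit row carries the timestamp, user, device serial, file name, size, decision and reason, which is the minimum a reviewer needs to reconstruct who moved what onto which device.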

To set up your trial, or to speak to your account manager, please call 0161 447 3183.
