Matthias Pankert - PowerPoint PPT Presentation

Slides: 29
Provided by: sabmar
Transcript and Presenter's Notes

1
SafeGuard Enterprise: What is next?
Matthias Pankert Head of Product Management
2
Agenda
  • Review of current status of SGN
  • SGN 5.40: what is new?
  • Beyond 5.40

3
SafeGuard Enterprise: Central Key to Data Security
SafeGuard CMF/DLP
7. Content inspection
SafeGuard FileShare
6. File and folder encryption - local and on network shares
4
SGN 5.35.3 Released Feb. 2009
  • Default encryption keys proposed
  • E.g. Machine key for system drives
  • Instead of not configured
  • Standalone Password recovery improvements
  • Logon without @ (e.g. userid instead of
    userid@domain)
  • PortAuditor no longer requires a separate
    license key on a computer with SGN Management
    Center
  • Proper handling of SD Card Bus
  • Better hardware / laptop coverage
  • Pre-configured .NET for the IIS
  • Further improvements in AD Synchronization
  • KB article for SGN interoperability with
    hardened IIS configurations according to
    Microsoft's recommendations
  • More SmartCards (see FAQs)

5
SGN 5.40: what is new?
In beta testing now
6
Headlines of SGN 5.40
  • Hardware compatibility improvements
  • Improved Data Exchange module - usability
  • Improved Configuration Protection module - file
    type policies
  • SafeGuard LAN Crypt compatibility
  • Local Selfhelp for Standalone mode
  • Multi-Tenancy in management center
  • Multi-boot (run-time installation for secondary
    OS)
  • Smartcard logon for Vista SafeGuard credential
    provider

7
Improved Hardware Compatibility
  • Reduce hardware / BIOS dependency
  • Structural improvements to cope with hardware
    implementation variations
  • Blacklists / Whitelists
  • Based upon hardware profiles of known computer
    models
  • Preconfigured POA flags
  • POA flags displayed for easier debugging
  • Extended test coverage
  • Supported by HW vendors

8
SafeGuard Data Exchange
  • Single Media Passphrase to easily access all
    used local keys in offline mode via SG Portable -
    Introduction of Media Encryption Key (MEK)
  • Simplification of DX User Interface
  • New behavior of initial encryption: optional
    timeout of 30 seconds before initial encryption
    starts
  • Optional plain text folder on encrypted removable
    media
  • API for automation of recurring tasks and for key
    recovery of standalone mode clients

9
SafeGuard Data Exchange
  • Introduction of Media Passphrase and Media
    Encryption Key
  • One Media Passphrase to open the Media
    Encryption key and all local keys used for
    encryption on a removable device in offline use
    (SG Portable)
  • Media Passphrase can be changed or recovered by
    the user
  • Media Encryption Key (MEK) is a unique default
    key for data encryption
  • Media Encryption Key gets created automatically
    on the client
  • Still possible to share encrypted data
    transparently within groups, OUs, etc. on the SG
    DX client within the company
  • Gets automatically backed-up as all other locally
    generated keys

10
SafeGuard Data Exchange
  • Visible name Internal name

11
SafeGuard Data Exchange
  • New behavior of initial encryption - timeout of
    30 seconds - if user has the right to cancel
    initial encryption
  • Ensures that the user can cancel initial encryption
    before it starts (e.g. for iPod)
  • Initial encryption starts automatically after 30
    seconds. User can start it immediately by
    pressing OK button
  • If central policy does not allow users to cancel
    initial encryption, it starts immediately
  • API for automation of recurring tasks and for key
    recovery of standalone mode clients

12
SafeGuard Data Exchange
  • Optional plain text folder on removable device


13
SafeGuard Configuration Protection: File Type Control
  • Prevents:
  • Data Leakage (Write)
  • Virus/Malware (Read)
  • Inappropriate content (Read)
  • File header based classification
  • Not only by extension (tamper resistant)
  • Over 250 file extensions in 14 categories
  • Updated code base and read-only policies for
    SGN 5.40

14
(No Transcript)
15
SafeGuard Enterprise and SafeGuard LAN Crypt
  • SafeGuard Enterprise Data Exchange and LAN Crypt
    use the same file filter driver
  • Data Exchange policies apply to volumes
  • LAN Crypt policies apply to folders and file
    types
  • Until now, behavior was undefined when both were
    used on the same client
  • Now (as of SGN 5.40 and LAN Crypt 3.70)
  • Data Exchange policies have priority over LAN
    Crypt policies
  • Where no Data Exchange policy is defined, LAN
    Crypt policies will apply

16
Local Selfhelp for Standalone mode
  • Password recovery without helpdesk interaction

17
(No Transcript)
18
For standalone clients only, in 5.40! Managed
clients in 6.00
19
Multi Tenancy
  • Each tenant has a separate DB and SGN Server
  • Full separation, no common objects
  • Same Management Center can administer multiple
    tenants (Configurations)
  • Credentials will be prompted for each
    configuration change

20
Multi-boot
  • Multiple Windows systems can be installed
  • Primary system is a regular SGN client
  • Secondary systems can access all volumes that are
    encrypted with machine key but no other SGN
    capabilities
  • Boot Manager (Microsoft or third party) after POA
  • Smartcard logon for Vista
  • SafeGuard credential provider can now be used
    for Vista smartcard logon similar to how it
    worked for Windows XP already
  • Also works for Vista UAC rights elevation logon

21
Simplified Standalone Policy Editor
  • Default policies offered for standalone client,
    e.g.
  • "Default Device Encryption Policy"
  • all internal disks, volume based, removable
    devices, AES256
  • "Default Authentication Policy"
  • max. no. of failed logons: 5
  • "Default Logging Policy"
  • only log errors in the event log, discard others
  • Wizard makes it easy to create a config.msi package
    using default settings
  • SQL Express setup included in SGN Standalone
    Policy Editor setup

22
Other Improvements
  • Performance improvements in boot time
  • Better fault tolerance in AD Sync
  • Extended Absolute Software Computrace
    compatibility
  • API extended for automated provisioning of
    smartcard credentials
  • New smartcards and reader types (see smartcard
    FAQ)
  • SQL Server 2008 support in Management Center
  • Demo licenses can be added in addition to
    purchased modules in a later step
  • Documented options for hierarchical DB system
  • load balancing and performance in large
    organizations

23
Beyond SGN 5.40
24
Beyond SGN 5.40
  • 64 bit (Vista, Windows 7, and possibly XP 64 bit)
  • Rollout- and Service accounts deployable by MSI
  • MacOS Device Encryption
  • Improvements to Standalone mode
  • SafeGuard FileShare
  • Integrates LAN Crypt capabilities into SGN
    Management Center
  • Simplification of Security Administration
  • Further improved robustness and performance
  • DLP SharePoint security
  • Device Encryption integrated with Sophos products

25
SGN Roadmap
This roadmap is for informational purposes only
and should not be deemed a commitment by Utimaco
or Sophos. Utimaco and Sophos reserve the right
to change this roadmap, add or subtract features
or functionality, or modify their products, at
their sole discretion.
Timeline: Q2/2009, Q3/2009, Q4/2009, Q1/2010, Q2/2010, Q3/2010, Q4/2010, Q1/2011
LC 3.70
SGN SAV integration (phase 1)
New SharePoint Security module
DLP add-on to File Share (tagging)
Hardware-supported encryption
64-Bit support for other SGN modules
  • New File Share Module incl. Hierarchical
    Officer Management
  • Simplification of Security Management

LC DX compatibility (hot fix for SGN 5.35.3)
SGN 5.40
SGN 5.50
SGN 6.0
  • Improved Hardware Compatibility
  • Improved ease-of-use for DX
  • Filetype based DLP in Config Prot.
  • Multi-Tenancy
  • Local Selfhelp for Standalone
  • Runtime Install for Multi-boot Env.
  • LC-DX compatibility

SAV 9.5
SGN 6.10
  • Windows 7 support
  • 64 bit support (Vista, Win7) for SGN DE
  • Roll-out of admin accounts
  • Addtl. SmartCards
  • Local Selfhelp for managed
  • Scheduled AD sync

SGN 6.20
Sophos SAV 9.5, incl. Simple Disk Encryption for local drives managed by SEC
SGN SAV Integration (Phase 2)
Network-aware POA
SGN DE
SGN DXFS
SGN DE
MacOS
Linux
Legend: Release, Service release, Still in planning
26
SafeGuard Roadmap (April 24th, 2009)
Timeline: Q4/2008, Q1/2009, Q2/2009, Q3/2009, Q4/2009, H1/2010, H2/2010
LAN Crypt for Vista.
  • Terminal Server Support
  • SGN DX compatibility incl. patch for SGN 5.35.3
  • Better shielding from admin
  • Bug fixes

LC 3.60
LAN Crypt
LC 3.80
LC 3.70
Windows 7 (32 bit) Stability, Bug fixes
SG PP
  • Service release

SGPP for 64-bit
SGPP 3.3 SP1
SDE 4.60
Sophos SafeGuard Disk Encryption (SDE) (based on SG Easy)
  • Simplified variant of SG Easy and SG
    PrivateCrypto for SMB
  • Part of Sophos Endpoint Security and Data
    Protection (periodic license)
  • Simplified: simpler policy, no
    smartcards/tokens/FP, no central server etc.
  • Will be based in future on SGN / SAV 9.5
  • 64 Bit OS (XP, Vista)
  • NTFS enabled portable
  • SGN keyring
  • Vista support
  • Windows OS CD Burning Wizard (like in SG DX)

PD 2.30
SG RM /SG PD
  • Vista logo certified
  • Minor improvements

RM 2.0
PC 2.31.1
Legend: Release, Service release, Still in planning
27
SafeGuard CryptoServer / MailGateway (March 11th, 2009)
Timeline: Q4/2008, Q1/2009, Q2/2009, Q3/2009, Q4/2009, H1/2010, H2/2010
SafeGuard CryptoServer
Se200 PCIe card LAN
Se10/50/1000 PCIe card
Se10/Se50/Se1000 LAN
CSe-Series PCIe card LAN
FIPS certification
2.00
2.10
2.20
2.01
SafeGuard SecurityServer
Support for PCIe card on Windows and Linux,
Failover for Microsoft appl.
Port Se-Series improvements to CS-Series,
Failover for JCE / OpenSSL / CSI / CXI, Microsoft
SQLEKM Provider
PCIe card driver on Solaris, Linux/Solaris
installation packages, CryptoServer image
CSI interface for Se-Series
5.60.2
Service Release
SafeGuard MailGateway
PKI/TrustCenter-Integration
5.80
5.70.1
Multi-Tenancy Support GUI for Multi-Tenancy
Multi-Byte Support
6.00
Legend: Release, Service release, Still in planning
28
Thank you very much!
Matthias Pankert Head of Product Management