
Dell Data Protection|Encryption and Dell KACE Integration Technical Reference
Steps to integrate Dell Data Protection | Encryption and the Dell KACE™ Appliances


Table of Contents
1.0 Introduction ......................................................................................... 3
2.0 DDP|E Windows Shield Deployment using KACE software deployment tools ............ 4
3.0 How to create DDP|E custom inventory fields for analysis and reporting ......... 13
4.0 Demonstrate the ability to use WOL and update OS or deploy software ............ 18
Dell KACE Corporate Background ........................................................... 20


Copyright © 2012 Dell KACE. All rights reserved.


1.0 Introduction

In the face of increasing security risks, organizations of all sizes must include the protection of sensitive data among their many competing top priorities simply because ignoring these risks threatens the continued existence of the enterprise. The motivations for implementing a solution for securing data may include:

• Compliance with government or commercial regulation
• Protection of the intellectual property upon which all future successes rely
• Maintaining the critical trust given to the organization by its customers and business partners

Regardless of what drives this decision, the ultimate goal of securing data is to minimize all associated risks so that our attention may be returned to the strategic objectives that will propel the enterprise forward. To do this, we must not only act upon securing critical data, but must also have the means to validate that all systems have been properly secured while not disrupting other activities within the network.

This technical paper illustrates how a combined solution leveraging Dell Data Protection|Encryption (DDP|E) Enterprise Edition with the Dell KACE Family of Systems Management Appliances provides the protection required to secure the critical data generated and processed by employees. This task must be performed while also keeping these systems up-to-date by applying operating system and software patches, deploying software, and maintaining consistent configurations. DDP|E provides software-based, data-centric encryption that applies encryption policies to groups of users for the data they generate, consume, and process. This approach allows system updates to occur without requiring complex procedures to disable and enable encryption during these processes.

Security of sensitive data is essential for businesses of all kinds, and ensuring that the systems housing that data are correctly configured, and that the applications on them are performing correctly, presents a number of benefits:

• Reduced workload through centralization of critical tasks
• Greater confidence that data and systems are secure
• Simpler compliance reporting and auditing
• Less risk of a breach occurring through an incorrectly configured system or poor security management
• Assurance that other systems management tasks may be performed easily and reliably while continuing to maintain a secure environment

Dell KACE and Dell Data Protection|Encryption are ideally suited to operate in close harmony, to reinforce the security of sensitive data through encryption and to simplify and streamline compliance management, systems maintenance, and reporting by a centralized systems management solution.



2.0 DDP|E Windows Shield Deployment using KACE software deployment tools

The Dell Data Protection|Encryption client protects information on physical or virtual Windows desktops. By encrypting files on the hard drive, or files transferred to removable media, the DDP|E client (Shield) significantly reduces the risk of a breach of sensitive information. It can also provide centralized management of other security technologies such as Windows BitLocker. However, it must first be correctly deployed and configured. The deployment and configuration management of encryption services relies on a user with a defined encryption policy authenticating on a computer that has the DDP|E endpoint client installed. Therefore, the first phase in setting up DDP|E protection for the enterprise is to install the DDP|E server and integrate it with Active Directory.

Once you have DDP|E connected to your Active Directory or other LDAP infrastructure, you can define data encryption policies that are specific to individual users or groups of users, to each domain in your environment, or that are applicable across the entire enterprise. Policies may be defined for each type of endpoint and may target specific volumes, ports, and removable storage devices. The following defined policy illustrates basic protection for all fixed drives within the dc.dellkace.com domain established in Active Directory.



These policies will not be put into effect until the DDP|E client has been deployed and installed on the endpoint, and a user has authenticated to the device. The authentication of a user to a device that has the DDP|E client deployed causes the effective policies for that user to be activated on that device.



The Dell KACE K1000 Management Appliance will have a complete inventory of the hardware and software found on every endpoint in the environment where the K1000 agent has been deployed. As the endpoint agent checks in to the K1000 server on a defined periodic interval, the hardware and software inventory will be automatically updated. The following screen illustrates machines that have the agent installed on them and that are connected and checking in to the K1000 Appliance.

This inventory may be used to identify the endpoints that need to have the DDP|E client installed and to manage the deployment and installation process automatically. This reduces both the work for your administrators and the risk to your business.


There are two installation packages available for the DDP|E client to accommodate 32-bit and 64-bit operating system versions. Both may be deployed by the Dell KACE Appliances, but care should be taken to ensure that endpoints receive the appropriate installation package. The first step in this process is to upload the installation package into its corresponding software inventory record. The easiest technique for completing this step is to manually install the package on a test endpoint and to request an inventory update for the endpoint so that the software inventory record for the DDP|E client is collected into the K1000 software inventory. The resulting software inventory record may then be edited to attach the installation payload:



Once this software record has been updated with the payload, you may manually uninstall the DDP|E client from the endpoint in order to use the same test endpoint for testing the automated installation that will be configured within the KACE K1000 Appliance. The software inventory record will be retained within the K1000 even after the associated software has been removed from the endpoint.

A Managed Installation is a process within the K1000 that examines the software inventory for a computer and determines whether the computer should install the targeted software. If the machine needs the software package, the Managed Installation will control the deployment and execution of the installation as part of the agent check-in process. The example below shows the configuration of a Managed Installation to perform a silent install of the DDP|E agent with the reboot suppressed. The DDP|E administrator's guide has a complete list of all command line options that are available. Note that the server name should be modified to fit your environment.



If preferred, the installation may be configured to take place only when the user is logged off. If the installation will occur while a user is logged on, an approach that is common for laptops that are only connected to the network when the user is also present, then installation messages and controls may be configured to manage the process in a manner that does not inconvenience users. The deployment may be limited to specific machines, or to machines defined in a dynamic grouping, referred to as a Label in the K1000.




A good use of the Label configuration may be to define the separate installations that are required for 32-bit and 64-bit machines. In the example below, we have a Smart Label configured to match a query based on the K1000 inventory of the system's processor architecture.



To create your Smart Label, go to Inventory, Computers then Create Smart Label. Use the “OS architecture” field in your query. If you have non-Windows platforms in your environment, you should also add criteria from the OS name field.


Once this configuration is complete, the DDP|E agent will be deployed to the computer when the K1000 agent on that computer checks in on its scheduled interval. Because the agent check-in process is automatically load balanced across all endpoints in the environment by the K1000 server, this results in a minimal consumption of network resources during the software deployment. Then, as users authenticate to machines that have the endpoint installed, they will automatically activate endpoint encryption on that device for the data they produce and consume.


Alternatively, the DDP|E installation may occur as a post-installation task to a scripted installation or image deployment within the Dell KACE K2000 Deployment Appliance. In this fashion, incorporating the installation of the DDP|E endpoint as part of operating system or image provisioning ensures that protection of the device begins as soon as the first user logs onto that device. The following screen illustrates what the configuration of the DDP|E installation would look like as a post-installation task.



Once this task is defined, it may be incorporated into a scripted installation (for bare-metal provisioning across heterogeneous systems) or system image deployment (for image deployment to like systems) by simply dragging it into the deployment from the list of available post-installation tasks. Note that this task requires a preceding task to join the appropriate Active Directory domain since the installation must point to that domain to be completed.



3.0 How to create DDP|E custom inventory fields for analysis and reporting

While DDP|E provides extensive reporting capabilities to easily demonstrate that systems are encrypted and data protected, there may be times when you want to examine the encryption status of an individual client within the KACE Appliance console and take action based on that information. Using the KACE K1000 Appliance, it is possible to query a system encrypted with DDP|E and gather a log of the current encryption status along with the DDP|E configuration settings.

The first step is to deploy a registry key to the DDP|E clients that enables a dump of the current encryption status. An offline K-script (which is a script in the K1000 that operates under the control of the agent on the endpoint) will be used for this task that will look for the DumpInventory registry setting. If it’s not found, the registry key will be set to a value of ‘1’ so that the resulting Inventory_Upload.xml file will be created by the DDP|E Client. Just like with the Managed Installation, the script may target specific machines or use a defined machine label to determine where the script should be deployed.

The script may be scheduled according to the time on the endpoint, and use events such as when the machine boots up to perform the check. These settings may vary depending on the location or set of machines being targeted. Running the script on a periodic basis will ensure that the DDP|E Client configuration is updated in the K1000 inventory.



In order to collect the full configuration from the DDP|E client, we look for whether the DumpInventory registry key has been set. If not, we set the value to “1” to request the configuration be written to a file for subsequent upload.
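The check-then-set logic of the offline K-script described above, written out as a PowerShell script so it can be reviewed and tested by hand on a test endpoint before being wrapped into a K1000 script. This is an added example, not a script from the paper or from Dell; the paper does not state which registry key holds DumpInventory, so the script assumes it lives under the same CMGShield key the paper names later for the DCID, MCID and LastUpdate values, and that assumption must be confirmed against the DDP|E administrator's guide before deployment.

```powershell
# Added example, not from the Dell paper: the logic of the offline K-script that requests a
# DDP|E inventory dump. ASSUMPTION: the DumpInventory value is assumed to sit under the
# CMGShield key; the paper does not give its location, so verify it before deploying.

$ShieldKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'
$ValueName = 'DumpInventory'

function Request-DdpeInventoryDump {
    param(
        [string]$KeyPath = $ShieldKey,
        [string]$Name    = $ValueName
    )

    # No CMGShield key means the DDP|E client is not installed; report it and stop.
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output "DDP|E client key not found at $KeyPath; is the Shield installed?"
        return 'ClientMissing'
    }

    # A missing value falls through as $null instead of throwing.
    $current = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue

    if ($null -eq $current) {
        # Not found: set the value to 1, which asks the Shield to write Inventory_Upload.xml.
        New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Set $Name=1 under $KeyPath; inventory dump requested."
        return 'Requested'
    }

    # Already present: leave it alone so a dump already in progress is not disturbed.
    Write-Output "$Name already present (value $($current.$Name)); nothing changed."
    return 'AlreadySet'
}

# Run elevated, as the K1000 agent would (local SYSTEM), and log the outcome for the script log.
$result = Request-DdpeInventoryDump
Write-Output "Result: $result"
```

Because the K1000 collects the resulting Inventory_Upload.xml on the next check-in, a return value of 'ClientMissing' is also useful as a signal that the endpoint should be checked against the Managed Installation targets.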


The uploaded file will appear in that machine’s inventory under Software -> Uploaded Files. By clicking on the file link, the contents may be examined. In this fashion, all information regarding a machine in the environment can be tracked in a single interface for quick examination and verification.




Additionally, specific details regarding the process of managing encryption sweeps across machines may be collected into inventory using custom inventory fields. Three examples are illustrated below, but many different attributes may be collected in this same manner. The DDPE Device ID provides the identifier used by DDP|E, in combination with the user ID, to manage the encryption process and any subsequent decryption or recovery tasks. The Last Sweep Time tells us the last time a protection sweep of the device took place. The Machine ID is the hostname reported by the device and should match the hostname recorded by the K1000. A difference in these two values may indicate a configuration issue that needs to be evaluated.



To obtain these values, custom software inventory records are created to collect the desired information. In these cases, values are being retrieved from registry settings within “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield” for the DCID, MCID, and LastUpdate keys. The following example illustrates this configuration for the DDP|E Device ID:
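The three values the paper maps to custom inventory fields, read directly from the CMGShield key named above and followed by the Machine ID versus hostname comparison the paper recommends. This is an added example, not code from the paper or from Dell; only the key path and the DCID, MCID and LastUpdate value names come from the paper, while the value types are not stated, so LastUpdate is treated as an opaque string and the hostname comparison is assumed to be case-insensitive on the short computer name.

```powershell
# Added example, not from the Dell paper: collects the CMGShield values behind the paper's
# custom inventory fields (DCID = DDPE Device ID, MCID = Machine ID, LastUpdate = Last Sweep Time)
# and flags a Machine ID / hostname mismatch as the configuration issue the paper describes.
# ASSUMPTION: MCID is compared case-insensitively to the short computer name; adjust if your
# Shield records an FQDN.

$ShieldKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CMGShield'

function Get-DdpeShieldStatus {
    param([string]$KeyPath = $ShieldKey)

    $hostName = $env:COMPUTERNAME

    if (-not (Test-Path -Path $KeyPath)) {
        # No Shield key: report "not installed" explicitly instead of returning blank fields.
        return [pscustomobject]@{
            Installed = $false; DeviceId = $null; MachineId = $null
            LastSweep = $null;  HostName = $hostName; HostMatches = $false
        }
    }

    $props     = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $deviceId  = $props.DCID
    $machineId = $props.MCID
    $lastSweep = $props.LastUpdate

    # The paper's check: Machine ID should equal the hostname the K1000 recorded. A mismatch
    # (for example a machine renamed or reimaged after activation) needs to be evaluated.
    $matches = ($null -ne $machineId) -and
               ($machineId.ToString().ToUpperInvariant() -eq $hostName.ToUpperInvariant())

    return [pscustomobject]@{
        Installed   = $true
        DeviceId    = $deviceId
        MachineId   = $machineId
        LastSweep   = $lastSweep
        HostName    = $hostName
        HostMatches = $matches
    }
}

$status = Get-DdpeShieldStatus
$status | Format-List

if ($status.Installed -and -not $status.HostMatches) {
    Write-Warning "Machine ID '$($status.MachineId)' does not match hostname '$($status.HostName)'; review this endpoint."
}
```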

Data may also be collected from files and property list files (plists) in the installation, environment variables on the endpoint, or by executing a shell command to run a script or other command.


Once the desired custom inventory fields have been defined, they may be used within the K1000 reporting module to define reports of machines that have been encrypted. When a new report is created, or an existing one is modified, the custom fields that have been created to identify DDP|E encrypted machines may be used to select and filter data for the report, as well as including these custom fields in the report listing.




The following filter is used to identify those machines that have DDP|E deployed and activated.

The resulting reports may incorporate not only data about the encrypted device but how that device is being managed, updated, and configured within the K1000 Management Appliance.



4.0 Demonstrate the ability to use WOL and update OS or deploy software

Every system needs to be updated or patched at some point, and automating this work is one of the benefits of deploying systems management tools such as the KACE Appliance. However, this work can be complicated if the target system is encrypted, as access to the disk may be locked unless the user is logged in. DDP|E and Dell KACE, however, can work together to enable remote "Wake-on-LAN" capabilities, to remotely activate a system, unlock the necessary system files, then automate patching and updating. This process enables systems to be powered down and left unattended, and then powered up to keep them up-to-date, saving potentially millions of dollars in power consumption and significant administrator time and effort.

A Wake-On-Lan request may be issued from within the K1000 Appliance, again targeting specific machines or using Labels to define groupings of machines.

NOTE: If the targeted machines have Intel vPro provisioned for remote access, this provides an alternate method for waking machines for performing maintenance actions.




Because DDP|E is a software-based, data-centric encryption technology, systems that are being protected may still be updated for operating system and application patching, software installations and management, and system configuration management. In the following example, a critical Microsoft operating system patch needs to be applied to protected systems. Patch detection and application can occur on these systems without having to manage complex processes for system authentication or decryption/encryption. The K1000 agent may operate in the local system admin account and apply the necessary updates without other intervention.

Patches may be applied by the system with a forced reboot, or by prompting the user to let them know that reboot is required to complete the patching process, giving them the control they need to complete their work without disruption.



Reports can then be generated in the K1000 that incorporate data retrieved from the DDP|E environment with data that is tracked by the K1000 to provide a complete view of how encrypted devices are being managed.

Dell KACE Corporate Background

Dell (NASDAQ: DELL) creates, enhances and integrates technology and services customers count on to provide them reliable, long term value. Dell provides systems management solutions for customers of all sizes and system complexity. The award-winning Dell KACE family of appliances delivers easy-to-use, comprehensive, and affordable systems management capabilities. Dell KACE is headquartered in Mountain View, California. To learn more about Dell KACE and its product offerings, please visit www.dell.com/kace or call 1-877-MGMT-DONE.

Helpful Links:
• KACE Systems Management Appliances
• KACE Systems Deployment Appliances

Dell KACE Headquarters
2001 Landings Drive
Mountain View, California 94043
(877) MGMT-DONE office for all inquiries
(+1) (650) 316-1050 International
(650) 649-1806 fax
kaceinfo@dell.com
European Sales: kaceemea@dell.com
Asia Pacific Sales: kaceapac@dell.com
Australia New Zealand Sales: kaceanz@dell.com
Greater China Sales: kacegc@dell.com

TP_DDPE_05.31.2012

While every effort is made to ensure the information given is accurate, Dell does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice. Microsoft® and Windows 2000® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Availability and terms of Dell Services vary by region. For more information, visit www.dell.com/servicedescriptions.

2 For Microsoft Windows only. Dell Data Protection Encryption will encrypt read/write, file-based storage that Windows mounts as a volume with a drive letter. XP requires Nero InCD or InCD version 5.5.1.23 software, Vista requires Vista Live File System to be activated, Windows 7 requires native burning mode to be supported.
3 Requires CREDANT FDE for Mac.
4 Requires CREDANT Mobile Guardian for Handhelds.
