Features

What is Beyond Encryption Enterprise?

Beyond Encryption Enterprise (BEenterprise™) is an overlay network infrastructure solution which enables an organization to easily and efficiently control the security of its sensitive information no matter where it resides. Any information that is compromised, or could be potentially compromised, can be remotely controlled and secured with pinpoint accuracy on any device irrespective of its location.


BEenterprise™ can be used by an organization to support existing in-place data security infrastructure such as Device Encryption, Data at Rest & In-Motion Monitoring and End-point Device Control solutions. It has been designed and built to integrate seamlessly with, and support, any of these solutions and the Configuration Management Databases that are used to manage these security solutions at the endpoint.

For the purposes of this document we will assume that the organization assigns the task of managing the BEenterprise™ application to the BE Administrator (BEAdmin).

Pinpoint Accuracy

BEenterprise™ can target individual files or directories on any data device in the organization for security action. Pinpoint accuracy also means that when BEenterprise™ is used to support insider-threat data loss protection solutions such as Data in Motion Monitoring and Endpoint Control, the resulting security action is precise. Organizations no longer have to be content with monitoring and blocking: they can effect a security action on the data as soon as a potential compromise is alerted. This assures the organization that it is in complete control of its most sensitive data on all remote devices at all times.

Pinpoint accuracy works by securely retrieving the directory structure from each device under management to the BE Server. An updated version of the directory is automatically sent from each device to the BE Server once per day. This information can also be updated manually by the BEAdmin at any time. This directory structure is then available on the BE Server to directly action specific security commands on specific files or folders.

Pinpoint accuracy allows the organization to target data as follows:

- Select data directly from the device if the device is online
- Select data from the device based on information from the last time it connected
- Select a file or group of files based on the file name(s)
- Select any type of document or group of documents
- Select the contents of any directory or directories on the device
- Any combination of the above

BEenterprise™ consists of four discrete components:

1. A client agent (BE Client) that resides on each device under management, whose job is to maintain contact with the BE Server and carry out the instructions it issues. The BE Client cannot be removed from a device by the Device User without triggering the Timed Security feature (see Timed Security below).

2. A server (BE Server) that maintains account information, policies, and settings associated with each individual device that has the BE Client deployed on it. The BE Server is responsible for issuing commands or instructions to each client agent. It integrates with Active Directory and can maintain a live connection with it.

3. A Secure Communications Channel (SCC) that provides a secure, encrypted point-to-point communication channel between the BE Client and the BE Server.

4. A series of core security functions that the BE Server issues to the BE Client over the Secure Communications Channel for execution on the device.

The organization can execute any of the core security functions described below to protect information on any device. No intervention by the Device User is required to execute any of the core security functions.  Further, once a security command is received by the BE Client the Device User cannot stop it being enacted.

BE Enterprise Data Security functions:

Remote Freeze

Upon receiving a freeze command from the BE Server, the BE Client encrypts the target files and/or folders using AES in cipher block chaining (CBC) mode with a randomly generated 256-bit key. This removes the Device User's access to the frozen data files without removing the files from the device.

Once the security of the device and/or its information has been verified the BEAdmin can take the selected files on the device out of freeze mode by sending an un-freeze command in a similar fashion to the process described above.
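As an added illustration in Go (not the product's own code), the freeze and unfreeze steps described above: a fresh random 256-bit key and AES-CBC as the page specifies, plus an HMAC-SHA256 tag that the page does not mention, because CBC on its own cannot tell a tampered frozen file from an intact one. The function names, the blob layout and the MAC-key derivation are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tagOf: HMAC-SHA256 over IV||ciphertext under a MAC key derived from the file key.
func tagOf(key, body []byte) []byte {
	mk := sha256.Sum256(append([]byte("freeze-mac:"), key...))
	m := hmac.New(sha256.New, mk[:])
	m.Write(body)
	return m.Sum(nil)
}

// Freeze encrypts a file's contents under a fresh random 256-bit key in AES-CBC, as the page
// describes, and appends an integrity tag (an addition; the page mentions none).
// Layout: IV(16) || ciphertext || tag(32). The key belongs on the issuing server, not the device.
func Freeze(plaintext []byte) (key, frozen []byte, err error) {
	kiv := make([]byte, 32+aes.BlockSize) // random key followed by random IV
	if _, err = rand.Read(kiv); err != nil {
		return nil, nil, err
	}
	key, iv := kiv[:32], kiv[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(append([]byte{}, iv...), ct...)
	return key, append(body, tagOf(key, body)...), nil
}

// Unfreeze verifies the tag before decrypting, so a tampered or truncated frozen file is rejected
// rather than silently decrypted to garbage; the padding byte is trusted only because of that check.
func Unfreeze(key, frozen []byte) ([]byte, error) {
	n := len(frozen) - sha256.Size // split point between IV||ciphertext and the tag
	if len(key) != 32 || n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tagOf(key, frozen[:n]), frozen[n:]) {
		return nil, errors.New("frozen blob is malformed or failed its integrity check")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, frozen[:aes.BlockSize]).CryptBlocks(pt, frozen[aes.BlockSize:n])
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}
```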

Remote Secure Deletion

The BEAdmin can send a Secure Deletion command from the BE Server to the targeted device listing which files (with pinpoint accuracy) should be securely deleted.

Once the BE Client receives the command from the BE Server it deletes the targeted files by overwriting them multiple times with patterned and randomised data in accordance with the US Department of Defense clearing and sanitising standard, DOD 5220.22-M.

As well as securely deleting the targeted files the Secure Deletion function will also securely overwrite the Microsoft Windows system files, Pagefile.sys and Hiberfil.sys, to ensure that any cached information has also been securely removed.

Once the Secure Deletion command has been received by the BE Client on the device it cannot be interrupted by the Device User. Should power to the device be interrupted the secure deletion routine continues when the device restarts until the process is completed.

Remote File Transfer

BEenterprise™ supports a secure Remote File Transfer function empowering the BEAdmin to retrieve files from the device in a manner that is completely invisible to the Device User.

1. Once the security command is received from the BE Server, the BE Client encrypts the target files using AES-256 in cipher block chaining (CBC) mode. To prevent the process being interrupted, either accidentally or deliberately, the cipher key is securely stored on the BE Client device using the Microsoft Windows Data Protection API. Should the BE Client device be shut down during the file transfer process, the transfer simply restarts once the system is back online.

2. Once the selected data is transferred back to the BE Server it is decrypted and decompressed automatically on the server and then automatically scanned for viruses using the organization's chosen antivirus scanning program. The BE User Interface has an option to choose the AV scanner used for this process.

3. The BEAdmin can change the default storage location for the User Data that is transferred back to any location or device on the network through the BE User Interface.

4. Once the file transfer process has been completed, all traces of the cipher key are securely removed from the device's memory and disk.

Remote Lockdown of Device

BEenterprise™ can remotely lock down the device by disabling all the non-administrative accounts on the device, resetting the local administrator password and then shutting the device down.  The device will remain in a lock down loop until the BE Client on the device receives a Remote Unlock command from the BE Server.

Timed Security

To ensure the security and integrity of a remote device the BEAdmin can configure the BE Client to perform any of the security functions previously described, except File Transfer, on the device should it not connect to the BE Server within a predefined period of time.

When this feature is enabled for a BE Client device the BE Server also sends a secure password for the Timed Security feature to the BE Client. This is stored securely on the local disk. Should the BE Client device fail to communicate with the BE Server within a predefined period of time, the Device User is prompted to connect to the Internet to prevent the pre-set Timed Security commands from activating. If the user is unable to do so, the BEAdmin can, upon request, supply the one-time password that resets the BE Client Timed Lockdown internal clock, thereby enabling the user to access the device as normal. This password is reset when the BE Client next connects to the BE Server.
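As an added example in Go (not the product's own code), a model of the Timed Security clock as this section describes it: a check-in resets the deadline and rotates the one-time password, the Device User is prompted as the deadline approaches, and the BEAdmin-supplied password resets the clock exactly once. The warning window, holding the password only as a digest, and all type and function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"time"
)

type Action int // the BE Client's decision when it evaluates the Timed Security clock
const (
	Normal  Action = iota // checked in recently enough
	Prompt                // deadline is near: ask the Device User to connect
	Trigger               // deadline passed: run the pre-set Timed Security commands
)

// TimedSecurity models the page's dead-man's switch. The one-time password is held only as
// a SHA-256 digest (an assumption; the page says "stored securely" without saying how) and
// is spent the first time it is accepted. A client that has never checked in triggers at once.
type TimedSecurity struct {
	Period      time.Duration // predefined period after which the commands activate
	Warning     time.Duration // how long before the deadline the user is prompted (assumed)
	lastContact time.Time
	otpDigest   [32]byte
	otpSpent    bool
}

// CheckIn records a connection to the BE Server, which also delivers a fresh one-time password.
func (t *TimedSecurity) CheckIn(now time.Time, newOTP string) {
	t.lastContact, t.otpDigest, t.otpSpent = now, sha256.Sum256([]byte(newOTP)), false
}

// Evaluate is the client's periodic decision, driven only by the clock and the last contact.
func (t *TimedSecurity) Evaluate(now time.Time) Action {
	switch deadline := t.lastContact.Add(t.Period); {
	case !now.Before(deadline):
		return Trigger
	case !now.Before(deadline.Add(-t.Warning)):
		return Prompt
	}
	return Normal
}

// RedeemOTP lets the BEAdmin-supplied password reset the internal clock exactly once; the
// comparison is constant-time so response timing leaks nothing about the stored digest.
func (t *TimedSecurity) RedeemOTP(now time.Time, supplied string) bool {
	d := sha256.Sum256([]byte(supplied))
	if t.otpSpent || subtle.ConstantTimeCompare(d[:], t.otpDigest[:]) != 1 {
		return false
	}
	t.lastContact, t.otpSpent = now, true
	return true
}
```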

Auditing

BEenterprise™ includes a comprehensive audit trail function to support any investigative or audit requirements. Key events are recorded and logged to ensure that all activity can be verified.  When a BEenterprise™ command has been executed on a device the BEAdmin receives a full report outlining:

- when the BEenterprise™ command was sent to the BE Client device,
- when the BEenterprise™ command was executed on the BE Client device,
- which data files and folders were affected by which actions on the BE Client device, and
- the names of the administrators who sent the command.
