McAfee Product Strategy

Endpoint Encryption for PC v6.0
Technical Information and Direction
Anthony Merry
Senior Product Manager

April 19, 2010
Agenda – Endpoint Encryption Version 6.0

• Endpoint Encryption for PC
   – A Short History
• Integration and Management with McAfee ePolicy Orchestrator
   – ePO Integration Phases 1 and 2
   – ePO Integration Phase 3
• The “Intelligent” Client
   – Client Architecture
   – 3rd Party Encryption Hardware
   – uEFI
   – Client Architecture Review
• OS Support
• Sense of Realism

Confidential McAfee Internal Use Only
A Short History

ENDPOINT ENCRYPTION V6.0

1992
“Compact discs surpass cassette
tapes as the preferred medium for
recorded music.”


“Bush and Yeltsin proclaim a formal
end to the Cold War and Bill Clinton
is elected President of the USA”


“Isaac Azimov, the author who
invented Robotics, dies at the age
of 72”

“Microsoft Windows 3.1 is released
and sells more than 1 Million copies
within the first two months of its
release”


... And SafeBoot Version 1.0 was born

SmartDisk SafeBoot


• One of the very first Full Disk Encryption
  products in the market

• Developed in Brighton, England

• Conceived as a demonstration
  application for the SmartDisk, a
  SmartCard and Flash Memory reader in
  the form of a floppy disk.

• Pioneering customers included British
  Telecom, ABN-Amro and Barclays Bank


2007
“Space Shuttle Atlantis is
launched.”


“Windows Vista is launched in the
Retail market”


“The first confirmed deaths result
from the Myanmar military's
crackdown on weeks-long anti-
government protests. Buddhist monks
are arrested and Internet access is
cut from the public”

“Boris Yeltsin, first President of
the Russian Federation dies”


... And McAfee Acquires SafeBoot
(17 November 2009)

Endpoint Encryption – ePO Integration Plans

• Phase 1 (Q1 2008): Reporting and deployment through ePO 3.61
• Phase 2 (Q2 2008): Reporting and deployment through ePO 4.0
• Phase 3 (version 6.0): Full integration of SafeBoot Management Center
  and Endpoint Encryption products in ePO 4.5

ePO Integration Phases 1 and 2

ENDPOINT ENCRYPTION V6.0

Proactive Reporting in ePO – The Difference

Prior to ePO, SafeBoot reporting was limited to SafeBoot installed machines –
no information about the machines which are NOT secured
   – Reactive Reporting: check protection status of a laptop post theft; if the
     machine is not listed in the report it means not secured

NEW integrated ePO reporting of Endpoint Encryption reports on the entire
ePO managed machine network
   – Proactive Reporting: embedded Endpoint Encryption reporting through
     ePO presents machines which are not protected with Endpoint
     Encryption. ePO can then deploy the client to these machines directly.

Proactive Reporting in ePO – Discovery

• Compliance reporting with other vendors is limited to installed
  machines or an application running on the machine itself

• With the proactive ePO reporting approach McAfee can go one
  step further and find non-secured machines, even though no agent
  is running on the machine

• Use the built-in “ePO Rogue System Detection” option to
  determine the machines in your organization not running the
  McAfee Agent (MA)

Summary Encryption Report (screenshot callouts)

• The report shows the systems not installed with Endpoint Encryption
• The report can be filtered on the OS version
• From the report you can directly modify the tasks and deploy Endpoint
  Encryption
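To make the reactive versus proactive distinction concrete, here is an added example (not McAfee's code and not the ePO reporting API) that models the three data sources the slides rely on: the ePO system tree, the product properties the McAfee Agent reports, and the Rogue System Detection list of agentless hosts. All hostnames, OS strings and the activation_blocker property are constructed for the example. It also carries the activation pre-check status described later under “Non-compatible products”, so one pass over the inventory yields both the list of machines ePO can deploy to and the machines that installed but could not activate.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ManagedMachine:
    """One node in the ePO system tree: it runs the McAfee Agent, so ePO
    knows its OS and which products the agent has reported as installed."""
    hostname: str
    os: str
    products: Dict[str, dict] = field(default_factory=dict)


# Constructed sample inventory (hostnames, OS strings and the
# "activation_blocker" property are assumptions for this example).
MANAGED: List[ManagedMachine] = [
    ManagedMachine("lt-001", "Windows XP", {"EEPC": {"activated": True}}),
    ManagedMachine("lt-002", "Windows 7",
                   {"EEPC": {"activated": False,
                             "activation_blocker": "incompatible disk utility detected"}}),
    ManagedMachine("lt-003", "Windows 7", {}),
    ManagedMachine("lt-004", "Windows Vista", {"VSE": {"version": "8.7"}}),
]

# Constructed Rogue System Detection result: hosts seen on the network
# that are not running the McAfee Agent at all.
ROGUE_HOSTS: List[str] = ["lt-005", "lt-006"]


def classify(machine: ManagedMachine) -> dict:
    """Encryption state of one managed machine, as the agent reports it."""
    eepc = machine.products.get("EEPC")
    if eepc is None:
        return {"status": "not_installed", "os": machine.os}
    if eepc.get("activated"):
        return {"status": "protected", "os": machine.os}
    # Installed, but the pre-activation check found a known incompatibility:
    # the client reports the reason back instead of silently staying unencrypted.
    return {"status": "installed_not_activated", "os": machine.os,
            "reason": eepc.get("activation_blocker", "unknown")}


def reactive_report(machines: List[ManagedMachine]) -> Dict[str, dict]:
    """Pre-ePO SafeBoot view: only machines with the product installed appear,
    so an unprotected laptop is simply absent from the report."""
    return {m.hostname: classify(m) for m in machines if "EEPC" in m.products}


def proactive_report(machines: List[ManagedMachine], rogue_hosts: List[str],
                     os_filter: Optional[str] = None) -> Dict[str, dict]:
    """ePO view: every managed machine plus the agentless hosts found by
    Rogue System Detection, optionally filtered on OS version."""
    report = {m.hostname: classify(m) for m in machines}
    for host in rogue_hosts:
        report[host] = {"status": "no_agent", "os": None}
    if os_filter is not None:
        report = {h: s for h, s in report.items() if s["os"] == os_filter}
    return report


def deployment_candidates(report: Dict[str, dict]) -> List[str]:
    """Machines ePO can push the client to directly: agent present, no EEPC."""
    return sorted(h for h, s in report.items() if s["status"] == "not_installed")


def activation_blockers(report: Dict[str, dict]) -> Dict[str, str]:
    """Machines where the client installed but refused to activate, with the reason."""
    return {h: s["reason"] for h, s in report.items()
            if s["status"] == "installed_not_activated"}


if __name__ == "__main__":
    full = proactive_report(MANAGED, ROGUE_HOSTS)
    for host, state in sorted(full.items()):
        print(host, state)
    print("deploy to:", deployment_candidates(full))
    print("cannot activate:", activation_blockers(full))
```

The point the slides make shows up in the two report functions: the reactive view never contains lt-003, lt-004, lt-005 or lt-006, so a stolen laptop that was never encrypted is invisible to it, while the proactive view lists them with a status that tells the administrator which remediation applies (deploy the client, fix the activation blocker, or install the agent first).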
ePO Integration Phase 3

ENDPOINT ENCRYPTION V6.0

New Endpoint Encryption Architecture in ePO (diagram)

• ePO v4.5 provides central policies, key management and central user
  provisioning for Endpoint Encryption products.
• One Client Manager (MA – McAfee Agent) handling multiple Endpoint
  Security products. The ePO Agent (MA) Framework hosts: Anti-Virus,
  Anti-Spyware, Desktop FW, Host IPS, Host DLP, NAC, Host Compliance,
  Remediation, Endpoint Encryption for PC and Endpoint Encryption for
  Files and Folders.
• Other diagram labels: Secure Communication Channel; User and Machine
  Import; Active Directory & LDAP.

ePO Integration Goals

• Objective: reduce overall operational costs associated with an
  encryption product and make an Administrator's life easier
   – Deployment
   – Reporting
   – Same tasks and policies regardless of operating system or
     software/hardware encryption technology

• Improved support for
   – Clustering
   – Scalability
   – Virtualization

Endpoint Encryption Policy in Catalog (screenshot)

The new Endpoint Encryption Common Policy has two categories
(Product Settings, User Based Policies)

Logon Settings per Platform (screenshot)

• Endpoint Encryption Logon Section with settings for the PreBoot Logon
• Windows specific Logon Section

Highlights of ePO Integration for Management
• The three ones
    – 1 Policy for the entire organisation
    – 1 Product to handle all Full Disk Encryption needs
    – 1 Management Centre
• Simplified Deployment
    – Select machines that aren't protected and ask ePO to Deploy and encrypt
• Simplified Policies and Policy Management
    – Take advantage of ePO's hierarchical structure and have one encryption policy for
      the entire organization
    – Alternatively, specify a new encryption policy at any level of the hierarchy to handle
      specific use cases
• ePO Encryption Status Dashboards and full Reporting
    – All audit and logging information is stored inside ePO
    – Create all necessary custom reports based on information inside the ePO database
• Non-compatible products
    – Before activating on a client the product will search for issues/products that are
      known to cause issues with activation and encryption.
    – Report the status back to ePO (Product is installed, but cannot activate
      because ...)

Users in version 6.0

• Users are referenced, not created
  – Referenced from Active Directory or LDAP
  – No local users
  – Quicker provisioning times possible
  – Can be used with Auto-Discovery of users functionality
• ePO support
  – 4.5: Active Directory only
  – 4.5 Patch 2: Will include LDAP support

The “Intelligent” Client
Client Architecture

ENDPOINT ENCRYPTION V6.0

Client Architecture

4 Major Components
1. McAfee Agent
2. Endpoint Encryption Host
3. Modules
4. Encryption Providers

Layer diagram (top to bottom): ePO Agent (MA) Framework → Endpoint
Encryption Host → Modules and Encryption Providers

Endpoint Encryption Host

• Dynamically pluggable architecture
• Responsible for all communication between all modules
• Provides policy data to all modules
• Required for Endpoint Encryption for PC to function

Diagram: the ePO Agent (MA) Framework exchanges policy data, files,
audit logs, etc. with the Endpoint Encryption Host, which in turn passes
policy data, internal data messages, etc. to the Modules and Encryption
Providers.

What is a Module?

• Provides functionality to the product
• Two types of modules
     – Product functionality
     – Encryption Providers
• 5 Modules in version 6.0
     – McAfee Endpoint Encryption Agent Host
     – McAfee Endpoint Encryption ePO Plug-in
     – McAfee Endpoint Encryption Core Provider
     – McAfee Endpoint Encryption Provider Plug-in for PC
     – McAfee Endpoint Encryption Product Detection Plug-in

Diagram: ePO Agent (MA) Framework → (Policy Data, Files, Audit Logs,
etc.) → Endpoint Encryption Host → ePO Plug-in, Product Detection
Plug-in, Encryption Providers (Core Provider)

Encryption Providers

• Pluggable modules that perform encryption/decryption functionality
• Architecture has been created to support a mixed environment of
  encryption
   – Software
   – Hardware
   – Whatever else comes along in the future...
• Provides the ability to add support for new technology as it emerges
• Manage a mixed encryption environment from a single product and
  policy
• Initial release of version 6.0 will include software encryption with
  hardware support following quickly after the release

Diagram: ePO Agent (MA) Framework → (Policy Data, Files, Audit Logs,
etc.) → Endpoint Encryption Host → Modules / Encryption Providers →
Software Encryption, Hardware Encryption (e.g. Self Encrypting Disks)

The “Intelligent” Client
3rd Party Encryption Hardware

ENDPOINT ENCRYPTION V6.0

3rd Party Hardware Encryption

 “A major difference between software and hardware-based FDE is that
 software-based FDE can be centrally managed, but hardware-based
 FDE can usually only be managed locally. This makes key
 management and recovery actions considerably more resource-intensive
 and cumbersome for hardware-based FDE than software-based.”
 NIST SP800-111 Guide to Storage Encryption Technologies for End User Devices

• EEPC version 6.0 introduces Encryption Providers
   – Pluggable architecture to support hardware encryption
   – Provides the capability to utilize third party encryption technologies such
     as Self Encrypting Disks plus other emerging hardware encryption
     technologies from various manufacturers.
   – One common Endpoint Encryption policy
   – Policy defines the priority list of encryption providers,
       • e.g. What happens if I have Technology 1 and Technology 2 on one
         machine? You can choose your order of preference for which technology
         to activate and manage.

Encryption Settings (screenshot)

• Encryption Policy to encrypt:
  - None
  - All
  - Boot Disk only
  - All except Boot Disk
• Encryption Provider Priority (list shows TCG Opal Drive, EEPC Software
  Encryption): policy to define Encryption Provider Priority. If you want
  to manage various hardware technologies via ePO you can configure
  and order the preferred provider here.

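The provider selection described on the Encryption Providers slide and on the two slides above (pluggable providers, one common policy with an encryption scope and an ordered provider priority list) can be modelled as follows. This is an added example, not the EEPC host or plug-in code: the Disk attributes, the REGISTRY and the shape of the policy dictionary are assumptions, while the scope values and the provider names are the ones on the Encryption Settings slide. It resolves the “Technology 1 and Technology 2 on one machine” question per disk, and reports a disk that no listed provider can handle as None rather than silently falling back.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Disk:
    name: str
    is_boot: bool
    opal_capable: bool  # whether the drive advertises TCG Opal (assumed attribute)


class EncryptionProvider:
    """Pluggable module interface: the host asks each provider whether it can
    take ownership of a given disk. Names follow the Encryption Settings slide."""
    name = "abstract"

    def supports(self, disk: Disk) -> bool:
        raise NotImplementedError


class OpalProvider(EncryptionProvider):
    name = "TCG Opal Drive"

    def supports(self, disk: Disk) -> bool:
        return disk.opal_capable  # hardware path only for self-encrypting drives


class SoftwareProvider(EncryptionProvider):
    name = "EEPC Software Encryption"

    def supports(self, disk: Disk) -> bool:
        return True  # software encryption works on any disk


# Provider registry (assumed structure): what the host has loaded as plug-ins.
REGISTRY: Dict[str, EncryptionProvider] = {
    p.name: p for p in (OpalProvider(), SoftwareProvider())
}

SCOPES = ("None", "All", "Boot Disk only", "All except Boot Disk")


def in_scope(scope: str, disk: Disk) -> bool:
    """Apply the 'Encryption Policy to encrypt' setting to one disk."""
    if scope == "None":
        return False
    if scope == "All":
        return True
    if scope == "Boot Disk only":
        return disk.is_boot
    if scope == "All except Boot Disk":
        return not disk.is_boot
    raise ValueError(f"unknown encryption scope: {scope}")


def validate_policy(policy: dict, registry: Dict[str, EncryptionProvider] = REGISTRY) -> List[str]:
    """Problems an administrator should see before the policy is enforced."""
    problems = []
    if policy.get("scope") not in SCOPES:
        problems.append(f"unknown scope: {policy.get('scope')}")
    for name in policy.get("priority", []):
        if name not in registry:
            problems.append(f"unknown provider: {name}")
    return problems


def select_provider(disk: Disk, priority: List[str],
                    registry: Dict[str, EncryptionProvider] = REGISTRY) -> Optional[str]:
    """First provider in policy order that supports this disk, or None."""
    for name in priority:
        if registry[name].supports(disk):
            return name
    return None


def plan_encryption(policy: dict, disks: List[Disk],
                    registry: Dict[str, EncryptionProvider] = REGISTRY) -> Dict[str, Optional[str]]:
    """Map each in-scope disk to the provider that will activate on it."""
    problems = validate_policy(policy, registry)
    if problems:
        raise ValueError("; ".join(problems))
    return {d.name: select_provider(d, policy["priority"], registry)
            for d in disks if in_scope(policy["scope"], d)}


# Constructed sample machine: an Opal-capable boot drive plus a plain data disk.
SAMPLE_DISKS = [Disk("disk0", is_boot=True, opal_capable=True),
                Disk("disk1", is_boot=False, opal_capable=False)]

if __name__ == "__main__":
    policy = {"scope": "All", "priority": ["TCG Opal Drive", "EEPC Software Encryption"]}
    print(plan_encryption(policy, SAMPLE_DISKS))
```

Reordering the priority list is the only change needed to move the boot drive from hardware to software encryption, which is the single-policy, mixed-environment behaviour the slides promise; a None entry in the plan is the case the client should report back to ePO rather than leave the disk unencrypted.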
Trusted Computing Group
Opal Self Encrypting Drives

• McAfee are an active contributor and voting member of the TCG
  Storage Working Group and provide input to the Opal and Marble
  specifications

• EEPC Version 6.x products will support Self-Encrypting Drives that
  adhere to the Opal (and Marble) specifications from TCG

• McAfee is currently working in conjunction with various manufacturers
  on incorporating their Opal Drives into EEPC V6.x




Intel AES-NI

• Included in Intel 32-nm Westmere microprocessors
• First Encryption technology to support Intel's AES-NI
• Faster software encryption on traditional hard disks

Diagram: ePO Agent (MA) Framework → (Policy Data, Files, Audit Logs,
etc.) → Endpoint Encryption Host → Modules / Encryption Providers →
Software Encryption (use AES-NI if present in machine), Hardware
Encryption (e.g. Self Encrypting Disks)

uEFI
A Changing Boot Process

ENDPOINT ENCRYPTION V6.0

So how does a PC “Boot”?

• POST (Power On Self Test) – Test Programs
   – ROM programs in motherboard chips
   – Setup programs from CMOS
• BIOS (Basic Input Output System) – System Software executed
   – ROM chips with BIOS programs
   – BIOS copied from adapters (VGA)
• BOOT
   – BIOS passes execution to the MBR which loads the Operating System

Endpoint Encryption Boot Sequence (BIOS)

MBR → PBE → PBA → Boot Sector (Encrypted) → Operating System (Encrypted)

   – PBA: Load EE RTOS (32-BIT PBA OS)
   – Hook INT13 (Disk Handler)
   – Hand-over INT 13 to Windows Device Driver

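The boot chain above is easier to reason about as code. The following is an added example (not McAfee's PBA, PBE or disk driver) that models it: the MBR stays in clear so the BIOS can load the pre-boot environment, the PBA authenticates the user and only then installs a hook in front of the INT13 disk handler, and from that point on reads of the encrypted boot sector and OS sectors return plaintext. The per-sector keystream, the PBKDF2 key derivation, the verifier, the salt and the passphrase are constructed stand-ins for this example and are not the product's constructions.

```python
import hashlib
import hmac
from typing import List

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"


def sector_keystream(key: bytes, lba: int) -> bytes:
    """Deterministic per-sector keystream (HMAC-SHA256 over LBA || counter).
    A stand-in so the example runs offline; it is NOT the product's cipher and
    not a construction to copy for real disk encryption."""
    blocks = []
    for counter in range((SECTOR + 31) // 32):
        msg = lba.to_bytes(8, "little") + counter.to_bytes(4, "little")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:SECTOR]


def xor_sector(key: bytes, lba: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector; the LBA ties the keystream to its position."""
    if len(data) != SECTOR:
        raise ValueError("sector must be exactly 512 bytes")
    return bytes(a ^ b for a, b in zip(data, sector_keystream(key, lba)))


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBA turns the user's credential into the disk key (constructed PBKDF2 here;
    a real PBA would unwrap a per-user copy of the disk key instead)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


class RawDisk:
    """What INT13 returns before the hook: the MBR in clear, everything else encrypted."""

    def __init__(self, key: bytes, plaintext_sectors: List[bytes]):
        self.sectors = [plaintext_sectors[0]]
        for lba in range(1, len(plaintext_sectors)):
            self.sectors.append(xor_sector(key, lba, plaintext_sectors[lba]))

    def int13_read(self, lba: int) -> bytes:
        return self.sectors[lba]


class HookedInt13:
    """Installed by the PBA: reads pass through the hook and decrypt transparently."""

    def __init__(self, raw: RawDisk, key: bytes):
        self.raw, self.key = raw, key

    def read(self, lba: int) -> bytes:
        data = self.raw.int13_read(lba)
        return data if lba == 0 else xor_sector(self.key, lba, data)


def boot(raw: RawDisk, verifier: bytes, salt: bytes, passphrase: str) -> HookedInt13:
    """BIOS -> MBR -> PBE -> PBA -> hooked INT13 -> encrypted boot sector -> OS."""
    mbr = raw.int13_read(0)                        # BIOS loads the plaintext MBR (PBE)
    if mbr[510:512] != BOOT_SIGNATURE:
        raise RuntimeError("no bootable MBR")
    key = derive_key(passphrase, salt)             # PBA: authenticate the user
    if not hmac.compare_digest(hashlib.sha256(key).digest(), verifier):
        raise PermissionError("pre-boot authentication failed")
    handler = HookedInt13(raw, key)                # PBA hooks INT13 (disk handler)
    boot_sector = handler.read(1)                  # encrypted boot sector now reads as plaintext
    if boot_sector[510:512] != BOOT_SIGNATURE:
        raise RuntimeError("boot sector did not decrypt")
    return handler                                 # handed over to the Windows device driver


def _sector(payload: bytes, signed: bool) -> bytes:
    return payload.ljust(510, b"\0") + (BOOT_SIGNATURE if signed else b"\0\0")


# Constructed sample disk: MBR, boot sector, one OS sector.
SAMPLE_PLAINTEXT = [_sector(b"PBE stub", True), _sector(b"NTLDR", True), _sector(b"OS data", False)]
SAMPLE_SALT = b"constructed-salt"
SAMPLE_PASSPHRASE = "constructed-passphrase"
SAMPLE_KEY = derive_key(SAMPLE_PASSPHRASE, SAMPLE_SALT)
SAMPLE_VERIFIER = hashlib.sha256(SAMPLE_KEY).digest()
SAMPLE_DISK = RawDisk(SAMPLE_KEY, SAMPLE_PLAINTEXT)


def read_os_sector(passphrase: str) -> bytes:
    """Full boot with the given credential, then the first OS read through the hook."""
    return boot(SAMPLE_DISK, SAMPLE_VERIFIER, SAMPLE_SALT, passphrase).read(2)


def pba_accepts(passphrase: str) -> bool:
    try:
        boot(SAMPLE_DISK, SAMPLE_VERIFIER, SAMPLE_SALT, passphrase)
        return True
    except PermissionError:
        return False
```

Two properties of the design are visible here: before the PBA succeeds, the only readable sector is the MBR, and a raw INT13 read of the boot sector yields ciphertext (the at-rest guarantee a stolen laptop relies on); after the hook is in place, nothing above it needs to know about encryption, which is why the OS loader and later the Windows device driver can take over the same read path. A real implementation would use a proper block cipher mode keyed per sector and unwrap a per-user copy of the disk key rather than deriving it from the passphrase.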
What is UEFI?

• "Unified Extensible Firmware Interface".
• UEFI is a community effort by many companies in the
  personal-computer industry to modernize the booting
  process
• The UEFI specification defines a new model for the
  interface between personal-computer operating systems
  and platform firmware.
• UEFI is a much larger, more complex, OS-like, replacement
  for the older BIOS firmware interface present in all PCs.
     – UEFI Class 0-2 backward compatible. Class 3 is not.
     – UEFI Native Boot – Class 3
• UEFI capable systems are already shipping, and many
  more are in preparation



What is UEFI?

• Class Zero
  – This set of platforms is based upon the original BIOS technology of the 1980's, also
    referred to as Traditional BIOS platforms.
• Class One
  – In 2003 some PC class platforms began to ship with EFI (the precursor to UEFI)
  – A special software driver (CSM – Compatibility Support Module) was used to
    provide the runtime and operating system interfaces expected of the traditional
    BIOS solution. Customers may not have seen any appreciable change between an
    EFI/UEFI boot solution with Compatibility Support and the traditional PC BIOS, even
    though those changes were being exploited.
• Class Two:
  – Provides the ability to perform a boot strap (and application execution) through the
    use of the UEFI boot process using UEFI boot loader applications (through UEFI
    interfaces).
  – Class Two systems also support the Traditional BIOS INT 19h boot process (load a
    boot image from the MBR to a hard coded memory location and transfer
    execution to that loader).

UEFI

• Class Three (UEFI Native Boot):
  – Defined as a system which provides the ability to perform a boot strap (or
    application execution) through the use of the UEFI defined boot process using
    UEFI boot loader applications (through UEFI interfaces), but without the CSM option
    as an integral part of the system BIOS support.

• UEFI Support will not be delivered with version 6.0; however it is
  a Roadmap item

Planned UEFI boot sequence (diagram):
Platform Init → EFI Image Load → EFI OS Loader (or INT 19 for Class 2) → Boot Services Terminate
   – Load EE Client (32/64 BIT EFI App)
   – Load EE Disk Handler (32/64 BIT EFI Driver)
   – Hand-over to Windows or Mac Device Driver

Overall Client Architecture Review

ENDPOINT ENCRYPTION V6.0

Client Architecture – Version 6.0

(Diagram: McAfee ePO v4.5 with the client component stack)

OS Support

ENDPOINT ENCRYPTION V6.0

Client Supported Platforms and Languages

• Platforms (diagram of OS logos, each labelled 32-Bit Only or 32 and 64-Bit)
• Management (ePO)
   – Japanese, French, Spanish, Chinese (Traditional and Simplified),
     Russian, German, Korean.
   – Fully localized and supported
• Client
   – Same languages and support as Management section
   – Additional client languages fully localized and available but NOT
     supported at GA date
   – Portuguese, Brazilian Portuguese, Italian, Dutch, Greek, Swedish,
     Norwegian, Danish, Finnish, Polish, Arabic, Estonian and Thai
   – Supported as of version 6.0.1

Support for Mac OS X

• Provide Mac OS X users with a full disk encryption product
• Manage Windows and Mac OS X machines from a single policy
• Management
   – ePO Managed
   – Uses the same policies as Windows
   – Additional policy settings specifically for Mac OS X
   – Deployment method the same as for Windows
   – Report on Windows and Mac in the same report
• Client
   – Pre-Boot environment is the same as the Windows product
   – Transparent encryption
   – Very little UI on the client
   – Will support Encryption Providers, but only Software in the first
     release. Hardware in a subsequent release
• Tokens
   – Not all tokens will be ported to Mac
   – E.g. PCMCIA based tokens
• Delivery
   – Roadmap item
   – After EEPC Version 6.0
   – Separate release schedule

Support for Linux

• Provide Linux users with a full disk encryption product
• Manage Windows, Mac and Linux machines from a single policy
• Management
   – ePO Managed
   – Uses the same policies as Windows/Mac
   – Additional policy settings specifically for Linux
   – Deployment method the same as for Windows/Mac
   – Report on Windows, Mac and Linux in the same report
• Client
   – Pre-Boot environment is the same as the Windows/Mac product
   – Transparent encryption
   – Very little UI on the client
   – Will support Encryption Providers, but only Software in the first
     release. Hardware in a subsequent release
• Delivery
   – Roadmap item

Sense of Realism