
Upload: duongthuan

Post on 25-Feb-2019


Demo Lab Guide – Data Protection | Encryption DDP

Product Domain: Cloud Client Computing

Author: David Aherne

Version: 1.01


Table of Contents

1 Product Overview
1.1 Lab Preparation Considerations and Caveats
2 Introduction
2.1 Lab Topology and Essential Information
2.1.1 Dell Data Protection Features
2.1.2 Lab Addressing and Login Details
3 Demo Environment
3.1 Where to begin the demo
3.2 Controlling access to DDPE features
3.3 Setting encryption policies
3.4 Removable media
3.5 Recovery
3.6 Reporting

Dell Demo Center – https://demos.dell.com | Dell Inc., 2016

1 Product Overview

Dell Data Protection | Encryption (DDPE) protects data at rest on laptops/desktops (including self-encrypting drives and BitLocker), smartphones and tablets, removable drives and in the cloud (currently Dropbox and Box.net). Organizations use DDPE to meet compliance requirements (HIPAA/HITECH, PCI, etc.) and to secure the intellectual property that resides in these locations.

There are four major workflows for any encryption solution:

• Develop encryption policies and deploy to endpoints

• Central escrow of key material

• Recovery of data during forensics or break/fix workflows

• Reporting for compliance or audits

Why DDPE?

Many customers have an encryption solution in place today. These customers feel an enormous amount of pain with their legacy solutions: systems management tasks, such as patch management and software distribution, can be impacted; end users are often locked out of their systems due to password syncing problems; and recovering encrypted data is very time-consuming. All of this means more helpdesk calls and more downtime for users.

DDPE software encryption provides:

• Transparency to the end-user

• No impact to patch management, software distribution and other endpoint management tasks (works very well with Dell KACE)

• Quick recovery workflows that do not leave data unencrypted

• Central key escrow/management

• Central reporting for audits/compliance

1.1 Lab Preparation Considerations and Caveats

It is in your best interests to ensure the demo environment you will be demonstrating is clean and tidy before you begin. For this reason we recommend that, where possible, you log in to your demo at least 15 minutes prior to delivery and check the following:

1. Familiarize yourself with the environment during this time and check any specific features you are expecting to demo.

2. Most importantly, be crystal clear with yourself on what it is you plan to show. A full demo of every feature described below (with questions) can take several hours. If you only have a short time slot, be sure to focus on the key points that address the customer’s pain points and will drive value home to them.

3. Ensure that you have scheduled the demo for sufficient time so that the demo does not end before you are finished with the customer.


2 Introduction

In this guide you will find the Dell Data Protection demo that is available at https://demos.dell.com. The guide details the demo options available to the user for demonstrating and learning about Dell Data Protection. The guide also provides step-by-step instructions on how to use Dell Data Protection.

The guide and demo are focused on the following elements:

• Providing a facility to enable engineers to work with Dell Data Protection and the various configuration options

• Providing an example setup on how to use Dell Data Protection

2.1 Lab Topology and Essential Information

The diagram provides detail on the setup of the demonstration environment. The environment provided is self-contained and has a number of virtual machine images provided for use.


2.1.1 Dell Data Protection Features

Dell Data Protection offers the following features:

- Platform to control, manage and protect your laptops, desktops, removable media, smartphones, tablets, self-encrypting drives, BitLocker and even data in the cloud. All management-related protocols and features such as simple network management protocol (SNMP), telnet, secure shell (SSH)

- DDPE policy-based encryption on Windows 7 64-bit, with demonstration capability of the External Media Shield (EMS) Optics emulation

- Because of demo environment limitations, the following features are not currently available for client demonstration: Cloud, iOS, Android, Mac, SED, and Dell FVE security

2.1.2 Lab Addressing and Login Details

Please pay attention to the login details provided. These are essential for the successful completion of the lab. The information will be required during various phases of the lab.


The following table provides login credentials for all elements needed to complete the lab:

System                      Username      Password
DDPE Management Console     demouser      password
DDPE Compliance Reporter    reportadmin   password


3 Demo Environment

The demo environment allows you to show all aspects of the DDPE console, including central management, recovery and compliance reporting. Two virtual clients are also available, one encrypted with DDPE and the other encrypted with BitLocker, but managed by DDPE.

A limitation of the virtual clients is that the USB drives cannot be reconnected once they are disconnected. When providing a demo, you can show the workflow of a user first connecting a removable drive and you can show copying data to the drive. However, you cannot show what happens the next time a user connects the USB drive to their system.

Demonstration of encryption for Dropbox and Box.net, as well as smartphones (iOS and Android), is not available; however, the policy configuration for these capabilities can be shown in the console.

3.1 Where to begin the demo

When first starting the demo, make sure that Enterprise is selected under Protect & Manage in the left-hand column of the web console. Note that the dashboards in the middle pane provide administrators with a tactical view of their encrypted endpoints. Also note that these dashboards are drillable: for example, you can click on a number under Protected and see more detail regarding the endpoints.

(Note: click on Enterprise in the left-hand column to return to the original dashboard view).

3.2 Controlling access to DDPE features

Now click on Administrators in the left-hand column. Administrators log in to the web console using their standard AD credentials; however, rights to things like key material, reports or the ability to modify encryption policies are governed by the roles selected here.

In most organizations, you will have security administrators who are responsible for setting encryption policy and are involved in forensics activities. Operational administrators and even frontline helpdesk personnel can be locked out of setting/viewing policies but can still assist in certain data recovery workflows.

(Note: if you want to review the details of the listed roles before a demo, click on the ? icon in the top right-hand corner of the web console and search for roles).

3.3 Setting encryption policies

Now click on Enterprise in the left-hand column and then the Security Policies tab in the middle pane. Discuss how DDPE ships with several pre-defined templates designed to meet certain regulatory requirements such as HIPAA or PCI right out of the box. These templates can be modified or you also have the option of building your own policies from the ground up. The key point is that customers do not have to spend a lot of time managing these policies.

Click on the Override button in the top right-hand corner.


This is where you can customize a template or build your own encryption policies. Click on the Shield for Windows drop-down box (to the right of Policy Category) and discuss how policies for all of the platforms we support can be set in one place. This includes Windows, Mac, iOS, Android, removable drives, self-encrypting drives, BitLocker and cloud storage services Box.net and Dropbox.

Start with the Shield for Windows policies and expand the Fixed Storage section. Emphasize that by default DDPE encrypts data across the entire drive, with the exception of a handful of files needed to boot Windows.

However, DDPE differentiates itself from legacy encryption solutions by utilizing multiple keys to secure the data. With DDPE, when users are sitting at the Windows login prompt, data is still encrypted. The key for this data (referred to as the common key) is only unlocked by a domain authenticated user.

The benefit of this approach is that nothing changes as far as how the user logs in or accesses their data. It also provides a higher level of security for the data organizations want to protect the most.


3.4 Removable media

To do the complete demo, you will need to have a physical system (or a virtual machine that allows you to connect and disconnect USB drives). This is currently not available in the demo center virtual environment.

Discuss how many of the big data breaches over the last 18 months have been related to removable drives (Kaiser Permanente, Sutter Health, State of Alaska; these are all organizations that were not DDPE customers prior to the reported breaches, but are now).

Discuss how many organizations don’t address removable media because existing solutions are too much of a barrier to end users. For instance, BitLocker To Go requires the user to completely reformat the drive they connect (this involves also copying existing data on the drive to the local system and then copying it back). This can be very time-consuming and frustrating for users. DDPE stays out of the way of the end user as much as possible.

Start in the console, expanding the Removable Storage section. Do not go through every policy; instead, focus on a few key policies and the user experience. The policies to summarize are:

• EMS Access to Unshielded Media

• EMS Scan External Media

• EMS Access Encrypted Data on unShielded Device

With the policies that you see in this screenshot, DDPE will not encrypt any existing data on the drive. Users can still access encrypted data on non-corporate machines by entering a secondary password; however, whenever a user connects the device to their corporate machine, they can access their encrypted data without entering any additional passwords.

Now transition to a client system. When connecting to Windows7.rdp, you will see two identical prompts. This prompt is what a user sees when they first connect an external drive.

(Note: there are two prompts because two USB drives are connected to the virtual client. If you don’t see any prompts, use the formatusb - shortcut batch file on the desktop. When it completes, you will see the prompts appear).

Walk through one of the prompts, noting that the user has access to the drive in a matter of a few minutes. At this point you can copy files to the drive and they will automatically be encrypted.

If you have access to a physical system or a virtual machine that allows you to connect and disconnect removable drives, I recommend starting the client-side demo by connecting a drive that was already connected to the system and prepared for encryption. Have encrypted files already on the drive. The goal here is that the prospect sees how easy it is for users to access their data on the drive … no passwords or special software are needed when the user is logged in with their AD credentials.


When you connect the thumb drive, you will see a pop-up window above the system tray. Note that the keys to the encrypted data are unlocked by the user's AD credentials. At this point the user can interact with the drive just like they did prior to encryption being in place. They can use copy and paste, drag and drop, etc. and the data is seamlessly encrypted behind the scenes.

The benefits of the DDPE solution are:

• Any thumb drive can be encrypted

• It does not force the user to re-format the drive, which is both time-consuming and potentially destructive to existing data

• If you allow it via policy (which most organizations do), users can still access encrypted data on non-corporate machines using a secondary password

• If users forget their secondary password, they can reset it themselves on the corporate machine or with assistance from the helpdesk

3.5 Recovery

During a demo you will typically not show an actual recovery; however, you need to explain the two methods for recovering data with DDPE. The primary reason for needing to recover data is break/fix of the user's system; for instance, the system board on their laptop dies but administrators still need to copy user data from the hard drive.

The first (and less commonly used) method is referred to as “permanent recovery”. In this case the administrator wants to take the hard drive out of the user's old laptop and put it into a new laptop chassis with similar/identical hardware. If they try this without the key bundle for the drive, the encryption keys remain locked and the system will not boot.


To unlock the drive on the new laptop, the administrator must download the keys for that drive from the Endpoint Detail screen of the affected system. The new laptop can be booted into a pre-boot environment and the downloaded key bundle copied to the root of the drive. Once completed, the system can be rebooted and allowed to boot normally.

The DDPE drivers consume the bundle, validate that the keys are correct and the system boots to the normal Windows login prompt. The user can now log in normally.

The second method is referred to as “temporary recovery”. In this scenario, the administrator wants to take the user's old hard drive, put it in a USB enclosure, and connect it to their own system in order to retrieve the user's data. Of course, without the keys, the data is still encrypted on the attached drive.

The administrator can then launch a DDPE utility on their system to temporarily unlock the keys for the user's drive. This utility requires credentials with rights to access key material out of the database.

While the utility is open, the administrator can copy the user's data, unencrypted, to whatever location they like (network share, external drive, new system). However, as soon as the utility is closed, the keys are immediately locked again.


The benefits of this approach are:

• Most of our competitors require a complete decryption of the drive, which is both time-consuming (more downtime for the user) and error-prone.

• With DDPE, you have access to encrypted data in a matter of minutes.

• From a security perspective, you don’t have to worry about data in the clear. If the drive is not wiped or disposed of properly, administrators are not left with unencrypted data floating around the environment.

3.6 Reporting

DDPE reports allow customers to meet compliance audits or demonstrate “safe harbor” privileges in the event of a lost endpoint or external drive. These reports ship with the product and do not require any customization or configuration by administrators.


Click on the Reports folder at the top of the left-hand column. This will list all of the default DDPE reports.

Click on the Shield Detail report. Note that the fields in the report are customizable. The reports can also be e-mailed out automatically. Access to reports is controlled by the same administrative roles described earlier. Click on Run Reports to show the results of the report.

Note fields like Policy Proxy Sync, which shows when the system last checked in, and the Protected field, which shows the current encryption state per the configured policies.


In the demo environment, the EMS Event report will be empty when starting a demo the first time. For this reason, you can simply note that all removable media activity is logged once the DDPE agent is in place.

If you want to show a report with data in it, you can use the RDP link to access Windows7 before you start the demo and then walk through the steps outlined in the removable media section of this guide. Once complete, you need to run Check for Policy Updates from the DDPE system tray icon. This sends the logged USB activity to the server. After this is done, use the formatusb - shortcut batch file to reset the USB drives.