PocketVault P-3XOffline Secure Access to Data
DevicePatrol Enterprise Policy
Customizable policy options for DevicePatrol deployment
1. Remote Device Management
The DevicePatrol Platform minimizes threats to an organization by providing secure token management and reporting capabilities. Tokens can be managed and audited regardless of where they are located, and the organization’s security policies are enforced whether or not a device is connected to a network. The DevicePatrol server can remotely disable a device, or destroy its data content and keys, rendering the token unusable
2. Client/Server Model
The DevicePatrol Platform is comprised of two components: the DevicePatrol server and the DevicePatrol tokens. The server can be deployed on premise, in the cloud or in a hybrid configuration. Each model allows administrators to set and enforce security policies for each registered device and define the actions performed by DevicePatrol tokens. Each time a DevicePatrol token is used, it creates a secure connection to the Server prior to allowing user access to determine updated enterprise policies or user actions (e.g., change token passphrase), are necessary. If the policy to disable the token is invoked by the server, the token’s operation is blocked. Even if ‘disabled token’ is initiated after user logon, the token will shut down gracefully and no longer be useable. a subsequent administrator authorization is necessary to re-enable the token.
3. Offline Mode
Based on the enterprise policies, a DevicePatrol token can be used when a connection to the Server is not possible. Offline usage policies define how many times, or how much total time, a token can be used before having to re-establish a connection with the Server.
4. Disable or Destroy Command
Disables user access to the token cryptographic key(s) until remotely administratively recovered via the DevicePatrol Server. Destroy Command “Kills” the device by zeroizing the cryptographic key(s), rendering the token unusable. All data on the token isirretrievably lost. To protect investment, the token can be re-orovisioned, by an administrator, with new keys for future use.
5. Reassign Token
Tokens and users are initially assigned to a group when the token is registered in the
DevicePatrol server. A token registered to a specific user can be reassigned to a different user by the Server console operators with the Group Administrator role.
6. Distributed Deployment
The SPYRUS DevicePatrol Server enterprise hierarchical architecture facilitates Group policy definition and control procedures for devices so that Group Managers can be deployed, for example, one for each country in which an organization operates, and the toke usage and protection polices most appropriate for that organization’s criteria can be customizedand enforced.
DevicePatrol Server groups and subgroups allow for policies to be defined that represent geographic or organizational structures, allowing different security policies to be applied as appropriate to each group. Administration is controlled at the group level, whereby Server console users are assigned to manage a specific group(s). Group separation issupported so that console users assigned to manage one group cannot see or manage devices in another group. Roles and privileges can be assigned to each console user to authorize different limitations over the token control for the users within their groups, e.g., token disablement or destruction decisions.
7. Active Directory
The DevicePatrol Server can use Active Directory (AD) to synchronize user id, organizational groups and roles and privileges with those of the AD environment. This provides the enterprise with precise single-point control for IT device and rule assignment and avoids operational conflicts which can occur when multiple authorization databases are used for device deployment. The Server is integrated such that any changes in AD can update the groups in the DevicePatrol Server. If a user is blocked or removed from AD, the Server will disable or destroy any device that belongs to that user based upon the policy defined in the Server. Management of AD synchronized groups is performed by a DevicePatrol Server console operator with the Group Administrator role.