version 2 - wave syswavesys.com/system/files/03-000375.1.00_br_ets.2.10x.pdf · microsoft, windows,...


Post on 30-Jun-2020

Page 1: version 2 - Wave Syswavesys.com/system/files/03-000375.1.00_BR_ETS.2.10x.pdf · Microsoft, Windows, and BitLocker are either registered trademarks or ... Administration Server (ERAS)

Wave ETS = Centralized Security Management

Organizations, both large and small, understand that centralized security management is a critical component to protecting their networks and, by association, the critical information that drives their businesses. Wave’s software provides the policy-based access controls, comprehensive reporting, directory services integration, centralized control and end-user access recovery that companies require to cost effectively implement and administer endpoint encryption and authentication. Most importantly, Wave software gives IT the assurance that data is protected in the event that a computer (or its hard drive) is lost or stolen.

Wave EMBASSY Remote Administration Server

Conventional security methodologies based on software alone fail to effectively authenticate users and machines on the network or secure data on lost or stolen laptops, or ensure compliance with laws that require disclosure of lost personal data. Fortunately, SEDs, TPMs and Microsoft® BitLocker, provide more secure, cost-effective and simpler ways to safeguard your critical business information. However, these technologies provide only half the answer. ERAS transforms SEDs, TPMs and BitLocker into enterprise-wide encryption and authentication solutions by adding essential centralized configuration and administration capabilities.

Manageability and Control

ERAS provides a full set of capabilities to remotely search for, initialize, configure and administer a global fleet of computers with SEDs, TPMs and those using Microsoft BitLocker drive encryption. Through native integration with Microsoft Active Directory, ERAS delivers the means to centrally provision security policies to end-points across the enterprise, limit access of encrypted information to authorized individuals and remotely manage user and device credentials. Most importantly, ERAS adds an authority of proof, allowing organizations to demonstrate that they were, and are, compliant with regulations in the wake of a security breach. ERAS core features:

• Microsoft Management Console (MMC) snap-in provides both single user and group-level control
• Uses industry standard communication protocols to securely access remote endpoints
• Delegated, role-based administration
• Support for non-domain computers
• Provides group policy objects (GPO), scripting and command line operations
• Setup wizards for SED, TPM and BitLocker

Wave’s EMBASSY Trust Suite is a suite of security products that secure endpoints by providing strong authentication, data at rest protection, and endpoint health verification. The suite is comprised of the following products:

EMBASSY Remote Administration Server (ERAS) for

• Data at rest protection including Self-Encrypting Drive (SED) management and BitLocker management
• TPM management for encryption, strong authentication, endpoint health, and BitLocker authentication

Wave Endpoint Monitor (WEM) for

• Secure BIOS integrity measurements in compliance with NIST SP 800-155

EMBASSY Security Center for

• Client communications for ERAS and WEM
• Local management of TPM and SED for non-enterprise connected machines

Wave EMBASSY® Trust Suite (ETS) version 2.10x

Page 2

Microsoft, Windows, and BitLocker are either registered trademarks or trademark of the Microsoft group of companies.

EMBASSY® Remote Administration Server (ERAS)

[Figure: ERAS architecture diagram. Components shown: ERAS Core (Management Control); SQL Database (Auditing/Reporting); Help Desk (Recovery); Active Directory and GPO; Corporate Network; Client PCs and Tablets with BitLocker, Self-Encrypting Drive and Trusted Platform Module.]

Wave Endpoint Monitor: Start with the Device

Wave Endpoint Monitor (WEM) extends protection beyond where traditional software anti-virus and anti-malware solutions leave off by starting security with the device. The Trusted Platform Module (TPM) is a hardware security chip based on standards from the Trusted Computing Group and supported by most major PC manufacturers. WEM leverages the security of the TPM to securely collect measurements and report on the health and integrity of pre-operating system components that are susceptible to attack, such as the BIOS (Basic Input/Output System) and Master Boot Record. WEM provides device identity and high assurance that the endpoint is reporting its accurate state, preventing ‘man-in-the-middle’ attacks. The National Institute of Standards & Technology recently issued a draft of SP 800-155, which outlines guidelines for BIOS integrity measurements. The guidelines note: “Unauthorized modification of BIOS firmware constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture.” Accordingly, WEM supports SP 800-155 by giving organizations the knowledge that their systems are booting up securely, without changes to the BIOS that cannot be accounted for.

Using the TPM to Monitor the Integrity of the PC Boot Environment

One of the TPM’s most important functions is to provide tamper-resistant storage locations called Platform Configuration Registers (PCRs). These PCRs securely store platform integrity measurements, which WEM uses to collect information about a computer’s pre-OS environment as the system powers on. WEM puts PCR measurements in context by using them to monitor for unexpected changes in the pre-boot environment. When a rootkit is present or some other unauthorized change occurs, the measurements reported in the PCR change. Anomalies in these measurements can indicate either that a user has made unauthorized changes to the BIOS, or that BIOS integrity has been compromised and an APT may be present.
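As an added illustration (not Wave's code, nor a description of WEM's internals), the Python below models how a PCR is extended by each pre-boot component as the machine boots and how a baseline comparison of the kind described above turns a changed PCR into an alert; the hash algorithm, PCR index assignments, rule table and measurement values are constructed assumptions.

```python
from __future__ import annotations
import hashlib

# A PCR cannot be written directly; it is only "extended":
#   PCR_new = H(PCR_old || measurement)
# so the final value depends on every measurement and their order.
# Real TPM 1.2 banks use SHA-1; SHA-256 is assumed here for the demo.
PCR_INIT = bytes(32)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components: dict[int, list[bytes]]) -> dict[int, str]:
    """Replay a boot: extend each component digest into its PCR; return hex PCR values."""
    pcrs: dict[int, str] = {}
    for idx, digests in components.items():
        pcr = PCR_INIT
        for d in digests:
            pcr = extend(pcr, d)
        pcrs[idx] = pcr.hex()
    return pcrs

def compare_to_baseline(baseline: dict[int, str], current: dict[int, str]) -> list[int]:
    """PCR indices whose value differs from the recorded golden boot."""
    return sorted(i for i in baseline if current.get(i) != baseline[i])

# Assumed rule table: which pre-boot component each monitored PCR covers
# (index usage follows common PC conventions but is a constructed assumption).
RULES = {0: "BIOS firmware code", 1: "BIOS configuration", 4: "Master Boot Record / boot loader"}

def alerts_for(changed: list[int]) -> list[str]:
    return [f"PCR{i} changed: unexpected modification of {RULES.get(i, 'unknown component')}"
            for i in changed]

def digest(label: str) -> bytes:
    # Stand-in for the hash a firmware measurement would produce (constructed).
    return hashlib.sha256(label.encode()).digest()

# Constructed sample boots: the golden baseline and a boot whose MBR was altered.
GOLDEN_BOOT = {0: [digest("bios-fw-v1.2")], 1: [digest("bios-config-A")], 4: [digest("mbr-stock")]}
TAMPERED_BOOT = {0: [digest("bios-fw-v1.2")], 1: [digest("bios-config-A")], 4: [digest("mbr-altered")]}

BASELINE = measure_boot(GOLDEN_BOOT)

def check_endpoint(boot: dict[int, list[bytes]]) -> list[str]:
    """Compare a reported boot against the baseline and return alert messages (empty = healthy)."""
    return alerts_for(compare_to_baseline(BASELINE, measure_boot(boot)))

if __name__ == "__main__":
    print("golden boot:", check_endpoint(GOLDEN_BOOT) or "no anomalies")
    print("tampered boot:", check_endpoint(TAMPERED_BOOT))
```

Because every extend folds the previous value in, the same component digest recorded in a different order yields a different PCR, which is why a quote of the final values is enough to detect insertion or reordering of pre-boot code.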

ERAS for Self-Encrypting Drives

SEDs are the most secure, best performing and most transparent encryption option for protecting data on laptops. ERAS is the only management solution that delivers drive initialization, user management, drive locking, user recovery and crypto erase for all Opal-based, proprietary and solid-state SEDs. In addition, ERAS provides:

• Common Access Card (CAC), smart card (Java and .NET)
• Secure user recovery using challenge/response
• Windows password synchronization and single-sign-on (SSO)
• User based SSO after recovery
• Reports and logs of device and user status and events
• Control for external SEDs
• Support for OPAL 1.0 and 2.0 SEDs
• User self-enrollment and user self-service password recovery

ERAS for Trusted Platform Modules

TPMs are the most transparent and least expensive way to protect user IDs and to identify which PCs are yours and which ones aren’t. Instead of enabling TPMs one machine at a time, ERAS provides activation, ownership and management of TPMs from a central location. Once TPMs are turned on, you can use ERAS to create hardware-based digital certificates for your VPN, wireless or other PKI-enabled applications — eliminating private key risks and ensuring device identity. In addition, ERAS:

• Puts TPM management under IT control
• Delivers TPM password reset for user recovery
• Reports on the TPM status (active/owned)
• Provides automated provisioning and deployment
• Enables use of TPM for Modern Access Control
• Creates and enables the use of certified keys and certificates for Device and User Identity services

ERAS for Microsoft BitLocker

Microsoft BitLocker’s tight platform integration and use of the TPM makes it a good starting point for drive encryption for organizations using Windows® 7. Wave ERAS provides a full set of capabilities to automate and secure the configuration and administration of Microsoft BitLocker. ERAS delivers a simple and intuitive administrative application for setting up, maintaining and reporting on BitLocker clients — eliminating the cost, complexity and uncertainty of designing your own solution through the use of “home-grown” scripts and directory modifications. In addition, ERAS:

• Enforces consistent policy settings across BitLocker clients
• Secures recovery passwords in an encrypted database
• Monitors, logs and reports on all BitLocker events associated with activation, policy management and user access and recovery
• Simplifies TPM activation for BitLocker and retains TPM for user and device authentication
• Provides a simple and transparent migration path from BitLocker to SEDs


Page 3

Managing Endpoint Health

The WEM web console provides a secure user interface for the administrator to manage endpoint health and integrity data. This console includes a dashboard which provides configurable views of the status of the endpoints being monitored.

Alert notifications are sent when WEM detects an anomaly in an endpoint’s pre-boot integrity measurements. These alerts are configurable, and the administrator can specify who is notified and when alerts are generated based on specific rules.

WEM is continuously collecting endpoint integrity data. To make this data more useful to an enterprise, WEM provides robust reports on the endpoint data, so that administrators can view and analyze current and historical data to determine trends. The report data can be exported in standard file types to allow further analysis as well.

EMBASSY Security Center

ESC is the premier application for managing hardware-based security; it protects your data from theft and leverages hardware-based security tools that aren’t vulnerable to common attacks. It can activate the security on your self-encrypting drive (SED) to prevent unauthorized system access, or utilize the Trusted Platform Module (TPM) to enhance security.

When used with ERAS and WEM, ESC is the endpoint client that enforces the security. ESC can also be used for local management where remote management is not available.

ESC for Self-Encrypting Drive Management

Self-encrypting drives are hard drives that integrate full disk encryption with the drive’s hardware and firmware, offering state-of-the-art data protection for both personal and corporate use. They provide an on-board security controller for full disk encryption and pre-boot authentication. Self-encrypting drives encrypt data with no performance overhead, are tamper-resistant and protect against brute force password attacks. Wave’s ESC software application activates and manages the self-encrypting drive’s advanced hardware security features.

[Figure: WEM architecture diagram. Components shown: WEM Engine, ERAS Web Services, WEM Console, Rule Engine, WEM Connector, Repository, ERAS Command Service and PCR Data Service, with arrows indicating data flow between them.]

As a local management solution, ESC handles all of the drive’s lifecycle functions — from setting up the user authentication to drive de-commissioning. ESC is remotely manageable by Wave EMBASSY Remote Administration Server or Wave Encryption Service (WES). Regardless of the method used, provisioning the drive’s authentication involves setting up Wave pre-boot authentication; this means the user will have to enter valid drive user credentials before the drive unlocks and Windows® loads. Support for single sign-on allows users to authenticate to the SED and be automatically logged into Windows without having to authenticate separately. Additionally, when the drive administrator enables Windows Password Synchronization (WPS), a user’s drive password is automatically synchronized with the user’s Windows password. This feature adds simplicity and ease of management for both administrators and users.

ESC for Trusted Platform Module Management

In 2003, the computer industry recognized that computer security required more than software alone could deliver; a hardware-based root of trust was required. As a result, the industry formed the Trusted Computing Group (TCG); an open, international industry group to develop standards for trusted computing. The TCG created the standards for the Trusted Platform Module (TPM), which is now present on more than 90% of your enterprise’s computers; it is most commonly used as an authentication token, similar to a smart card. ESC ships with the components that let you manage who can use the TPM and how. ESC also includes the Wave toolkit/CSP functionality, allowing you to create hardware-protected certificates. Hardware-protected certificates enhance the security of a Public Key Infrastructure (PKI) — configure it so that only devices you trust can be used to authenticate to network resources. ESC allows keys and related TPM data to be archived and restored.

ESC for Secure Windows® Login

ESC supports the use of additional methods of authentication to Windows for extra security. You can use a smart card to log in, or a fingerprint to authenticate to Windows. ESC can help you to use your fingerprint sensor by allowing you to enroll and manage the fingerprints you use to authenticate to Windows. If a TPM is available, your fingerprint data is protected by hardware from tampering or theft.

Page 4

ERAS Technical Specifications

ERAS Server Hardware Prerequisites (for managing up to 2000 accounts)
• System Processor: Minimum: 2 GHz, Recommended: 2.5 GHz, 4 Core or better
• System Memory: 4 GB RAM or more is recommended
• Free Disk Space: Minimum: 10 GB, Recommended: 40 GB
• 1 GB network interface

ERAS Server and HelpDesk Prerequisites
• Windows Server 2008 (32/64 bits) and Windows Server 2008 R2 - standard edition (minimum)
• Domain functional level 2003 and 2008
• Microsoft Management Console (MMC) 3.0
• Microsoft Group Policy Console with SP1
• Microsoft SQL Server 2008, 2008 R2
• Microsoft Internet Information Service (IIS)
• Microsoft Windows Installer 4.5
• .Net Framework 3.5 SP1, 4.0

ERAS Remote Console
• Windows 7, Vista, XP
• Microsoft Management Console (MMC) 3.0
• .Net Framework 3.5 SP1, 4.0
• Microsoft Windows Installer 4.5

ERAS Tablet Client Requirements (ERAS for TPM and BitLocker only)
• Windows 8 Pro/Enterprise
• TPM 1.2 or 2.0
• 16 GB available space
• 2 GB RAM

WEM Technical Specifications

The Wave Endpoint Monitor installation and administration manual contains detailed installation and technical specifications for your server environment. The descriptions below give a general overview of the main requirements.

Minimum Server Hardware Prerequisites
• System Processor: 2 GHz; Recommended: 2.5 GHz or faster, 4-Core or better, L3 Cache: 8 MB
• System Memory: 4 GB RAM or more is recommended
• Free Disk Space: Minimum: 10 GB / Recommended: 40 GB

Operating Systems
• Windows 2008 (32-bit/64-bit) Server or Windows 2008 R2 (32-bit/64-bit)

Compatible Server Components
• Domain functional level Windows 2003, 2008 and 2008 R2 domain
• Microsoft Management Console 3.0 (MMC)
• Group Policy Management Console
• Microsoft SQL Server 2008 SP1 or 2008 R2
• Microsoft Internet Information Service 6.0 (IIS) or IIS 7
• .Net Framework 4.0

ESC Technical Specifications

Platforms
• Available from Dell, HP or Lenovo
• Which can be ordered (and ship from the factory) with an SED
• Which were released in the past 3 years

Supported Self-Encrypting Drives
• All TCG Opal-compliant SEDs
• Seagate DriveTrust drives

All platforms and SEDs which meet the above criteria are supported by Wave. TPM management requires supported TSS middleware, which can also be obtained through Wave.

Hardware Prerequisites
• Self-encrypting drive management requires a supported drive
• Trusted Platform Module management requires a version 1.2 TPM or greater
• Biometric support for Secure Windows Login requires a supported fingerprint sensor, listed on www.wave.com

Software Prerequisites
Both 32 and 64 bit versions of the following operating systems are supported:
• Windows 7
• Windows Vista with Service Pack 1 or 2
• Windows XP SP2 or greater, with .Net Framework 3.5 SP1

Wave Systems Corp. 480 Pleasant Street, Lee, MA 01238, USA +1-877-228-9283 • Fax +1-413-243-0045 www.wave.com

Copyright © 2013 Wave Systems Corp. All rights reserved. Wave logo is trademark of Wave Systems Corp. All other brands are the property of their respective owners. Distributed by Wave Systems Corp. Specifications are subject to change without notice.

03-000375/version 1.00 Release Date: 03-29-2013