SafeConsole Secure USB Management Server

Solution Overview

SafeConsole is the only secure USB management platform for secure USB drives that has true password management (remote and local) and that integrates fully with LDAP (for on-premise installation). Also available as a service in the cloud. A SafeConsole Ready USB drive uses a password and hardware encryption to protect all stored information automatically. This technology ensures that your sensitive data is always kept private and that data breaches are avoided altogether. But it takes more than just a secure USB drive to ensure that your data is safe.

Download the SafeConsole data sheet

Key Benefits

Assist Forgotten Passwords
Reset forgotten passwords using a secure, local self-service or a central help desk challenge-response procedure.

Automatic Inventory
Get an automatic inventory directory listing all users (optionally from LDAP Active Directory) and their devices. As with all functioning inventory lists, this will limit waste of devices and assist you when assigning previously used devices to new users.

Full Audit for Compliance
Enforce accountability and assist compliance efforts by activating a full audit trail on all device actions and file changes.

Enforce Policies
Enforce your security policy. By ensuring that stored data is protected with a password that meets your safety standards. Limit or eliminate the risk of USB devices introducing malware onto your networks and much more.

Get Users Back to Work
Re-create data from a lost device onto a new, off-the-shelf device by centrally pushing the existing backup package onto the new unit at the user location.

Remote Kill
Centrally handle the state of the devices over the Internet, setting them as disabled or lost- even perform factory resets remotely. Disable a user in AD and their devices are automatically disabled.

Easy and Rapid Deployment

SafeConsole offers an easy and efficient roll-out scheme for both small and the large organizations optionally connected to LDAP (AD). Administrators can authenticate to access SafeConsole with their AD credentials. Start with installing SafeConsole on your server and go on to deploying USB drives to users, and you will gain full management control from day one. Each unique device is registered to a specific user in SafeConsole and linked to the user in the corporate directory (if available). The all-in-one installation has the power to serve large device deployments in the thousands if required.

Features by Category

Remote Password Reset

Reset passwords remotely over any channel. Administrators can get remote offline users back to work within minutes, without any loss of stored data. The short 8-character recovery codes are easily read over the phone yet maintaining the robust security of a 128-character code using a pre-buffer method. No data is lost and the process is protected against social engineering directed against the helpdesk. The user password is never exposed and there is NO master password. Read the Password Management Best Practice Paper.

Password Policy

Ensure that all data is protected by strong, compliant passwords by enforcing password policies on the devices

Secure Self-Service Password Reset and Unlock with ZoneBuilder

With ZoneBuilder enabled, a user can reset a forgotten password on a trusted user account. This radically lowers support costs while still remaining as secure as the user account. The ZoneBuilder uses a unique certificate to unlock the drive on the trusted user account. The certificate can be stored on the trusted user account or on a smartcard device.

Device Auditing – See Who Did What, When and Where

Device auditing makes taking stock of the entire portfolio of SafeConsoleReady devices easy as it creates an automatic inventory list. The logs then include unsuccessful unlocking attempts, device states and log-ins. This gives the administrator a full overview of all drives in use in the organization.

File Audit Trail – Achieve Compliance Requirements

File Audit Trail is an extension of the Device Audit. It allows an administrator to see what files have been copied to or deleted from the devices, as well as a trail of the files that have had their names changed.

Device State Management – Full Control Over Devices

As an extra security precaution when drives are lost, or to protect your organization’s sensitive information from access by former employees, you can remotely ‘kill’ rogue drives and erase them of all data. In the Device Overview in SafeConsole, an authorized administrator can set the device state to ‘killed’, ‘disabled’ and ‘lost’. Devices can later be recovered using the Remote Password Reset and/or Backup features. SafeConsole can also be set to handle the devices’ states entirely on autopilot. This will require the drives to return to base by connecting to the SafeConsole server within a configurable time period.

Content Audit – Full Content Traces

An administrator can recreate the current content of a device for auditing purposes. Data tracing puts a powerful tool in the hands of the administrator that can play a crucial role in resolving a multitude of situations such as crisis management.

Inactivity Lock – Forgotten Drives Lock Down

Preset (and override the users’ own settings for) the Inactivity Lock to lock down the secure USB drive after a configurable number of minutes. If a user forgets an unlocked drive in a computer, the drive will automatically lock down in accordance with the set policy.

File Restrictor – Restrict File Types to be stored EXE, MP3

By taking a white-list approach to preventing storage of unauthorized file-types the FileRestrictor relieves the users from protecting their device. Rogue files can simply not reside on a SafeConsoleReady Device as it only allows storage of file-types specified by the administrator in the SafeConsole settings.

Authorized Autorun – Stop Autorun Viruses

The onboard autorun-protection that chokes self-copying viruses such as StuxNet and Conficker – by denying unauthorized autorun files from residing on the drive altogether.

Write Protection – Set Devices in Ready-Only Mode

With Write Protection, users can set their drive in a read-only mode when unlocking it on non trusted machines and thereby gain protection from malware trying to infect the drive or its content. It is also possible for an administrator to enforce this protection when a user leaves the company network ensuring that no malware can be copied to the drives and brought back to the company.

Sophos Antivirus for SafeConsoleReady Devices

The SafeConsoleReady Sophos Antivirus is deployed onto existing SafeConsoleReady drives by the SafeConsole server administrator and offers the device end-user a quick and resource effective, on access protection against malware on and off the corporate network. This is the first enterprise mature antivirus solution made available for secure USB drives.

Smart Cloud Backup and Recovery

A lost drive or an inadvertently overwritten file would normally make you lose hours of work. In the event of a lost SafeConsoleReady device, an administrator can easily recreate the drive by sending its backup and settings to a new device. The continuous incremental backup is a transparent procedure that does not affect the users’ everyday routines or work. The recreate procedure is handled remotely and involves no end-user actions other than plugging a SafeConsoleReady drive into their machine. The versioning of the backup information makes it possible to retrieve a file that was accidentally erased or overwritten. Backup securely from any machine to a cloud secure storage server.

Secure Quick Automatic Unlock with ZoneBuilder

When your users have entered a username and password to log on to their workstations they get automatic access to their secure USB drive using a trusted certificate on the account(or their smartcard). On any other machine the user will enter the regular device password when prompted for it.

ShieldShare Integrated

Enable secure file sharing between secure USB drives and desktops. Read all about ShieldShare here

Authorized Autorun – Stop Autorun Viruses

To prevent the spreading of autorun malware a SafeConsoleReady device always overwrites the autorun.inf files stored on the encrypted storage volume, which chokes the effect of viruses such as Conficker. To still be able to have authorized applications autorun off the devices, you can specify trusted commands in SafeConsole. That way you can keep the benefits and convenience of autostarting working-tools, but disallow a gateway for malware infection.

Device User Information

Customize the devices with user information for identification and secure lost and found, thus saving time and pain.

By defining “token” questions, a SafeConsole administrator can ask device users to enter unique information about themselves. The “token” information allows the administrator to create a custom message about the user in the “About” window. This can be used, for example, to identify whose device was left behind in the company conference room, without needing permission to unlock the drive.

An autostart application that requires a password to start can also make use of “token” information by letting one of the tokens be the necessary password. This way the application can start up without any interruption.

The information is collected to the server and can be used to sort and search users and their devices on.

Device User Settings

Tailor the SafeConsoleReady device to your organization’s and users’ needs by changing specific settings on the user device. Device User Settings enable you to disallow users from factory-resetting their devices. It is also possible to enforce a preselected user interface language and to preapprove the device warranty to get quicker device deployment times.

Requirements and Technical Details

Web browser to access the administrative interface. Internet Explorer 7+ , FireFox 1.5+ (PC, Mac), Safari 3+, Opera 9+ (PC, Mac), Chrome.

On-premise Installation

Windows 7+. 4GB RAM on server. 50GB disk. All other required software included.

SafeConsole Cloud Deployment

Each customer has their own private virtual server maintained, updated and hosted by SafeConsole . The feature set has some differences to the on-premise version.