SecurePB
Focus On Security And Control
JCI's Mobile Deployment Solution
Security Through Centralized Control Of User Policies
JCI's SecurePB solution is centrally customizable by the IT department, providing full control over multiple remote users accessing a variety of applications over multiple transport media. The IT manager can create, distribute, maintain, and enforce policies by individual user or group to:
| Control which individual applications any user can execute | Enforce and audit encryption and usage of individual elements stored, sent, received, and emailed |
| Control which networks the user can access in any situation | Enforce the use of a VPN for any network connections |
| Control the firewall configuration for each network connection | Quickly lock down any user system to protect sensitive data |
A key component of this policy management architecture is the ability to ensure updated policies for all users. New policy data can be passed from the SecurePB central policy server to the b-Access client during any network access, and a policy can even exist to ensure that a network access must occur regularly (e.g., daily) to maintain fresh policies.
Security For Systems And Information In A Mobile Environment
The stateful inspection packet firewall embedded in the b-Access client blocks most attempts to invade a remote laptop. It is also used to control which applications are allowed to run and which network services are allowed, and to enforce the requirement to connect through a VPN. The applications named in the firewall's black list / white list feature and all firewall settings are kept up-to-date by the policy management server. In addition, if the b-Access client is configured to check for up-to-date virus definitions, a policy can be set to deny access to any network resource other than one used for anti-virus software updates.
Examples of policies to ensure safe communication include enforcement of access through the corporate VPN, or prevention of multiple concurrent network connections. In the latter case, the risk occurs if a user inadvertently allows a wireless network to be active at the same time the laptop is connected to the corporate LAN. That situation would expose the corporate network to a potential "bridge attack" in which the laptop is used by hackers to create a bridge from the wireless network into the corporate LAN, bypassing normal LAN access security.
One particularly powerful SecurePB feature utilizes a special policy to disable a lost or stolen laptop. When the call center is notified about a missing laptop, a policy can be sent that stops any further network access, locks all encrypted data, and prevents any applications from executing. Since b-Access runs and performs a network login at startup, lockdown can occur the next time the laptop is booted up.
SecureVault
The b-Access SecureVault feature allows individual documents to be encrypted and shared under full control of the user and the enterprise. The encrypted files are wrapped in a control envelope that establishes the permissions for a user to view, change, print, save, or forward the data to another user. The controls are time-sensitive and can be changed or revoked for any user at any time. At the extreme, SecureVault can require that the laptop be connected to a network in order for a designated user to view a document, and can deny any other use of the information, even screen printing. All use of the data is logged in an audit trail, and, if forwarding to another user is allowed, permissions for use are inherited and revocable at any time. SecureVault can, if desired, scan emails and attachments to ensure that sensitive documents are not accidentally leaked, or can scan the laptop hard drive to ensure that all sensitive documents are encrypted, audited, and centrally controlled.
The SecureVault system is controlled by the enterprise and managed through central policies that govern which documents are encrypted, who can have which type of access to them, and what records will be kept of document use. The SecureVault auditing capability allows corporations to maintain compliance with the increasingly stringent privacy and security laws.




