CE Secure
Managed Encrypted Flash Drives

CE Secure Console

Superior Managed Encrypted Flash Drive Solutions

CE Secure Managed Encrypted Flash Drives



Managed Encrypted Flash Drives

USB storage devices are a necessity in today's busy IT environment to improve employee productivity and collaboration, but the potential for data disclosure and the related monetary and reputational costs to the organization can be huge if these devices are not properly managed. These USB storage devices are the most common "data leakage" routes in an organization that does not impose encryption, audit trails or central management.


Managed Hardware Encrypted Flash Drives are Superior Security Solutions

  • CE Secure Console:  Enforces flexible, easily configurable and cost effective usage policies for USB connected devices on your network and off.
    The console provides the ease of use and flexibility demanded by employees while it enforces rules for what they may connect, along with central administration and audit trails.
  • CE Secure Vault:  Hardware encrypted flash drives for storing, moving data and collaboration purposes.
    These devices can be centrally managed by CE Secure Console, providing all the benefits that come with the console, while also allowing their use in a completely unmanaged environment.
    Additionally, managed devices may be moved into unmanaged locations and still provide authenticated access, password management and audit logs.
Security researchers at SR Labs have highlighted a weakness in the USB protocol and published a demonstration of the exploit named BadUSB. All present and past CE Secure Console-ready secure USB drives are unaffected by BadUSB as they all require digital signature verification before allowing firmware upgrades.



Certain products are available in FIPS 140-2 Level 2 CERTIFIED versions. Our certificate number is 1860.

Built to OPAL standards.





CE Secure Console

Easy and Rapid Deployment

CE Secure Console offers an easy and efficient roll-out scheme for larger organizations. Start with installing CE Secure Console on your server and go on to deploying drives to users, and you will gain full management control from day one. Each unique device is registered to a specific user in CE Secure Console and linked to the user in the corporate directory. The all-in-one installation has the power to serve large device deployments in the thousands. No extra licenses for databases or certificate management are needed, and the server requirements are low (4GB RAM; Windows or Linux).

Powerful Amplification of Device Security

Instantly gain complete and granular control over all of your secure USB drives. An automatic inventory is created, and administrators can quickly enforce organization-specific policies for passwords, usage and storage.

Manage Devices Anywhere

Your devices connect to CE Secure Console over the Internet or the local area network to receive policy updates and file packages, and to post audit logs. Administrators can remotely terminate, clone or deactivate a device or help a user reset a forgotten password.

Self-Service Password Reset

This procedure can also be used to recover data from devices that are to be issued to new users. If lowering support costs is a top priority, it is also possible to activate self-service password management, as part of the ZoneBuilder feature. With ZoneBuilder enabled, a user can reset a forgotten password on a trusted user account. This radically lowers support costs while still remaining as secure as the user account.

Usability That Makes it More Secure

If a security measure is the least bit awkward, no policy can prevent your users from learning how to work around it. When your users have entered a username and password to log on to their workstations, save them the trouble of having to enter yet another password to access their secure USB drive. The administrator can enforce a policy centrally in the CE Secure Console that allows users' devices to trust user accounts. The administrator can also allow users to trust a machine and user account with ZoneBuilder. ZoneBuilder uses a unique certificate to unlock the drive on the trusted user account. The certificate can be stored on the trusted user account or on a smartcard device. On any other machine the user will enter the regular device password when prompted for it.

Powerful Tool in a Crisis

An administrator could also recreate the current content of a device for auditing purposes. Data tracing puts a powerful tool in the hands of the administrator that can play a crucial role in resolving a multitude of situations such as crisis management. To deter misuse, all actions taken by an administrator are always logged in CE Secure Console.

Your Choice of Applications Can Reach Your Mobile Workers

CE Secure Console enables administrators to securely deploy new software to CE Secure Console ready devices even when those devices are in the field. This presents organizations with a cost-efficient way to deploy solutions to mobile workers, and enables organizations to make full use of the technology developments of remote worker software, including portable VPN and virtualization software. Together with Authorized Autorun, the published software can easily be integrated with powerful yet simple scripts.

Extra Precaution

As an extra security precaution when drives are lost, or to protect your organization’s sensitive information from access by former employees, you can remotely ‘kill’ rogue drives and erase all data from them. In the Device Overview in CE Secure Console, an authorized administrator can set the device state to ‘killed’, ‘disabled’ or ‘lost’.

Auto-Pilot Lowers Administration Costs

CE Secure Console can also be set to handle the devices’ states entirely on autopilot. This will require the drives to return to base by connecting to the CE Secure Console server within a configurable time period. Devices that have not returned are automatically regarded as ‘lost’. This means that an administrator can save time and costs associated with handling lost devices.

Different Policies For Different User Groups

It is possible to configure multiple complex password policies within CE Secure Console and assign them to different groups within the organization. There is also the option to set a limited life-span for the password based on the number of unlocks or days passed since the last password change. The user is alerted to faulty unlock attempts to make sure that socially engineered hacks will not succeed.

Powerful & Safe at the Same Time

Combining this new feature with Publisher and Authorized Autorun makes it an extremely powerful tool. An administrator may now publish data to drives knowing that users will not be able to modify the content of the drive once the drive has left the organization. This is ideal for sensitive information that needs to stay intact after having been sent to the target audience. The admin can also set a file to auto-open when the user logs in, so that important new content on the drive will never be missed.

Prevent Unauthorized File-Types

By taking a white-list approach to preventing storage of unauthorized file-types, the FileRestrictor relieves the users from protecting their device. Rogue files simply cannot reside on a CE Secure Console Ready Device, as it only allows storage of file-types specified by the administrator in the CE Secure Console settings. The FileRestrictor complements the Authorized Autorun (the onboard autorun-protection that chokes self-copying viruses) by denying unauthorized autorun files from residing on the drive altogether. Software that an authenticated administrator distributes to the device through Publisher is automatically allowed past the FileRestrictor.

Store Certificates On A Secure Device

CE Secure Console Ready devices can be used as trusted vessels to transport certificates used for signing or encrypting documents or accessing protected resources.

The Antivirus of Your Choice

If you feel the need for extra reassurance, you might consider sending out a traditional auto-starting antivirus application of your choice. McAfee, Trend Micro, Avast and ClamAV have portable editions available. Additional antivirus software that is in a portable format can be used and will be certified upon request.

Autostart Password-Protected Applications

An autostart application that requires a password to start can also make use of “token” information by letting one of the tokens be the necessary password. This way the application can start up without any interruption.

Fits your Unique Requirements

CE Secure Console is flexible to your needs. It is easily accessed through a web-based interface and all features can be turned on and off at will. If you have an Active Directory in place, then that organizational scheme will be reflected inside CE Secure Console and can be used to assign policies to different user groups. Different password strengths for different users have never been an easier task.

Secure Communications - Locked With a Unique Certificate

This is where the administrator creates settings for the server’s public access. All communication between device and server is encrypted using HTTP over SSL. During the SafeConsole local server installation, the organization enters or generates its private digital certificate. This unique certificate locks the solution completely to the organization and enables authenticated management for administrators from trusted machines. This procedure guarantees privacy of the organization and the managed devices since all communications are encrypted.

Group Policies

Optionally reflect an existing Active Directory or other directory service. Assign configurations to Organizational Units by simple drag-and-drop.

Quickly Tailor The Solution To The Organizational Requirements

Using the web-based interface in a standard browser, an administrator can create and assign a policy or feature setting to a specific organizational unit in the corporate directory. All features can be turned on or off and configured granularly for each organizational unit.

Stretch The Possible Uses of Your Devices

CE Secure Console enables a host of productivity features for an organization’s secure USB flash drives and self-encrypting hard drives. Gain access to lots of productivity tools, including portable application delivery and file distribution.

Forgot Your Password?

If a user forgets the chosen password needed to access information stored on the secure USB drive, a remote administrator can help the mobile worker. A secure challenge-response procedure brings back the locked-down encrypted data and gets the user back to business in a matter of minutes. The short 8-character recovery codes are easily read over the phone yet maintain the robust security of a 128-character code using a pre-buffer method. No data is lost and the process is protected against social engineering directed against the helpdesk.

Without The Use of a Master Password

The Remote Password Reset feature in CE Secure Console lets the forgetful user choose a new password with the use of a challenge-response method. It does not store the user's password anywhere in plain text, nor does it use a dangerous MASTER password. A master password in the wrong hands leaves all your "secure" devices vulnerable at once.

Don't Lose Precious Time Because of a Lost Drive

A lost drive or an inadvertently overwritten file would normally make you lose hours of work. In the event of a lost CE Secure Console Ready device, an administrator can easily recreate the drive by sending its backup and settings to a new device. The continuous incremental backup is a transparent procedure that does not affect the users’ everyday routines or work. The recreate procedure is handled remotely and involves no end-user actions other than plugging a CE Secure Console-ready device into their machine. The versioning of the backup information makes it possible to retrieve a file that was accidentally erased or overwritten.

Send Out Files To Remote Workers

CE Secure Console enables files to be pushed out to remote CE Secure Console devices as soon as they are unlocked. All sensitive data is exchanged securely using two-way certificate-based SSL authentication, making Publisher an ideal way of distributing sensitive materials to a remote workforce. This opens the door to a world of opportunities. By distributing files this way you can be sure your work force always has the latest price-lists, the updated PowerPoint templates and the latest version of a customer presentation. When you need to send top-secret documents to a supplier, you can send them an empty stick and then distribute the content when you know the device is in the right hands. All files in transit are compressed to improve installation and transfer times, which also minimizes bandwidth usage.

Device Audit

Device auditing makes taking stock of the entire portfolio of CE Secure Console Ready devices easy. The logs include unsuccessful unlocking attempts, device states and log-ins. This gives the administrator a full overview of all drives in use in the organization.

File Audit Trail

File Audit Trail is an extension of the Device Audit. It allows an administrator to see what files have been copied to or deleted from the devices, as well as a trail of the files that have had their names changed.

Simple Recovery When The Drive is Found

Disabled devices can later be recovered with the Remote Password Reset feature. Lost drives can be set to display a custom return-to-owner message. To lower support costs, lost drives are also automatically marked as ‘found’ if they are later inserted into the assigned user’s local machine. All actions are logged for audit purposes, and to confirm that the would-be data thieves have been foiled, the ‘awaiting disable’ comment will change to ‘disabled’ to validate that the set drive state has indeed been engaged.

Read-Only Mode

With Write Protection, users can set their drive in a read-only mode when unlocking it on non-trusted machines and thereby gain protection from malware trying to infect the drive or its content. It is also possible for an administrator to enforce this protection when a user leaves the company network, ensuring that no malware can be copied to the drives and brought back to the company.

Locks If Left Behind

Preset (and override the users’ own settings for) the Inactivity Lock to lock down the secure USB drive after a configurable number of minutes. If a user forgets an unlocked drive in a computer, the drive will automatically lock down in accordance with the set policy. The inactivity lock gracefully handles file operations in progress and avoids interruptions to everyday work.

Sharing Files Is Part of Teamwork

Studies have shown that users often share passwords when they share data on secure portable devices. To prevent this foolish convenience, EasyShare enables a social-engineering-proof solution where the users can share the few intended files by setting them aside and protecting them with a temporary PIN. The rest of the secure files stay protected by the user’s regular strong, exclusive password. When sharing files with EasyShare, the ordinary storage area will never be revealed. When the customer, co-worker or friend enters the chosen PIN to access the shared file, he will immediately be able to save it, but will never get any access to the rest of the files stored on the device.

Autostart Applications, Not Malware

To prevent the spreading of autorun malware, a CE Secure Console Ready device always overwrites the autorun.inf files stored on the encrypted storage volume, which chokes the effect of viruses such as Conficker. To still be able to have authorized applications autorun off the devices, you can specify trusted commands in SafeConsole. That way you can keep the benefits and convenience of autostarting working-tools without opening a gateway for malware infection.

Gather Information to Identify Users and Devices

By defining "token" questions, a CE Secure Console administrator can ask device users to enter unique information about themselves. The "token" information allows the administrator to create a custom message about the user in the "About" window. This can be used, for example, to identify whose device was left behind in the company conference room, without needing permission to unlock the drive.

Customize The Devices To How You Want Them

Tailor the SafeConsoleReady device to your organization’s and users’ needs by changing specific settings on the user device. Device User Settings enable you to disallow users from factory-resetting their devices. It is also possible to enforce a preselected user interface language and to preapprove the device warranty to get quicker device deployment times.

Enable Smooth Citrix Integration

Mainly for organizations running Citrix thin clients, this will make sure that the Explorer Volume Browser does not interrupt the user when the device is unlocked.


Compatible Management-Ready Devices

  • CE Secure Vault Flash Drive
  • CE Secure Vault FIPS Flash Drive
  • CE Secure DiskVault
  • CE Secure DiskVault FIPS

Supported Operating Systems

  • Windows 8.1, 8.0, 7, Vista, and XP



CE Secure Vault Flash Drive

Military-Strength Hardware Encryption

The CE Secure Vault hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. CE Secure Vault is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, CE Secure Vault is as simple to use as a standard USB flash drive.

Quick Startup and Easy Setup

You can unlock a CE Secure Vault drive in as little as one second after plugging it in. The optimized configuration startup time on first use makes CE Secure Vault drives the fastest and simplest to set up. The responsiveness and speed of CE Secure Vault devices are important for a positive user experience, which is essential for achieving user acceptance of enforced and elevated security measures.

Hardware Brute-Force Protection

CE Secure Vault offers true brute-force protection, with a password attempt counter built into the hardware in order to protect against password attacks.

High-Quality Storage

CE Secure Vault has the longest life span of any USB flash drive, thanks to built-in ECC and wear leveling. The ECC hardware on CE Secure Vault ensures that transfer speeds are high and that accuracy and life span of stored data are maximized.

No Installation, No Admin Rights Required

CE Secure Vault devices do not require any software installation or admin rights.

Compact, Robust and Epoxy-Sealed

CE Secure Vault devices are designed to endure wear and tear, and they fit even where port space is minimal. The circuitry is sealed with epoxy, giving CE Secure Vault superior weather resistance and making the hardware completely tamperproof.

Protection & Timer Lockdown

The manageable Timer Lockdown feature ensures that forgotten or misplaced drives do not cause data breaches. CE Secure Vault reminds users upon logout if their drive is still inserted, and it alerts the user if there have been previous faulty login attempts on the drive.

Long-Lasting Investment

CE Secure Vault drives are fully upgradeable, so when new features are released or when there are changes in operating systems or the threat landscape, CE Secure Vault drives never miss a beat, making them a long-lasting investment.

OS Availability

CE Secure Vault is compatible with the Mac operating system, extending its availability to both PC and Mac users. With traditional Mac users, including architects and media industry executives, CE Secure Vault will ensure that concepts and designs that provide a competitive edge are always protected.

Encryption

  • AES256-bit Encryption

Compatible Security Management Software

  • CE Secure Console

Supported Operating Systems

  • Windows 8.1, 8.0, 7, Vista, and XP
  • Mac OSX

Included Encryption Software

  • Authentication/Management client

Transfer Rate

  • Up to 480 Mb/s via USB 2.0

Interface

  • USB 2.0

Other

  • LED Activity status indicator
  • TAA compliant
  • Assembled in the USA



CE Secure Vault FIPS Flash Drive

Military-Strength Hardware Encryption

The CE Secure Vault hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. CE Secure Vault is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, CE Secure Vault is as simple to use as a standard USB flash drive.

Quick Startup and Easy Setup

You can unlock a CE Secure Vault drive in as little as one second after plugging it in. The optimized configuration startup time on first use makes CE Secure Vault drives the fastest and simplest to set up. The responsiveness and speed of CE Secure Vault devices are important for a positive user experience, which is essential for achieving user acceptance of enforced and elevated security measures.

Hardware Brute-Force Protection

CE Secure Vault offers true brute-force protection, with a password attempt counter built into the hardware in order to protect against password attacks.

High-Quality Storage

CE Secure Vault has the longest life span of any USB flash drive, thanks to built-in ECC and wear leveling. The ECC hardware on CE Secure Vault ensures that transfer speeds are high and that accuracy and life span of stored data are maximized.

No Installation, No Admin Rights Required

CE Secure Vault devices do not require any software installation or admin rights.

Compact, Robust and Epoxy-Sealed

CE Secure Vault devices are designed to endure wear and tear, and they fit even where port space is minimal. The circuitry is sealed with epoxy, giving CE Secure Vault superior weather resistance and making the hardware completely tamperproof.

Protection & Timer Lockdown

The manageable Timer Lockdown feature ensures that forgotten or misplaced drives do not cause data breaches. CE Secure Vault reminds users upon logout if their drive is still inserted, and it alerts the user if there have been previous faulty login attempts on the drive.

Long-Lasting Investment

CE Secure Vault drives are fully upgradeable, so when new features are released or when there are changes in operating systems or the threat landscape, CE Secure Vault drives never miss a beat, making them a long-lasting investment.

OS Availability

CE Secure Vault is compatible with the Mac operating system, extending its availability to both PC and Mac users. With traditional Mac users, including architects and media industry executives, CE Secure Vault will ensure that concepts and designs that provide a competitive edge are always protected.

Encryption

  • AES256-bit Encryption
  • FIPS 140-2 level 2 certification

Compatible Security Management Software

  • CE Secure Console

Supported Operating Systems

  • Windows 8.1, 8.0, 7, Vista, and XP
  • Mac OSX

Included Encryption Software

  • Authentication/Management client

Transfer Rate

  • Up to 480 Mb/s via USB 2.0

Interface

  • USB 2.0

Other

  • LED Activity status indicator
  • TAA compliant
  • Assembled in the USA








