Lumension® Endpoint Management and Security Suite:
Device Control

Features: Key Features | Device / Port Access Control | Media Encryption | Reporting

Key Features

Product Features


Data Loss & Theft Prevention
Lumension® Device Control provides organizations with the means to control the use of removable storage devices / media.

Protect valuable organization and customer data from loss or theft via removable devices / media

Media Encryption
Lumension® Device Control provides organizations with the FIPS 140-2 validated technology needed to protect data on removable storage devices / media.

Require end users to encrypt data being copied to removable devices / media in compliance with policy and regulation

Detailed Forensics
Lumension® Device Control provides the in-depth information required to understand the risk posed by data transfers, to report on it for compliance or forensics purposes, and to update policies as business needs dictate.

Monitor all files being transferred onto / off your network by file metadata or the patented bi-directional full file shadowing capability

Malware Protection
Lumension® Device Control provides an added layer of defense against malware, specifically malware distributed via removable devices like USB flash drives.

Add another layer to your defense-in-depth strategy to protect against USB-borne malware introduction / propagation

Integration with Lumension® Endpoint Management and Security Suite

Seamless Security Enforcement

  • Reduces endpoint agent bloat across endpoints and improves endpoint performance with coordinated scans and policy enforcement.
  • Improves endpoint visibility across antivirus protection, vulnerabilities, configurations, and device and application policies – for both on-line and off-line machines.
  • Extends security beyond the perimeter to include removable devices like USB sticks, CDs / DVDs, and printers.
  • Lumension® Intelligent Whitelisting™ automatically updates hash files for whitelisted applications.
  • Unified workflow ensures security without disrupting IT or end user productivity.

Device / Port Access Control

Product Features


Per-Device Permissions

  • Granular permissions to control access at device class (e.g., all USB flash drives), device group, device model and/or even unique ID levels; for instance, restrict access rights to a specific device of a company-approved model.

Delivers Granular Permissions Control

  • Provides greater control at lower levels for effective access management.

Device Whitelisting

Allows Only Authorized Devices onto Your Network

  • Eliminates unknown or unwanted devices in your network, reducing the risk of data leakage / data loss.
  • Limits uploading of unknown or unwanted files (i.e., malware or other unauthorized files).
  • Eliminates need to keep up with every new device being brought into your environment; new devices are denied access until you have vetted them and permitted access.

Flexible Policy with Granular Control

  • Permission settings include read/write, forced encryption, scheduled / temporary access, online / offline, port accessibility, HDD / non-HDD devices and much more; can be set for individual and/or groups of users, machines, ports and devices.

Provides Comprehensive Policy-Driven Protection

  • Eliminates risk of unauthorized devices connecting to the network while providing the flexibility users need.
  • Allows business needs to drive security implementation, not technology limitations.
  • Permits blanket policies to be fine-tuned via exception management.

Read-Only Access

  • Define any device (e.g., a floppy drive, DVD / CD writer, USB external hard drive, and so on) as read-only; other device permissions include: write, and encrypt / decrypt restrictions.

Prevents Data Leakage

  • Limits potential leakage paths of sensitive data.

Temporary / Scheduled Access

  • Grant users temporary access to removable devices / media, which can be used to grant access "in the future" for a limited period. Also, limit device usage during a specific time period; allows for development of sophisticated security policies where certain devices can only be used at certain times (e.g., from 9 A.M. to 5 P.M., Monday to Friday).

Enhances Security Policy Enforcement

  • Switches access on without having to remember to switch it off again later.
  • Limit unauthorized device usage during off-hours.
  • Provides another method to manage access to sensitive data.

Offline Enforcement

  • Permissions / Restrictions remain effective even when endpoint is offline; these can be the same as when online or different (see Context-Sensitive Permissions).

Protects Beyond Your Network

  • Maintains security posture even when endpoint is not connected to network (e.g., laptops on travel), including all device usage and encryption rules.
  • Provides enforcement flexibility required to support business productivity without sacrificing security.

Uniquely Identify and Authorize Specific Media

  • Authorize and manage DVD / CD collections, by granting access to specific users or user groups and encrypting removable media with unique IDs.

Secures Data from Loss / Theft

  • Limits DVD / CD access to your organization’s standard discs, to avoid use of unauthorized content, and/or encrypts removable media to prevent unauthorized viewing.

Context-Sensitive Permissions

  • Apply different permissions / restrictions depending on network connectivity status. For example, disable WiFi cards when laptops are connected to the network, but enable them when the machine does not have a wired connection to the network.

Increases Endpoint Security

  • Provides deeper, finer-grained control over access to endpoints, reducing possible problem areas in all anticipated environments.

Device Management

Improves Network Security

  • Provides flexibility needed to handle unique needs and environments.
  • Ensures user productivity is not disrupted by applying permissions for Plug-and-Play devices when detected.

File Type Filtering

  • Restrict and manage the types of files that are moved to and from removable devices (such as USB sticks) and media (such as DVDs / CDs); combine with forced encryption for added protection.

Blocks Malware Attacks and Protects Data

  • Reduces risk of sensitive files leaving your network, and unwanted files (i.e., malware or other unauthorized files) entering your network.
  • Filters data being copied to removable devices and enforces encryption for deeper granularity and better control.

Data Copy Restriction

  • Restrict the daily amount of data copied to removable devices (such as USB flash drives) on a per-user basis; can also limit usage to specific timeframes / days (e.g., only from 0900 to 1700 during weekdays).

Limits Data at Risk

  • Removes risk of large amounts of data leaving your network at any given time.

Media Encryption

Product Features


FIPS 140-2 Level 2 Validated Encryption

  • The Lumension® Cryptographic Kernel (LCK), a stand-alone software cryptography module which delivers the core ciphering capabilities, has been FIPS 140-2 Level 2 validated.

Highest Level of Software Encryption Available

  • Lumension ciphering (incl. AES, SHA, HMAC, RSA and others) meets the highest standards available for software-based cryptography modules.
  • The design and implementation of the cryptographic module itself is highly secure.
  • It is certified and ready for use by governmental agencies and other organizations requiring the highest level of security and encryption commercially available.

Policy-based Encryption for Removable Storage

Increases Security Compliance

  • Ensures that data cannot be accessed if removable devices or media are lost or stolen.
  • Reduces the risk of data leakage / data loss.
  • FIPS 140-2 Level 2 validated encryption to protect data from unauthorized access.

User-Enabled Encryption

  • Allow users to encrypt removable devices / media locally using the strongest commercially-available encryption.

Balances Productivity and Protection

  • Ensures that sensitive data is not inadvertently exposed.
  • Allows users to encrypt "on the fly" and not have to wait for admin availability.

Portable Encryption

  • Enforce policies which enable users to access encrypted devices outside the organizational network, or limit it to network-attached endpoints only.

Secures Data Inside and Outside Your Network

  • Self-contained portable encryption of large removable devices allows authorized users access to the data while obscuring it from others.

Encrypted Device Browser

  • Enable access to Lumension-encrypted devices / media from Mac OS X machines, enabling users to move data both from and to encrypted devices or media.

Balances Productivity and Protection

  • The free Encrypted Device Browser utility allows organizations to support Mac users without compromising data security in case the device / media is lost or stolen.

Enforce "Strong" Password Requirements

  • Use existing password length and complexity rules in compliance with Microsoft® standards.

Ensures Password Consistency

  • Reduces administrative burden and end user confusion by maintaining consistency with organization-wide policies.
  • Increases security of password protected data saved onto removable devices / media.

Password Lockout / Recovery

  • Lock users out after five (5) failed attempts; administrators can recover access when passwords are forgotten or a user leaves the organization.

Increases Data Protection

  • Reduces risk of hackers breaking into lost or stolen removable devices (such as USB memory drives) and media (such as DVDs / CDs) using brute force methods (e.g., "dictionary attacks").

Reporting


Product Features


Detailed Event Logging / Reporting

  • Log all device usage and data transfer activity, including:
    • all (allowed/blocked) events;
    • all policies by device, machine and/or user; and
    • all file metadata (name, type, etc.) or complete file copy.
  • View results via dashboard widgets, interactive reports, or email notifications.

Provides In-Depth Visibility

  • Improves insight into all events involving removable storage devices like USB flash drives and DVDs / CDs.
  • Supplies the daily operational data needed to update policies as business needs dictate, and drive compliance by user community.
  • Leverages core Suite capabilities to reduce gaps in visibility, training time, and time-to-protection.

Filename Tracking / Full File Shadowing

  • Keep a complete copy (i.e., entire file contents) of all files that are read from and/or written to removable devices (e.g., USB memory drives) and media (e.g., DVDs / CDs) on a per user (or user group) basis using the patented bi-directional shadowing technology.
  • Alternatively, track just file metadata (name, type, size, etc.).
  • Capture all events (e.g., device attached, data transferred, etc.) in logs which are accessible by admin at any time for compliance auditing / forensics.

Delivers Audit Readiness

  • Captures the flow of information into and out of your network via removable devices / media.
  • Enables you to quantify the risk and report for compliance purposes.
  • Enables audits of filename and/or full file content for forensic purposes.

Syslog Support

  • All endpoint event logs are compliant with Syslog protocols.

Enables Integrated Event Management

  • Allows for event correlation to other system logs for centralized forensics.
  • Adds more options for administrator alerts and reporting to reduce the cost of compliance.


How Secure is Your Network?

Lumension® Device Scanner Tool

This free security tool allows you to assess your endpoint security risk. If left unmanaged, removable devices can jeopardize the security of your data through data leakage and/or malware introduction.

On-Demand Webcast

Endpoint Device Control in Windows 7 and Beyond

This webcast moderated by Randy Franklin Smith, editor of Ultimate Windows Security, goes in-depth on key endpoint device control capabilities to look for in Windows environments.