Services and Features of ControlSphere

There are three general services in the ControlSphere product: the Logon, Disk and Data Encryption, and Password Manager services. Each service can be turned on or off depending on the product configuration needed.

Starting with version 3.0, ControlSphere also provides a centralized enterprise management service known as the Token Management System service.

Besides these services, ControlSphere provides other security and convenience features which are functional regardless of the ControlSphere service configuration defined.

Logon Service of ControlSphere

The ControlSphere Logon service provides token-based Windows logon and computer unlock. The token can hold one or more Windows and network user accounts which can be used to log on to or unlock a computer. Thus ControlSphere eliminates the need to remember and manually type the user name and password of one or more user accounts to log on to Windows or unlock a computer.

On the logon or computer unlock screen the user inserts the token and enters the User PIN to access it; the Windows user profiles are then passed to the PC through a secure channel and the user is logged on to Windows. If multiple accounts match the computer, the user is prompted to choose the identity to log on under. The logon fails if no accounts match the system.

Failure to provide a correct User PIN (a limited number of attempts is given) causes the token to lock against external access until it is unlocked with the device's Administrator/SO PIN.

ControlSphere automatically initiates the logon or computer unlock process on the token insert event on Windows 2000 or XP. Under Windows Vista the user needs to select the ControlSphere credential image to initiate the logon/unlock process.

The token is marked as "authorized" upon successful logon or PC unlock. By default ControlSphere constantly monitors the "authorized" token, and its removal locks the computer (default action) or logs the user off, depending on the ControlSphere preferences. By default the user is shown a countdown warning message, allowing the token to be reconnected before the action is taken.
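As an added illustration of the removal reaction described above (this is not ControlSphere's own code or mechanism), the following Windows PowerShell script subscribes to WMI device-removal events for a USB token, waits out a grace period during which the token may be reinserted, and locks the workstation if it has not come back. The vendor/product IDs in the pattern and the 15-second grace period are assumed placeholder values; Register-WmiEvent is available in Windows PowerShell 5.1 but not in PowerShell 7.

```powershell
# Added example, not ControlSphere code. Lock the session when a monitored
# USB token is unplugged and not reinserted within the grace period.
$TokenIdPattern = 'USB\\VID_0000&PID_0000%'   # WQL LIKE pattern; placeholder IDs
$GraceSeconds   = 15                          # assumed countdown length

# WQL: fire when a PnP device whose DeviceID matches the pattern disappears.
$Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.DeviceID LIKE '$TokenIdPattern'"

Register-WmiEvent -Query $Query -SourceIdentifier 'TokenRemoved' `
    -MessageData @{ Pattern = $TokenIdPattern; Grace = $GraceSeconds } -Action {
        $cfg = $Event.MessageData
        $removed = $Event.SourceEventArgs.NewEvent.TargetInstance.DeviceID
        Write-Host "Token $removed removed; locking in $($cfg.Grace) s unless reinserted."

        # Countdown: poll once per second to see whether the token came back.
        $present = $false
        for ($i = $cfg.Grace; $i -gt 0 -and -not $present; $i--) {
            Start-Sleep -Seconds 1
            $wql = "SELECT DeviceID FROM Win32_PnPEntity WHERE DeviceID LIKE '$($cfg.Pattern)'"
            $present = [bool](Get-WmiObject -Query $wql)
        }

        if ($present) {
            Write-Host 'Token reinserted; lock cancelled.'
        } else {
            # Same call the Win+L shortcut uses: the session is locked, not logged off.
            rundll32.exe user32.dll,LockWorkStation
        }
    } | Out-Null

# Keep the script alive so the subscription stays registered; Ctrl+C to stop.
try {
    Wait-Event -SourceIdentifier 'NeverFires'
} finally {
    Unregister-Event -SourceIdentifier 'TokenRemoved'
}
```

Run it in the interactive user session whose screen should be locked; a lock issued from a service or another session would not affect the desktop in question. Logging the user off instead of locking, the alternative the page mentions, would replace the rundll32 call with a shutdown /l style logoff, which also discards unsaved work.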

The ControlSphere Logon service is compliant with the Windows password management policy: it automatically updates the Windows password stored on the token once the user changes it. The token can also be configured to handle Windows password change requests automatically without user intervention, generating and storing new secure passwords.

The Logon service is tightly integrated with the other ControlSphere services. For example, on token-based logon and computer unlock events it automatically mounts Encrypted Volumes and the User Home Drive (if such a configuration is defined on the token).
See more on ControlSphere Logon service features.


Disk and Data Encryption Service of ControlSphere
This service provides hard disk and file/folder encryption support for both the user and system layers.

A ControlSphere token can hold a number of named encryption keys. The keys can be created on the token or imported from another token device or a Token Image file. The keys are used by the ControlSphere disk and file encryption services.

Transparent real-time Hard Disk Encryption


Encrypted Volumes

ControlSphere can encrypt a portion of a hard drive using encrypted containers (files), also called "encrypted volume files". An encrypted volume file is an ordinary (encrypted) system file that holds a partition, which is mounted as an individual drive under a specific drive letter, just like a standard hard drive.

ControlSphere uses the AES256 encryption standard to encrypt the data. For additional protection the encryption keys can be "stacked" into one large key (up to 8 x 256-bit AES keys) for maximal data protection.

The volume-based approach allows ControlSphere to manage a number of encrypted partitions in user-defined locations (including removable media and network locations) and to mount them according to user/token privileges.

An Encrypted Volume can be:
Mounted and dismounted manually by the user under a particular drive letter
Automatically mounted using a configuration stored on the token (see Token volume automation for the description)
Automatically dismounted on the key-source token removal event
Backed up and copied as an ordinary file even without being dismounted
Checked for corruption with automatic error recovery
Shared between multiple users (the users must have the same encryption key accessible) on a number of computers simultaneously
Configured to mount as a User Home Drive, an encrypted partition that holds the entire user environment securely. The volume is a sort of roaming profile which can be shared among different computers on a network, keeping all user files and data portable and secure. See more on this technology of ControlSphere.

Besides the tight integration with Windows Shell and Explorer, ControlSphere provides a comprehensive user interface for maintaining encrypted partitions.

The encrypted volume is marked as a secure space by Windows Explorer. It can be easily identified by the ControlSphere icon presence.

ControlSphere also allows encrypted volumes to be managed from the system command line, allowing even further automation. See more on command line support for Encrypted Volumes.
Boot-time Encryption
The ControlSphere boot-time encryption service mounts encrypted volumes at computer boot time and automatically dismounts them at shutdown or power down. Such volumes are an ideal solution for protecting server data. The volumes can be configured to mount prior to defined Windows services (databases, enterprise servers, etc.), allowing those services to use the encrypted volumes as their primary data storage from startup. This ensures that your enterprise data is stored securely.

The encrypted server volumes are an ideal solution for protecting server file data. See more on the Boot-time Encryption feature of ControlSphere.

File and Folder Encryption


Encrypted Archive Technology of ControlSphere

ControlSphere introduces so-called Encrypted Archives as a file and folder encryption solution. An Encrypted Archive file contains a compressed and encrypted partition of dynamic size that grows or shrinks as files are added to or removed from the archive.

The archive contents are protected by AES 256+ encryption keys stored on a token or in Token Image files. Optionally, the archives can be protected by a secure encryption password.

Encrypted Archives are mounted as ordinary drives (drive letters) and act exactly as if they were hard drives themselves. Once an archive is mounted as a drive, its contents (files and directory structure) are available to Windows programs for reading and modification just like ordinary files on your hard drive, except that they are compressed and secured by AES256+ encryption.

Once the Encrypted Archive is mounted as a drive, ControlSphere displays a status window describing the archive state. The status area of the window shows an (animated) description every time archive files are accessed, modified or deleted, or the archive space is being compacted.
You can open and modify files directly within the archive space, eliminating the need to copy them to an unsecured location. You can also add or delete files and directories to/from the archive just as you would on the hard drive.
The encrypted archive is marked as a secure space by Windows Explorer. It can be easily identified by the ControlSphere icon presence.

Encrypted Archives can contain complex directory structures, support Unicode file and directory names and standard file system attributes, and their size is limited only by the amount of free disk space. Functionally, Encrypted Archives are equivalent to FAT32 partitions which are, in addition, compressed and encrypted.

A user can mount an Encrypted Archive file as a drive, read and/or modify its contents, then dismount it and safely transfer the encrypted EAR file to colleagues or friends over an unsecured network, since the archive file system is encrypted.

Encrypted Archives are ideal for different sorts of data backups. Simply copy the files to be backed up to the encrypted archive drive, and you end up with a single encrypted and compressed archive file that holds all of your backed-up files. Although the encrypted archive size is virtually unlimited, individual files stored in the archive should not be larger than 2GB each.
Similarly to Encrypted Volumes, Encrypted Archive maintenance functions are tightly integrated with Windows Explorer.
Additional integration with the Windows shell gives the user an opportunity to create an Encrypted Archive and store a set of selected files and folders in it with just a few mouse clicks: open Windows Explorer, select the desired file(s), right-click the selection and choose the "Encrypt / Add to Encrypted Archive" menu option.

ControlSphere encrypted archives can be easily managed from the system command line, allowing even further automation. One can create, mount and dismount encrypted archives and define file copying rules in BAT/CMD files. See more on the command-line syntax for Encrypted Archives.

Command-line access functions are especially useful for automated BAT-file-based data backup processes which require minimal or no user intervention.


Password Manager Service of ControlSphere

ControlSphere provides secure personal account and password record storage on a token (see Portable Password Bank for details). In addition, ControlSphere can automatically pass account and password record data to requesting Windows programs and web forms, avoiding the need for manual typing.

The Password Manager service provides automatic authentication mechanisms (SSO) for Windows, web and third-party programs. Thanks to a heuristic approach, it can automate nearly all credential/password retrieval actions for the Windows operating system and third-party programs. This eliminates the need to remember user names, passwords and other authentication data. A token device can store all passwords (or password records, to be precise) for its holder and pass this information to password-requesting applications in a secure manner.

The credential data is filled directly into the authenticating application; neither the mouse nor the keyboard is used. Thus there is no chance for malicious "sniffer" programs (if any are infecting the system) to capture the sensitive data.

How Password Manager works

ControlSphere recognizes every password request or definition form shown to the user and enhances the password fields with its own password automation controls.

Initially it adds a button on top of the password field.

Clicking the button opens the interactive ControlSphere Password Manager window. The window contains:
a list of available password entries, optionally organized into folders
a list of Windows user accounts stored on the token (not shown on web pages)
password automation and management options

A desired password record can be selected for logon, and its credentials (user name, password and other optional information) are passed to the application or web form automatically. Login data entry can also be automated for selected programs or web pages the next time they ask for credentials.

The ControlSphere Password Manager works with all native Windows components and nearly all programs available on the software market, including web browsers such as Microsoft Internet Explorer and Mozilla Firefox.


See more on ControlSphere Password Manager.

Handling System Authentication requests

Password Manager also properly handles native Windows authentication requests. It provides convenient enhancements to the standard Windows "Connect As", "Run As" and other credential requests: it allows the use of existing on-token Windows user accounts in those dialogs and eliminates the need for manual user name/domain/password entry. Password Manager is fully compatible with the new "Credential Provider" authentication model of Windows Vista and provides full support for such requests.

[Screenshots: Windows 2000, XP; Windows Vista]


Token Management System (TMS) of ControlSphere
The Token Management System of ControlSphere is a comprehensive set of tools and functions designed to help companies control the lifecycle of their fleet of secure devices (smartcards/tokens). In addition, the Token Management System (TMS) provides full control over the secure data on ControlSphere-enabled devices. ControlSphere TMS consists of two general parts: the TMS server, which is an ASP extension installed on IIS, and the client, which is nothing else but the ControlSphere client program itself.

In general, ControlSphere TMS provides the following features:
The TMS database holds a centralized, company-wide token, user and security group registry.
The TMS database holds the complete ControlSphere token data contents, including device PINs.
All changes to ControlSphere data made by a token holder on a client (the ControlSphere program) are automatically replicated to the TMS database, including device PIN changes. The replication is done implicitly and securely.
ControlSphere data on a user's tokens can be remotely and securely updated from the server using the push technology (pending updates) of TMS. The updates are applied implicitly for the user.
The TMS database maintains the token data update history automatically. A token can be restored to a backed-up state remotely using the push technology of TMS.
ControlSphere data objects (such as encryption keys, password entries, configuration items, etc.) can be distributed to a group of users/tokens using the push technology of TMS.
The TMS database can be used to update ControlSphere license information and other configuration items on a token remotely.
TMS can be used to remotely reset a locked User PIN.
TMS can ensure that the contents of a lost or stolen token are remotely wiped should someone try to use it.


See more on ControlSphere Token Management System.


Other Features of ControlSphere
Customizable security policies

A ControlSphere token has its own customizable security policy. It consists of a token User PIN quality and security policy, a User PIN access protection policy, a User PIN change policy, a Windows account/password management policy and other options.

PIN and Password entry protection

ControlSphere provides extra protection against different sorts of keyboard "sniffer" or "key-logger" programs which can potentially capture PINs or passwords just by "listening" to keyboard events.

To prevent malicious software from capturing such data, ControlSphere proposes that the user enter PINs/passwords partly or completely using the "on-screen" keyboard. The tool does not use the keyboard buffer and circumvents keyboard event analyzers.

For security reasons we recommend entering passwords partly with the physical keyboard and partly with the on-screen keyboard tool. This should thoroughly confuse "sniffers" and also protect against "visual spying".

Convenient Token Identification mechanism

ControlSphere provides an additional token holder identification mechanism via public data stored on the token. A token may carry additional information describing its holder or the token itself, such as a token label, holder description and photograph. Accessing these data items does not require any PIN or password, allowing easy identification of the device holder should the token be lost. The publicly accessible data is displayed in the ControlSphere Token Information window.

See more on this feature of ControlSphere.

Protecting User Privacy and Temporary data

The Windows operating system and other user programs create a large number of temporary files that can hold sensitive information or even temporary copies of user documents. This data may remain after the user session closes. Microsoft Internet Explorer (MSIE) stores temporary Internet files in its temporary folders, and these files and browsing information are not deleted when the user session terminates. At the same time, temporary files are a vital part of system functionality that cannot be disabled.

ControlSphere provides complete protection of the temporary user files by redirecting the temporary file storage paths (the TEMP, TMP and Temporary Internet Files folders) to an encrypted User Home Drive.
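To show what such a redirection amounts to at the operating-system level, here is an added Windows PowerShell example (not ControlSphere's own code) that points the current user's TEMP and TMP variables and the Internet Explorer cache folder at a directory on an encrypted volume. The drive letter E: is an assumption for wherever the encrypted volume mounts; the check at the top exists because a TEMP path on an unmounted volume breaks installers and browsers at the next logon.

```powershell
# Added example, not ControlSphere code. Redirect per-user temporary
# locations to a folder on an encrypted volume (drive letter assumed).
$SecureRoot = 'E:\Temp'
$Drive      = Split-Path -Qualifier $SecureRoot   # "E:"

# Refuse to redirect if the volume is not mounted right now.
if (-not (Test-Path -LiteralPath "$Drive\")) {
    throw "Encrypted volume $Drive is not mounted; not redirecting temporary paths."
}
New-Item -ItemType Directory -Path $SecureRoot -Force | Out-Null

# TEMP and TMP are per-user environment variables (stored under HKCU\Environment).
[Environment]::SetEnvironmentVariable('TEMP', $SecureRoot, 'User')
[Environment]::SetEnvironmentVariable('TMP',  $SecureRoot, 'User')

# Internet Explorer's "Temporary Internet Files" location is the Cache entry
# of the user's shell folders; it is stored as an expandable string value.
$ShellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
Set-ItemProperty -Path $ShellFolders -Name 'Cache' -Value "$SecureRoot\INetCache" -Type ExpandString

# Verification: read back what a newly started process will see.
[Environment]::GetEnvironmentVariable('TEMP', 'User')
(Get-ItemProperty -Path $ShellFolders -Name 'Cache').Cache
```

The new values apply to processes started after the change; already-running programs keep the TEMP they inherited. Dismounting the encrypted volume while the session is still open takes the temporary folder away from every program that uses it, which is why a product doing this has to tie the mount to logon and the dismount to logoff, as the Logon service section above describes.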

See more on this feature of ControlSphere.

Token data Backup and Restore

It is unusual for tokens to be lost or stolen, as they are normally attached to a piece of the user's jewellery such as the house/car key-ring. However, to prevent token data loss the user has the ability to:
Create a secure backup of the ControlSphere data in a Token Image file (protected by a "secure" password and super-strong chained AES256-bit encryption) on their hard drive or removable media.
Back up/clone the ControlSphere data to another token, making it a functional reserve device identical to the original one.
In addition to manual token data backup, ControlSphere provides a fully automated implicit token data backup function which can be enabled by the user.
If a token is lost or stolen, the data can be fully or partly restored to a new token within seconds. See more on the token backup and restore technology of ControlSphere.

Direct Token Image usage instead of physical token devices

Besides data restoration itself, ControlSphere allows the data in Token Image files to be used directly, as if they were physical hardware devices. This approach simplifies recovery should the token be lost, stolen or forgotten at home. Token Image files are protected by "secure" passwords and super-strong chained AES256-bit encryption for data safety.