WinMagic Solutions for the Public Sector

  • MagicEndpoint

    With so much riding on the security of your people and data, why do so many authentication solutions depend on user action, which slows productivity? Yes, there are passwordless solutions, but they typically rely on phones, which add friction, and phone-based push or one-time-code approvals are not phishing resistant.

    MagicEndpoint from WinMagic takes a smarter approach. We put the burden of authentication where it belongs: on the endpoint. By leveraging the endpoint, we eliminate passwords, backend complexity, and the need for third-party devices. Which means tighter security and no user action required.

    It’s time to authenticate the endpoint for the user. Get MagicEndpoint and get back to work without worry.

  • SecureDoc

    All enterprises manage different devices and platforms in their daily workflow. This diversity makes it difficult to protect data around the clock. WinMagic offers security solutions that free you to think, share and achieve your goals, knowing your employees and data are protected.

    With WinMagic’s SecureDoc, you can trust your information will be encrypted at all times while increasing your company’s security. WinMagic delivers a secure and seamless encryption experience for your unique business needs.

  • Access Control

    SecureDoc and MagicEndpoint offer an extensive suite of security features and access privileges, centred on group and role management. By controlling users' privileges and roles through group membership, administrators can restrict system access and prevent unauthorized individuals from executing privileged functions, so that information system access is limited to authorized transactions and functions.

    The software adds a further layer of control by managing the encryption keys needed to access resources encrypted by SecureDoc, including full-disk encryption and file/folder encryption. It also restricts the use of portable storage devices on external systems.

    SecureDoc and MagicEndpoint provide brute-force- and phishing-resistant authentication, defending against access attempts by unauthorized users and unauthorized devices alike. The software prevents non-privileged users from executing privileged functions and records any such execution in the audit logs. It also limits unsuccessful logon attempts and applies a session lock with a pattern-hiding display after a period of inactivity, preventing unauthorized access to, or viewing of, data on an unattended screen.

    Administrators control the allocation of privileges, encryption keys, and group memberships from a single central console, which is where they manage the users, devices, groups, and other entities relevant to data-at-rest protection and authentication. The software also supports compliance with rules on Controlled Unclassified Information (CUI) by displaying privacy and security notices consistent with applicable regulations.

  • Audit & Accountability

    SecureDoc and MagicEndpoint monitor events such as user authentication, password recovery, portable storage access, and encryption/decryption of media and files. They also track administrators' management actions, recording these events across several audit logs maintained by the various product components. Each log record is associated with the unique identifier of the user or process that generated the event and carries a timestamp taken from an authoritative time source.

    The software creates and retains system audit logs and records to support the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity, and it ensures that the actions of individual system users can be traced to them so that they can be held accountable. If the audit logging process fails, the software alerts the relevant personnel.

    Access to the audit logs is governed by the privileges and roles assigned to users. Log data is protected cryptographically so that it cannot be modified or deleted without detection. The software can compare and synchronize internal system clocks with an authoritative source to produce accurate timestamps for audit records, and it protects audit information and logging tools from unauthorized access, modification, or deletion.

    Management of audit logging functionality is restricted to a subset of privileged users, ensuring controlled and secure administration of these critical capabilities.
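    The cryptographic protection of audit data described above means, in practice, that every record is bound to its contents and to its position in the log, so that an edit, a deleted record, or a truncated tail is detected when the log is checked. The following Python is an added illustration of that idea, not WinMagic's log format or code: it chains records with an HMAC, keeps the chain head at the collector, and verifies a constructed set of sample events under several tamper scenarios. The event names, the MAC key, and the JSON layout are assumptions made for the example.

```python
"""Tamper-evident audit log as an HMAC chain (illustrative; not WinMagic's format)."""
import copy
import hashlib
import hmac
import json
import os

GENESIS = b"\x00" * 32  # chain head before the first record


def _canonical(record):
    # Deterministic serialisation so writer and verifier MAC identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev_tag, record):
    # Each tag covers the previous tag and the current record, binding the
    # record to its contents and to its position in the chain.
    mac = hmac.new(key, prev_tag, hashlib.sha256)
    mac.update(_canonical(record))
    return mac.digest()


class ChainedAuditLog:
    """Writer side: appends records and keeps the current chain head."""

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.head = GENESIS

    def append(self, ts, actor, event):
        record = {"seq": len(self.entries), "ts": ts, "actor": actor, "event": event}
        tag = _tag(self.key, self.head, record)
        self.entries.append({"record": record, "tag": tag.hex()})
        self.head = tag
        return record["seq"]


def verify_chain(key, entries, expected_head=None):
    """Verifier side: returns (ok, reason). Detects edits, deletions and
    reordering; with the collector's last-known head it also detects truncation."""
    prev = GENESIS
    for position, entry in enumerate(entries):
        record = entry["record"]
        if record.get("seq") != position:
            return False, f"sequence break at position {position} (seq {record.get('seq')})"
        tag = _tag(key, prev, record)
        if not hmac.compare_digest(tag.hex(), entry["tag"]):
            return False, f"tag mismatch at seq {position}: record altered or chain broken"
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "chain head differs from collector's last-known head: records missing from the end"
    return True, "ok"


def demo():
    """Constructed sample events (assumed names); returns each tamper case's verdict."""
    key = os.urandom(32)  # held by the collector/verifier, not on the audited host
    log = ChainedAuditLog(key)
    log.append("2024-05-01T08:00:00Z", "alice", "PREBOOT_AUTH_SUCCESS")
    log.append("2024-05-01T08:05:12Z", "alice", "USB_DEVICE_UNLOCKED")
    log.append("2024-05-01T08:30:00Z", "admin1", "PASSWORD_RECOVERY_ISSUED")
    log.append("2024-05-01T09:00:00Z", "admin1", "AUDIT_POLICY_CHANGED")
    results = {"intact": verify_chain(key, log.entries, log.head)}

    edited = copy.deepcopy(log.entries)
    edited[2]["record"]["actor"] = "alice"  # re-attribute an admin action
    results["edited"] = verify_chain(key, edited, log.head)

    deleted = copy.deepcopy(log.entries)
    del deleted[1]  # hide the USB unlock; later records still carry their old seq
    results["deleted"] = verify_chain(key, deleted, log.head)

    truncated = copy.deepcopy(log.entries)[:-1]  # drop the most recent record
    results["truncated"] = verify_chain(key, truncated, log.head)
    results["truncated_no_head"] = verify_chain(key, truncated)  # invisible without the head
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {verdict}")
```

    The last two cases show why the chain alone is not enough: dropping records from the end leaves a perfectly valid shorter chain, so the verifier needs an independently held anchor (the last tag, or a signed checkpoint) to notice it. Likewise, a MAC key present on the audited host lets anyone who compromises that host re-MAC a forged chain; a collector-held key or a per-record signature verified against a key the host cannot forge with is what makes the logs "protected from undetectable modification".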

  • Identification & Authentication

    SecureDoc assigns a unique identifier to every managed object stored in the central management repository and to every process registered to act on behalf of a user. MagicEndpoint additionally generates a unique key for each user + device combination, so that an authentication is bound to a specific user on a specific device.

    Authentication in SecureDoc verifies the identity of every entity (user, process, or computer) using its unique identifier and the authentication factors it presents, before granting access in line with its authorization. This covers identifying information system users, processes acting on their behalf, and associated devices, and authenticating or verifying those identities as a prerequisite for access to organizational information systems.

    WinMagic software supports a range of login options for implementing Multifactor Authentication (MFA), including a BLE mobile authenticator, Hardware Security Modules (HSM), tokens, PIV cards, and biometrics. MFA can be enforced for local access on endpoints (pre-boot and Windows login) and, when integrated with MagicEndpoint authentication, for network access to VPNs or service providers such as email. Multifactor authentication is used for local and network access to privileged accounts and for network access to non-privileged accounts, and replay-resistant authentication mechanisms are used for network access to both.

    The software also enforces minimum password complexity, requires a minimum number of changed characters when a new password is created, and prohibits reuse of a password for a specified number of generations. Temporary passwords may be used for system logon, with an immediate change to a permanent password on first use. Passwords are stored and transmitted only in cryptographically protected form, and authentication feedback (such as the characters of a password being typed) is obscured.

    The MagicEndpoint Identity Provider (IdP) provides "no user action" authentication for remote services that is resistant to replay and phishing attacks and follows the continuous-verification Zero Trust principles set out in OMB Memorandum M-22-09. Planned enhancements target the NIST SP 800-63C "holder-of-key" assertion model, the requirement for the highest federation assurance level (FAL3).
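    To make concrete what the per user + device key, replay resistance, and holder-of-key binding above amount to, the following Python models the exchange between an endpoint agent and an IdP. It is an added illustration, not MagicEndpoint's protocol or code. The origins, user and device names, and the use of an HMAC in place of a device-held asymmetric key are assumptions made so the example runs with the standard library only; a real deployment would keep a private key in hardware-backed storage and have the IdP verify a signature, so that the IdP stores no secret at all.

```python
"""Per-(user, device) key challenge-response login (illustrative; HMAC stands in
for a device-held private key so the example needs only the standard library)."""
import hashlib
import hmac
import os

IDP_ORIGIN = "https://idp.example"                      # assumed real IdP origin
PHISH_ORIGIN = "https://idp-example.login-help.test"    # assumed attacker origin


def _response_input(nonce, origin, user, device_id):
    # The response covers the nonce (freshness) and the origin the device
    # believes it is talking to (phishing resistance), plus the claimed identity.
    return b"|".join([nonce, origin.encode(), user.encode(), device_id.encode()])


class DeviceAgent:
    """Endpoint side: holds the per-(user, device) key; the user does nothing."""

    def __init__(self, user, device_id, key):
        self.user, self.device_id, self.key = user, device_id, key

    def respond(self, nonce, observed_origin):
        msg = _response_input(nonce, observed_origin, self.user, self.device_id)
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Server side: issues single-use challenges and verifies holder-of-key responses."""

    def __init__(self, now=lambda: 0):
        self.now = now          # injectable clock, so expiry can be tested deterministically
        self.keys = {}          # (user, device_id) -> key registered at enrolment
        self.pending = {}       # nonce -> (user, device_id, expires_at)
        self.consumed = set()   # nonces that have already been answered

    def enroll(self, user, device_id):
        key = os.urandom(32)
        self.keys[(user, device_id)] = key
        return key

    def challenge(self, user, device_id, ttl=60):
        nonce = os.urandom(16)
        self.pending[nonce] = (user, device_id, self.now() + ttl)
        return nonce

    def verify(self, user, device_id, nonce, response):
        if nonce in self.consumed:
            return False, "replay: nonce already used"
        entry = self.pending.get(nonce)
        if entry is None or entry[:2] != (user, device_id):
            return False, "unknown challenge for this user/device"
        if self.now() > entry[2]:
            return False, "challenge expired"
        key = self.keys.get((user, device_id))
        if key is None:
            return False, "device not enrolled for this user"
        expected = hmac.new(key, _response_input(nonce, IDP_ORIGIN, user, device_id),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False, "bad response: wrong key or response bound to another origin"
        self.consumed.add(nonce)
        del self.pending[nonce]
        return True, "ok"


def run_scenarios():
    """Constructed scenarios (assumed names); returns each verdict keyed by case."""
    clock = [1000]
    idp = IdentityProvider(now=lambda: clock[0])
    laptop = DeviceAgent("alice", "LAPTOP-01", idp.enroll("alice", "LAPTOP-01"))
    results = {}

    # 1. Normal login from the enrolled device, talking to the real IdP.
    nonce = idp.challenge("alice", "LAPTOP-01")
    resp = laptop.respond(nonce, IDP_ORIGIN)
    results["legit"] = idp.verify("alice", "LAPTOP-01", nonce, resp)

    # 2. Replay: the captured response is submitted a second time.
    results["replay"] = idp.verify("alice", "LAPTOP-01", nonce, resp)

    # 3. Phishing relay: the attacker forwards the IdP's nonce, but the device
    #    binds its response to the origin it actually sees, so the IdP rejects it.
    nonce = idp.challenge("alice", "LAPTOP-01")
    results["phished"] = idp.verify("alice", "LAPTOP-01", nonce, laptop.respond(nonce, PHISH_ORIGIN))

    # 4. Same user on a device that was never enrolled: no (user, device) key exists.
    other = DeviceAgent("alice", "LAPTOP-99", os.urandom(32))
    nonce = idp.challenge("alice", "LAPTOP-99")
    results["unenrolled_device"] = idp.verify("alice", "LAPTOP-99", nonce, other.respond(nonce, IDP_ORIGIN))

    # 5. Stale challenge: a correct response that arrives after the nonce expired.
    nonce = idp.challenge("alice", "LAPTOP-01", ttl=60)
    resp = laptop.respond(nonce, IDP_ORIGIN)
    clock[0] += 120
    results["expired"] = idp.verify("alice", "LAPTOP-01", nonce, resp)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:18s} {verdict}")
```

    Two properties carry the argument. The nonce is single-use and time-limited, so a response captured on the wire is useless afterwards (replay resistance). And the response commits to the origin the agent observed, so a response produced for a look-alike site does not verify at the real IdP even though the attacker relayed a genuine nonce (phishing resistance). Because the key is registered per user + device, an unenrolled machine cannot answer for the user at all, which is the "holder-of-key" property the FAL3 reference above is about.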

  • Maintenance

    SecureDoc provides a crypto-erase operation that destroys the encryption key, leaving the ciphertext on the drive computationally infeasible to decrypt. Administrators can configure the system to trigger crypto-erase remotely. This ensures that equipment removed for off-site maintenance is sanitized of any Controlled Unclassified Information (CUI), removing the risk of data exposure while the equipment is out of the organization's control.

    MagicEndpoint supplies Multifactor Authentication (MFA) for the Virtual Private Network (VPN) solutions used during maintenance activities over external network connections, so that nonlocal maintenance sessions established through external network connections require multifactor authentication.

  • Media Protection

    SecureDoc protects the confidentiality of Controlled Unclassified Information (CUI) stored on diverse digital media with encryption at several levels of granularity: sector-based (full disk), data-container-based, and file-level. Access to encrypted CUI on media is limited by issuing the encryption keys only to authorized personnel.

    Media holding encrypted CUI are sanitized either by crypto-erase (see MA.L2-3.7.3) or, where File Encryption is the protective measure and so only selected files rather than the whole medium are encrypted, by the Gutmann overwrite method. Before disposal or release for reuse, information system media containing Federal Contract Information can thus be sanitized or destroyed in line with security requirements.

    Access to CUI stored on system media is restricted to authorized users, and media are marked with the required CUI markings and distribution limitations. Cryptographic mechanisms protect the confidentiality of CUI during transport unless alternative physical safeguards provide equivalent protection.

    SecureDoc's Disk Access Control feature lets administrators authorize the use of removable media by configuring lock/unlock settings for each type of removable media within profiles, giving precise control over removable media on system components. The confidentiality of backup CUI at storage locations is also protected, so that sensitive information is covered throughout the data lifecycle.

  • Physical Protection

    SecureDoc Full Disk Encryption, Removable Media Encryption, and File Encryption, combined with MagicEndpoint's authentication mechanisms, protect Controlled Unclassified Information (CUI) on devices used off-premises, so that sensitive data remains protected beyond the organization's premises.

    Using these encryption technologies together with strong authentication, organizations can enforce the safeguarding measures required for CUI at alternate work sites, keeping CUI confidential wherever devices are used and reducing the risks of unauthorized access or breach associated with off-site operations.

  • System & Communications Protection

    SecureDoc provides Full Disk Encryption (FDE), which encrypts the entire disk sector by sector including system data, together with File & Folder Encryption (FFE). Encryption keys for users and devices are managed centrally at enterprise level from a single console, which simplifies key management and the administration of access rights across the organization.