Did your business just walk out the door?
Our mobile workforce can steal or lose sensitive data quickly and without detection, from a software developer sneaking out gigabytes of valuable source code on his iPod to an executive's wireless-enabled laptop being sniffed at the local coffee shop.
Think about all the ways we move and store data on mobile devices: USB ports, which support a multitude of portable storage devices, including flash drives, portable hard drives, printers, and music and video players; FireWire, PCMCIA, serial and parallel ports, CDs/DVDs, tape drives and even the lowly floppy drive. Add unprotected WiFi, Bluetooth and Infrared (IrDA) connections, and you have a real security nightmare on your hands.
It wasn't long ago that security administrators controlled access to USB ports with epoxy or caulk and physically disabled onboard wireless. Now, however, instead of trying to ban use of portable storage devices and wireless connections, organizations can select from a fairly new but effective group of products that give them granular policy-based control over their use. Device control products can help balance productivity with security by allowing administrators to centrally authorize and monitor endpoint devices.
In a head-to-head review, Information Security examined six device control products, all of which provide centrally managed granular control over ports, interfaces and storage devices: DeviceLock 6.0 from SmartLine, Sanctuary Device Con-trol 4.0 from SecureWave, Endpoint Access Manager 3.0 from ControlGuard, Device-Wall 4.5 from Centennial Software, Safend Protector 3.1 from Safend and Protect Mobile from Workshare.
Making the Grade
Click here for a comparison chart of the six device control tools we evaluated (PDF).
Each product was graded based on its ease of installation and configuration, policy, tampering resistance, port and device control, encryption support, performance, and monitoring, alerting and reporting. Overall, we found all the products performed as advertised, but there are enough differences to consider when choosing a portable endpoint data control solution (see "Making the Grade," (PDF)).
All the products we tested have similar architectures--server, console and client/agent--based on a Windows platform, although each included support for Novell's directory services. We deployed each product on an identical simulated enterprise network (see "About This Review," at right) using numerous desktops and laptops, supporting multiple ports and removable storage devices.
Centennial's DeviceWall was the easiest product to install, since it requires only two components--the Control Center and the Client Service. With a half-dozen ways to roll out the client, DeviceWall got our top vote for installation and configuration.
ControlGuard and DeviceLock have similar setups, consisting of a server, client and multiple Windows-based ways to administer the product (Active Directory, MMS, SMS, GPO). With two different client agents--active and passive--ControlGuard gave us more to consider during setup. We deployed both types of agents and concluded that this aspect of ControlGuard should be simplified with a single agent that could perform in either or both modes.
DeviceWall and DeviceLock had easy install wizards that walked us through setting up initial permissions and policies. DeviceLock's wizard allowed us to set permissions for ports and devices, getting us running quickly.
Installing and configuring Workshare Protect Mobile took the most effort, because it is part of an enterprise suite of three components. It delivered comprehensive endpoint protection, but didn't provide the depth of granularity or functionality as the other products.
The installation of SecureWave was the most difficult, because of its four components--a database server, an application server with two subcomponents, the management console and the client. We also encountered several client deployment issues that required extra time reconfiguring our firewall.
About this Review
Information Security deployed six portable storage device control products in our test lab.
All the products were tested in a Microsoft Windows environment with Active Directory, although some supported Novell. All the products utilized either an embedded or external version of a SQL database.
Our testing environment included wired and wireless network connectivity with both desktops and laptops, supporting an array of portable storage devices including USB flash drives, FireWire external hard drives, CD-RW drives and floppy disk drives. Our testing also included PDAs and serial docking stations, smart phones with Bluetooth connections, PCMCIA wireless adapters and multifunction printer/scanner/fax/copier machines on both USB and parallel ports.
Concentrating on real-world scenarios, we blocked devices such as portable music players and storage devices (flash drives, FireWire drives) while allowing legitimate peripherals including keyboards, mice, printers, faxes and scanners. Drilling down into the granular policies, we set CD/DVD drives to read-only and disabled Bluetooth and IrDA connections, while allowing WiFi use.
Multiple attempts to introduce devices contrary to policy were performed using a variety of devices and connections, including portable storage devices infected with known malware including worms, Trojans and keyloggers.
--SANDRA KAY MILLER
Ultimately, everything boils down to policy and enforcement and performance. Policy granularity is a driving factor in each of these six products. For portable storage devices, our testing revealed nearly identical features, including monitoring and control over reading, writing and blocking.
Policies were determined by device types and classes, ports, connections, machines and users. With all the products, we could set up who could use what device/port/connection and when.
The policy options available are so plentiful, it's easy to get overwhelmed and confused. We found it was easier to start with our global policies and work to more detailed policies, such as those for individual users. We were also able to set different policies for the same user/computer determined by online/offline status. That means when a mobile user returns to the office and logs in to the domain, wireless interfaces can be turned off, and corporate asset protection, such as file filtering, engaged.
All the products allowed very fine-grained policy, mainly through whitelists--the more granular the policies a product supports, the better the controls. DeviceLock provided the most detailed assignment of authorized devices. For example, we were able to allow a single Fire-Wire portable hard drive based on its serial number. The exceptions can also work in reverse; for example, you can shut down access for terminated employees or limit devices to read-only.
We liked how SecureWave's Sanctuary Device Control comes out of the box with a default deny-all policy. No data was allowed to be transferred to external storage devices until we set up authorization. Allowing only what you authorize--instead of trying to blacklist what you don't--is sound security policy.
SecureWave has a number of ways to keep tabs on traffic, including data transfer throttling and file type filtering.
For example, we set policies that limited file types to Microsoft Office files no larger than 5 MB. Regardless of how we tried to save CAD files--both less than and in excess of our size limit--to flash drives, portable hard drives or write to CD, we were unable to do so.
ControlGuard earns kudos for recognizing that many mobile workers also connect directly to the corporate network. We easily set up two distinctly different policies, offline and online. We simulated a common problem that occurs when mobile workers connect their WiFi-enabled laptops directly to the corporate network--they still have a live wireless connection. For our testing purposes, when laptop users logged on to the domain, their WiFi adapters were disabled.
ControlGuard addresses another real-world scenario, exercising control over multiple users logging on to a single machine or a single user with access to multiple machines. This is where a firm understanding of policy hierarchy is required. For example, a user having rights to a USB port on one machine doesn't necessarily mean he has the same rights on another.
For organizations that want to further enforce policy through enterprise-class management systems, Control-Guard's Endpoint Access Manager is designed to integrate with third-party products like HP OpenView and CA Unicenter.
Safend offers similar policy control through role-based access and prohibiting simultaneously enabling multiple networking protocols. One feature that really caught our attention was the ability to easily print a summary of our entire policy anytime. This means corporate policy can be posted or viewed by management, which doesn't have access to the console, but needs access to security policies.
Overall, DeviceWall's policy configuration was the least intuitive of the products tested, although the Master Policy tree accessed through the Control Center provided a clean interface for configuring 16 different device categories, including digital cameras, scanners, smart phones, and BlackBerry, Palm OS and Windows Mobile devices. We would have liked to have seen all the individual categories for mobile handheld devices under a single high-level branch on the tree, instead of each given its own. It would make the Control Center interface much less cluttered.
When building complex policies that limit or deny the availability of computer resources, there are bound to be exceptions to the rules. DeviceWall was our favorite product for bending the rules. It let us assign temporary access for up to three devices either for the current Windows session or by start time and duration. Even when we weren't connected to the network or Internet to push out a change in policy, DeviceWall gave us the option to generate a key that could be verbally exchanged or sent via text message over a mobile phone to provide temporary access to the restricted port or device.
DeviceLock's exception to policy functions similarly to DeviceWall's temporary access, but lacked the granularity to assign any length of time, giving only the option to use the restricted resource during that particular Windows Session.
Safend allows for the temporary suspension of the client, even when the computer is offline.
Encryption Gains Ground
Data encryption has long been a strong security technology, but its use has been generally limited because of the complexity of implementing and maintaining it, as enterprises wrestle with thorny issues such as a key management and security.
That's all changing because of regulatory requirements and the exposure of data through Internet-facing applications. Nowhere has this become more evident than with the ubiquitous use of high-capacity portable storage media. Five out of six solutions Information Security tested for this review have integrated automatic forced encryption capabilities into their products.
Although the use of automated encryption for portable storage media is solving numerous security issues, there are still significant challenges to address.
Nate Lawson, senior researcher at Cryptography Research (www.cryptography.com), a security consulting and technology licensing firm, points out that there is plenty of room for improvement with the widespread use of encryption for storing information.
"How do I make sure I never lose or destroy that key, because if I do, it's like losing the entire set of data," Lawson says. "I won't be able to decrypt it again."
While there are lots of standards for encryption (AES, DES, 3DES, etc.) and protocols (SSL), there is little standardization for key backup.
Lawson sees this as a potential pain point, especially in M&A scenarios and because of the speed at which technology becomes obsolete.
Before organizations begin routinely encrypting portable storage media through solutions such as the ones we tested, they need to examine the lifecycle of the data being stored and ensure access to decryption tools, such as keys and software.
--SANDRA KAY MILLER
We attempted to circumvent our installed clients through a variety of methods. Often, installed components can be sidestepped by local users who have administrative rights to their machine. Even with local admin rights, we were unable to modify or remove any of the installed clients.
Tens of millions of USB flash drives are sold every year, and you can bet some are going to be lost or stolen, sometimes with sensitive data. DeviceWall was our pick for the lost flash drive scenario. When we inserted a USB flash drive into a bare-bones laptop running no device control client, we received the message that our drive was not formatted and asked if we would like to format it. Had the drive contained confidential information, the cost associated with losing the data to the wrong entities could be devastating, but thanks to DeviceWall, less than a minute after plugging in the uncontrolled drive, it was wiped clean.
We also addressed the issue of theft, loss and tampering of removable storage devices and media through the products' use of encryption. DeviceLock, which was generally outstanding in other areas, was the only product in our testing that did not support any type of encryption, which brought down its overall grade.
SecureWave set the bar with two different types of encryption--centralized, which allows administrators to set the requirements, and decentralized, meaning an authorized user can decide when to encrypt. Additionally, you can export keys to a file or to the portable device for access to encrypted media offline, although we felt that this compromised the security of the portable storage device. SecureWave offers the strongest encryption, with AES 256.
DeviceWall offers two different ciphers--AES and Blowfish--in both global and individual user key models. For instance, a company might require its HR employees to automatically encrypt all data transmitted via WiFi or saved to portable media. However, encryption is only available for use with USB flash drives. On the plus side, DeviceWall allows you to easily back up the Global Key, so data can be retrieved if the key is lost.
ControlGuard also provides encryption for secured USB drives. We liked its "self-destruct" feature, which limits the lifecycle of the data accessible on the drive.
Workshare Protect Mobile provides the most flexible client-side encryption through PGP based upon content. Once files have been identified as requiring additional security, they are automatically encrypted.
Safend's encryption is the most transparent to users. We were able to use the same encrypted USB drive on all the machines on our network with the Safend client installed without ever realizing the device had been encrypted. Of course, when we attempted to use the drive in a non-Safend computer, we were unable to access the drive.
One big worry with encrypted files on portable media is the decryption software won't be available when needed. Safend had the forethought for just such a scenario and includes a Home Decryption Utility that allows authorized users to access information on encrypted devices when the Protector Client is not present.
Wireless covers a lot of territory on today's mobile devices. All the products we looked at included comprehensive control over WiFi, Bluetooth and IrDA interfaces.
Since its introduction, there has been a lot of hand-wringing over WiFi connections. Administrators disable onboard wireless, but still have to worry about an employee using their own inexpensive PCMCIA wireless adapter so they can hook up at home or a hotspot.
Administrators are just catching up to smart phones and PDAs, which are increasingly taking advantage of Bluetooth technology for file transfer and synchronization with laptops. An inexpensive USB Bluetooth adapter can quickly connect a PC to a Pocket PC.
And let's not forget about IrDA. Not as powerful or popular as WiFi or Bluetooth, infrared personal area network connectivity still presents a vulnerability.
Safend clocked in with the best control for WiFi, based upon MAC addresses, SSID and network security levels.
The remaining products didn't provide as much control as Safend, but they all provided basic permit/deny wireless interface blocking functionalities that identified all wireless interfaces regardless of type. For instance, we set policy to deny all WiFi with a laptop containing an onboard wireless adapter. As we added PCMCIA and USB wireless adapters, they too were disabled despite those ports not having any deny policy assigned to them.
Auditing and Reporting
While the majority of our testing was devoted to the verification of security features, in today's regulatory environment, a robust auditing feature can be just as critical as security.
The most comprehensive monitoring feature for this purpose is shadowing, which is the ability to record all data transferred to and/or from a device or port. DeviceLock and SecureWave both support shadowing.
During our testing, shadowing allowed us to capture all data sent to specific devices, including our printer/scanner/copier/fax machine. How many companies actually monitor the information sent over a fax or documents that have been scanned? Low-tech crimes are often overlooked.
The only drawback we could see with data shadowing was, ultimately, data storage. A large enterprise could generate an enormous amount of data.
Safend uses file logging; while not as robust as shadowing, it lets administrators track what files are being accessed, moved, deleted, created and modified.
Safend took the honors for the most useful logs, with excellent information for forensic investigations.
We also liked DeviceWall's detailed Policy Change Logs, which record all the policy changes made and provide comprehensive connection reporting. On the other hand, we found the graphical Audit Log Reports and Acceptable Risk meter of little use to a security professional.
Spotlight on the Endpoint
Mobility and portability make data protection a far more complicated problem than it once was. They've given this product market traction it wouldn't have seen just a couple of years ago. As the products mature, they feature improved reporting and central management capabilities, and, in most cases, combine en-cryption with device control for stronger endpoint security.
We're starting to see similar capabilities in more comprehensive security and data protection products. Expect to see these products extend their feature sets or get folded into broader products, as larger companies continue their pattern of acquiring key new technologies.
Time and experience have taught the security community that going to the root of a problem will often save time and money. Priced on a per-user, annual basis, for larger enterprises, these products can become pricey on top of existing security solutions licensed on an annual basis, such as antivirus/antispyware. Nevertheless, endpoint security has clearly moved center stage, and many corporations are going to do what it takes to protect their data as it moves out into the world.