|
Policy Configuration/Enforcement
Ultimately, everything boils down to policy and enforcement and performance. Policy granularity is a driving factor in each of these six products. For portable storage devices, our testing revealed nearly identical features, including monitoring and control over reading, writing and blocking.
Policies were determined by device types and classes, ports, connections, machines and users. With all the products, we could set up who could use what device/port/connection and when.
The policy options available are so plentiful, it's easy to get overwhelmed and confused. We found it was easier to start with our global policies and work to more detailed policies, such as those for individual users. We were also able to set different policies for the same user/computer determined by online/offline status. That means when a mobile user returns to the office and logs in to the domain, wireless interfaces can be turned off, and corporate asset protection, such as file filtering, engaged.
All the products allowed very fine-grained policy, mainly through whitelists--the more granular the policies a product supports, the better the controls. DeviceLock provided the most detailed assignment of authorized devices. For example, we were able to allow a single Fire-Wire portable hard drive based on its serial number. The exceptions can also work in reverse; for example, you can shut down access for terminated employees or limit devices to read-only.
We liked how Secu...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
reWave's Sanctuary Device Control comes out of the box with a default deny-all policy. No data was allowed to be transferred to external storage devices until we set up authorization. Allowing only what you authorize--instead of trying to blacklist what you don't--is sound security policy.
SecureWave has a number of ways to keep tabs on traffic, including data transfer throttling and file type filtering.
For example, we set policies that limited file types to Microsoft Office files no larger than 5 MB. Regardless of how we tried to save CAD files--both less than and in excess of our size limit--to flash drives, portable hard drives or write to CD, we were unable to do so.
ControlGuard earns kudos for recognizing that many mobile workers also connect directly to the corporate network. We easily set up two distinctly different policies, offline and online. We simulated a common problem that occurs when mobile workers connect their WiFi-enabled laptops directly to the corporate network--they still have a live wireless connection. For our testing purposes, when laptop users logged on to the domain, their WiFi adapters were disabled.
ControlGuard addresses another real-world scenario, exercising control over multiple users logging on to a single machine or a single user with access to multiple machines. This is where a firm understanding of policy hierarchy is required. For example, a user having rights to a USB port on one machine doesn't necessarily mean he has the same rights on another.
|
 |
|
