Price: $13-$32 per seat
Some call it the "iPod Problem": How can you stop employees with 60 gigabytes of portable storage in their shirt pockets from leaking sensitive information? Your company's most precious assets can walk out the door on USB memory drives, writable CDs and DVDs, Bluetooth, Wi-Fi and smart phones, laptops and PDAs.
Draconian measures--searching employees, requiring only company-owned devices be attached to the network, and ordering computers without USB ports or removable storage--carry a steep price in productivity.
Or you can use security products like Safend Protector, which lets you define who can use USB ports and what those ports can be used for. It also allows you to specify who can use wireless connections and under what circumstances, and to control how removable storage is used and by whom.
Safend Protector is a central solution for managing the security policies of Windows-based computers (no Mac or Linux support) on your enterprise network. It provides complete, deeply granular control over who is allowed to use which resources on client machines.
The manager interface is easy and intuitive with buttons and drop boxes. For example, you can restrict write access to only memory devices with specific serial numbers. You can specify different access restrictions on a user or group basis, or allow some types of devices to have access but not others.
Protector depends on a collection of operating system hooks, kernel-level drivers and encrypted registry entries to control access to the outside world for a given computer.
Protector is designed to be installed and have policies updated using Active Directory. It supports any domain management system, using either a GPO file for AD or a registry file for other LDAP products.
The client agent is installed through SMS or any third-party system; policies are distributed through an AD push and Novell's ZENworks.
Removing clients from systems requires an administrative password; the client software includes hooks into the Windows Registry so restrictions can't be bypassed.
We tested Protector on an IBM x346 machine running a Windows 2003 Server, both by using AD for everything and performing distributions and policy updates manually.
Protector thwarted our best efforts to use devices prohibited or limited by policy, such as USB keys that were partially accessible and where access was limited to certain users.
We tried to gain access with devices, such as a USB mouse, that were not on the prohibited list. In all cases, Safend Protector did exactly what the company said it would, and it did it unobtrusively: When we attached a restricted device, for example, we received a polite warning bubble on the Windows desktop, telling us the action was prohibited.
The manual is one of the best we've seen. It leads you step-by-step through the entire process of preparing your server, making the proper AD changes, installing the software and distributing it. The manual will also tell you how to distribute the software without AD. It's detailed, complete, clear and correct.
If you're even slightly familiar with Windows administrative tasks, you can go from start to operational without a problem. Safend offers services for implementation, but in a smaller environment, you won't need them.
Protector provides strong data protection for any size organization, with robust central management and the flexibility to enforce your corporate policies for removable storage devices.
This product review originally appeared in the February 2006 issue of Information Security magazine.