A Closer Watch

By Andrew Garcia

Tech Analysis: A new generation of products goes a long way in protecting against accidental data loss.

Sanctuary also provides the ability to log—or even keep a copy of—data permitted to be copied from the desktop.

Closer watch

In the months to come, we expect to see increased interest in content-aware technologies. Network DLP (data loss prevention) vendors, including Vontu, Vericept and Reconnex, have recently released new endpoint agents that promise not only to lock down the use of unauthorized storage devices but also to provide policy-based detection of proprietary data content copied to an approved device.

For example, if an authorized user copies a Social Security number or intellectual property to an unapproved location, this new breed of endpoint security would block and log the attempt.

However, content detection has historically been a network-based technology, so vendors will need to prove that their products will work on the desktop, intercepting disk I/O behavior rather than a network stream, without causing harm to the local system.

Many of these networking-based vendors have looked outside their own development teams to get going—with one notable exception: While Vericept bought Black White Box back in 2005 and Reconnex partnered with an unnamed third-party endpoint security vendor, Vontu went it alone, developing its own endpoint solution in-house.

There are drawbacks to cooperative products, as customers need to make sure that the same detection algorithms that are used at the network level are used at the endpoint. Also, the network and endpoint management functions should be fully integrated, with policy management, logging and reporting tied together for better trending and forensic analysis.

But Vontu's ground-up development comes at a cost as well, as its endpoint product appears less mature than the competition's. We learned in conversations with Vontu representatives that the company's Data At The Endpoint product is a log-only solution.

It cannot, at this time, block the copying of data to removable storage; it only notifies an administrator of policy violations via e-mail. While such a notification is marginally useful for accountability reports, the horse has already left the barn at that point.

Steve Roop, Vontu's vice president of products and marketing, in San Francisco, asserts that the risk for false positives currently outweighs any reward for automatic blocking: "Our clients value accuracy as a higher priority than automated blocking," Roop said. "If you block things that are false positive, you will aggravate a large number of your employees."

Roop added that the same detection algorithms Vontu uses at the network level are available for the endpoint. Automated blocking will come in the next revision, he said, after customers have gotten a handle on exactly what data flows are present and what they mean.

eWEEK Labs recommends that corporations evaluate their systems and assess risk tolerance to determine the mix of network and endpoint-based products that will provide necessary auditing features, forensic analysis capabilities and—most importantly—peace of mind.

Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.

This article was originally published on 2012-05-04