Musings on personal and enterprise technology (of potential interest to professional technoids and others)

Tuesday, July 10, 2007

The Drive for Data Protection - eWeek April 16, 2007

The Drive for Data Protection:

"... the operating system is not the place to look for the current utmost in protection against accidental data loss, and oversight over and privacy for data that is permitted to be copied to devices, and proof of action for audit and compliance purposes. For these types and levels of protection, companies need to look to third-party solutions.

Indeed, the security market for products that protect against data loss from the endpoint is white-hot right now, with dozens of companies vying for a place on the corporate desktop. And it's a market that an increasing number of organizations are tapping into as a pre-emptive strike.

'We put something in place with [Microsoft] Active Directory that would block the use of USB ports, CDs or floppy disks, but it was not easily administered,' said Miriam Neal, vice president of IS at South Western Federal Credit Union in California. Neal eventually settled on SecureWave's Sanctuary 4.1, which we have reviewed. We also reviewed Secuware Security Framework 4.0.

Both products offer policy settings to deny read or write actions to removable storage devices, approve the use of standard devices and enable the use of encryption.

Security Framework's strength lies in its ability to easily enable encryption on the enterprise..."

1 comment:

Daniel Nadel said...

Surely, the potential threat for the enterprise to fall victim to data fraud increases with each new day. Alas, that's the backside of progress. We get new devices and then these new devices cause us trouble. Microsoft makes some efforts to resist that; we can recall a supplementary administrative template that was published by one MS MVP on the support site. This solution, though, had a big negative part and was subject to tattooing the registry with template data when the template was being removed from the GP scope. While Vista has made a big step to protect organizations from data fraud by inventing special device installation and usage group policies, it still involves taking extra steps to block, for example, standard USB devices, such as manually identifying the device ID strings needed to block the device. The problem is denying the specific access type to the device. As far as I can see, if I want to block write access to my device I should choose from the set of three types of devices, which include removable disks, floppy drives and WPD devices. That is, you have to determine in advance what class of devices you should block and if you can afford blocking the whole class at once. Moreover, it still gives no answer as to what to do with obsolete (if we can call them so) operating systems such as the whole NT 5 line with Windows 2000/2000 Server and Windows XP/Server 2003. So, talking about my private case, we here have chosen a third-party tool (in our case that was ScriptLogic's Desktop Authority) that allows choosing the device types granularly and locking them down by differentiating between USB, IEEE 1394 devices and, for example, Bluetooth devices. That allows read access for a person within a specific organizational unit for USB sticks, and forbids write access to them while totally forbidding the access for Bluetooth devices or docking PPCs. A very appealing tool! We maintain wireless access within the building and the device management policies within Desktop Authority help a lot.