Continuing the discussion over DLP that started in July with DeviceLock, The Tech Herald recently had the opportunity to talk to another DLP vendor, Safend.
Susan Callahan talks to TTH about DLP. (Photo: Safend)
Safend was founded in 2003 and is headquartered in Tel Aviv, Israel, with offices in Philadelphia, Pennsylvania. The company offers three main products aimed at the overall protection of the information on a company network.
Susan Callahan, the Vice President of Business Development and Marketing at Safend, took the time to talk to The Tech Herald via e-mail, and answered the same set of questions that were given to DeviceLock.
[Note: The Tech Herald has covered various DLP vendors and solutions in the past. As always, The Tech Herald welcomes any DLP vendor that wishes to comment on this Q&A and offer insight and additional information by answering the same questions.
The answers to the questions are detailed to give enough information to the reader doing research. While cost is a factor, the largest factor a business should focus on when picking a DLP vendor is how well the offered solution works with the business itself. It is important to remember that not all DLP vendors and solutions are equal.]
The Tech Herald (TTH): With no marketing spin, explain what your company does and why it is important to IT.
Susan Callahan (SC): Safend is an endpoint data leakage prevention solution that helps companies protect sensitive data without sacrificing security and productivity. The solution provides small to mid-sized enterprises with the visibility and control needed to securely utilize new communication and removable storage technologies while maintaining increasingly stringent regulatory requirements. Safend provides three solutions that work together and assist in the prevention of endpoint data leakage problems:
Safend Auditor provides rapid, non-intrusive, clientless port and device identification, providing detailed audit logs of all devices currently or historically connected to endpoints via USB, Firewire, PCMCIA or WiFi ports.
Safend Protector provides highly granular, intuitive port and device control, providing administrators the ability to block, restrict or allow access, and/or allow with automatic data encryption based on administrator-defined policies. It protects all local, physical and wireless communications ports from accidental data loss and malicious threats.
Lastly, Safend Reporter is an add-on module that provides comprehensive reporting and analysis on security incidents and operations status. Safend Reporter heightens visibility into security incidents by incident type, providing drill-down reporting to facilitate granular policy creation and enforcement. The tool reports on data accessed by removable storage devices and wireless ports, providing extensive security and operational reporting that further enables data security and regulatory compliance.
Coupled with Safend Protector’s built-in compliance policy settings for HIPAA, PCI and SOX, Safend Reporter facilitates regulatory compliance reporting that helps meet the data accountability tenets of these and other compliance standards.
TTH: What is it Safend offers that administrators simply cannot get by using solid GPO and local client policy?
SC: For many organizations, the biggest challenge with regard to mobile devices is ‘how can administrators enable employees to maintain or increase productivity when traveling or working remotely while avoiding data security threats?’
Generic GPO and local policies cannot address this need on a large scale. In order to ensure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible enough that they do not hinder productivity, but strong enough to prevent data leakage threats. This is accomplished through Safend’s granular policies that allow administrators to block, allow or restrict access to data by everything from file type and device type to a specific device serial number.
When securing the enterprise, companies often choose a binary approach where they allow all or block all access to removable devices. When blocking all access is used for ensuring data security, employees are clearly inhibited from being productive outside of the office environment. A granular solution allows administrators to grant access for specific data to specific users, enabling productivity to remain intact while adhering to data protection policies. A centrally-managed solution also enables administrators to establish such policies based on existing role-based settings and efficiently deploy the policies via Active Directory or Novell eDirectory.
Microsoft's GPO also lacks logging capabilities, which is very important for tracking and regulatory compliance. Microsoft's GPO does not handle any end user interaction after a device has been blocked, and cannot provide the user with the right notification of the reason. As for data loss, Safend Protector provides a comprehensive solution by encrypting all data written to removable media; this capability does not exist in GPO.
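The layered policy model described in this answer (rules keyed on device serial number, device type, user role and file type, with a decision log that can be shown to the user) is easy to misjudge without seeing how the layers combine. The following is an added example written for this page, not Safend's code: a small device-control policy evaluator in which the most specific matching rule wins, write operations are further filtered by file extension, and every decision is recorded with its reason. The rule set, device serials, users and roles are all constructed for the demonstration.

```python
"""Added example: layered endpoint device-control policy evaluation.
Not Safend's code; all rules, serials, users and roles are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ALLOW, BLOCK, ENCRYPT, READ_ONLY = "allow", "block", "allow-with-encryption", "read-only"


@dataclass(frozen=True)
class Rule:
    action: str
    device_type: Optional[str] = None      # e.g. "usb-storage", "wifi"; None matches any
    serial: Optional[str] = None           # exact device serial number; None matches any
    role: Optional[str] = None             # user role; None matches any
    blocked_extensions: frozenset = frozenset()  # file types that may never be written
    reason: str = ""                       # shown to the user and written to the audit log

    def matches(self, event: "Event") -> bool:
        return ((self.serial is None or self.serial == event.serial)
                and (self.device_type is None or self.device_type == event.device_type)
                and (self.role is None or self.role == event.role))

    def specificity(self) -> int:
        # A serial-number rule beats a device-type rule, which beats a role-only rule.
        return (4 if self.serial else 0) + (2 if self.device_type else 0) + (1 if self.role else 0)


@dataclass(frozen=True)
class Event:
    user: str
    role: str
    device_type: str
    serial: str
    operation: str                  # "read" or "write"
    filename: Optional[str] = None  # only meaningful for writes


@dataclass
class Decision:
    action: str
    reason: str


AUDIT_LOG: List[dict] = []  # in a real product this would go to a central server


def evaluate(rules: List[Rule], event: Event, default: str = BLOCK) -> Decision:
    """Pick the most specific matching rule, then apply file-type and read-only checks."""
    candidates = [r for r in rules if r.matches(event)]
    if not candidates:
        decision = Decision(default, "no matching rule; default deny")
    else:
        rule = max(candidates, key=Rule.specificity)
        action, reason = rule.action, rule.reason
        if event.operation == "write":
            name = event.filename or ""
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if action == READ_ONLY:
                action, reason = BLOCK, "device is read-only for this role"
            elif ext in rule.blocked_extensions:
                action, reason = BLOCK, f"file type .{ext} may not be copied to removable media"
        decision = Decision(action, reason)
    AUDIT_LOG.append({"user": event.user, "device": event.serial or event.device_type,
                      "op": event.operation, "file": event.filename,
                      "action": decision.action, "reason": decision.reason})
    return decision


# Constructed policy: removable storage is denied by default, finance may use it with
# mandatory encryption (but no executables), contractors get read-only access, one
# corporate-issued drive is allowed outright, and ad-hoc WiFi is blocked.
SAMPLE_RULES = [
    Rule(BLOCK, device_type="usb-storage", reason="removable storage is blocked by default"),
    Rule(ENCRYPT, device_type="usb-storage", role="finance",
         blocked_extensions=frozenset({"exe", "dll"}),
         reason="finance may use USB storage; data is encrypted automatically"),
    Rule(READ_ONLY, device_type="usb-storage", role="contractor",
         reason="contractors may read from but not write to removable media"),
    Rule(ALLOW, serial="SN-CORP-0001", reason="corporate-issued encrypted drive"),
    Rule(BLOCK, device_type="wifi", reason="WiFi is disabled while connected to the LAN"),
]

# Constructed connection/transfer events.
SAMPLE_EVENTS = [
    Event("alice", "finance", "usb-storage", "SN-RND-77", "write", "q3-report.xlsx"),
    Event("alice", "finance", "usb-storage", "SN-RND-77", "write", "tool.exe"),
    Event("bob", "contractor", "usb-storage", "SN-RND-78", "read"),
    Event("bob", "contractor", "usb-storage", "SN-RND-78", "write", "notes.txt"),
    Event("carol", "sales", "usb-storage", "SN-CORP-0001", "write", "deck.pptx"),
    Event("dave", "sales", "usb-storage", "SN-RND-79", "read"),
    Event("dave", "sales", "wifi", "", "read"),
    Event("eve", "sales", "bluetooth", "", "read"),
]


def run_demo() -> List[str]:
    """Evaluate every sample event and return the list of actions taken."""
    return [evaluate(SAMPLE_RULES, e).action for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    run_demo()
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log entries carry the rule's reason, which is what a client agent would display to the user at the moment a device is blocked; that per-event record is the logging and user-notification gap the answer attributes to plain GPO.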
TTH: Data protection is important to every company, yet executives and administrators are slow to adapt policy and change to secure the data. Why do you think this is?
SC: Businesses are slow to create and enforce policy to secure data out of a fear of limiting productivity and access. No company wants to slow down the speed of business or make workers less productive. In order to avoid this issue and rapidly secure enterprise data, a number of factors need to be considered when defining an enterprise-wide DLP strategy: Who really needs access to sensitive data? Do they need access to all data or just a sub-set of information or files? What devices can be used to access data? Which cannot? For authorized users, should encryption be mandated for data transferred to portable devices?
Best practices are essential in maintaining the balance between productivity and security when it comes to enterprise data. This includes implementing a robust and integrated technology solution and setting and enforcing strict and clearly-defined written policies.
TTH: Who are your top rivals in the data protection arena?
SC: There are very few vendors, if any, that have as comprehensive a solution for data protection for all physical, wireless and removable media as Safend has. Lumension has a Port/Device Control Solution, but it does not have Safend’s deep coverage for wireless ports. DeviceLock does not have Safend’s advanced content and application awareness that enables Safend to track offline usage of encrypted devices or file type control. Pointsec Protector does not have file shadowing and granular graphical reporting for regulatory compliance, and no other vendor has Safend’s level of security and anti-tampering capabilities inherent in the Safend solution.
TTH: Would you outline four or five things that you'd suggest a company do to prepare for movement to a network-wide DLP strategy and should consider when looking at DLP?
SC: 1. Employ an endpoint data leakage prevention solution
An endpoint data leakage prevention solution gives administrators control over what devices are in use, visibility as to when they have been used and by whom, and knowledge of what data has been copied. The most effective endpoint security solutions allow administrators to actively manage user access and log the activity of media players, USB drives, memory cards, PDAs, mobile phones, network cards and more. These endpoint security solutions also permit administrators to centrally disable users from accessing portable storage media, preventing users from stealing data or bringing in data that could be harmful to your network, such as viruses, Trojans, and other malware.
2. Encrypt everything
Because data can be stored in USB devices and external storage cards such as Secure Digital/Multimedia Cards (SD/MMC), CF cards and PC storage cards, administrators should encrypt all communications and data, including email, file transfers, hard drives, external storage and removable media.
Removable media encryption allows an enterprise to ensure that any data taken outside its own managed environment is protected. It is a simple solution to a complex threat, and a solution model that can be applied to flash drives, digital cameras, PDAs, MP3 players, smartphones or any other type of removable device.
This safeguard can also restrict access to a computer’s available ports. Available encryption software is capable of implementing authorization standards that allow only the copying of designated files onto removable media and automatically encrypting data residing on these devices using AES 128/256-bit encryption.
If data is encrypted, it cannot be read by any unauthorized user in the case of loss or theft. Most removable media encryption products can be configured to prevent access to all devices except those that have been explicitly signed and added to a list of authorized devices by the system administrator. Data on an encrypted portable storage device can be read on a machine that is running removable media encryption software and is installed with the correct encryption key. To any other computer, the device appears to be unformatted and any data it contains is inaccessible. Some products may require a password in order to access the device.
3. Use digital rights management (DRM) technology as part of a wider protection strategy
Digital rights management is crucial to those enterprises where intellectual property is of vital importance. This refers to technology for protecting files via encryption and allowing access to them only after the user or device requesting access has had its identity authenticated and its rights to that specific type of access verified. DRM protection is persistent because it remains in force wherever the content goes; in contrast, a file that sits on a server behind the server’s access control mechanism loses its protection once it is moved from the server. In addition, DRM technologies ensure that content is secured both behind, as well as beyond, the corporate firewall. Not only can the content be protected during the production process, its copyright, licensing, reproduction and specific conditions follow the content throughout its use-cycle.
4. Coordinate DRM and Content Management Systems
Various types of corporate enterprises, including large corporations, government agencies and others, adopt content management systems (CMSs) to help them organize digital content and create content-based products for their customers, employees and partners. CMSs are intended to be control centers for entire content lifecycles, including content creation, management, production and distribution.
Integrated DRM-CMS solutions provide enterprise-wide assurance that content and document operations comply with current regulatory regimes, accountability, privacy and security legislation. Tracking submissions to government bodies is of particular importance to businesses operating in a regulatory environment, which is subject to change. By using an integrated system, compliance can be mandated within a short timeframe with significant consequences for not being able to meet new, and often more stringent, regulatory or administrative standards for business operations.
[Note: These listed suggestions were also used in a commentary published by ZDNet in June of 2008. They were written at the time by Gil Sever, Safend’s CEO. While the answers were given to The Tech Herald in an e-mail interview, copyright law requires us to disclose the original use by CNET Networks, Inc.]
TTH: What changes have stood out over the last five to ten years with data protection?
SC: One of the biggest changes to data security in the past five to [ten] years has been the proliferation of portable storage devices. Now more than ever, it is difficult for IT to be aware of every single device that has connected or is connecting to the corporate network and, even more importantly, what data they might be downloading once connected. Confidential corporate data is easily downloaded to and stored on these devices, leaving sensitive data at risk if the device is lost or stolen when taken outside of the office.
Determining what kind—and how many—devices are accessing an organization’s network is the first step in developing an effective data leakage prevention (DLP) strategy to mitigate the risks these devices pose. Effective DLP should achieve both detailed visibility and granular control over all endpoint activity – from the devices attached to content awareness and data transfer to/from removable media as well as through wireless connections. This type of solution provides security administrators the power to monitor every potential endpoint data leakage channel—even as new ones are created.
TTH: Where do you see the future of data protection heading?
SC: The perimeter for data protection is expanding at a very rapid pace. It is complicated for IT administrators to protect data at rest, data in motion, and data in use. In the not too distant future customers will require a true unified DLP solution that will consist of one client and one management console that will enable the IT admins to leverage the same policies across all mediums.
For example, the same policy that states an employee cannot email social security numbers should also be extended to preventing the employee from printing documents with social security numbers; copying documents with social security numbers to thumb drives; and/or sending documents with social security numbers over IM. Some vendors are claiming to do this today, but it is not done through a single lightweight unified client. Soon, there will be one client to handle device/port control, encryption, and content inspection.
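The "one policy, every channel" idea in this answer is easiest to see when the content detector is written once and the channel is just an attribute of the event. The following is an added example written for this page, not Safend's or any vendor's code: a single social-security-number detector with basic plausibility checks to cut false positives, wired to one policy that applies to e-mail, print, USB copy and IM events alike. The channel names, the policy and the sample messages are constructed.

```python
"""Added example: one content-inspection policy enforced across several
leakage channels. Not vendor code; channels, policy and samples are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# US SSN written as AAA-GG-SSSS. The word boundaries stop matches inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that can never be an issued SSN, so ticket and order numbers
    that happen to share the shape are not flagged. Area 000, 666 and 900-999
    are never issued; group 00 and serial 0000 are invalid."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN found in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


@dataclass(frozen=True)
class ContentPolicy:
    name: str
    detector: Callable[[str], List[str]]   # content classifier shared by all channels
    channels: frozenset                     # channels this policy covers
    action: str = "block"


@dataclass(frozen=True)
class ChannelEvent:
    channel: str    # "email", "print", "usb" or "im" (constructed channel names)
    user: str
    payload: str    # message body, print spool text, or contents of the file being copied


@dataclass
class Verdict:
    action: str
    policy: Optional[str]
    matches: List[str]


def inspect(policies: List[ContentPolicy], event: ChannelEvent) -> Verdict:
    """Apply each policy that covers the event's channel; first hit decides."""
    for policy in policies:
        if event.channel not in policy.channels:
            continue
        hits = policy.detector(event.payload)
        if hits:
            return Verdict(policy.action, policy.name, hits)
    return Verdict("allow", None, [])


# The single policy: SSNs may not leave via any of the four channels.
UNIFIED_POLICY = [
    ContentPolicy("no-ssn-exfiltration", find_ssns, frozenset({"email", "print", "usb", "im"})),
]

# Constructed events, one per channel.
SAMPLE_EVENTS = [
    ChannelEvent("email", "alice", "Please update the record for J. Doe, SSN 219-09-9999."),
    ChannelEvent("print", "bob", "Support ticket 000-12-3456 closed; no further action."),
    ChannelEvent("usb", "carol", "name,ssn\nAnn Example,512-34-5678\n"),
    ChannelEvent("im", "dave", "lunch at noon? room 987-65-4320 is booked"),
]


def run_demo() -> List[str]:
    """Return the action taken for each sample event, in order."""
    return [inspect(UNIFIED_POLICY, e).action for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{event.channel:6} {event.user:6} -> {action}")
```

Because the detector and the policy object are shared, adding a fifth channel (say, a web upload) is a one-word change to `channels` rather than a second implementation; the print and IM samples also show why the plausibility check matters, since both contain the right digit pattern but neither is a valid SSN.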
Many thanks to Susan Callahan of Safend for giving us her time.