The Tech Herald

DLP and DeviceLock – one company you might have missed

by Steve Ragan - Jul 31 2008, 19:26

David Matthiesen talks to TTH about device control.

Every day, press releases and announcements from various PR departments arrive in the email boxes of the staff here at The Tech Herald. Sometimes the news and spin is something we already know or have no interest in. However, one company, DeviceLock, recently caught my attention. While the company has been around for a while, offering what is best known as DLP, you might not know too much about them. With that in mind, here is a little background information for DLP research.

DeviceLock is the new name for a company founded in 1996 as SmartLine Inc. The name change from SmartLine to DeviceLock was a branding decision made in 2007. In 1996 SmartLine offered Windows port-device control and auditing, which would later form the core of DeviceLock’s offerings. The ability to block devices and to lock down ports on a system is something that administrators are all too familiar with. However, after talking with David Matthiesen, Director of Sales for DeviceLock, it is clear that the port-device controls built into Windows fall short of a complete and rounded security offering.

As is the nature of DLP, there are several areas to cover, and one of the most commonly overlooked is the power of external storage, and the mighty USB drive in particular. All sorts of storage methods are available today: USB drives, iPhones, iPods; even BlackBerry devices can be used to store files. Monitoring and auditing who is saving what, and on what device, is a nightmare in some IT shops, and thanks to strict data security compliance regulations there is an even larger need to secure the data.

David was nice enough to give The Tech Herald an overview of the company. The idea was that, while larger enterprise operations and governments know and use DeviceLock, the SMB market – where the bulk of IT lives and breathes – still needs the same protection, but rarely has the budget for the larger offerings aimed directly at them. IT administrators and business owners will often spend hours researching DLP and various vendors, simply because the thought of losing sensitive data scares them, even if they are slow to adopt it. This quick Q&A should help with some of that research.

[Note: The Tech Herald has covered various DLP vendors and solutions in the past. DeviceLock is one such vendor who was brought to our attention after a series of DLP articles ran on the site. As always, The Tech Herald will welcome any DLP vendor to comment on this Q&A and offer insight and additional information by answering the same questions.

The answers to the questions are detailed to give enough information to the reader doing research. While cost is a factor, the largest factor a business should focus on when picking a DLP vendor is how well the offered solution works with the business itself. Not all DLP vendors and solutions are equal, it is important to remember that.]

The Tech Herald (TTH): DeviceLock has been around for over a decade. However, not too many people will instantly recall the company. With no marketing spin, explain what your company does and why it is important to IT.

David Matthiesen (DM): The initial launch of the DeviceLock solution actually created and legitimized the port-device security software category that has morphed into what is now the broader space called Data Leakage Prevention, or DLP. While we have been around this area a long time and some may say we are still under the radar, the organizations and industries that truly needed control over wide open Plug-n-Play devices and Windows ports certainly know us.

DeviceLock has thousands of customers and millions of licenses in use worldwide. The Federal Government/military, financial institutions, and health care companies came around initially as expected, but that reach has expanded to virtually all verticals. This has been a result of the proliferation of cheap removable mass memory devices (especially USB flash sticks) on one hand, and more regulatory compliance needs/deadlines, better threat awareness, and a conscious move toward “Best Security Practices” on the other.

DeviceLock provides a unique offering because of its preferred Group Policy MMC integration, exceptional depth and breadth of security features (including tamper protection against local admins), low-to-zero infrastructure impact, superior access exception handling, advanced log/shadow data collection with compression/QoS/performance/quota settings, and a very low cost of ownership for the protection and auditing compliance it provides.

TTH: What is it you offer that administrators simply cannot get by using solid GPO and local client policy?

DM: Windows does not provide auditing or file shadow copying of file-level activities with peripheral ports and devices, nor does Windows have options for enforcing use of encryption for removable media or providing USB-PS/2 keylogger protection. DeviceLock can. All of these factors should be minimum requirements for data security compliance.

Moreover, the nature of this question actually identifies the problem. The misplaced assumption is that native Windows Group Policy tools and/or local policy settings are capable of the task when they are wholly inadequate for most organizations. As is common with Windows administrative tools throughout its history, the native tools available (including DMI in Windows Server 2008) skew to the “all-or-nothing” approach to access control management with little flexibility for business productivity needs or access exceptions that are absolutely necessary. Another problem with DMI is backward compatibility, since it only applies to workstations and servers that are at the Windows Vista/Windows Server 2008 level.

Left to Windows tools, peripheral ports and devices are, by and large, either blocked for all users or whitelisted for all users locally. Generally, the “exception” policy settings are for those with user/group types=admin, but not regular user accounts or security groups as is typically desired. Windows tools do not have provisions for enforcing access rules based on per-user, per-group, temporary use, or usage based on day-of-week/hour-of-day time parameters (i.e. to block late nights/weekends). DeviceLock has provided all of these options for years, and currently supports every Windows client and server OS from NT4 and above (including 32 bit and 64 bit versions). Discrete Write/Read/Format/Eject/Encrypted data access options can be assigned per user or per group on all or selected computers by DeviceLock as well.

DeviceLock provides all the granularity and flexibility of access policy configurations that IT administrators would want/need on five layers of Windows device control: the Device Port (interface), Device Class, Device Type, Device Model, and Device ID. The last two levels are handled in the WhiteList, where DeviceLock can also explicitly assign users/groups to a USB device versus the Windows DMI WhiteList option, in which all users with access to the managed computer have access to the whitelisted device.

Suffice it to say, Windows does not adequately cover this security topic, so third-party solutions are necessary.
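To make the policy model described in this answer concrete, here is an added example (written for this article, not DeviceLock's code, and making no claim about how DeviceLock implements its engine). It evaluates per-user and per-group device access rules across the five layers named above (port, class, type, model, device ID), with discrete Read/Write/Format/Eject rights and day-of-week/hour-of-day windows, and emits an audit record for every decision. The rule layout, the "most specific layer wins" precedence, and all users, groups, models and serial numbers are assumptions constructed for illustration.

```python
"""Layered device-control policy evaluation (illustrative, not DeviceLock's code).

Concepts modelled from the interview: five match layers, per-user/per-group
rules, discrete rights, time windows, default deny, and an audit record per
decision.  Precedence (most specific matching layer wins, rules at that layer
are unioned) is an assumption chosen for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional

# Layers in increasing order of specificity: a device_id rule beats a port rule.
LAYERS = ("port", "dev_class", "dev_type", "model", "device_id")
SPECIFICITY = {name: i for i, name in enumerate(LAYERS)}
ALL_RIGHTS = frozenset({"Read", "Write", "Format", "Eject"})


@dataclass(frozen=True)
class Device:
    port: str        # interface the device is attached to, e.g. "USB"
    dev_class: str   # e.g. "Storage"
    dev_type: str    # e.g. "Removable"
    model: str       # vendor/product string
    device_id: str   # unique serial / instance id


@dataclass(frozen=True)
class Rule:
    layer: str                         # one of LAYERS
    match: str                         # value the device must carry at that layer
    principals: FrozenSet[str]         # user names or group names
    rights: FrozenSet[str]             # subset of ALL_RIGHTS granted
    days: Optional[FrozenSet[int]] = None   # 0=Mon .. 6=Sun; None = any day
    hours: Optional[range] = None           # allowed hour-of-day window; None = any


def rule_applies(rule, device, user, groups, when):
    """True when the rule matches this device, principal and point in time."""
    if getattr(device, rule.layer) != rule.match:
        return False
    if user not in rule.principals and not (groups & rule.principals):
        return False
    if rule.days is not None and when.weekday() not in rule.days:
        return False
    if rule.hours is not None and when.hour not in rule.hours:
        return False
    return True


def effective_rights(rules, device, user, groups, when):
    """Rights granted by the most specific applicable layer; default deny."""
    applicable = [r for r in rules if rule_applies(r, device, user, groups, when)]
    if not applicable:
        return frozenset()
    top = max(SPECIFICITY[r.layer] for r in applicable)
    rights = frozenset()
    for r in applicable:
        if SPECIFICITY[r.layer] == top:
            rights |= r.rights
    return rights


def check_access(rules, device, user, groups, operation, when):
    """Decide one operation and return (allowed, audit_record)."""
    allowed = operation in effective_rights(rules, device, user, groups, when)
    record = {
        "time": when.isoformat(timespec="minutes"),
        "user": user,
        "device_id": device.device_id,
        "model": device.model,
        "operation": operation,
        "result": "ALLOW" if allowed else "DENY",
    }
    return allowed, record


# Constructed sample policy (hypothetical users, groups, models and serials).
POLICY = [
    # Any USB device: ordinary users may only read, on weekdays during office hours.
    Rule("port", "USB", frozenset({"Domain Users"}), frozenset({"Read"}),
         days=frozenset(range(0, 5)), hours=range(8, 18)),
    # Corporate-issued model: Finance may also write, at any time.
    Rule("model", "Kingston DataTraveler 3.0", frozenset({"Finance"}),
         frozenset({"Read", "Write"})),
    # One explicitly whitelisted serial, assigned to one user, with all rights.
    Rule("device_id", "SN-CONSTRUCTED-0001", frozenset({"alice"}), ALL_RIGHTS),
]

CORP_STICK = Device("USB", "Storage", "Removable", "Kingston DataTraveler 3.0",
                    "SN-CONSTRUCTED-0001")
UNKNOWN_STICK = Device("USB", "Storage", "Removable", "Generic Flash Disk",
                       "SN-CONSTRUCTED-9999")
WEEKDAY_10AM = datetime(2008, 7, 29, 10, 0)   # a Tuesday
SATURDAY_2AM = datetime(2008, 8, 2, 2, 0)     # a Saturday, outside the window

if __name__ == "__main__":
    for user, groups, dev, op, when in [
        ("bob", frozenset({"Domain Users"}), UNKNOWN_STICK, "Write", WEEKDAY_10AM),
        ("bob", frozenset({"Domain Users"}), UNKNOWN_STICK, "Read", SATURDAY_2AM),
        ("carol", frozenset({"Domain Users", "Finance"}), CORP_STICK, "Write", WEEKDAY_10AM),
        ("alice", frozenset({"Domain Users"}), CORP_STICK, "Format", SATURDAY_2AM),
    ]:
        print(check_access(POLICY, dev, user, groups, op, when)[1])
```

The point of the layered evaluation is that a blanket port-level rule (read-only, office hours) coexists with narrower exceptions for a known model or a single serial, so the exception never widens access for everyone else; anything not covered by a rule is denied and still logged.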

TTH: Data protection is important to every company. Yet executives and administrators are slow to adapt policy and change to secure the data. Why do you think this is?

DM: With regards to compliance laws, the rules are fairly clear about “what” needs to be protected and very vague about the “how to” side of the equation. Unfortunately, too much is left up to interpretation by executives and administrators, which is potentially to their detriment as they neglect channels of data movement and exposure. Certain data must always be protected by access controls and in some cases encryption, but you will not find too many specifics about protecting data based on how it moves around (or more importantly OUT OF) an organization. The bottom line is that all avenues of data communications need to be addressed, and Windows endpoint ports and devices are generally an unprotected and un-audited sieve of data loss without a product like DeviceLock enforcing specific access and then auditing whatever access is allowed.

Some of the adoption slowness is partially due to the competing approaches and the immaturity, evolution, and changing scope of the DLP category. For example, the DeviceLock approach is a straightforward, cost-effective, and reasonable concept of specifically blocking/allowing/mitigating/auditing/shadowing user and group access to physical endpoint ports and devices, while optionally enforcing encryption with our integration partners. However, DeviceLock does not currently protect against other data transfer modes like email, IM, and FTP over the network.

From the opposite camp, some feel that “content-filtering” DLP solutions are the comprehensive way to go, though most solutions today do not have any true endpoint port-device protection or those that do are just not adequate. These solutions also are much more expensive, require constant configuration/re-configuration of data profiling, and are not able to protect many endpoint data communication scenarios (i.e. local PDA data synch and wireless transports). If only exposed to this approach, the cost + implementation bar may seem high to some executives and administrators. A combination of approaches is the real answer, and DeviceLock is addressing that need going forward through a combination of development and non-exclusive partnering.

TTH: Separate yourself from other DLP vendors: you offer solutions for pennies compared to other products, so how can you explain away the scoff of “you get what you pay for”? [Example: $29,800 for McAfee's DLP appliance based on 501 users; you would charge almost $20,000 less, and your offering is not appliance based.]

DM: DeviceLock has always been the volume pricing/value leader as well as the technology leader in the narrower DLP sub-category of port-device control. The “you get what you pay for” scoff might be the general proclamation of a “household name” Anti-Virus console salesperson selling to a non-technical customer, but due diligence testing would prove that DeviceLock is the best endpoint solution. DeviceLock appeals to organizations of all sizes, from SMBs to large enterprises. For 500 computers the current volume price is actually only $5,500.

However, comparing DeviceLock to McAfee is like matching up apples and oranges. Both are fruits with similar nutrients, but both are still quite different. As discussed earlier, the comparison product mentioned comes from the other DLP approach of “content-filtering”, and while network appliances are appropriate for network protocol filtering, they cannot measure up to DeviceLock for granular endpoint-level protection and auditing. DeviceLock monitors all internal buses and ports (and all devices connected to them) with a kernel-mode device driver where access is intercepted at a low level.

A great example is local PDA synchronization. Content-filter DLP solutions generally rely on network protocols and can intercept file system calls from some “office” applications. However, local data synchronizations between mobile devices and PCs do not use network protocols and may not interact with other monitored applications. They may also communicate via wireless technologies (Bluetooth, etc.) or “legacy” ports (serial/parallel) that are not handled well, or at all, by current DLP content filtering technologies. Technically speaking, this means that existing content filtering solutions often do not have control of the data flow through local connections from PCs to mobile devices while DeviceLock does.

TTH: Who are your top rivals in the data protection arena?

DM: Our traditional technical rival in port-device control through the years has been the SecureWave Sanctuary solution (now Lumension), but they are priced much higher than DeviceLock, are much heavier on infrastructure needs, and lack Group Policy MMC integration (as do all others). From the content filter DLP camp, the major anti-virus console/appliance/module players (McAfee, Symantec, etc.) have had an impact due to their large installed bases and internal influence.

TTH: What are five things that you would suggest a company do to prepare for movement to a network-wide DLP strategy and consider when looking at DLP?

DM: Understand the level of data security and audit compliance that is mandated in your industry, country, state, locality, and per your public/private status, as it differs widely.

Understand the value of your data and/or intellectual property, and budget accordingly to properly protect it NOW. This includes user training on data handling practices where automated enforcement cannot be guaranteed.

Formulate your desired general protection and auditing policy that includes data handling/access scenarios per business unit or location, valid data access exceptions, and general procedures on requesting changes/exceptions to policy. HINT: Try to do so initially without consideration of the limitations of the Windows operating system policies or other constraints. How would you design it from scratch if you could?

Determine the current level of non-compliance and exposure. As an example, DeviceLock is often used at first in “audit-shadow only” mode to view the types of files that end users are moving to removable media, DVD/CD-ROMs, PDAs, through Wi-Fi, etc. Also, DeviceLock provides a free Plug-n-Play Audit tool that can scan all selected computers (client-free) to see how many and what types of USB, FireWire, and PCMCIA devices are currently or have been historically connected to those PCs. The same tool within the Enterprise Manager console can be used to easily populate the WhiteList as well.

Despite pressures to the contrary, understand that a “best of breed” solution or combination of “best of breed” point solutions, integrated or not, is most likely the most secure and compliant strategy at this time. Just because a household name company is a recognized leader at Anti-virus/Spyware protection and has cobbled together other endpoint security modules into a console, that does NOT justify purchasing them, or even adding them if free. The lack of due diligence on solutions testing is discouraging.

TTH: What changes have stood out over the last five to ten years with data protection?

DM: It is fairly obvious and well documented that 5-10 years ago, organizations were focused on protecting their network and web presence with heavy investments in firewalls, VPNs, enhanced routers, packet sniffers, anti-virus, anti-spam, anti-spyware, multi-factor authentication, NAC, identity management, and other solutions that primarily secured their perimeters from hackers, denial-of-service, and other external breach attacks.

It is only within the last 3-4 years that focus has been turned inward to endpoint-based threats and internal exposures other than anti-virus. Regulatory compliance rules and deadlines certainly helped with a re-evaluation of data security exposure, but so did the emerging threats of large-scale data loss exposure through wide open and un-audited technologies like USB devices and Wi-Fi, not to mention the introduction of malware, rootkits, etc. through endpoint ports. DeviceLock grew rapidly during this period when organizations needed a cost-effective solution with granular control that is seamless to implement and maintain.

TTH: Where do you see the future of data protection heading?

DM: Customer expectations are certainly evolving and as such the consolidation, integration, and development of previously “neighboring” and otherwise niche technologies (encryption, content-filtering, etc.) into the sphere of DLP has been going on for the past few years and will continue. Even the acronym DLP has had multiple evolutions... while D certainly always represents Data, the L has been both Leak and/or Loss, and the P has been both Prevention and Protection.

In any case and by whatever categorical definition, DeviceLock has been a pioneer in this data protection area and is the technology and value leader in the most familiar approach (direct port-device control) to handling endpoint DLP.

As we did with encryption, DeviceLock will address the expanding DLP and endpoint security requirements with a combination of development, integration, and partnering where appropriate. Rather than develop and introduce yet another proprietary encryption algorithm to the world as some of our competitors have done, DeviceLock instead went with an open integration approach that includes best-of-breed technologies in multiple data encryption areas. [Including] “Open standard” FIPS-certified encryption with PGP Whole Disk Encryption, “Open Source” (and free) encryption with TrueCrypt, and Pre-encrypted Removable USB media with Lexar Media SAFE flash drives, with more encryption vendors/models to come.

Giving customers a choice of integrating or bundling, along with the core DeviceLock solution, is an important differentiator. We have proven that we can work effectively with multiple providers of technologies to provide a “best fit” scenario to a wide variety of customer security scenarios.

Going forward, we intend to continue that model for encryption, content-filtering, and other areas where we are constantly identifying and engaging best-of-breed partners and technologies.
