Data leaks that lead to devastating identity theft -- and costly consequences for business -- have reached epidemic proportions.
In addition to the financial burden to enterprises (which The Ponemon Institute estimates to be between $5 million and $14
million per incident), the U.S. government recently raised the stakes by forming an identity theft task force.
No matter what this group ultimately recommends, one thing is clear: Organizations will be held even more accountable for
protecting data they collect and use.
Fortunately, data theft prevention solutions are improving. The latest offerings from PortAuthority and Tablus, for example,
boost their detection accuracy and provide policy customization. Both these network gateways monitor many communications channels
for information that shouldn’t be transmitted outside an organization and will block or encrypt traffic according to your
policies. Tablus Content Alarm NW 4 is easier to use and stacks up well against the products reviewed in January, whereas PortAuthority 4.0 integrates with existing enterprise HTTP proxies and workflow apps but has some analysis quirks.
PortAuthority 4.0
PortAuthority monitors outbound communications in key protocols (including e-mail, FTP, and instant messaging) then blocks
unauthorized dissemination of information according to very granular policies. For better precision, version 4.0 fingerprints
information in file systems and ODBC-compliant databases.
Version 4.0 also adds ICAP (Internet Content Adaptation Protocol) support; as such, you can integrate PortAuthority with ICAP
proxies (such as Blue Coat, Cisco, and Network Appliance) to protect Web mail communications and SSL traffic. And, PortAuthority
now protects network printing.
PortAuthority’s architecture, much like Tablus’, includes a management appliance (which handles policy setup, enforcement,
and data fingerprinting) along with monitoring appliances placed around your network. These ICAP edge servers can be configured
in monitoring or blocking mode. Although organizations often start out monitoring traffic patterns to learn which policies
to implement, blocking suspicious communications is the most desirable feature to stop information leaks.
Other improvements in PortAuthority 4.0 include more granular policy management and new reports that show auditors how your
organization complies with regulations.
Customizing the Windows Server 2003-based PortAuthority Management Appliance for my network required just a few minutes; the
same was true for the ICAP monitor. Then -- either at the management server console or thick client -- you configure and control
the environment. I’d prefer a browser interface here, for better usability and convenience, but this design is workable.
Right-clicking on the Policy section of the management tree enables various predefined policies. These scan for violations
in a solid range of regulatory compliance and personal information areas, from GLBA, HIPAA, and Check 21 to Sarbanes-Oxley.
Policies then automatically deploy to the monitors.
PortAuthority includes a wizard for creating customized policies. To do so, I registered content by having PortAuthority scan
various file shares -- a fast process called PreciseID Fingerprinting. The system’s impressive speed extends to registering
information in databases: it processed one million records in about 10 minutes.
I fine-tuned my custom policies by specifying communications protocols to monitor, users that would not trigger the policy,
and the action to take when the policy was breached. Depending on the event severity, I either delivered content to authorized
recipients or quarantined suspicious messages; in all cases an audit trail was generated to demonstrate compliance.
PortAuthority’s solution matched the accuracy of the other data leak products I’ve tested. Keyword, lexicon, and advanced regular expression algorithms caught confidential text in e-mail and Web mail
according to policies I set. False positives were insignificant; for instance, PortAuthority properly distinguished between
nine-digit telephone numbers and Social Security numbers. As a bonus, the system performs real-time scans of 300 file formats,
including CAD files and graphics, and will identify sensitive data in nested compressed files.
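The telephone-number versus Social Security number distinction mentioned above is the classic false-positive problem for regular-expression detection. The following is an added example, not PortAuthority's or Tablus' code, of how an inspection pass can make that distinction: candidates are checked against the Social Security Administration's published issuance rules (area 000, 666 and 900-999 and group 00 and serial 0000 are never assigned), then against nearby context words. The context word lists, the `find_ssns` and `decide` helper names and the sample messages are constructed for this example.

```python
"""Added example (not PortAuthority's or Tablus' code): a small inspection pass that
flags Social Security numbers in outbound text while leaving nine-digit telephone
numbers and other nine-digit strings alone. The structural rules (area 000, 666 and
900-999 never issued; group 00 and serial 0000 never issued) are the Social Security
Administration's published issuance rules; the context word lists and the sample
messages are constructed for this example."""
from __future__ import annotations
import re

# Three-two-four digit groups with optional dash or space separators, not embedded in a
# longer digit run, so a ten-digit telephone number cannot yield a nine-digit sub-match.
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")
# Nearby words that raise or lower confidence in a candidate (constructed lists).
SSN_CONTEXT = re.compile(r"\b(ssn|social security|ss#)", re.I)
PHONE_CONTEXT = re.compile(r"\b(phone|telephone|tel|call|mobile|cell|fax)\b", re.I)


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject combinations the SSA never assigns."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str, window: int = 40) -> list[str]:
    """Return the SSN-looking strings in text that survive the false-positive filters."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        if not structurally_valid(*m.groups()):
            continue
        context = text[max(0, m.start() - window): m.end() + window]
        if SSN_CONTEXT.search(context):
            hits.append(m.group(0))   # explicitly labelled: flag regardless of formatting
        elif PHONE_CONTEXT.search(context):
            continue                  # labelled as a telephone number: leave it alone
        elif "-" in m.group(0):
            hits.append(m.group(0))   # canonical 123-45-6789 layout, no label either way
        # Bare or space-separated nine digits with no label are left alone: order numbers,
        # foreign telephone numbers and similar strings look identical at the digit level.
    return hits


def decide(text: str) -> str:
    """Policy action for one outbound message: block when any SSN survives the filters."""
    return "block" if find_ssns(text) else "allow"


# Constructed sample messages.
SAMPLES = {
    "labelled":   "Claimant SSN 123-45-6789, please process.",
    "bare_label": "ss# 123456789 on file",
    "phone":      "Reach the desk on tel 612 34 5678 after lunch.",
    "order":      "Order 123456789 shipped today.",
    "unissued":   "Test value 666-12-3456 must never match.",
    "ten_digit":  "Direct line 212-555-0101, ask for the service desk.",
    "plain":      "Ref 123-45-6789 attached.",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:11} {decide(msg):5} {find_ssns(msg)}")
```

The ordering of the three filters is the design choice that matters: an explicit label wins, a telephone label suppresses, and with no label only the canonical dashed layout is trusted. Widening the last rule (for example flagging any bare nine-digit run) is what produces the telephone-number false positives the review credits PortAuthority with avoiding.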
In addition to this fine performance, PortAuthority stands out in the detection and identification area. Often, registered
documents that are not transmitted intact will fail to be detected by a data-leak solution. PortAuthority’s fingerprinting,
however, correctly sensed when I pasted part of a restricted Word document into an e-mail.
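Detecting a pasted fragment of a registered document, as described above, is the distinguishing property of content fingerprinting as opposed to whole-file hashing. The following is an added example, not PortAuthority's PreciseID code or anything from Tablus, of one common way to get that property: register a document as a set of hashed word shingles (overlapping runs of a few consecutive words) and report a message when it shares enough shingles with a registered document. The `FingerprintRegistry` class, the shingle length and threshold, the memo and the two outbound messages are all constructed for this example.

```python
"""Added example (not PortAuthority's PreciseID or Tablus' code): a content-fingerprinting
scheme that still recognises a registered document when only a passage of it is pasted
into an e-mail. Each document is registered as a set of hashed word shingles (overlapping
runs of SHINGLE_WORDS words); a message matches when enough of its shingles are in the
registry. The memo, the two messages and the threshold are constructed for this example."""
from __future__ import annotations
import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 5   # words per shingle: longer is more precise, shorter catches smaller excerpts
MIN_COMMON = 8      # shingles a message must share with a document before it is reported


def tokens(text: str) -> list[str]:
    """Case-fold and keep word characters only, so punctuation, line wrapping and the
    loss of formatting between Word and plain-text e-mail do not change the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str) -> set[str]:
    """Hash every run of SHINGLE_WORDS consecutive words; only hashes are stored, so the
    registry does not itself hold the confidential text."""
    words = tokens(text)
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return out


class FingerprintRegistry:
    def __init__(self) -> None:
        self.index: dict[str, set[str]] = defaultdict(set)   # shingle hash -> document names

    def register(self, name: str, text: str) -> None:
        for h in shingles(text):
            self.index[h].add(name)

    def match(self, text: str, min_common: int = MIN_COMMON) -> dict[str, int]:
        """Map each registered document to the number of shingles it shares with the
        message, keeping only documents at or above the threshold."""
        counts: dict[str, int] = defaultdict(int)
        for h in shingles(text):
            for name in self.index.get(h, ()):
                counts[name] += 1
        return {n: c for n, c in counts.items() if c >= min_common}


# Constructed restricted document and outbound messages.
RESTRICTED_MEMO = """
Project Heron acquisition memo. The board approved the purchase of Northwind
Logistics for forty two million dollars, subject to regulatory review. Closing is
targeted for the end of the third quarter. Integration of the two warehouse
networks will start immediately after closing. Staff reductions of roughly eight
percent are expected in overlapping regional offices. This memorandum is
restricted to members of the executive committee and must not be forwarded.
"""
PASTED_EXCERPT = ("FYI, heard this: Staff reductions of roughly eight percent are expected "
                  "in overlapping regional offices. Closing is targeted for the end of the "
                  "third quarter.")
UNRELATED_MAIL = ("The third quarter report is due at the end of the month; please send the "
                  "regional offices their targets.")

REGISTRY = FingerprintRegistry()
REGISTRY.register("heron-memo", RESTRICTED_MEMO)


def scan(message: str) -> dict[str, int]:
    """Fingerprint match for one outbound message against everything registered."""
    return REGISTRY.match(message)


if __name__ == "__main__":
    print("pasted excerpt:", scan(PASTED_EXCERPT))   # {'heron-memo': 14}
    print("unrelated mail:", scan(UNRELATED_MAIL))   # {}
```

Two sentences lifted from the memo share fourteen five-word shingles with it, while an unrelated message that reuses the same vocabulary ("third quarter", "regional offices", "the end of the") shares none, because shingles only coincide on identical consecutive runs. The shingle length and the threshold trade off against each other: shorter shingles catch smaller excerpts but make chance overlaps on common phrases more likely, which is why a minimum count rather than a single hit is used to raise an event.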
When sensitive communication is spotted, PortAuthority generates an instant notification according to policy settings. Analysts
view violations from a Web interface over a secure connection. From the initial executive summary view, I drilled down to
view event details. Messages can be tagged for further investigation.