I found this process time-consuming because essential information about a breach was spread over many pages. Likewise, built-in
workflow functions (for example, routing a violation to another analyst) are minimal. This limitation makes PortAuthority
somewhat more difficult to use when investigating and resolving security incidents.
Reporting, though, is reasonable. I could customize predefined reports (such as sorting events by destination or protected
content) and generate unique reports on the fly. Reports can also be scheduled and then converted to Acrobat PDF format. I
like the way reports tie into a forensic module, so I could link from one event and review logs for related incidents.
Tablus Content Alarm NW 4
Content Alarm NW 4 significantly expands the type of data enterprises can protect and improves usability. With a single click,
you can select and implement a prebuilt policy for all the major risk and compliance areas. Workflow is better, with automatic
violation remediation, and NW 4 crawls and fingerprints information in databases, file systems, and EMC Documentum repositories,
as well as encrypting sensitive information.
I tested Tablus’ central Controller server plus one Sensor, the companion server that passively monitors network traffic.
Sensors plug in to your network at exit points and automatically register with the controller, making this solution well-suited
for large, geographically diverse organizations. You can also configure an Interceptor SMTP proxy to block, quarantine, or
encrypt sensitive e-mail traffic.
NW 4’s tabbed Web interface is highly organized and consolidates functions (such as data crawling) that previously required
separate apps. In the Policy area, it takes just a few seconds to select policies from the library. You can create unique
policies for countries or regions, too.
I had no trouble editing policies to include crawled content from network file shares along with a Microsoft SQL database
of employee salary listings and Social Security numbers. Tablus also employs keyword analysis, pattern matching, attribute
analysis (such as file size or type), and linguistic analysis to see whether data is derived from protected documents. In
my tests, I received no false positive reports, and none of the approximately 1,000 sensitive documents I transmitted slipped
through undetected.
During the policy setup, I determined the severity of violations. Based on those levels, I could choose whether to simply
notify the sender of a problem or take extended action. If you have Interceptors running, other automatic actions include
message blocking or quarantine. Content Alarm also integrates with existing enterprise encryption solutions, including PGP’s
Universal Series.
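The detection model the two preceding paragraphs describe (fingerprints of crawled content, pattern and keyword analysis, and severity-based notify/quarantine/block remediation), as an added Python example; this is not Tablus code, and the protected documents, keyword list, SSN pattern and overlap threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed stand-ins for the crawled file-share content and salary database the
# review describes; the text and numbers are made up for this example.
PROTECTED_DOCS = {
    "salary_listing": "employee salary listing for fiscal year john doe 84000 jane roe "
                      "91500 annual bonus pool allocation by department engineering finance",
    "merger_memo": "confidential memo regarding the proposed acquisition of acme widgets "
                   "board approval expected at the next quarterly meeting",
}
KEYWORDS = ("confidential", "internal only")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # pattern analysis: US SSN format
# Remediation actions ranked by severity; "allow" is the outcome when nothing fires.
SEVERITY = {"notify": 1, "quarantine": 2, "block": 3}

def shingles(text, k=5):
    """Hash every k-word window so that a pasted fragment of a protected document
    still matches even when the rest of the document is absent."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def fingerprint_corpus(docs, k=5):
    """Crawl phase: fingerprint each protected document once; only hashes are stored."""
    return {name: shingles(body, k) for name, body in docs.items()}

FINGERPRINTS = fingerprint_corpus(PROTECTED_DOCS)

def scan(message, fingerprints, threshold=0.25):
    """Inspect one outbound message and return (analysis, detail, action) findings."""
    findings = []
    msg_sh = shingles(message)
    for name, fp in fingerprints.items():
        overlap = len(msg_sh & fp) / len(fp) if fp else 0.0
        if overlap >= threshold:  # fingerprint analysis: derived from a protected document
            findings.append(("fingerprint", f"{name} ({overlap:.0%} of document)", "block"))
    if SSN_RE.search(message):
        findings.append(("pattern", "ssn", "quarantine"))
    for kw in KEYWORDS:  # keyword analysis: lowest severity, sender is only notified
        if kw in message.lower():
            findings.append(("keyword", kw, "notify"))
    return findings

def decide(findings):
    """Severity-based workflow: the most severe finding determines the action taken."""
    if not findings:
        return "allow"
    return max((action for _, _, action in findings), key=SEVERITY.__getitem__)
```

The fingerprint detail string is what an incident view would highlight as the trigger, and the overlap ratio is what lets a partial paste of a protected document still be caught.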
When violations are submitted to a workflow, the management console’s Incident Manager sorts events by severity. This helped
me find and work on the most critical violations first.
Selecting an incident in NW 4 now provides all the details on one page, which greatly aids in the resolution process. For
instance, NW 4 highlights data in the transmission that triggered the alert and which policies were violated. You can then
open file attachments, change the severity, progress the incident through the workflow, or immediately resolve the problem.
Content Alarm’s IRiS (Information at Risk Snapshot) view provides an executive dashboard that lists incidents by policy violation
and top offenders, and charts various trends. Although permissioning isn’t quite as granular as Vontu’s, Tablus should be adequate for meeting international laws that protect personal employee data.
NW 4 ships with a collection of pre-defined reports ranging from high-level summaries to detailed protocol statistics. These
are beneficial when enterprises must demonstrate compliance -- or security executives want metrics that show the effectiveness
of security programs. In the Report Manager, I also quickly customized several of the underlying report templates to chart
different statistics.
Good preventive measures
Tablus Content Alarm has evolved nicely from when I first used it several years ago. NW 4’s modern Web interface simplifies
reaching reports and investigating incidents. Policies are very complete and easily modified. As a result, security staff
are likely to be productive, and the product’s high performance, distributed architecture, and accuracy should also boost
productivity.
For businesses with existing HTTP proxies and related systems, PortAuthority’s open architecture is notable; it was easy to
deploy and it reliably stopped leaks in my tests. Usability and built-in workflow could stand improvement, and when installed
as a stand-alone solution, PortAuthority’s forensic analysis suffers a bit. The system does have ICAP support, however, enabling
enterprises to integrate PortAuthority with existing systems more easily.