Get a grip on communications slips

Code Green, InBoxer, MessageGate, and Palisade compete to prevent costly data loss

[This story has been updated for clarity since it first posted.]

We've been emphasizing data leak reviews lately, and with good reason. Sure, IDC expects the outbound content compliance market to grow to $1.9 billion by 2009. But we're really spotlighting this topic because of the ongoing business risk if enterprises don't take aggressive steps toward e-mail and other forms of electronic communications governance.

[ See the slideshow: Data-leak pluggers square off ]

This time around, I'm looking at four products: Code Green Networks Content Inspection Appliance 1500 (CI-1500); InBoxer; MessageGate Enterprise Email Governance 4.2.1; and Palisade PacketSure 5.5. All four scan for, and often block, known data exposures that would put your organization in violation of HIPAA, Sarbanes-Oxley, SEC regulations, and other legislation. Because smaller organizations (even nonprofits) aren't exempt from these various rules, Code Green Networks, InBoxer (which InfoWorld snagged for this exclusive review), and Palisade all ship as easy-to-set-up-and-use appliances.

These systems have gotten much better at discovering leaks of personal information and intellectual property. For example, my testing showed that advances in data fingerprint and analytics caught more security violations than early-generation products.

At the same time, vendors are targeting Rule 26 of the U.S. Federal Rules of Civil Procedure. Both InBoxer and the fourth product reviewed, from MessageGate, intelligently classify e-mails prior to archiving. IT executives and legal counsel please pay special attention: This feature helps locate e-mails sent and received by certain individuals that would be required to be disclosed on short notice as part of lawsuits.

None of these products (or any of the many others we've tested so far) will solve every insider threat problem. However, we point out where each fits best. With this strong lineup, there's no reason for delay in fulfilling your obligation to keep communications secure.

Code Green Networks CI-1500

Code Green Networks' appliance targets organizations with up to 5,000 users; optionally, a low-end model handles 250 users, while a tricked-out server supports unlimited users. All provide enterprise-class content protection typical of large-scale software solutions -- without requiring technical skills to install and maintain the system. Setup simply involves plugging in the appliance at a network egress point and defining policies using a Web GUI (or loading a default policy set).

The CI-1500, like most data leak products, employs algorithms that look for patterns of identity numbers and other restricted content in outbound communications. But this solution differs from others in how it precisely identifies restricted content. Deep Content Fingerprinting registers up to 1TB of confidential content found in more than 390 formats and all languages; crawling works with file shares as well as content management system repositories from EMC Documentum and Stellent.

The middle-of-the-line appliance I tested (a late-model Dell PowerEdge server with dual Intel Xeon CPUs, 1.2TB of RAID-5 disk space, and 8GB RAM) delivered excellent performance -- from policy and incident management through content-stream inspection and policy enforcement.

Supplied policies cover all the main data privacy laws and help you comply with the content control provisions of Sarbanes-Oxley. Policies are based on reusable components, which I quickly adjusted (with simple tabbed dialogs) and combined to make new policies.


During testing, Deep Content Fingerprinting precisely registered Microsoft Office documents, PDF files, and C++ source code. This process works by scanning file systems or content repositories -- plus, it does on-the-fly assessment of e-mail attachments and Web uploads. Interestingly, fingerprinting works with content written in any language or character set (including non-Roman ones, such as Japanese). The resulting highly compressed fingerprints (1TB of data typically reduces to a 5GB pattern-matching file), combined with this system's standard pattern matching (for detecting, say, common U.S. and European identity numbers), reduced false positives to zero in my evaluation.


Additionally, fingerprints infallibly detected when I copied parts of a protected document into another, compressed the new file, and modified the original text. Yet the system is smart enough to know that insignificant noise, such as added spaces, should not trigger alarms. Additionally, the system inspects encrypted objects.

Depending on the policies I'd set, the Content Inspection Appliance blocked messages, put e-mail in a quarantine queue for later action by the proper authority, or re-routed mail to another Mail Transfer Agent server for processing (such as adding encryption or applying digital rights management). This worked without any noticeable delay when sending from Microsoft Outlook, communicating with instant messenger, using Web mail, or transmitting files via FTP.

With blocking, the originator can be informed of the reason for the action, which helps to educate employees and further reduces risk of accidental disclosures.

When security violations happened, incidents were recorded, and the manager I specified was immediately notified to act using the Content Protection Dashboard. Importantly, CI-1500's own security ensures that incidents related to one department (say HR or finance) can't be viewed by others. In one section of the dashboard, color-coding highlighted the most severe problems so I could review them first. Reports let me see the details of the incident, record a comment, take appropriate action (such as releasing a message from quarantine), and close the task. This workflow's flexible, which let me quickly re-route some incidents to others for action.

Other dashboard functions let me generate custom alerts and reports, display graphs of incident trends, and see risk metrics. Although the CI-1500 lacks some of the sophisticated report functions found in its competitors (generating and e-mailing reports on schedules, for instance), what it offers is still above the norm.

Similarly, on the forensic side, reviewers can view the audit history of incidents and sort them by different criteria to help spot patterns. That said, the CI-1500 doesn't retain information about all communications it monitors, so it's not perfect if you need to go back and see messages that might have been missed.

Code Green Networks offers multiple reasons for its high score, including registering confidential structured and unstructured data, audit reports and forensic analysis, negligible impact on network performance, and easy administration.

InBoxer Anti-Risk Appliance

Many data leak products start to look similar in features and operation, but InBoxer has some truly unique differences that make it a superior investigation tool. Foremost, it archives every e-mail message (including attachments), which are immediately indexed for later searches. Besides working with Microsoft Exchange, InBoxer was just qualified for IBM Lotus Domino.

Second, InBoxer scores each message on a scale of 1 to 100 for inappropriate content, privacy violations, and other metrics.

While the product doesn't block communications, you can create policy management alarms based on one of InBoxer's 70 predefined categories (or other criteria) -- responding to the sender or notifying a compliance officer. What's more, the system's fine search and reporting greatly cuts investigation time.

I had the Anti-Risk Appliance set up in 30 minutes, which is a credit to the system's language analysis. Rather than spending time setting up policies, InBoxer automatically applies language modeling techniques (originally developed for speech recognition) to determine if a message requires action. Used in combination with the predefined categories, this solution found all the problems in my test messages, including privacy violations (credit card numbers), medical technology (for HIPAA compliance), offensive content (adult content and profanity), and confidential documents.

For absolute precision, InBoxer provides a commonplace feature where you can specify (through the Web interface) match lists. Here, I entered files of exact customer numbers and patient identifiers. I also specified regular expressions (for finding text that matched particular patterns), which was helpful in spotting unusual bank account number formatting.

The system will also examine attachments, such as word processing documents and spreadsheets (and it peers inside of compressed ZIP files). However, it doesn't handle encrypted communications or files -- and it can't crawl file shares or databases to register content.

On the flip side, InBoxer scans inbound, outbound, and internal communications, delivering a level of thoroughness other products don't necessarily provide. Checking internal messages is often mandated in financial institutions where certain departments must stay removed (e.g. a Chinese wall requirement) or in cases of harassment.

You can set alerts for any number of circumstances. For instance, I notified a compliance officer when messages containing confidential information, such as the code name for an internal project, were sent to an external e-mail address. Similarly, you could inform executives when messages containing names from a customer list were e-mailed externally.

InBoxer saves messages with their format and metadata intact, as required by the Federal Rules of Civil Procedure. This includes desktop, Web-based, and BlackBerry messages sent and received using your corporate mail server. Also, I easily put messages on "litigation hold" so they were not deleted. InBoxer even keeps these messages in the appliance in case they might be deleted from your archive -- a feature I haven't seen elsewhere.

Also of note, InBoxer's archiving system works with most standard backup systems (such as old-style tapes), not just sophisticated archive applications.

InBoxer's Anti-Risk Appliance AJAX-style reporting interface also impressed me. I merely dragged "droplets" (on-screen objects) to the dashboard, which quickly generated lists of messages with privacy, medical, and other types of questionable content. Clicking on a message provides details of InBoxer's scores, categories the message fits, full message, and actions you can take.

Likewise, I created Favorites -- reports of, say, personal use and employment-related messages. Yet where this solution hits a home run is through custom searches, which are also simple to build with droplets. A few of the tests I ran identified employees who sent potentially harassing e-mail; found messages sent to a competitor's domain, and by whom; located messages to top investors; and determined top external domains sending employment information to employees. All reports can be run on a schedule and contents e-mailed to you.

InBoxer got a lot of recognition after the brilliant move of processing all Enron e-mails and making them publicly searchable with an Anti-Risk Appliance. Marketing aside, the substance behind that exercise can help any organization avoid fines and reduce risk. This solution's well-done e-mail archiving and searching, plus real-time policy management alerts, makes it fast and easy to stay in compliance and conduct investigations.

MessageGate Enterprise Email Governance 4.2.1

MessageGate's product takes a very sensible approach to this specific, albeit biggest, insider data-leak conduit. After operating in passive mode that captures all e-mail communications, you develop policies specific to your organization's culture and any problems uncovered. Also, unlike the other three products, MessageGate is a software solution with multiple components that you implement as needed. Besides flexibility, its distributed architecture is very scalable; a minimal three-server setup handles about 250,000 messages a day.

At this solution's hub you'll find CORE (Console, Operations, and Reporting Engine) delivering Web-user interface and managing the remaining components. These pieces include a Message Adapter, for intercepting messages from your mail server; Message Analysis Service, which evaluates evidence provided by the adapter and then processes the necessary policy; and a Mailout component, for placing messages back into the mail stream after they're processed. (SenderConfirm's a standalone application based on the main policy enforcement engine; it flags e-mails that are out of compliance, notifies the sender, and lets the person either send or delete the message).
