SecureWave stops breaches at the source
Sanctuary Device Control prevents forbidden devices from plugging in to the network
The most significant security breaches in the enterprise come from people who have easy access to the network, such as employees and approved contractors. With the influx of high-capacity portable storage technologies -- such as iPods, storage keys, and digital cameras -- it's easier than ever for information to be carried out the door. Yet for most organizations, banning the use of portable devices altogether would cripple operations.
One answer is SecureWave Sanctuary Device Control, a solid offering that helps security admins develop and enforce granular policies for using any device that can be accessed from a PC. This solution establishes a trusted environment for desktops, where no one can plug in to the network without approval. Sanctuary also logs any attempt to use unauthorized devices, and it can maintain a copy of all data written to permitted devices.
Comprising a database server, one or more control servers, and a kernel driver for desktops, this scalable system provides central administration and a good range of end-user flexibility, so it shouldn't inhibit legitimate work.
After setting up a Sanctuary Device Control server, which takes a few hours, I installed the Client Deployment tool and sent out the agent to a group of workstations. The three-tier architecture is a plus for many organizations that mandate applications follow a tight security model.
Sanctuary automatically discovered devices in my test environment. I liked the way peripherals are automatically grouped much like Windows Device Manager (DVD/CD drives, tape drives, and other removable storage devices), which cuts setup time and ongoing maintenance efforts.
You control access by assigning rights and attributes by device class, specific device, or specific media to users or user groups -- a straightforward task. For instance, I simply right-clicked on the Floppy Disk device and added read permission to specific individuals; you can also grant access to groups listed in an Active Directory domain, which should speed large rollouts.
At a deeper level, Media Authorizer allowed me to register the content of CDs. For instance, you might want to allow music discs to be played but restrict access to certain sensitive client lists in Excel files that are mounted on media in a networked jukebox.
This solution works by intercepting OS requests. In my tests, if a device was not in my lists, Device Control always denied its use. That's very important because it prevents installation of unauthorized devices. For known devices, the system always followed the rights I'd specified. Additionally, Device Control detected plug-and-play USB drives and Zip drives on the fly and applied access control in real time.
And those rights are wide-ranging. I scheduled access for predefined times, applied a limit to how much data could be copied to specific devices, and shadowed that data for certain users. Admins also may temporarily grant use of a device to individuals.
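A minimal model of the access decision described above (deny unless listed, rights per user or group, scheduled hours, a copy limit), added here as an illustration and not SecureWave's code. The rule fields, the sample names, and the choice that any matching rule permitting the operation grants it are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class Rule:
    principal: str                    # user or group name (hypothetical field names)
    device_class: str                 # e.g. "Removable Storage"
    access: frozenset                 # subset of {"read", "write"}
    device_id: Optional[str] = None   # None = any device in the class
    hours: Optional[tuple] = None     # (start, end) window when access is allowed
    quota: Optional[int] = None       # max bytes a user may write under this rule

@dataclass
class Policy:
    rules: list
    written: dict = field(default_factory=dict)  # (user, rule) -> bytes written so far

    def decide(self, user, groups, device_class, device_id, op, now, nbytes=0):
        """Return (allowed, reason); anything not explicitly permitted is denied."""
        reason = "no rule for this device (default deny)"
        for rule in self.rules:
            if rule.principal not in {user, *groups}:
                continue
            if rule.device_class != device_class or rule.device_id not in (None, device_id):
                continue
            if op not in rule.access:
                reason = f"{op} not granted"
                continue
            if rule.hours and not (rule.hours[0] <= now <= rule.hours[1]):
                reason = "outside scheduled hours"
                continue
            used = self.written.get((user, rule), 0)
            if op == "write" and rule.quota is not None and used + nbytes > rule.quota:
                reason = "copy limit exceeded"
                continue
            if op == "write":
                self.written[(user, rule)] = used + nbytes  # count toward the limit
            return True, "allowed"
        return False, reason

# Constructed sample policy; users, groups and limits are made up for illustration.
POLICY = Policy(rules=[
    Rule("alice", "Floppy Disk", frozenset({"read"})),
    Rule("Engineering", "Removable Storage", frozenset({"read", "write"}),
         hours=(time(8, 0), time(18, 0)), quota=10_000_000),
])
```

The deny reasons are the events an administrator would want in the audit log, since they distinguish an unknown device from a known device used outside its granted rights.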
Sanctuary also does a good job of handling remote and disconnected computers. A local copy of the latest device access permission list -- which can contain offline rules -- is stored on, say, a laptop. Therefore, the device is fully protected when disconnected.
But with these strengths also come some weaknesses, at least when compared with full-blown compliance systems. Although Device Control has strong auditing features, including checking administrators' actions, formal reports are limited. There's no automatic notification of policy violations. Additionally, there are no predefined policies for different legislation; thus IT staff will need to adjust access to devices based on their knowledge of company and government mandates.
Shortcomings aside, SecureWave Sanctuary Device Control is simple to deploy and manage, and it will reduce the risk of data leaving enterprises through almost any type of removable device. At the same time, flexible rules that allow certain media or files mean the system won't hinder day-to-day operations.