PortAuthority, Tablus plug data leaks in enterprise communications

Data leaks that lead to devastating identify theft -- and costly consequences for business -- have reached epidemic proportions. In addition to the financial burden to enterprises (which The Ponemon Institute estimates to be between $5 million and $14 million per incident), the U.S. government recently raised the stakes by forming an identity theft task force.

No matter what this group ultimately recommends, one thing is clear: Organizations will be held even more accountable for protecting data they collect and use.

Fortunately, data theft prevention solutions are improving. The latest offerings from PortAuthority and Tablus, for example, boost their detection accuracy and provide policy customization. Both these network gateways monitor many communications channels for information that shouldn’t be transmitted outside an organization and will block or encrypt traffic according to your policies. Tablus Content Alarm NW 4 is easier to use and stacks up well against the products reviewed in January, whereas PortAuthority 4.0 integrates with existing enterprise HTTP proxies and workflow apps but has some analysis quirks.

PortAuthority 4.0

PortAuthority monitors outbound communications in key protocols (including e-mail, FTP, and instant messaging) then blocks unauthorized dissemination of information according to very granular policies. For better precision, version 4.0 fingerprints information in file systems and ODBC-compliant databases.

Version 4.0 also adds ICAP (Internet Content Adaptation Protocol) support; as such, you can integrate PortAuthority with ICAP proxies (such as Blue Coat, Cisco, and Network Appliance) to protect Web mail communications and SSL traffic. And, PortAuthority now protects network printing.

PortAuthority’s architecture, much like Tablus’, includes a management appliance (which handles policy setup, enforcement, and data fingerprinting) along with monitoring appliances placed around your network. These ICAP edge servers can be configured in monitoring or blocking mode. Although organizations often start out monitoring traffic patterns to learn which policies to implement, blocking suspicious communications is the most desirable feature to stop information leaks.

Other improvements in PortAuthority 4.0 include more granular policy management and new reports that show auditors how your organization complies with regulations.

Customizing the Windows Server 2003-based PortAuthority Management Appliance for my network required just a few minutes; the same was true for the ICAP monitor. Then -- either at the management server console or thick client -- you configure and control the environment. I’d prefer a browser interface here, for better usability and convenience, but this design is workable.

Right-clicking on the Policy section of the management tree enables various predefined policies. These scan for violations in a solid range of regulatory compliance and personal information areas, from GLBA, HIPAA, and Check 21 to Sarbanes-Oxley. Policies then automatically deploy to the monitors.

PortAuthority includes a wizard for creating customized policies. To do so, I registered content by having PortAuthority scan various file shares -- a fast process called PreciseID Fingerprinting. The system’s impressive speed extends to registering information in databases: it processed one million records in about 10 minutes.

I fine-tuned my custom policies by specifying communications protocols to monitor users that would not trigger the policy, and the action to take when the policy was breached. Depending on the event severity, I either delivered content to authorized recipients or quarantined suspicious messages; in all cases an audit trail was generated to demonstrate compliance.

PortAuthority’s solution matched the accuracy of the other data leak products I’ve tested. Keyword, lexicon, and advanced regular expression algorithms caught confidential text in e-mail and Web mail according to policies I set. False positives were insignificant; for instance, PortAuthority properly distinguished between nine-digit telephone numbers and Social Security numbers. As a bonus, the system performs real-time scans of 300 file formats, including CAD files and graphics, and will identify sensitive data in nested compressed files.

In addition to this fine performance, PortAuthority stands out in the detection and identification area. Often, registered documents that are not transmitted intact will fail to be detected by a data-leak solution. PortAuthority’s fingerprinting, however, correctly sensed when I pasted part of a restricted Word document into an e-mail.

When sensitive communication is spotted, PortAuthority generates an instant notification according to policy settings. Analysts view violations from a Web interface over a secure connection. From the initial executive summary view, I drilled down to view event details. Messages can be tagged for further investigation.

I found this process time-consuming because essential information about a breach was spread over many pages. Likewise, built-in workflow functions (for example, routing a violation to another analyst) are minimal. This limitation makes PortAuthority somewhat more difficult to use when investigating and resolving security incidents.

Reporting, though, is reasonable. I could customize predefined reports (such as sorting events by destination or protected content) and generate unique reports on the fly. Reports can also be scheduled and then converted to Acrobat PDF format. I like the way reports tie into a forensic module, so I could link from one event and review logs for related incidents.

Tablus Content Alarm NW 4

Content Alarm NW 4 significantly expands the type of data enterprises can protect and improves usability. With a single click, you can select and implement a prebuilt policy for all the major risk and compliance areas. Workflow is better, with automatic violation remediation, and NW 4 crawls and fingerprints information in databases, file systems, and EMC Documentum repositories, as well as encrypts sensitive information.

I tested Tablus’ central Controller server plus one Sensor, the companion server that passively monitors network traffic. Sensors plug in to your network at exit points and automatically register with the controller, making this solution well-suited for large, geographically diverse organizations. You can also configure an Interceptor SMTP proxy to block, quarantine, or encrypt sensitive e-mail traffic.

NW 4’s tabbed Web interface is highly organized and consolidates functions (such as data crawling) that previously required separate apps. In the Policy area, it takes just a few seconds to select policies from the library. You can create unique policies for countries or regions, too.

I had no trouble editing policies to include crawled content from network file shares along with a Microsoft SQL database of employee salary listings and Social Security numbers. Tablus also employs keyword analysis, pattern matching, attribute analysis (such as file size or type), and linguistic analysis to see whether data is derived from protected documents. In my tests, I received no false positive reports, and none of the approximately 1,000 sensitive documents I transmitted slipped through undetected.

During the policy setup, I determined the severity of violations. Based on those levels, I could choose whether to simply notify the sender of a problem or take extended action. If you have Interceptors running, other automatic actions include message blocking or quarantine. Content Alarm also integrates with existing enterprise encryption solutions, including PGP’s Universal Series.

When violations are submitted to a workflow, the management console’s Incident Manager sorts events by severity. This helped me find and work on the most critical violations first.

Selecting an incident in NW 4 now provides all the details on one page, which greatly aids in the resolution process. For instance, NW4 highlights data in the transmission that triggered the alert and which policies were violated. You can then open file attachments, change the severity, progress the incident through the workflow, or immediately resolve the problem.

Content Alarm’s IRiS (Information at Risk Snapshot) view provides an executive dashboard that lists incidents by policy violation and top offenders, and charts various trends. Although permissioning isn’t quite as granular as Vontu, Tablus should be adequate for meeting international laws that protect personal employee data.

NW 4 ships with a collection of pre-defined reports ranging from high-level summaries to detailed protocol statistics. These are beneficial when enterprises must demonstrate compliance -- or security executives want metrics that show the effectiveness of security programs. In the Report Manager, I also quickly customized several of the underlying report templates to chart different statistics.

Good preventive measures

Tablus Content Alarm has evolved nicely from when I first used it several years ago. NW 4’s modern Web interface simplifies reaching reports and investigating incidents. Policies are very complete and easily modified. As a result, security staff are likely to be productive, and the product’s high performance, distributed architecture, and accuracy should also boost productivity.

For businesses with existing HTTP proxies and related systems, PortAuthority’s open architecture is notable; it was easy to deploy and it reliably stopped leaks in my tests. Usability and built-in workflow could stand improvement, and when installed as a stand-alone solution, PortAuthority’s forensic analysis suffers a bit. The system does have ICAP support, however, enabling enterprises to integrate PortAuthority with existing systems more easily.