Guard your data against insider threats

Oakley, Reconnex, Tablus, and Vontu prevent costly data leaks


Content Alarm DT, the new agent component that provides control over confidential information at the desktop, looks to give the company an advantage. In typical agent fashion, administrators prevent actions, such as copying and pasting, printing, or moving files to USB drives.

What's different, however, is that organizations centrally define policies across the whole suite, which should reduce administration. I also liked the system's adaptive policies, which change in real-time based on usage. For example, if Content Alarm notices someone downloading or uploading large files, then that user can be quarantined. Moreover, only trusted applications are permitted to interact with confidential data, which should offer an extra layer of protection against worms and viruses.

The desktop part also leverages Content Alarm's distributed architecture and load balancing, indicating it should hold up for large-scale deployments.

In the end, Tablus has the right strategy: network and desktop protection, while both monitoring activity and preventing data from leaving the enterprise at all borders. The design appears easy to deploy, manage, and maintain. Now it's up to Tablus to execute this strategy.

Vontu 5.0

Vontu 4.0 established a tough benchmark the last time I looked at data-loss prevention solutions; it tested excellent in protecting customer data, preventing information disclosure, and ensuring compliance with government regulations. Vontu 5.0 adds a missing piece: Vontu Discover scans file shares, Web content servers, and desktops for exposed confidential data, further reducing enterprises' risk.

Additionally, this updated version addresses global requirements for workplace privacy. For example, the system captures only data that violates company policy -- without revealing employee identity -- to meet European Union legal requirements. Existing functions were refreshed along the same lines; role-based access controls prohibit investigators in one business unit from seeing incidents in another part of your organization. Combined with already fine accuracy, predefined policies, and scalability, Vontu 5.0 sets another standard.

Vontu renamed some functions and made Version 5.0 more modular, which gives enterprises more deployment flexibility. But the underlying two-tier architecture remains and contributes to this solution's scalability. Sitting on a secure corporate LAN, Vontu Enforce is the core management server. Also here is Vontu Discover. On the outer tier, Vontu Monitor scans network traffic while Vontu Prevent integrates with mail gateways to block transmissions of confidential data.

Importantly, Vontu Enforce allows you to centrally define and implement policies across multiple Discover, Monitor, and Prevent systems. Vontu's well-done user interface also delivers easy access to reporting and remediation functions.

As previously, Vontu 5.0 offers both prebuilt templates -- more than 50 for industry and government regulations -- and a simple-to-use policy builder. Templates for HIPAA, GLBA, CA 1386, and Visa PCI (Payment Card Industry) saved me a lot of time, and possibly some oversights, because they are complete out of the box. Yet I had no trouble adapting these standard policies to create company-specific rules.

On the detection side, Vontu handles both structured and unstructured data. The system relies on keywords, lexicons, pattern matching, indexed-document matching -- for fingerprinting whole documents or document fragments -- and exact-data matching (to handle databases of customer, patient, and employee information accurately). Used in combination, these techniques gave Vontu little trouble detecting data-loss incidents. There were no false negatives and very few false positives.
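To make the four detection techniques named above concrete, here is an added example (my own illustration, not code from Vontu or any other product in this review) that combines pattern matching with a Luhn check, a lexicon, shingle-based document fingerprinting, and per-token exact-data matching into one policy and classifies the result by severity. The protected memo, the customer records, the sample messages, and the severity scheme are all constructed for the example; real exact-data matching also checks column combinations rather than single cells, and a production index would use a keyed hash rather than plain SHA-256.

```python
"""Content-detection engine of the kind the review describes: pattern matching,
lexicons, indexed-document fingerprinting and exact-data matching combined into
one policy, with incidents classified by severity. Added illustration, not code
from any product reviewed; all sample data below is constructed."""
import hashlib
import re
from dataclasses import dataclass, field

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digit card candidates
WORD_RE = re.compile(r"[A-Za-z0-9]+")
EDM_TOKEN_RE = re.compile(r"[\w-]+")
SHINGLE = 5   # words per fingerprint shingle; smaller values catch shorter fragments


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep random digit runs from raising card alerts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def _h(value: str) -> str:
    # The indexes store only hashes, so the policy server never holds the
    # customer records or protected documents in the clear.
    return hashlib.sha256(value.encode()).hexdigest()


def _shingles(text: str) -> set:
    words = [w.lower() for w in WORD_RE.findall(text)]
    return {_h(" ".join(words[i:i + SHINGLE])) for i in range(len(words) - SHINGLE + 1)}


def _norm(token: str) -> str:
    return re.sub(r"[^a-z0-9]", "", token.lower())


@dataclass
class Policy:
    lexicon: set
    fingerprints: set = field(default_factory=set)  # hashed shingles of protected documents
    exact_data: set = field(default_factory=set)    # hashed cells of structured records
    min_fragment_shingles: int = 3                  # how much overlap counts as a fragment

    def index_document(self, text: str) -> None:
        self.fingerprints |= _shingles(text)

    def index_records(self, rows) -> None:
        # Per-cell matching (simplification; products also match column combinations).
        for row in rows:
            self.exact_data.update(_h(_norm(cell)) for cell in row)


@dataclass
class Incident:
    severity: str
    reasons: list


def detect(policy: Policy, text: str):
    """Return an Incident if the text violates the policy, else None."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"pattern: {len(cards)} Luhn-valid card number(s)")
    overlap = _shingles(text) & policy.fingerprints
    fragment = len(overlap) >= policy.min_fragment_shingles
    if fragment:
        reasons.append(f"fingerprint: {len(overlap)} shingles of a protected document")
    edm_hits = {t for t in EDM_TOKEN_RE.findall(text) if _h(_norm(t)) in policy.exact_data}
    if edm_hits:
        reasons.append(f"exact-data: {len(edm_hits)} indexed record value(s)")
    terms = sorted(t for t in policy.lexicon if t in text.lower())
    if terms:
        reasons.append(f"lexicon: {terms}")
    if not reasons:
        return None
    severity = "critical" if (cards or edm_hits) else "high" if fragment else "low"
    return Incident(severity, reasons)


def build_sample_policy() -> Policy:
    """Constructed sample: one protected memo and two fake customer records."""
    policy = Policy(lexicon={"confidential", "internal only"})
    policy.index_document("The Q3 acquisition plan targets Acme Widgets at a price of "
                          "forty million dollars, subject to board approval next Tuesday.")
    policy.index_records([("Jane Doe", "123-45-6789", "ACCT-778812"),
                          ("John Roe", "987-65-4321", "ACCT-119034")])
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for msg in ["FYI the plan targets Acme Widgets at a price of forty million dollars, do not forward",
                "Customer 123-45-6789 paid with card 4111 1111 1111 1111",
                "Lunch at noon tomorrow?"]:
        print(detect(p, msg))
```

The point the paragraph makes about combining techniques shows up directly: the Luhn check keeps arbitrary 16-digit strings from firing the card pattern, while the shingle overlap threshold lets a pasted fragment of the memo be caught without the whole document being present.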

Vontu Monitor's real-time network scanning worked across all the major business network protocols I tested, and it inspected Webmail, IM, and FTP transfers without any problem.

Moreover, when Enforce spots a policy infraction, the system gives enterprises many options. At the minimum level, I notified those who violated a policy; this alone can change employee behavior and help enforce compliance. Vontu then classifies each incident by severity.

Compared with the previous version, Vontu 5.0's real-time dashboards give executives even better insight into these trends, such as incidents by business unit or department. This doesn't take any special customization because Vontu integrates with Active Directory and respects access control privileges.

Role-based access extends throughout the system -- security and flexibility that outdo the other products. For instance, I set up a role where certain investigators could only review incidents that violated customer data policies, another role for violations of HR policies, and a third "manager" role that received incidents escalated by the original analyst.

Within some of these roles I further limited access to attributes of the incident, such as hiding the sender's identity, which is critical for safeguarding employee privacy. Yet in each situation, analysts received the necessary information to see why the communication generated the incident, while Vontu's workflow ensured that it was handled by the appropriate person.
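The three roles just described, the hiding of the sender's identity from some of them, and the escalation to a manager are easy to model; the following is an added example of my own (not Vontu code) showing one way such a scheme works. The role names, the incident fields, the pseudonym format and the sample incidents are all constructed for the example; the one design point worth noting is that the pseudonym is stable, so an analyst can still recognise a repeat sender without learning who it is, and only the violating snippet is retained rather than the full message.

```python
"""Role-based incident review with attribute hiding and an escalation step,
modelled on the roles described in the review. Added illustration, not Vontu
code; roles, fields and the incident records are constructed for the example."""
import hashlib
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Role:
    name: str
    policies: frozenset            # policy families this role may review
    hide_sender: bool = False      # replace the sender with a stable pseudonym
    escalated_only: bool = False   # manager-style role: sees escalated incidents only


@dataclass
class Incident:
    id: int
    policy: str                    # e.g. "customer-data", "hr"
    sender: str
    business_unit: str
    match_snippet: str             # only the violating fragment is kept, not the message
    severity: str
    escalated: bool = False


def pseudonym(identity: str) -> str:
    # Stable token: the same sender always gets the same label, so repeat
    # incidents stay linkable without revealing who the person is.
    return "employee-" + hashlib.sha256(identity.lower().encode()).hexdigest()[:8]


def view(role: Role, incident: Incident):
    """Return the incident as the role is allowed to see it, or None."""
    if incident.policy not in role.policies:
        return None
    if role.escalated_only and not incident.escalated:
        return None
    record = asdict(incident)
    if role.hide_sender:
        record["sender"] = pseudonym(incident.sender)
    return record


def visible_incidents(role: Role, incidents) -> list:
    return [rec for rec in (view(role, i) for i in incidents) if rec is not None]


def escalate(role: Role, incident: Incident) -> None:
    """Hand an incident to the manager queue; only a role that can see it may escalate it."""
    if view(role, incident) is None:
        raise PermissionError(f"{role.name} cannot escalate incident {incident.id}")
    incident.escalated = True


# Constructed roles and sample incidents (not real data)
CUSTOMER_ANALYST = Role("customer-data analyst", frozenset({"customer-data"}), hide_sender=True)
HR_ANALYST = Role("hr analyst", frozenset({"hr"}), hide_sender=True)
MANAGER = Role("manager", frozenset({"customer-data", "hr"}), escalated_only=True)

SAMPLE_INCIDENTS = [
    Incident(1, "customer-data", "alice@example.com", "retail", "card 4111 **** **** 1111", "critical"),
    Incident(2, "customer-data", "bob@example.com", "retail", "SSN 123-45-****", "high"),
    Incident(3, "hr", "carol@example.com", "corporate", "salary band spreadsheet", "medium"),
    Incident(4, "source-code", "dave@example.com", "engineering", "build.key", "high"),
]

if __name__ == "__main__":
    for rec in visible_incidents(CUSTOMER_ANALYST, SAMPLE_INCIDENTS):
        print(rec)                                  # sender shows as employee-xxxxxxxx
    escalate(CUSTOMER_ANALYST, SAMPLE_INCIDENTS[0])
    print(visible_incidents(MANAGER, SAMPLE_INCIDENTS))   # manager sees the real sender
```

Run as a script, the customer-data analyst sees only the two customer-data incidents with pseudonymous senders, the manager sees nothing until an analyst who is entitled to the incident escalates it, and an HR analyst attempting to escalate a customer-data incident is refused.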

Still, I found you can confidently let Vontu run unattended. When I added Vontu Prevent into the mix, it automatically, and accurately, blocked e-mail and Web communications that contained confidential data. Alternatively, based on policies I created, Prevent routed messages to an encryption gateway for secure delivery.

Discover applies Vontu's detection techniques and data security policies to networked servers and other spots where documents are stored. Without installing any agents, Discover quickly scanned several file shares, document management repositories, and desktops.

Vontu continues to be the standard-bearer in detecting and mitigating insider security risks. Enterprises can implement this solution in various ways -- from simple audits that give you a baseline risk profile all the way to full blocking of communications. This version's improvements in protecting personal privacy, finding noncompliant data at rest, and established accuracy represent a compelling mix.

Insiders, beware

Plugging data leakage is no longer a low-priority project for the corporate security department. It's one of the top 10 CEO challenges for 2006 and should be on the minds of every other executive, shareholder, board member, and employee.

Although no technology can guarantee 100 percent compliance, these four vendors show they know how to abate insider threats. Their products provide strong visibility and control over confidential information flowing over your networks -- and now on the desktop and internal servers. Still, with this awesome control comes the next beachhead: personal privacy.

Content Alarm 3.0 sets ambitious goals of network and desktop protection, while monitoring for and preventing leaks, which will put other vendors on notice if delivered. Tablus Content Sentinel, meanwhile, performs adequately in finding exposed data at rest.

I like Oakley SureView for its straightforward deployment model and flexible rules. Just slightly ahead is Reconnex, because of its improved reporting and forensic capabilities.

Although Vontu may be a bit more complex to set up, owing to various hardware components, the payoff is smooth, centralized operation, while leaving no exit points uncovered. Yet what edges this solution ahead are its privacy safeguards along with a lack of noticeable functional gaps.

InfoWorld Scorecard

Product                        Scalability  Performance  Features  Ease of use  Value    Reliability  Overall Score
                               (10.0%)      (20.0%)      (20.0%)   (20.0%)      (10.0%)  (20.0%)      (100%)
Oakley Networks SureView 3.3   8.0          9.0          9.0       9.0          8.0      9.0          8.8
Reconnex iGuard 2.1            9.0          9.0          9.0       9.0          8.0      9.0          8.9
Tablus Content Alarm 3.0 Beta  n/a          n/a          n/a       n/a          n/a      n/a          0.0
Vontu 5.0                      9.0          9.0          10.0      9.0          8.0      9.0          9.1

The Overall Score is the weighted average of the category scores using the percentages shown; the Tablus beta was not scored.

Copyright © 2006 IDG Communications, Inc.
