Endpoint Security Madness
A group of CISOs asked me this week to briefly describe the problem and solutions around network data leakage and endpoint security. I broke it down like this.
The Problem: Sensitive information leaves the control of the company all the time. People leak it at cocktail parties after one too many martinis with blue-cheese-stuffed olives (yum). Or excerpts from a proprietary file are pasted into an email. Or the entire spreadsheet is attached to the email or copied to a USB memory stick, etc. You get the picture.
The Solution: Since we cannot cut off everyone’s fingers and tongues, we need to find more subtle approaches that won’t hamper normal business. Therefore, a few classes of product have emerged to help.
Device Protection. ControlGuard, Safend and Securewave are three vendors with software running on each computer that manages which devices may be attached to the PC. For example, a Kingston Brand DataTraveler® Secure Privacy Edition USB Flash drive with 256-bit AES encryption that was issued by the company for authorized use…would be allowed. But a Kingston memory card stuck in your phone or PDA would not be an authorized storage location. These software solutions do a great job of controlling what data may go out what doors, and it’s all controlled by policy.
Good idea. But since it’s costly and difficult to maintain software and policy on every single machine, the chances for leakages are still high. You need something else.
Then there is the email problem. Companies like PortAuthority (just acquired by Websense), Vontu, Oakley and Vericept sniff data that is leaving the safe confines of the controlled network, and by policy monitor or disallow traffic containing confidential data.
Good idea. But as we’ve already seen, important data leaks out
through iPods and phone memory cards. The vendors understand, and
that’s why they’ve all begun adding device protection (competing with
ControlGuard and the rest) to their solution. But it’s still not
Sometimes I’m authorized to send confidential information out
of the company. We send contracts, legal documents, sales forecasts,
business plans, and all sorts of private data to our business partners
all day long. Simply encrypting that data with PGP or another product
is silly (not to mention tedious), because as soon as it is decrypted
at the other end, the information can be forwarded, edited and leaked
That brings us to secure document management. Liquid Machines,
Sealed Media (acquired by Stellent/Oracle), Authentica (acquired by
Documentum/EMC), and Interfuse
keep track of all documents and data throughout their respective
lifecycle and across all company computers. All but Interfuse lose
their control of the information once the document slips out to a
business partner. Interfuse wraps the document in a security blanket
that is never unwrapped. I email you the document, and when you open
it, a special reader gives you a view to the content. But you still
cannot cut ‘n paste or forward the doc. Not foolproof, but the best
solution on the market for sure.
Then somehow you need to keep track of whether your document and
data protection systems are actually installed on people’s machines,
and if the policy is accurate, and if the software is running
properly. That brings us to Promisec. The Promisec platform gives you
a real-time snapshot of what memory sticks and iPods and other devices
have been plugged in without authorization, and if the antivirus,
personal firewall and device protection software are all doing their job.
Clientless scans mean you don’t have to install software on every
machine – and it means you can see devices like PDAs that are owned by
your employees. To me, Promisec gives the most bang for the buck.
Promisec + Interfuse is a pretty complete solution and saves a lot
of trouble in deployment. Promisec + Interfuse + say, Vericept or
Vontu may be the ideal complete package. (I suggested this to Websense
but they didn’t get it, oh well).