Securing data at the point of use

Inspecting content on the wire, the approach taken by the products in this roundup, is nothing new. In fairness to these vendors, they’ve put a lot of hard work into optimizing their solutions to handle high data volumes and the fresh ways users try to bypass scrutiny. But this traditional strategy can grow in complexity as organizations struggle to keep up with the latest ways information might leave the enterprise.

We’re now seeing solutions that tackle the problem with a different, potentially more practical architecture: local agents that stop data cold at the point of origin. Companies taking this path include Oakley Networks, Tablus, and Verdasys.

Host-based security results in more intense real-time examination. For instance, agents see encrypted communications in clear text (packet-sniffing approaches are typically blind to encryption). And agents can be distributed across a large enterprise, giving you scalability instead of forcing you to rely on a centralized network-monitoring server. However, drawbacks include the complexity (and cost) of deploying agents and the chance that some systems go unmonitored.

Still, Gartner reports that by the second half of 2005, host-based security platforms will have better discovery (detecting PCs and servers that don’t have agents) and will follow XML-based industry standards (to better integrate with existing asset management systems). By 2006, Gartner and other analysts say, these products will be mature enough for widespread enterprise use. Oakley Networks’ innerView has developed to this point already (see Test Center Preview, page 10).

Similarly, Verdasys Digital Guardian overcomes many woes related to agent technology. It supports tens of thousands of agents with one back-end server. Moreover, policies and reporting synchronize with Active Directory and other LDAP servers, which lowers ongoing management costs.

Digital Guardian records user activity at the desktop as compact logs, which are then collected by the server. The system also acts as a policy-based, real-time control point for activities such as disallowing copying and pasting of confidential data into an e-mail, blocking writing to a USB drive, and prohibiting printing.

At first glance, Tablus doesn’t bring much more to the party. Content Alarm DT (which the company got with its recent acquisition of Indigo Security) places a lightweight driver on Windows 2000 and XP desktops. This agent then follows policies delivered from a gateway server running a secured version of FreeBSD. The system prevents documents from leaving through printing, USB drives, or CD-ROM.

With Content Alarm DT and Content Alarm NW, Tablus covers the gamut of insider prevention technology. Moreover, the company offers integrated management of the two products; the products share policies, for example, thus reducing administration effort.

Expect to see more synergy between point-of-use and network-monitoring vendors. Stopping information before it reaches the network makes better sense than chasing the security problem du jour by building another traffic-inspection algorithm. Network sniffers mop up what little leaks through.