Review

From Network Computing Vol 18 No 03- May/June 2009

Protecting corporate data against internal security threats is now a major concern for network administrators. Not only do they need to ensure that authorised personnel have the appropriate access levels to do their work, but also that data is safe against threats such as leakage, accidental destruction, and the ever growing problem of theft.

Without strong security measures it's simple for a disgruntled employee to siphon off huge amounts of confidential data with nothing more than a cheap USB stick. DeviceLock provides protection against this common problem but critically, it goes much, much further, as it can enforce access security policies at network endpoints, for virtually every type of port and removable media device. Network printers and mobile devices that use Windows Mobile and Palm OS also come under the DeviceLock remit, and this latest version introduces a content processing engine, allowing it to identify nearly 4,000 file types and apply access restrictions to them regardless of the policy applied to the device they reside on. DeviceLock doesn't use the file extension, but employs algorithms and signatures to accurately identify file types, leaving nothing to chance.

Mobile workers can now have offline access policies applied when away from the corporate network and, along with TrueCrypt and PGP, SafeDisk encrypted

storage devices can have special access policies applied to them, so you can stop data being written to unencrypted devices. Installation is a swift process where you are offered a choice of three management consoles. The standard console functions as an MMC snap-in, the second integrates with the Windows Group Policy Editor, whilst the Enterprise Manager is aimed at larger networks. There's also an optional Enterprise Server which requires access to an SQL database, allowing it to log client activity and maintain long-term stores of shadow operations.

The Enterprise Manager provides a scanning service for locating systems in workgroups or AD domains plus tools for remotely deploying the DeviceLock service. As we had an AD domain controller in the lab we found the standard MMC console the best bet for general management, as it allowed us to select devices and port types, and decide what access we wanted to allow or deny. Restrictions and permissions could be set at the user and group membership levels, making it very simple for us to deploy network-wide access policies.

DeviceLock can be configured to apply a base set of global security policies to selected devices, after which you can then fine tune user and group access for each port or device type. The content aware feature is used to override device policies, but only for specific file types. As an

example, we set all client USB device permissions to read-only, but added a file type policy that allowed write access for text files only. With these policies deployed, we could create and modify text files - but all attempts to modify Word documents on the same USB stick failed, and we could use a custom pop-up message to advise users that write restrictions were in place.

For the offline feature you can use wired, DeviceLock Enterprise server, or domain connectivity to determine when a system has left the corporate network. We had no problems with this and created an offline policy that blocked all access to USB devices. Within seconds of removing the network cable from our test clients, the local DeviceLock service stopped us from using any USB devices until we were physically reconnected.

DeviceLock offers a sophisticated and affordable solution to an increasingly serious problem. It is capable of controlling access to virtually any device on your client systems, it's easy to deploy and manage, and the next version has iPhones on its agenda. NC

Product: DeviceLock 6.4
Supplier: DeviceLock Inc.
Tel: 0800 047 0969
Price: 100-249 seats -£9.70 per seat
excluding VAT
Web site:www.devicelock.com

Review