Tuesday, November 11, 2014
DeviceLock 6.4 review
Data theft by disgruntled employees is now a more serious threat than external attack, as they can filch huge swathes of valuable information armed with nothing more than a USB stick. DeviceLock aims to plug this security hole and provides controls to lock down every imaginable type of port and removable storage device.
Naturally, USB ports are at the top of its agenda, but you have controls for serial, parallel and FireWire ports, plus CD, DVD and wireless network adapters. Network printers and mobile devices using Windows Mobile and Palm OS are also supported; iPhones will be added soon.
Version 6.4 allows you to apply offline security policies to mobile workers when they leave the network. You can also apply security policies to storage devices encrypted with SafeDisk, as well as TrueCrypt and PGP, and stop data being written to unencrypted devices.
DeviceLock is now content aware and its new processing engine uses algorithms and signatures to identify nearly 4,000 file types. This allows you to apply access policies to file types that override the device type policies, so you could block write access to all files on USB sticks except for Word files, or only stop executables being accessed.
The standard DeviceLock console has tight AD integration, allowing access permissions to be managed at user levels. Another console integrates with the Windows Group Policy Editor, and the Enterprise Manager console can be used to remotely install the DeviceLock agent and deploy security policies to selected systems.
The optional Enterprise Server uses a SQL database to maintain long-term stores of shadow operations, which are used to log all user activity on selected devices or ports. As soon as the agent is deployed, you can apply a set of global security policies to specific devices and then fine-tune user and group access for each port or device type.
We found the offline policies worked well, and connection status can be determined by querying either the physical connection or links to the DeviceLock Enterprise server or domain server. We created an offline policy that denied all access to USB ports, and when we unplugged our test clients the DeviceLock service stopped us from using any USB devices. With clients connected, all access was restored.
For content-aware policies, we set removable device permissions to read only, but added a file-type policy that allowed write access for text files. This worked fine as we were unable to modify other files on our USB sticks.
If the removable device policy is set to deny access, you can have a file-type policy that allows access to specific files, as the Traverse Folder permission allows you to browse the device. Don’t try to use content-aware policies in conjunction with interface port policies – they’ll only work properly with interface types such as removable devices.
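The override behaviour described above can be modelled in a few lines. This is an added example, not DeviceLock's code or policy format: the function names, the three-entry signature table and the sample byte strings are all constructed for illustration. It shows why content signatures matter for a defender: the file name is never consulted, so an executable renamed to look like a text file does not inherit the text-file write exception.

```python
# Illustrative model only: not DeviceLock's engine, API or policy format.
# Constructed subset of content signatures: (file type, leading magic bytes).
SIGNATURES = [
    ("exe", b"MZ"),                                # DOS/PE executable header
    ("pdf", b"%PDF-"),
    ("doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 container (legacy Word)
]

def detect_type(data: bytes) -> str:
    """Classify by content; the file name is never consulted."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "unknown" if b"\x00" in data else "text"

def is_allowed(op, data, device_policy, type_policy):
    """A file-type rule, when one exists for the detected type, overrides the device rule."""
    ftype = detect_type(data)
    if ftype in type_policy:
        return op in type_policy[ftype]
    return op in device_policy

# Constructed sample content.
NOTES = b"meeting notes\n"
RENAMED_EXE = b"MZ\x90\x00\x03\x00"   # executable content saved as "notes.txt"
PDF = b"%PDF-1.4\n"

def review_scenarios():
    read_only = {"read"}
    text_writable = {"text": {"read", "write"}}
    return {
        "text_write": is_allowed("write", NOTES, read_only, text_writable),
        "renamed_exe_write": is_allowed("write", RENAMED_EXE, read_only, text_writable),
        "pdf_read_on_denied_device": is_allowed("read", PDF, set(), {"pdf": {"read"}}),
        "text_read_on_denied_device": is_allowed("read", NOTES, set(), {"pdf": {"read"}}),
    }

if __name__ == "__main__":
    for name, allowed in review_scenarios().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```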
DeviceLock offers an excellent range of controls for protecting business data. It’s easy to deploy and manage, and it’s affordable for businesses large and small.
Author: Dave Mitchell