Product Group Tests
Data protection (2009)
Serious functionality and fine performance at an acceptable cost make NextLabs Enterprise DLP our Best Buy.
This month, two products win our Recommended award: Aladdin Hasp SRM in licence protection; and Fidelis XPS in extrusion prevention.
Full Group Summary
There's a variety of ways to protect data. We put eight products to the test. By Peter Stephenson.
This month's super group focuses on protecting data under a variety of circumstances. First, we look at digital rights management (DRM). DRM lets us send data wherever we want, while dictating what can be done with it.
Data leakage prevention (DLP), sometimes called extrusion prevention, has a different objective. In this case, we want to keep our data where we put it and we do not want unauthorised users to remove it. We may also want to protect against removal of the file by malware.
Finally, a twist on DRM: licence protection. In this case, we usually have an application we want to control the use of in accordance with our end-user licence. This is the familiar copy protection dongle we see regularly, especially on big-ticket applications; these products take two approaches.
We saw examples of all of these.
Digital rights management
DRM has multiple levels of protection, depending upon the product and the data being protected. One of the simplest functions is watermarking. This places a notation or "watermark" in the file, such that it cannot be removed. Other functionality includes prevention of printing, emailing, copying, deleting and editing of protected files. Some products allow a self-destruct policy for the file.
When buying DRM, consider carefully why you are applying it. DRM is not a substitute for encryption. It is intended to allow controlled access rather than to deny all access. However, like all of our product types this month, it might include encryption. If you decide on DRM, there are more decisions. For example, how does it fit into your architecture? How do you deploy and manage it? Are you protecting intellectual property or complying with regulatory requirements? How much logging do you need?
Data leakage protection (DLP)
Data leakage products can sometimes be confused with endpoint management products. Many endpoint protection systems do a rudimentary form of DLP by preventing the use of thumb drives or other peripherals. However, we concentrated on products whose primary function was to protect data, wherever it lies in the enterprise, from being removed without authorisation. Perhaps the most insidious type of data leakage is that facilitated by malware. Unfortunately, positive control of that problem is still a bit of a Holy Grail.
When buying DLP, look at what types of extrusion you are addressing. Also, be aware of what endpoint protection you have and focus on augmenting it in functional areas over which you do not have control. Here, as with most enterprise products, centralised management is a key question. This covers the ability to deploy, provision and manage the product across the enterprise. Where identity management of some sort is required, it means clear connections to something such as LDAP or AD. Users should be able to access the benefits of the product transparently from any workstation in the enterprise where they have authorised access.
Licence protection
Finally, the twist on DRM: licence protection. These are products that offer some sort of copy protection. For high-value products, the cost of the hardware key (USB dongle) is easily absorbed in the price of the product, and piracy of such products may have serious consequences, from the proliferation of pirated copies of very expensive software to the uncontrolled availability of dangerous products such as penetration testing tools.
The products we looked at offer two ways to use this type of security. One is ad hoc, applying an envelope to the file you want to protect. The other is building the protection code into product code.
When buying this type of copy protection, consider how you intend it to be used. This is an application that is normally used by developers. There are two ways to approach this. One is to use a licence server that allows anyone authorised to access the resource to do so but does not allow access if the dongle is not in the licence server. This is an economical way to allow universal access to an application that is copy-protected. Many of these licence servers are configured to allow a certain number of licences, up to a limit.
If you are a developer building licence protection capability into your code, the parameters will be straightforward. If you are using the envelope approach, it is important to be sure you understand what works and what does not.