Strengths: Easy deployment, tight AD integration, content-aware policies, extensive port and device support, shadow operations, offline policies
Weaknesses: Be careful when setting up content-aware policies
Verdict: A highly versatile solution for stopping data theft from workstations, with useful content-aware policies and controls for mobile workers
Data theft by insiders is a major problem, particularly where a disgruntled employee is concerned. With the workstation bristling with ports and removable storage devices, it's easy for users to filch company data in seconds and slip it out of the building in their pocket.
DeviceLock controls access to workstation ports and, along with the ubiquitous USB port, it can manage access to a whole range of others, including serial, parallel and infrared, plus CD, DVD, MO and wireless network adapters. Network printers, Windows Mobile and Palm OS mobile devices are supported.
This latest version on review delivers plenty of interesting fresh features, with controls added for mobile workers. Offline policies can now be defined that come into play the moment the user detaches their device from the main network. Encryption options have improved: along with TrueCrypt and PGP, SafeDisk encrypted storage devices can now have access policies applied to them, so you can prevent data being written to unencrypted devices.
DeviceLock's new content-processing engine is used to identify 4,000 file types. This allows you to create device-type access policies and then fine-tune them with file-type policies that allow or deny access to specific files. Rather than use extensions that are easily circumvented to identify files, DeviceLock employs algorithms and signatures.
For testing, we used a Boston Supermicro dual 3GHz Xeon 5160 server running Windows Server 2003 R2 and acting as an AD domain controller. Initial installation is swift and you get a choice of three consoles to load, which can be confusing. The main DeviceLock console integrates tightly with AD, allowing access permissions to be managed at user and group membership levels.
A second console snaps into the Windows Group Policy Editor, while the Enterprise Manager console is used to remotely install the DeviceLock agent and deploy policies to selected systems. The optional Enterprise Server component requires access to a SQL database and centrally manages client activity logs and provides long-term storage for shadowing operations.
When the agent is deployed, you can lock down access immediately by adding devices and ports to a global policy where access is denied by default. You can tweak this by creating policies and deciding which AD users and groups they are applied to. You choose which device you want to control, select users and groups, determine access levels and decide when the policies are active.
For the offline policy feature, DeviceLock determines whether a device is disconnected from the LAN by checking its physical connection or whether it has a link to the Enterprise Server or a domain controller. We tested this by creating an online policy for our users that allowed full access to the USB ports and an offline policy that denied them all access.
We disconnected the network cable on our clients and saw the offline policies come into effect almost instantaneously where all USB access was blocked. When we reconnected our clients, USB access was restored immediately.
The content-aware feature also worked well, but it's worth making sure you understand the relationship between interface port, interface type and file policies. File policies only work in combination with interface-type policies, so if you deny all access to the USB ports then file policies can't come into effect; instead you need to deny access at the removable-type device level.
We started by creating an interface-type policy that allowed full access to removable devices and added a file policy that denied all access to text and Word files. This worked fine: we could access our USB sticks but could do nothing with the test documents stored on them. If we tried to open them, we received an 'access denied' message, and the agent can also be set to pop up a custom warning message from the System Tray.
We could also deny all access to removable type media but still allow users to access specific files.
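To make the layering described above concrete, here is an added toy model of the policy evaluation (my own illustration for this review, not DeviceLock's code): it shows the two working configurations, the inert port-level deny the review warns about, the online/offline switch, and signature-based rather than extension-based file typing. The precedence rules, the two magic-number signatures and the `usb`/`removable` labels are assumptions.

```python
"""Toy model of the layered policy evaluation described in the review
(constructed illustration, not DeviceLock's code). Assumed semantics:
a port-level deny wins outright and file rules are never consulted;
otherwise the interface-type rule sets the default (deny if unlisted)
and file-type rules override it per content type; the online or offline
policy is chosen by connectivity. File types come from leading-byte
signatures, never from the file extension."""

# Assumed signatures: OLE2 compound document (legacy .doc) and ZIP (.docx).
SIGNATURES = {b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "word", b"PK\x03\x04": "word"}

def identify(data: bytes) -> str:
    """Classify by signature; printable ASCII counts as text; else other."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text"
    return "other"

def evaluate(online: dict, offline: dict, connected: bool,
             port: str, dev_type: str, data: bytes) -> str:
    """A policy is {"ports": {...}, "types": {...}, "files": {...}}."""
    policy = online if connected else offline
    if policy.get("ports", {}).get(port) == "deny":
        return "deny"                     # port deny short-circuits file rules
    decision = policy.get("types", {}).get(dev_type, "deny")
    return policy.get("files", {}).get(identify(data), decision)

# Constructed samples: legacy .doc, a .docx renamed to .txt, a text note, a JPEG.
DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
DOCX_AS_TXT = b"PK\x03\x04" + b"\x14\x00" * 4
NOTE = b"quarterly figures\n"
JPEG = b"\xff\xd8\xff\xe0"

# The review's two working configurations, the inert port-level deny it
# warns about, and an offline policy that blocks all USB access.
ALLOW_DEV_DENY_DOCS = {"types": {"removable": "allow"},
                       "files": {"word": "deny", "text": "deny"}}
DENY_DEV_ALLOW_TEXT = {"types": {"removable": "deny"}, "files": {"text": "allow"}}
PORT_DENY = {"ports": {"usb": "deny"}, "types": {"removable": "allow"},
             "files": {"word": "deny"}}
OFFLINE_LOCKDOWN = {"ports": {"usb": "deny"}}

def check(policy: dict, data: bytes, connected: bool = True) -> str:
    """One file on a USB removable device under the given online policy."""
    return evaluate(policy, OFFLINE_LOCKDOWN, connected, "usb", "removable", data)
```

Note that under `PORT_DENY` even the JPEG is blocked, because the port-level deny is evaluated before any file rule; the same file is allowed under `ALLOW_DEV_DENY_DOCS` while the renamed .docx is still caught by its signature.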
The shadow feature mirrors data written by users to removable storage devices and will prove useful for auditing purposes and possible litigation. The data is retained locally on each PC in a private area, but if you have long-term storage needs, the Enterprise Server should be used.
For wireless and Bluetooth devices, you can block or allow read and write operations, and format operations can also be blocked on hard disks and tape drives. For mobile devices, you can manage general read, write and execute rights and specify permissions for access to email, calendars, contacts, media, favourites and so on. We have been advised that the next release will add iPhones to the mobile list.
DeviceLock looks a fine choice for protecting business-critical data from light-fingered insiders. It supports a huge range of devices and ports, allows access policies to be deployed in seconds and looks very good value too.