Strengths: Policy-based access security, snaps in perfectly with AD, new protocol and content-aware components worth getting, can control virtually every workstation port and storage device
Weaknesses: Optional components increase cost significantly, too many consoles
Verdict: Provides sophisticated data leakage prevention measures that keep business data in the workplace
With so many methods of circumventing edge security, businesses need to enforce strict access controls to protect sensitive and personal data from light-fingered, or just plain forgetful, users.
DeviceLock has always offered good access controls for workstation ports and removable devices; this version goes further by extending security to network protocols and applications. With the rise of social networking and the use of IM apps in businesses, it is essential that their usage is controlled, and the new optional NetworkLock and ContentLock components aim to do just that.
The base DeviceLock software can also manage network printers and control data transfers between iPads, iPhones and many other mobile devices. NetworkLock takes this up a level as it can apply access permissions at the network protocol level. Common protocols including FTP, HTTP and SMTP can be controlled, and NetworkLock has options for social networking sites. IM apps including Windows Messenger and Live Messenger can be controlled, as can encrypted communications.
ContentLock builds on the content awareness feature introduced in the previous version, which allows you to restrict access to specific types of files and uses a combination of algorithms and signatures to identify them.ContentLock can inspect a file's content by looking for keywords and patterns. It can also peer into archives and supports more than 80 types of file.
For testing, we installed DeviceLock on a Windows Server 2008 R2 64-bit system. It's simple enough, but new users may find the management consoles confusing. The main one is an MMC snap-in that integrates with Active Directory and provides full access to all group- and user-level security policies. Another console works with the Windows Group Policy Editor, while Enterprise Manager is used for big networks.
Larger sites will also want the optional Enterprise Server, which uses an existing SQL database to provide long-term storage for auditing and shadowing operations. The latter mirrors data transferred by users from controlled devices and applications so you can view copied files.
We deployed the agent to our Windows 7 client systems and used the global policy to lock down access to selected devices and ports. From the MMC we could then create more policies and apply them to selected AD users and groups.
NetworkLock is already present in the console and just needs a licence to activate it. From the Protocols menu option you pick which ones you want to control, select access levels and define daily and weekly schedules to activate the policy.
We tested FTP controls using our external test site and found we could block all access for some users, allow others to download files but not upload any, and give some full access. When an action is carried out that isn't permitted, DeviceLock pops up a warning.
We found controls for Windows Messenger more basic as you can only permit or deny account access. There is an option to block the sending of instant messages, but switching this off also blocks login attempts.
SMTP controls are more sophisticated as we could block some users from sending any email and allow others to send plain messages but not attach any files. For social networking you can allow users to login to their account and only view it but not post comments and messages or upload any content.
Adding ContentLock to the mix provides more extensive access controls which can be finely customised. For example, instead of a wholesale block on Windows Messenger or FTP apps, you could allow access but block specific file types or content.
ContentLock is accessed from the content-aware rule set where it adds two new selections for patterns and keywords. Plenty of predefined keyword and pattern groups are provided, but you can add custom ones as well. We created a custom keyword group and used a set of Word documents where some contained these words. Using the FTP and SMTP controls we found we could not upload or email Word files containing the keywords.
Along with port and device policies, the offline feature can also be applied to the NetworkLock component. This allows you to apply different protocol access policies to mobile workers. The shadowing option can also be applied to policies for improved auditing and compliancy purposes.
For 100-199 users, NetworkLock costs a further £14 per seat, and the ContentLock adds an extra £28 per seat, so costs do go up significantly. Even without them, however, DeviceLock looks a sophisticated access control solution.