Q: What is DeviceLock®?
A: DeviceLock is a policy-based endpoint data leak prevention (DLP) security solution that enables network administrators to centrally control uploading and downloading activity through local computer devices and network protocols and applications. With DeviceLock you can lock out unauthorized users from USB and FireWire devices, WiFi and Bluetooth adapters, CD-ROM and floppy drives, infrared, serial and parallel ports, local and network printers, PDAs, smartphones and many other plug-and-play devices. DeviceLock also provides port-independent network protocol and application detection and filtering, message and session reconstruction with file, data, and parameter extraction, as well as event logging and data shadowing.
Q: Why is there such interest in securing PC devices and ports now?
A: First, sensitive data and applications continue to migrate to Windows networks; there is simply more digital data out there, and it is not locked up in a secure mainframe computer room. Next, corporations and government agencies are becoming more aware of the high value of the information stored in their databases. A survey by ASIS International, PricewaterhouseCoopers and the U.S. Chamber of Commerce found that 40% of the companies polled experienced incidents of known or suspected proprietary information theft. R&D and financial departments suffered the greatest dollar value of loss per incident; however, customer data and strategic plans were taken more frequently. This survey found that insiders - current and former employees - were suspects about 80% of the time.
Q: Are portable storage devices that connect through the USB or FireWire port any more of a threat than more conventional floppy, CD and zip drive media?
A: Newer USB-attached devices often feature high-speed transfer and high-capacity storage. They’ve made it easier to copy and transport very large volumes of data in a short time when compared to floppy and CD media. They also take many shapes; flash memory drives have become extremely popular, as have cell phones, cameras and PDAs that can serve as storage devices.
USB flash drives are particularly inexpensive, easy to use and easy to lose. A well-meaning employee may believe he is out just $30 when he realizes that he's left his USB flash drive behind at the coffee shop across from the office; however, the loss to his company will be a great deal more if the IP contained on the stick should fall into the wrong hands. One now-famous illustration of how valuable IP can be misplaced on these devices is the case where a former employee of a major financial institution sold his wireless handheld device on eBay. To the buyer's surprise, the handheld's memory stored the ex-employer's customer list.
Employee missteps related to portable music players can cost an enterprise more than the loss or theft of valuable information. Music or other IP sharing that takes place on the corporate network leaves the company exposed to copyright infringement litigation. And an information thief who uses an Apple iPod player doesn't even have to be very clever. There is new commercial software that promotes using the iPod as a backup device. For example, Migo Personal for iPod from PowerHouse Technologies Group copies Outlook e-mail, calendar and contacts; Internet Explorer favorites and browsing history; as well as data files, presentations and the like onto the iPod's hard drive with a few clicks.
Q: Isn't this a problem best handled through policy changes and employee education?
A: Ultimately, any portable storage device policy will need to be backed up with compliance or monitoring tools. A new policy ultimately calls attention to the value and sensitivity of information and the vulnerabilities of a business and therefore requires enforcement. When you institute a policy aimed at controlling portable storage use, installing DeviceLock® is a way to complete the communication. If you wanted to warn pedestrians to avoid a dangerous construction zone, would it suffice to put up a sign, or would you recommend a fence as well?
Q: Will a personal firewall installed on PCs protect the network from intrusion via local device endpoints like open USB drives?
A: A personal firewall will not protect your network from a threat that walks up to your computer and attacks locally - only when it attacks across the network.
Q: Doesn’t Windows provide a means to control access to ports?
A: Standard operating system tools such as Windows 2000 Group Policy do not enable monitoring or blocking of individual ports, such as USB and FireWire ports. Likewise there are no built-in permissions controls over access to WiFi and Bluetooth adapters.
Windows XP system administrators who have installed Service Pack 2 can configure a registry key to make USB storage devices read-only. But editing the registry of each PC is laborious and impractical for big networks. Also, making changes to the registry always poses some risk. DeviceLock® customers are looking for more functionality and flexibility. They want to:
- Control which users or groups can access devices
- Control access to devices depending on the time of day and day of the week
- "White list" certain USB devices while blocking access to others of the same type
- Control all functions remotely from the system administrator's console
- Install and uninstall permissions settings automatically
Some good news for those customers who want to manage everything from within the Windows Group Policy interface: this is now possible with DeviceLock®, which comes configured for integration into Windows Active Directory. There is a snap-in option for the Microsoft Management Console (MMC) as well. This can eliminate the need to deal with a separate interface and the need to load another management console on their servers.