When we started looking at USB security products, we actually had no idea what we would find. Vendors of many types of products — from those that protect USB ports to those that protect data at USB ports — presented their wares. As you might expect, we found something interesting in all of the sub-categories.
The most obvious types of USB security products, at least in the enterprise environment, are those that allow direct management of the USB ports on enterprise computers. What we found here was that most competent products don’t limit themselves to USB ports. The category of USB security, in this case, has merged with the older category of endpoint security into a new and more useful product group. It more closely resembles endpoint security than it does simple USB management.
That said, the level of sophistication regarding what can be managed and what data is allowed on the managed endpoints has increased markedly from the last time we looked. One notable product, for example, can select allowed or disallowed devices by manufacturer. This is useful for identifying rogue connections.
Virtually all products could turn ports on or off, but a major improvement in general this year is the increased granularity with which products can be managed. It is not uncommon for products to allow individual and group policies, for example. Another improvement is the ease of creating policies. Some products had policy creation tools that were extremely simple to use yet powerful.
When you are looking for a product of this type, be sure you know what you want to do with it. For example, we saw at least one product that would not let you save data to a USB memory stick without encrypting it first. If you are going to allow memory sticks in USB ports, this would be a good tool to have.
On the other end of the feature spectrum, we saw otherwise excellent products that lacked utilities useful for application in an enterprise. What good, for example, is a product for the enterprise that does not have centralized management?
In addition to products that control the endpoints, we had a few that use the endpoints.
In this regard, we saw encrypting memory sticks. This is an important issue for virtually all organizations because today’s mobile workforce needs to have a way to transport data that is allowed to move between desktop and laptop.
However, when that data moves, there is a strong likelihood that it will sit unencrypted on the laptop, inviting the types of thefts of personally identifiable information that have become the rule rather than the exception lately. A far better approach is to save the sensitive data to an encrypted thumb drive and access it from there. That way, if the thumb drive gets lost, the data is still safe. We viewed that, for the purposes of this Group Test, as a form of endpoint security.
With that in mind, we are continuing our trend toward taking a holistic view of product categories. We are at the beginnings of one of those rare periods of innovation where new product categories are emerging and old categories are combining. What once was obvious is no longer. The old definitions of some product groups are falling away and it remains to be seen how they will recombine into new categories that address current security challenges.
Our examinations for this Group Test depended on the type of product we were considering. At minimum, we tested each product to ensure that it met its advertised specs and capabilities. Then we looked for ease of configuration, policy development and applicability to the enterprise. We assessed the product’s features compared to what we would expect for a product of its type. Finally, we examined such things as reporting, alerting and notification to users of policy violations. For the encrypted thumb drives, we performed some simple encryption tests and forensic examination of the media to see if they could be compromised easily.
The bottom line for this group of USB devices and software was that there are ways — with improved functionality and granularity over last year — to manage what is and what is not allowed at the endpoints of the enterprise, especially relating to the USB ports and the data that may be accessible through them.
- Mike Stephenson contributed to this Group Test.