Lifecycle management of data: A special type of DLP
Starts at $5,000, plus between $5 and $30 per seat based on volume. Maintenance is 20 percent/year.
Identity Finder starts with a very simple premise: If you want to keep data from leaking, protect it where it lies. That way, if someone steals it, they get nothing. As simple as that sounds, it's a bit harder to execute. The hard thing here is deciding who should protect what. While it seems easy enough to say that IT protects everything, that turns out to be less than practical.
For example, how does IT know when the attorney in a cube on the 46th floor creates a sensitive merger-and-acquisition document and stores it in her "hold" folder? Of course, we can have policies that require saving these files in secure repositories, but anyone who has ever been a system administrator knows that is not always how things work out.
We can use fully encrypted hard drives, but that only protects the contents of the disk if the computer is stolen. Since the disk is operating in clear text when the user is logged in, anything that attacks data on that disk gets it and gets it in clear, not encrypted, text. Identity Finder estimates that protecting data at rest correctly can protect 90 percent of all sensitive data to be protected. Certainly, many of the more dramatic recent data breaches could have been protected by using a tool such as this one.
The bottom line is that sensitive data needs to be protected in its resting place and that has to be done - preferably easily - by the person who owns or creates it. Further, for those documents that just seem to get "out there," we need an easy way to find them and protect them. That is what this First Look is all about. Identity Finder Enterprise 4 provides a suite of services that do all of those difficult tasks and more. And while its focus appears to be personally identifiable information (PII), in reality it can provide protection for any kind of information or document using the product's MultiFind tool.
First, I was impressed by the way that Identity Finder empowers the user to protect their data by providing a nearly automatic method of protection that requires almost no user intervention. I need to clarify that a bit. Identity Finder can act completely automatically if you want it to, but it is most effective when there is some user control left. That way, exceptions can be addressed easily, and just because a sensitive document doesn't fit a rule exactly doesn't mean that it cannot be protected.
Identity Finder 4 consists of two pieces: the client (and this can be used independently) and the console that acts as a centralized controller. It is through the console that IT can invoke searches for sensitive, but unprotected, information across the enterprise. It does this by communicating with clients. Strictly speaking, there are no agents. Rather, the console communicates with clients that are placed strategically across the enterprise. These clients offer protection in their own right, and they can execute policies pushed out from the console. As well, the console can collect aggregate data across the enterprise for such things as compliance reporting. While there are lots of preconfigured reports, reporting just requires the writing of an SQL query and the vendor will help if necessary.
For PII there is an impressive number of preloaded formats. For example, along with common formats, such as Social Security numbers and credit card numbers, it also recognizes driver's license numbers from all states. All data stored by Identity Finder is encrypted and access is automatic using a sort of mini-PKI system that is hidden effectively from the user so as not to add complications. The user interface is superb on both the client and the console. And building rules is so easy that it only requires that the user be able to articulate clearly what they want to make the rule do.
Overall, this is a very powerful tool for data leakage protection. It is based on a solid premise, is very well-executed, and has all of the features needed by today's enterprises. It integrates into the enterprise cleanly and syncs with LDAP or Active Directory. - Peter Stephenson