We are not ones to succumb to market-speak. So when we read "total data protection outside the firewall," we were a bit put off. That, after all, is a pretty broad claim. Then we started looking more deeply and what we saw satisfied us that the protection really is as comprehensive as the vendor claims and may be a bit more so.
The heart of Bitglass Enterprise Edition (BEE) is digital rights management (DRM). And, it's DRM with everything that implies. The whole idea behind BEE is the idea behind DRM: never mind the platform, protect the data. Today, data resides in a lot of places outside the firewall. Some of those are completely outside the scope of an organization's control. The paradigm today is, assume that you've been breached, because you likely have been. Now, how do you protect and preserve your data? DRM is one excellent way to do that.
Bitglass uses the APIs that are associated with various applications in the cloud, such as Dropbox, Box and Office 365. Those APIs connect to BEE in the cloud - although you can deploy it in your private cloud if you wish - and that, in turn, connects to either managed or unmanaged devices. For managed devices, the communication is through a forward proxy, while a reverse proxy with agents or certificates is used otherwise. Traffic is forced through BEE, where all of its functions - policy-driven, of course - are applied.
Policy development is simplicity itself. Three primary areas of control are deployed: contextual access control, application access control and data protection. Contextual access control is role-based and refers directly to the applicable application, e.g., Office 365. For a managed device, a certificate is required and the device will be a member of a domain. For an unmanaged device, such as BYOD, there is no device profile as there is with a managed device, and there is no certificate.
Application access control dictates what applications - e.g., email - can be accessed by the main app, in our example Office 365, as well as other things that can be accessed. For unmanaged devices the choices are far more limited than for managed devices. Finally, you can think of data protection in the same way that you are used to thinking of it in the world of physical data centers. For unmanaged devices, there are lots of choices for protecting the data in what amounts to a sacrificial environment.
The Bitglass infrastructure lives in Amazon Web Services (AWS) or on Bitglass's own infrastructure. When hosted in AWS, it runs across multiple AWS instances and so takes advantage of global load balancing and 24/7 support. Bitglass offers a 99.9 percent SLA, which for anything on the internet is pretty good.
Bitglass DRM is full-featured and we saw the kinds of functionality one would expect in a world-class digital rights management system. The core of the DRM is a watermark that is on every protected document. This watermark is spread across the entire document. The benefit of that is that even if the document is fragmented - e.g., copy/pasted, part of it copy/pasted, damaged - the watermark parameters persist. That means that, for example, if you have a spreadsheet that is protected and you copy/paste a couple of rows to another spreadsheet, the watermark will persist and the new spreadsheet will, likewise, be protected.
Watermarks can be kept invisible or a notice can be placed on the document that it is protected from compromise by a watermark.
As with any good DLP system, the Bitglass tool allows remote access revocation or remote device wipe. If there is a suspicious incident - too many password attempts, for example - an alert appears and the administrator is given the option of managing the device or doing nothing. Users can be placed in groups, and those groups can be created manually or can track Active Directory or a similar directory service.
Overall, we liked this tool and found that it has the necessary requisites for protecting data in a hostile environment. This, clearly, is a case of data protection rather than platform protection. Since the tool is intended for use in a virtual or cloud environment, that is necessary. You may or may not have adequate control over the environment so the place to take control is at the data. By applying DRM and DLP directly to the data - in a way that it cannot be removed or compromised - one achieves that objective.
At a glance
Product: Bitglass Enterprise Edition
Price: Starts at $5 per user per month.
What it does: Cloud access security broker.
What we liked: Even though it advertises itself as "total data protection outside the firewall," what this really is, is an excellent DLP/DRM system. So users can bet that the data really is protected, and we liked that.