The sheer number and variety of external threats to network security are forcing administrators to focus primarily on their perimeter defences. As a result, internal security is often neglected, and yet it's here that many of the biggest dangers lurk. Removable media are a classic example: their use in a business environment is difficult to control and, without dedicated tooling, virtually impossible to monitor.
This makes it all too easy for employees to siphon off huge amounts of corporate data in seconds, using nothing more than a cheap, pocket-sized USB key. Equally alarming, bringing removable media into the workplace circumvents any perimeter anti-virus defences.
With businesses now legally obliged to protect personal data, some form of restriction has to be implemented. DeviceLock offers an impressive range of security controls. This latest version introduces a number of new and useful features, but the one that has always made it stand out is the range of ports and device types it can handle. USB is naturally at the top of the list, but DeviceLock also covers serial, parallel and infra-red ports, plus CD, DVD and magneto-optical drives and wireless network adapters.
Each system to be protected requires an agent service installed locally. DeviceLock then monitors user requests to devices and ports at the kernel level and decides whether to permit or deny access based on policies. If access has been blocked, the user merely receives the standard Windows Access Denied message so there's no indication that DeviceLock is even in the background.
Deployment is fairly straightforward, but the number of management methods can be confusing at first. The management console in this version has been updated to function as a Microsoft Management Console (MMC) snap-in; it manages the service it is connected to and displays that service's audit logs. Active Directory (AD) integration has been improved so that access permissions can be set per user and per group. The enterprise manager console provides a discovery routine that locates Windows domains, workgroups and specific computers. How the agents are deployed depends on the network infrastructure: they can be rolled out using the bundled MSI package and AD group policy, or pushed to multiple systems directly from the enterprise manager console.
DeviceLock also provides a group policy editor that integrates into the Windows Group Policy Editor. Although the agent is transparent, there will no doubt be a few enterprising users who try to circumvent it. Since the agent only enforces policy once Windows is running, the simplest bypass is to boot the workstation from a CD or USB stick and read the hard disk directly. It is therefore recommended that each workstation's BIOS boot sequence is changed so that the hard disk is the first boot device, and that the BIOS settings are password protected. You should also seal the chassis so that the CMOS can't be reset by removing the battery or shorting the clear jumper, which would wipe that password.
To implement restrictions from the enterprise manager, you select domains, workgroups or individual systems and decide which devices, if any, users may access. Devices that support read and write operations can be set to read-only, and access to USB ports can be fine-tuned by device class: for example, you can allow USB keyboards and mice to be connected but deny storage devices. Multiple policies and time schedules can be assigned to users and groups.
USB device control can be fine-tuned even further, as a white list allows you to permit specific pieces of hardware. Provided the manufacturer assigns unique serial numbers to its devices, these can be used to identify them and allow access only to the devices listed in the DeviceLock database. Bear in mind that a USB serial number is simply a string the device reports about itself in its descriptors, so a white list entry identifies a device that claims that serial, not a particular physical stick: it is a control against casual use of unauthorised media rather than against a determined attacker with a programmable USB device. The white list has now been extended to cover DVD and CD-ROM media: when a disk is loaded and added to the database, DeviceLock computes a signature for each piece of authorised media.
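The two mechanisms described above, class-based allow/deny and a serial-number white list, can be illustrated with the device instance IDs Windows itself assigns to USB devices. The following is an added example, not DeviceLock's own code or database format: it parses instance IDs of the kind that `Get-PnpDevice -PresentOnly | Select-Object Class, InstanceId` reports, rejects devices whose serial segment was generated by Plug and Play rather than reported by the device (those contain `&` and are tied to the port, so they are neither unique nor stable), and then applies a default-deny policy. The class names, allow-list entries and serial numbers are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Windows enumerates a USB device under an instance ID of the form
#   USB\VID_vvvv&PID_pppp\serial        (single-function device)
#   USB\VID_vvvv&PID_pppp&MI_nn\serial  (one interface of a composite device)
# The last segment is the serial string from the device's USB string descriptor.
# If the device reports no serial, PnP generates one (e.g. 6&2c1a9f1e&0&3) that
# contains '&' and depends on the port the device was plugged into, so it must
# never be used as an allow-list key.
_INSTANCE_ID = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&MI_(?P<mi>\d{2}))?\\(?P<serial>[^\\]+)$"
)


@dataclass(frozen=True)
class UsbDevice:
    vid: str          # vendor ID, upper-case hex
    pid: str          # product ID, upper-case hex
    serial: str       # serial segment exactly as enumerated
    setup_class: str  # Windows device setup class name (as in Get-PnpDevice's Class)

    @property
    def vendor_serial(self) -> bool:
        """True only when the serial came from the device, not from PnP."""
        return "&" not in self.serial


def parse_instance_id(instance_id: str, setup_class: str) -> UsbDevice:
    m = _INSTANCE_ID.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance ID: {instance_id!r}")
    return UsbDevice(m["vid"].upper(), m["pid"].upper(), m["serial"], setup_class)


# Input-device classes are always permitted; storage classes need an allow-list
# entry; everything else is denied by default (least privilege).
ALLOWED_CLASSES = {"HIDClass", "Keyboard", "Mouse"}
STORAGE_CLASSES = {"DiskDrive", "WPD"}

# Hypothetical allow list: (VID, PID, serial) -> permitted mode. Constructed values.
ALLOW_LIST = {
    ("0781", "5567", "4C530001234567890123"): "read-only",
    ("0951", "1666", "0019E06B21C7"): "read-write",
}


def evaluate(dev: UsbDevice) -> Tuple[str, str]:
    """Return (decision, reason); decision is one of allow / read-only / deny."""
    if dev.setup_class in ALLOWED_CLASSES:
        return "allow", f"{dev.setup_class} devices are permitted by class"
    if dev.setup_class in STORAGE_CLASSES:
        if not dev.vendor_serial:
            return "deny", "storage device reports no serial number; cannot be allow-listed"
        mode = ALLOW_LIST.get((dev.vid, dev.pid, dev.serial))
        if mode is None:
            return "deny", "storage device not on allow list"
        decision = "allow" if mode == "read-write" else "read-only"
        return decision, f"allow-listed storage device ({mode})"
    return "deny", f"class {dev.setup_class} is not permitted"


def decide(instance_id: str, setup_class: str) -> str:
    """Convenience wrapper: parse an instance ID and return only the decision."""
    return evaluate(parse_instance_id(instance_id, setup_class))[0]


if __name__ == "__main__":
    # Constructed sample devices, as Get-PnpDevice might list them.
    samples = [
        (r"USB\VID_046D&PID_C52B\6&1A2B3C4D&0&2", "HIDClass"),
        (r"USB\VID_0781&PID_5567\4C530001234567890123", "DiskDrive"),
        (r"USB\VID_0781&PID_5567\6&2C1A9F1E&0&3", "DiskDrive"),
        (r"USB\VID_0BDA&PID_8153\00E04C680001", "Net"),
    ]
    for instance_id, cls in samples:
        decision, reason = evaluate(parse_instance_id(instance_id, cls))
        print(f"{decision:9} {instance_id}  ({reason})")
```

The point of the `vendor_serial` check is the proviso in the paragraph above: a device that ships without a serial number cannot be white-listed safely, because the identifier the operating system shows for it changes from port to port and machine to machine, and a white list keyed on it would either fail to match or match the wrong stick.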
We really like the new data shadowing option, which lets DeviceLock mirror any data being copied to a removable device. It even works with serial and parallel port devices, storing the copy in a private location on the user's workstation. The impact on local storage can be limited with quotas on the space used and a retention period after which shadow data is discarded. For long-term retention the new enterprise server component comes into play, which stores the shadow data in an SQL Server instance. We found data shadowing simple enough to use, and shadowed files can be copied to the management system for a closer look.
DeviceLock is one of the most versatile access-control solutions on the market. It could do with a few fewer consoles for easier management, but it offers extensive policy-based controls over any removable device, plenty of auditing facilities and unique data shadowing capabilities.