Fri 13-Jul-2012 06:50
We are currently trialing Sophos, particularly for the Data Control features. However, I've run into a couple of limitations and I'm hoping someone might be able to help.
Out of the box, floppy drive, optical drive, removable storage, email clients, web browsers etc. are included, but are we able to add additional "destination is" places? Particularly I would like Sophos to pick up files that are being copied to an FTP site, being copied over SSH etc.
Has anyone had any success with this? Or is this a limitation of the feature?
Apologies if I've missed this posted somewhere else.
Any help is much appreciated!
Fri 13-Jul-2012 08:42
May I suggest the Data Loss Prevention board for this question?
Guess John Stringer will add his comments, for now I'll try to answer the major points.
but are we able to add additional "destination is" places?
No - what you see are all supported device types and applications. Implementing it is not as simple as it may seem. Usually one also restricts (using Application Control) the programs allowed to run. Note also that Loss means Accidental Loss and not Deliberate Leakage. Furthermore a certain mechanism (like browser or FTP upload) with the potential of data loss might also be used internally. Therefore Data Control is ideally combined with a gateway solution and strict enforcement of certain programs and protocols.
Scanning - especially DC - comes with a cost, often much cost. Moreover you can't tell on the client side whether an action constitutes a data loss. Consider the following scenario: A file already packed is opened by an archive tool. To determine whether it contains sensitive data you'd have to unpack it to scan it (if the format is known to data control) before you can decide whether to allow or block - only to have it unpacked again by the archiver. Moreover, it might be that the archiver is used to view the file, or another file is about to be added to the archive - how could you tell? If the archive is also encrypted you can't even scan it - therefore you'd have to block it. Thus it'd be impossible to open encrypted archives at all - unless you employ a certain strategy like en-/decrypting on the gateway (and optionally utilize a centrally controlled tool - which goes beyond simple data control - on the client).
So in short, Data Control is not - and can't be - the magic wand but is best used as part of a multi-layered multi-faceted strategy.
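The archive scenario in the reply above, as an added illustration that is not from this thread and not Sophos code: a toy content scanner that unpacks zip files in memory, recurses into nested archives up to a bound, and reports encrypted members as unscannable so that a separate policy step can decide whether "cannot inspect" means "block". The card-number rule, the Luhn check, the MAX_DEPTH bound, the verdict names and the sample archive are all constructed for this demo; the "encrypted" member is simulated by flipping the encryption flag in the central directory, since the standard library cannot write password-protected entries.

```python
import io
import re
import zipfile

# Constructed content rule (not a product definition): 16-digit card-like numbers
# that also pass the Luhn check, to cut false positives from order ids and the like.
CARD_RE = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")
MAX_DEPTH = 2  # recursion bound: each nested archive multiplies the scanning cost


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard sanity check for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sensitive(data: bytes) -> bool:
    """True if any card-like number in the data survives the Luhn check."""
    return any(luhn_ok(re.sub(rb"[ -]", b"", m).decode())
               for m in CARD_RE.findall(data))


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, verdict) pairs. Archives are unpacked in memory and their
    members scanned recursively; that unpacking is the cost the reply describes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [(name, "sensitive" if is_sensitive(data) else "clean")]
    if depth >= MAX_DEPTH:
        return [(name, "depth-exceeded")]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                results.append((member, "encrypted-unscannable"))
                continue  # no key, no content: the scanner cannot decide
            results.extend(scan(member, zf.read(info), depth + 1))
    return results


def decide(results: list, block_unscannable: bool = True) -> str:
    """Policy layer: block on sensitive content; optionally also block whatever
    could not be inspected, which is the 'no encrypted archives at all' trade-off."""
    verdicts = {v for _, v in results}
    if "sensitive" in verdicts:
        return "block"
    if block_unscannable and verdicts & {"encrypted-unscannable", "depth-exceeded"}:
        return "block"
    return "allow"


def zip_of(members: dict, encrypted: tuple = ()) -> bytes:
    """Build an in-memory zip from {name: bytes}. Names listed in `encrypted` get
    the encryption flag set in the central directory as a stand-in for a
    password-protected member (the bytes themselves are not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        for name in encrypted:
            zf.getinfo(name).flag_bits |= 0x1
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed test archive; nothing here is real customer data."""
    inner = zip_of({"archive/orders.txt": b"order ref 1234 5678 9012 3456"})
    return zip_of({
        "readme.txt": b"nothing to see here",
        "customers.csv": b"alice,4111 1111 1111 1111,2014-09\n",  # Luhn-valid test number
        "nested.zip": inner,
        "secret.txt": b"placeholder",
    }, encrypted=("secret.txt",))


if __name__ == "__main__":
    results = scan("upload.zip", build_sample())
    for path, verdict in results:
        print(f"{verdict:22} {path}")
    print("decision:", decide(results))
```

Note that the number in `orders.txt` matches the regex but fails Luhn, so it comes back clean, while the nested zip still had to be unpacked and scanned to find that out. Flip `block_unscannable` to `False` and the encrypted member is silently allowed through; leave it on and no encrypted archive ever gets out, which is the choice the reply says has to be made somewhere other than on the endpoint.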
Fri 13-Jul-2012 13:59 - edited Fri 13-Jul-2012 14:01
Qc has already provided a good response but I'll also add my product manager thoughts. The endpoint data control functionality is primarily designed as an education tool for end users. On the endpoint it excels at providing a relatively simple control to monitor common data exit points, checking the file content and flagging up to an end user if the content looks sensitive (the user can then make an audited call on whether to proceed or not). As a by-product of this analysis, data control will often uncover broken business processes or poor data management practices... and occasionally deliberate malicious mishandling or extraction of data. On the email gateway the most common use case for data control is to enforce file based encryption for sensitive data being sent out of the organization (usually deployed with an Outlook plugin that enables manual marking of files for encryption).
We are constantly reviewing our definition of "common data exit points" and have recently added support for additional monitored applications (Chrome, Skype, Lync). We've also had quite a bit of internal discussion about cloud storage services like DropBox replacing the role of USB keys (so three years ago!) and the need to make it easier for our customers to allow controlled use of these services. So we're open - positively welcome - customer suggestions on improving what we look for and where we look for it.
There are tools out there that will enable you to monitor for sensitive data within FTP and SSH protocols today but they are often very expensive and complex to set up. If you have the time I'd recommend raising a request to monitor these protocols via our UTM (network security gateway) on the Astaro feature request forum: http://feature.astaro.com/forums/17359-astaro-secu