With serious data breaches occurring on almost a daily basis, concerns about data protection have skyrocketed. While some experts believe endpoint breaches may no longer comprise the majority of data leaks, the intentional or unintentional release of sensitive data from endpoints within an organization, whether by employees, contractors or guests, remains a serious problem that data loss prevention (DLP) products seek to address.
We tested broad-based DLP products from four vendors (Sophos, Trend Micro, Verdasys and Websense) and also tested Cisco's IronPort Email Security Appliance (see sidebar). (Symantec, Trustwave, McAfee, Code Green Networks, RSA and Computer Associates were invited to participate, but declined.)
Our overall conclusion is that these products work well in blocking unintended releases of sensitive information, and also work just fine in an environment where the IT department has control over the types of email systems and browsers that are being deployed by end users. In a scenario where an end user is determined to find holes in the DLP system, IT needs to be extra vigilant.
For example, we found that we could thwart some of the DLP systems by using Mozilla Thunderbird for email. The vendors told us the workaround was simple enough: block the use of non-Outlook email. But this example points to the fact that a successful DLP deployment requires constant attention. (See how we conducted our test.)
All five products tested were easy to install, and we experienced no difficulty getting each product up and running on our test LAN, usually within an hour. DLP policies and enforcement rules were easy to create and deploy in our test environment once any applicable endpoint agents were in place, although some server consoles, notably Websense and Verdasys, seemed more intuitive than others. As we expected, policies were enforced regardless of our status as Windows users; that is, being a system administrator in Windows did not allow us to bypass rules.
Overall, the products passed our DLP tests by successfully blocking data transfers, quarantining or auditing sensitive data or warning the end user, depending on how enforcement was configured. In some cases, tweaking and workarounds were needed to achieve a successful result. Only one product, Sophos Enterprise Console, passed all our endpoint tests without workarounds.