The name of the new game is data protection
- By William Jackson
- Feb 07, 2007
SAN FRANCISCO - As mobile devices, remote access and increasingly complex enterprises make the concept of a network perimeter obsolete, IT security is focusing more on protecting data than on erecting barriers.
Firewalls, antivirus and other types of filters remain important, but the big buzz at this year's RSA security conference is data security. Tools for securing databases, encrypting files and monitoring activity are among the most common products and services being demonstrated at the show.
Government regulation, data breaches, exposures and good business practices are putting a premium on the ability to control sensitive data within an enterprise.
Fidelis Security Systems of Bethesda, Md., has come up with its own category of tool that it calls an Extrusion Prevention System to protect from data leakage. Fidelis XPS works like an intrusion prevention system in reverse, monitoring and blocking outbound traffic from a network.
"Almost everyone has some kind of e-mail prevention solution," said David J. Etue, vice president of product management. But in addition to keeping an eye on e-mail, XPS also watches Web traffic, file transfers, instant messaging and peer-to-peer traffic. The appliance is purpose-built to block improper outbound traffic, not just monitor it.
The appliance can be deployed either inline or out-of-band, although most organizations do not deploy it inline. Both configurations can block traffic. When inline, it can automatically drop a network connection. This is more efficient than sending instructions to stop a session, which must be done when operating out-of-band. But an inline installation runs a greater risk of network disruptions.
Unlike IPS, which must inspect each packet to stop inbound attacks, XPS looks at a file as a whole, so it has less impact on network performance.
The latest version of XPS uses the Internet Content Adaptation Protocol (ICAP), which lets devices see into encrypted sessions that have been decrypted by a proxy server.
"With ICAP, we can have that information handed off to us to monitor," Etue said.
Zix Corp. of Dallas is adding a new directory feature to its e-mail encryption service. The Federal Deposit Insurance Corp. is the first customer for ZixConnect, which will let FDIC communicate seamlessly with banks that already are customers in the ZixDirectory.
Zix charges customers for encrypting outgoing mail, and there is no charge for recipients. It offers a variety of encryption options including S/MIME and OpenPGP. If the recipient has no encryption capability, Zix sends an out-of-band e-mail notification with a secure link to view the e-mail over an SSL connection.
With ZixConnect, customers already in the ZixDirectory can exchange strongly encrypted e-mail without each party having encryption capability on the desktop. The service now uses Triple DES encryption but will switch to the Advanced Encryption Standard in August.
CipherOptics Inc. of Raleigh, N.C., also is offering a new tool for easing the burden of encrypting traffic. Its CipherEngine Policy and Key Manager reduces overhead by simplifying key management.
Key exchanges have long been the weak point of encryption schemes. As the number of users increases, the effort required to generate and manage keys grows exponentially. CipherEngine eases that burden by managing keys at the workgroup level.
CipherEngine consists of a management server and key authority. Users authenticate to the network as normal, and authorization is mapped to policies in the management server. Authorization is then passed to the key authority, which parcels out keys to the appropriate users.
"The difference is full, networkwide encryption, so that data in motion is locked down," said chief marketing officer Jim Doherty.
The German company Utimaco Software AG is announcing a bundled suite of data protection tools called SafeGuard Enterprise. Utimaco has been in the U.S. market for a decade, but growing privacy concerns have re-energized its efforts here, said CEO Martin Wulfert.
Customer demand is moving away from point solutions that lock down individual devices, toward more integrated solutions, Wulfert said. So SafeGuard Enterprise bundles modules from existing solutions to provide file and folder encryption, device encryption, configuration protection and data exchange security under a common management console with an application programming interface, so partners can develop their own plug-ins.
One thing the suite does not offer is database encryption, but Application Security Inc. of New York is bundling that function along with other tools in its new DbProtect suite.
DbProtect is a rebranding and upgrade of a number of existing AppSec tools. It will be available in April and will support Oracle, Microsoft SQL Server, IBM DB2 and Sybase. A new feature in the suite enables tamper-evident monitoring of privileged activity in a database. Monitoring all such activity is important because keeping track of privileged users is difficult, said Ted Julian, vice president of marketing and strategy.
Keeping track of databases within an enterprise also is difficult, and DbProtect also does intelligent discovery to find all databases on a network. Future releases of the tool will include database configuration analysis. The AppScanner feature also does vulnerability scanning and actively monitors for threats to those vulnerabilities.
The suite will cost $3,000 a year per database, Julian said.
William Jackson is a Maryland-based freelance writer.