Every week, there are new reports of data breaches at organizations of every type. Firewalls and intrusion detection systems can shield an enterprise only from known attacks, so it’s almost inevitable that hackers will be able to penetrate an organization’s systems, or that an employee will download sensitive data to a mobile device or USB drive, which might then be stolen or lost. However, with the right management software, an administrator can control which devices are allowed to access data, prevent sensitive data from being moved to portable devices, and verify that the data on internal or removable devices is encrypted. That way, even if data is stolen, thieves won’t be able to read it.
Symantec’s Endpoint Encryption Device Control, Endpoint Encryption Full Disk Edition and Endpoint Encryption Removable Storage Edition form three prongs of an approach to ensure data security. Device Control allows administrators to set policies on what kind of data can be moved around, whether on the network or to local storage or mobile devices such as smartphones, tablets or USB drives.
Full Disk Edition confirms that the internal drives in a PC or notebook are encrypted; a password must be entered before the device boots, ensuring that unauthorized users cannot extract data from the system. Removable Storage Edition encrypts data on all sorts of media, such as floppy disks, CDs and DVDs, as well as USB and FireWire storage devices. It can also encrypt files as self-extracting archives so they can be e-mailed safely to employees or partners.
The three products together form a comprehensive approach to data security, allowing an administrator to prevent data from being copied over a wireless network, via a sync cable to a smartphone or tablet, or onto any type of removable media unless it is first encrypted. It controls all avenues of data movement and can even keep users from making local copies on a PC’s hard drive without encrypting the data.
Number of built-in file types that can be controlled by Symantec Endpoint Encryption Device Control when designating which files can be read or written to devices
Policies can be created based on document type, connection type (Wi-Fi, USB, Bluetooth), user or group type, or location in the file structure. An administrator can protect specific applications or directories from being copied to USB devices while allowing a specific user to perform backups. Such flexibility is great, though it can add to the complexity of setup, because there are many options to consider.
Device Control allows an administrator to create a policy for data security, roll it out to all the PCs in the organization and automatically enforce the policy. This allows IT staff to block PCs from writing certain files to USB keys or prevent any data from being copied.
A central management server controls policies for all endpoints and can work with Active Directory as well. Administrators don’t have to set separate policies for each PC or user; the organization can deploy different policies based on existing Active Directory groups or set up new ones.
The three products — Endpoint Encryption Device Control, Endpoint Encryption Full Disk Edition and Endpoint Encryption Removable Storage Edition — must be purchased and installed separately (but this also means that if you need only one or two parts of the functionality, the cost is less). Setting the system up and creating policies takes some thought. An administrator won’t be able to just install the software and begin using it.