Data Loss Prevention Rolling Review: Safend Safeguards At The Endpoint

Low-cost endpoint specialist gets the job done -- most of the time.
Safend was resistant to tampering. We attempted to end the process that controls the Protector client, and it just started right back up again. We even attempted to delete the registry keys containing the service information required by the client. After the registry keys were wiped, the client kept on humming. After rebooting, the registry keys were inserted right back into the registry hive.

While Safend's anti-tampering features are impressive, they still run within the Windows operating system, and that's an Achilles' heel. We simulated a laptop theft and orchestrated a data leak by booting up our test laptop with a floppy disk and running an NTFS volume reader. We easily swallowed up all the valuable data this laptop had to offer. Whole-disk encryption would have stopped us cold. The Protector client doesn't offer it out of the box, but Safend provides whole-disk encryption with its Encryptor product line. Encryptor can be purchased at an additional cost, so IT shops looking to lock down and encrypt their endpoints can get both features under one roof.

We found Protector's logging, alerting, and reporting capabilities to be more than sufficient. All events that can be locked down by policy can also be configured to centrally alert and report violations. Alerts can be e-mailed, logged to the Windows Event log, or collected from an SNMP trap.

Wi-Fi management is also implemented well with Protector. Policy definitions allow you to force clients to use specific service set identifiers and encryption protocols in order to be able to access a Wi-Fi network.

However, Protector falls short in its ability to control whether or not clients might be leaking critical data via Instant Messaging, FTP, peer-to-peer file sharing, etc. Protector isn't application-aware, and that could be a deal breaker for some shops. Protector also can't prevent printing of sensitive data and can't thwart leakage via screen capturing. Safend says these key features will be added in the next release.

Application intelligence also is unavailable with Protector now, although Safend is preparing to add some key features to its product mix with the upcoming release of its first network-level DLP product, Safend Inspector. Set for a third-quarter release, Inspector will fill in some holes in the area of enterprise data discovery and application awareness.

As tested, Safend Protector lists for $13 to $32 per license, depending on volume. Safend Encryptor lists for $29 to $69. Protector and Encryptor can be purchased together. Safend Protector runs only on Windows operating systems, including Windows 2000 SP4, 2003 Server, XP, and Vista.

Our Take
Safend Protector ably cuts the risk of data loss through comprehensive port, device, and storage security control.
Security policies are applied at the kernel level, making the Protector client extremely resistant to tampering.
Centrally managed reporting, logging, and alerting capabilities will meet the needs of most environments.
Safend Protector 3.3 lacks some key features -- it's not app-aware and can't prevent printing or screen capture -- that the company says it'll add to the next version.

Randy George is an industry analyst on security and infrastructure topics.