Data Loss Prevention Rolling Review: Safend Safeguards At The Endpoint

Low-cost endpoint specialist gets the job done -- most of the time.

Randy George, Director, IT Operations, Boston Red Sox

May 7, 2009

7 Min Read

We start our Rolling Review of data loss prevention products with Safend Protector Endpoint, the lone entry in our DLP mix whose primary emphasis is endpoint security. The other players have strong DLP capabilities at both the network level and the endpoint, but we wanted to include a company that operates exclusively in the endpoint market because not all IT shops want, or can afford, a soup-to-nuts system from the likes of RSA, Websense, or Symantec.

Regardless of how large or complex your organization is, battling data loss threats must start with an emphasis on the endpoint. Safend estimates that 60% of corporate data resides on endpoints, and that's where Safend Protector Endpoint aims its DLP resources.

We test endpoint security systems on many challenges, including how easy each product is to deploy and manage; how well it alerts, reports, and mitigates policy violations; and how robust its protection mechanisms are from a physical, file, and application standpoint. Safend Protector delivers on most accounts, but not all.

We appreciate the ease and speed with which we deployed the Protector Management Server. Companies can deploy the central policy server via any Microsoft Windows 2003 server, but Safend recommends more robust server back-ending to an external SQL database for more than 1,000 users.

The Protector client and policy definitions can be deployed via login script or any software-distribution mechanism, and policy updates between client and server can be scheduled via Windows management interface. Tight integration with Active Directory allowed us to easily deploy multiple policy definitions to different user communities based on Organization Unit membership. Even better, Protector Management Server is free with the purchase of client licenses.

Safend's Protector client puts solid defense around physical port, device, storage, file, and Wi-Fi security, and passed our physical port security test with flying colors. By selecting Allow, Block, or Restrict within the policy manager, IT can control access to every type of physical port or storage device imaginable on a given system. USB, FireWire, serial/parallel, PCMCIA, Bluetooth, IrDA, SD cards, modem, floppy/CD/tape -- you name it, Protector can lock it down. IT policy makers also can define which types of devices, for example, are allowed to plug in to a USB port, such as a printer, a thumb drive, or a smartphone.

Rolling Review


Business value
An ounce of loss prevention can be worth thousands of dollars of remediation and damaged reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.

Reviewed so far
Safend Protector Endpoint
Delivers impressive endpoint security, but lacks application awareness and can't stop data leaks via printing of sensitive data or screen captures.

Still to come
RSA, McAfee, Symantec, Vericept

More about this rolling review >>

If you want to ensure that your employees are using approved USB thumb drives issued by IT only, you can lock down policy to include only the serial numbers of approved USB thumb drives. Furthermore, you can force encryption of data copied to the thumb drive, and prevent users from accessing the data on that thumb drive from a non-company PC.

Safend's file protection gives IT teams the ability to apply policy based on the type of file being accessed, such as a Microsoft Office file, a database, a Web page, or an image, among other formats. Policy options include allowing access to a certain file type, blocking it, or allowing and shadowing its use to aid in collecting forensic evidence on how the file is used and transported. By configuring logging and alerting appropriately, the administrator can get a heads-up on potential data leaks before they become a bigger problem.

Our only knock on Safend's file protection is that we couldn't create custom file definitions within the broadly defined "MS Office" file type -- or any other type, for that matter. As a result, we had to treat Excel spreadsheets with the same policy set as a Word document, which in some environments might represent a lower-priority leakage target.

In addition, we'd like to see some functionality to proactively search file contents for items that might raise a red flag, such as a spreadsheet that contains credit card or Social Security data, and enforce encryption or take another type of action based on that detection.

Safend was resistant to tampering. We attempted to end the process that controls the Protector client, and it just started right back up again. We even attempted to delete the registry keys containing the service information required by the client. After the registry keys were wiped, the client kept on humming. After rebooting, the registry keys were inserted right back into the registry hive.

While Safend's anti-tampering features are impressive, they still run within the Windows operating system, and that's an Achilles' heel. We simulated a laptop theft and orchestrated a data leak by booting up our test laptop with a floppy disk and running an NTFS volume reader. We easily swallowed up all the valuable data this laptop had to offer. Whole-disk encryption would have stopped us cold. The Protector client doesn't offer it out of the box, but Safend provides whole-disk encryption with its Encryptor product line. Encryptor can be purchased at an additional cost, so IT shops looking to lock down and encrypt their endpoints can get both features under one roof.

We found Protector's logging, alerting, and reporting capabilities to be more than sufficient. All events that can be locked down by policy can also be configured to centrally alert and report violations. Alerts can be e-mailed, logged to the Windows Event log, or collected from an SNMP trap.

Wi-Fi management is also implemented well with Protector. Policy definitions allow you to force clients to use specific service set identifers and encryption protocols in order to be able to access a Wi-Fi network.

However, Protector falls short in its ability to control whether or not clients might be leaking critical data via Instant Messaging, FTP, peer-to-peer file sharing, etc. Protector isn't application-aware, and that could be a deal breaker for some shops. Protector also can't prevent printing of sensitive data and can't thwart leakage via screen capturing. Safend says these key features will be added in the next release.

Application intelligence also is unavailable with Protector now, although Safend is preparing to add some key features to its product mix with the upcoming release of its first network-level DLP product, Safend Inspector. Set for a third-quarter release, Inspector will fill in some holes in the area of enterprise data discovery and application awareness.

As tested, Safend Protector lists for $13 to $32 per license, depending on volume. Safend Encryptor lists for $29 to $69. Protector and Encryptor can be purchased together. Safend Protector runs only on Windows operating systems, including Windows 2000 SP4, 2003 Server, XP, and Vista.

Our Take


Safend Protector ably cuts the risk of data loss through comprehensive port, device, and storage security control.

Security policies are applied at the kernel level, making the Protector client extremely resistant to tampering.

Centrally managed reporting, logging, and alerting capabilities will meet the needs of most environments.

Safend Protector 3.3 lacks some key features-it's not app-aware and can't prevent printing or screen capture-that the company says it'll add to the next version.

Randy George is an industry analyst on security and infrastructure topics.

About the Author(s)

Randy George

Director, IT Operations, Boston Red Sox

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point, a BS in computer engineering from Wentworth Institute of Technology and an MBA from the University of Massachusetts Isenberg School of Management.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights