Using security and desktop management products to block USB access

David Strom, Contributor

A rogue employee can easily carry a lot of private data out of your
offices using a USB drive. While gluing your USB ports shut (like my local
library did) is one way to prevent data loss via a portable drive, a less
drastic -- but just as efficient -- option is a security or desktop
management product. These products block read or write access to removable
USB or CD drives. This not only prevents data loss, but it also protects
desktops from an infected disc or drive.

The following five products are major players in the area:

* Safend Protector
* Symantec Endpoint Protection
* Sophos Endpoint Security and Data Protection
* Skyrecon StormShield Endpoint Security
* Dell Kace K1000 Systems Management Appliance

How the products work

At the highest level of operations, each of these products requires a
management agent on all corporate endpoints. However, this can be a
challenge, since not all endpoint operating systems are supported by all
products. Most of these products began in the 32-bit Windows world, and
they have since branched out to include 64-bit Windows, Mac and even Linux.

The next step is to set up a series of policies on the management server
-- typically by using a Web browser to connect to a separate machine --
that lock down the removable drives. When a user inserts a drive, he
(along with the administrator) gets a message that says the drive isn't
operable because of corporate security policies. You can allow particular
groups of users, such as IT testers, unimpeded access to their drives, or
you can allow specific types of drives.

The tricky part with all these products is that although you want to block
USB drives, you still want to allow access to other USB attachments such
as keyboards, mice, cameras and printers. In other words, you want your
PCs safe and usable. Therefore, it's important to understand how each
product differentiates the harmful USB devices from the benign ones.
It's also critical to evaluate how tightly device protection is integrated
with the host intrusion-protection, data loss prevention and antivirus
features that may or may not be present in each product. With that
integration you can track or block copying particular kinds of data (such
as customer lists or executables) to removable drives while leaving other
data alone.

Note that many of these endpoint products do more than just enforce
policies for removable drives. They can also require PCs to be up to date
on their OS and antivirus patches, make sure that desktop firewalls are
installed and operational, and perform hundreds of other endpoint security

One of the Products

Sophos Endpoint Security and Data Protection v9.5 only supports 32-bit
and 64-bit Windows clients, but it does allow you to create sophisticated
policies. For example, you can create a policy to block all USB drives
except for encrypted ones. It also includes application controls and data
leak prevention policies, such as the ability to block access to online
cloud storage sites.
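The decision logic described in the "How the products work" section (block removable storage while keeping keyboards, mice, cameras and printers usable, with exceptions for groups such as IT testers) and the Sophos-style rule above (block every USB drive except encrypted ones) can be sketched as a small policy evaluator. The code below is an added example written for this article, not any vendor's agent code. The USB interface class codes are the standard USB-IF values; the `Policy` fields, the group names, the sample device records and the `encrypted` flag (which assumes the agent has already verified the drive's encryption) are constructed assumptions.

```python
"""Toy USB device-control policy evaluator (illustrative, not vendor code).

An endpoint agent sees a newly attached USB device and must decide whether
the user may use it. The device's USB interface class separates storage
from keyboards, mice, cameras and printers; per-group and per-device
exceptions let IT testers or encrypted drives through.
"""
from dataclasses import dataclass, field
from typing import Iterable

# Standard USB-IF interface class codes
USB_CLASS_HID = 0x03           # keyboards, mice
USB_CLASS_IMAGE = 0x06         # still-image cameras (PTP)
USB_CLASS_PRINTER = 0x07
USB_CLASS_MASS_STORAGE = 0x08  # flash drives, external disks, card readers
USB_CLASS_VENDOR = 0xFF        # vendor-specific, purpose unknown to the agent


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_classes: tuple     # a composite device exposes several interfaces
    encrypted: bool = False      # assumption: agent verified drive encryption
    serial: str = ""


@dataclass
class Policy:
    # interface classes that are always allowed (keyboards, mice, cameras, printers)
    benign_classes: frozenset = field(
        default_factory=lambda: frozenset({USB_CLASS_HID, USB_CLASS_IMAGE, USB_CLASS_PRINTER}))
    # groups whose members may use any removable drive (e.g. IT testers)
    unrestricted_groups: frozenset = field(default_factory=frozenset)
    # "block all USB drives except encrypted ones"
    allow_encrypted_storage: bool = False
    # explicitly approved models as (vendor_id, product_id) pairs
    approved_models: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(policy: Policy, device: UsbDevice, user_groups: Iterable[str]) -> Decision:
    """Decide whether the device may be used by a user in the given groups."""
    classes = set(device.interface_classes)
    if USB_CLASS_MASS_STORAGE not in classes:
        # No storage interface: allow only if every interface is a known benign class.
        if classes <= policy.benign_classes:
            return Decision(True, "non-storage device in an allowed class")
        return Decision(False, "unrecognised interface class")
    # The device exposes a storage interface, so the storage rules apply even if
    # it also looks like a keyboard (e.g. a keyboard with a built-in card reader).
    if set(user_groups) & policy.unrestricted_groups:
        return Decision(True, "user belongs to an unrestricted group")
    if (device.vendor_id, device.product_id) in policy.approved_models:
        return Decision(True, "approved device model")
    if device.encrypted and policy.allow_encrypted_storage:
        return Decision(True, "encrypted removable drive")
    return Decision(False, "removable storage blocked by corporate security policy")


def user_message(decision: Decision) -> str:
    """Text shown to the user (and logged for the administrator)."""
    if decision.allowed:
        return "Device enabled: " + decision.reason
    return "This drive is not operable: " + decision.reason


# Constructed sample policy and device insertions (not real hardware IDs)
POLICY = Policy(unrestricted_groups=frozenset({"it-testers"}), allow_encrypted_storage=True)
KEYBOARD = UsbDevice(0x1111, 0x0001, (USB_CLASS_HID,), serial="kbd-1")
CAMERA = UsbDevice(0x2222, 0x0002, (USB_CLASS_IMAGE,), serial="cam-1")
FLASH_DRIVE = UsbDevice(0x3333, 0x0003, (USB_CLASS_MASS_STORAGE,), serial="usb-plain")
ENCRYPTED_DRIVE = UsbDevice(0x4444, 0x0004, (USB_CLASS_MASS_STORAGE,), True, "usb-enc")
KEYBOARD_WITH_READER = UsbDevice(0x5555, 0x0005, (USB_CLASS_HID, USB_CLASS_MASS_STORAGE), serial="combo")
UNKNOWN_GADGET = UsbDevice(0x6666, 0x0006, (USB_CLASS_VENDOR,), serial="mystery")


def process_events(policy: Policy, events: Iterable[tuple]) -> list:
    """Evaluate (device, user_groups) insertion events; returns audit rows."""
    rows = []
    for device, groups in events:
        d = evaluate(policy, device, groups)
        rows.append((device.serial, d.allowed, d.reason))
    return rows


if __name__ == "__main__":
    events = [(KEYBOARD, ["staff"]), (CAMERA, ["staff"]), (FLASH_DRIVE, ["staff"]),
              (FLASH_DRIVE, ["it-testers"]), (ENCRYPTED_DRIVE, ["staff"]),
              (KEYBOARD_WITH_READER, ["staff"]), (UNKNOWN_GADGET, ["staff"])]
    for serial, allowed, reason in process_events(POLICY, events):
        print(f"{serial:10} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

Two design points carry over to real products: a composite device is judged by its most sensitive interface, so a keyboard that also presents a card reader is treated as storage rather than waved through as a keyboard, and anything in a class the policy does not recognise is denied by default rather than allowed.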

Cost: $110 per year, per desktop, with substantial volume discounts for larger user counts.

