By eweek  |  Posted 2006-06-12

Vontu 6.0 provides a flexible, policy-driven system that allows IT managers to find protected data and block its unauthorized release.

The Vontu 6.0 suite was released by Vontu in March. Its price, which starts at $100,000, is based on the number of users and the modules purchased. The modules include Monitor, Prevent, Discover and Protect.
The first two modules cover data in motion, such as e-mail and file transfers. The latter two modules are used for data at rest, such as information in a file share that is not actively moving on the network. All the modules can share policies.

Vontu 6.0 distinguishes itself from data protection tools such as Reconnex iController and iGuard, Tablus Content Sentinel (a finalist in the 6th annual eWeek Excellence Awards), and Vericept's Content 360° by keeping an in-memory replica of protected data. eWeek Labs' tests show that this method—which Vontu calls "exact data matching"—increases the accuracy of information identification under ideal circumstances.

With exact data matching, Vontu 6.0 can quickly sift through e-mail, instant messaging, FTP, and other Internet and network protocols looking for specific protected data. Thus, instead of looking for data that follows a rule—say, two words, where each word begins with a capital letter, followed by a nine-digit number in the form of xxx-xx-xxxx—Vontu 6.0 looks for specific information (such as Cameron Sturdevant 123-45-6789).

One clear advantage of looking for the exact copy of the protected information is that the false-positive rate is quite low. In our tests, Vontu never misidentified exact data-match information.

One fairly obvious concern about this method, however, is that the matching data must be stored and maintained on the Vontu 6.0 system—making the device high-risk, indeed. We evaluated an appliance-based version of Vontu, but the product is also sold as software, so IT administrators can use as beefy a piece of hardware as they wish to process data streams.

Regardless of the installation, Vontu 6.0 must be able to see all outgoing network traffic to provide complete monitoring and control. We put the device on a monitoring port on a Cisco Systems Cisco Catalyst 3550 switch so that it would see all the traffic on our test network.

During tests, the first thing we did was specify a corpus, or collection, of protected data. We created a database that contained first and last names, Social Security numbers, addresses, and customer numbers. Our data tables also contained fields for information that did not have to be protected—such as products ordered, ship dates and warranty dates. IT managers should work closely with business-line managers to determine what should and shouldn't be protected, using data loss prevention tools only for sensitive data.

The extraction process allowed us to pull in the column headers of the data so that we could streamline the process of designating the exact match data we wanted to protect.

A meaningful theft of data will likely entail some number of data records—let's say 100 for this example. If an e-mail is intercepted that contains even one of the records in Vontu's exact matching engine, then the entire e-mail would be blocked, and the other 99 records would also be protected.

Therefore, collections of high-value data—for example, a wealth management database from a financial organization's personal banking department—would need to be frequently updated because the loss of even one of these records would generate substantial risk for the financial organization.

The frequency of updating data is also important because of the operational costs associated with such updates. Because these updates involve sensitive information, IT managers will need to ensure that the maintenance process is secured, monitored and automated. We recommend that IT managers make this a key point of their evaluation of any data loss prevention tool.

We were aided in this area of our tests by the ability of Vontu 6.0 to set a required minimum of matches before creating an incident report. This is actually an interesting area of Vontu's operation that must be tuned carefully to support business processes.

For example, it may be appropriate and necessary for an employee to send as many as 10 records containing personally identifying data. We were able to configure Vontu rules that would permit such an e-mail. We could also set up the system to send an alert if the e-mail contained more than 10 records.
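The two detection styles contrasted above (a name-plus-SSN rule versus exact matching against a designated corpus) and the tunable record threshold can be illustrated in a few lines. This is an added example, not Vontu's code: the protected records and the "Jane Doe" message are constructed, and holding the corpus as SHA-256 hashes rather than plaintext is this example's own choice, not something the article attributes to the product.

```python
import hashlib
import re

# Constructed protected corpus: only the columns an administrator designated
# for exact matching (name, SSN); non-sensitive columns are left out.
PROTECTED_RECORDS = [
    ("Cameron Sturdevant", "123-45-6789"),
    ("Alice Example", "987-65-4321"),
    ("Bob Sample", "555-44-3333"),
]

# Rule-based detector from the article: two capitalized words followed by
# a nine-digit number in xxx-xx-xxxx form.
RULE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+ \d{3}-\d{2}-\d{4}\b")


def rule_matches(text):
    """Everything that merely looks like a name + SSN (false positives included)."""
    return RULE.findall(text)


def build_index(records):
    """In-memory replica of the corpus; hashing the tuples is this example's choice."""
    return {hashlib.sha256(f"{n}|{s}".encode()).hexdigest() for n, s in records}


def exact_matches(text, index):
    """Count candidates that are real protected records, not just rule hits."""
    hits = 0
    for candidate in RULE.findall(text):
        name, ssn = candidate.rsplit(" ", 1)
        if hashlib.sha256(f"{name}|{ssn}".encode()).hexdigest() in index:
            hits += 1
    return hits


def decide(text, index, max_allowed):
    """Permit up to max_allowed protected records per message (the article's
    business case used 10); block and raise an incident beyond that."""
    return "block" if exact_matches(text, index) > max_allowed else "allow"


if __name__ == "__main__":
    idx = build_index(PROTECTED_RECORDS)
    msg = "Please review Cameron Sturdevant 123-45-6789 and Jane Doe 000-11-2222 today."
    print(len(rule_matches(msg)), exact_matches(msg, idx), decide(msg, idx, 1))
```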

During tests, we found that encrypted data went beyond the reach of our Vontu 6.0 system, but warnings that encrypted data is being sent off the network should be enough of a red flag to IT and business managers.

We were able to set up Vontu 6.0 to intercept HTTPS (HTTP Secure) and secure FTP transmissions when the product was integrated with a Blue Coat Systems Blue Coat proxy appliance. Company officials indicated that methods of decrypting other secure communications were under consideration, although no timeline for possible implementation was given. Since encryption and personally identifiable information increasingly will become intertwined, the ability to decrypt, examine and re-encrypt traffic will likely become a distinguishing characteristic for the next generation of data loss prevention.


