SecureWaves Sanctuary 4.1 is simply one of the most comprehensive security lockdown products eWeek Labs has seen to date, allowing an unparalleled granularity of control over user devices and settings.
While initial deployment can be complex, and ongoing policy management could definitely be better organized, Sanctuary 4.1s many capabilities will go a long way toward locking out mischief while clamping down on data.
We tested the Sanctuary Device Control flavor of Sanctuary 4.1, which provides device lockdown, encryption and in-depth reporting.
SecureWave also offers Sanctuary Application Control, which is functionally akin to Bit9 Parity. Customers can get both products in the full Sanctuary suite.
The first thing we noticed about Sanctuary was the incredibly deep level of control it provides. Not only can Sanctuary control access to pretty much any device we could think of (including USB drives, CD/DVDs, PDAs and infrared or wireless networking ports, among many others), but it is also bus or connection aware. For example, we could create different access rules governing the use of wireless network adapters connected via USB and those connected via PCI.
We created policies in the Device Explorer panel, one of many configuration screens in the Sanctuary Management Console. (The console can be installed on any Windows machine throughout the network.)
The Device Explorer looks remarkably similar to Windows Device Manager, but underneath each listed device class are line items of the access policies rather than individual devices. For example, under the Removable Storage Devices class, we configured a series of rules, assigning different access privileges and requirements for Domain Administrators and for Domain Users, as well as different copy limits (how much data a user could transfer to this device) and shadow policies (reporting exactly what elements were transferred or accessed from the monitored device) for each group.
But this granularity can get confusing as the policy rules for every user and group are muddled together. We could pull up a report of the specific rules applied to a specific user or group, but we would prefer a more object-based approach to policy definition, where we could create policy templates that we could then apply to a user or groups. This could extend existing configurations to new groups or users as a company grows.
Sanctuarys reporting and logging capabilities are outstanding. Prepackaged reports allowed us to easily pull up a users or computers specific permissions, while the logs allowed us to track pretty much anything under the sun, including the number of times a user accessed a device and when; how much of a copy limit a user has usurped; or violated access permissions over a defined amount of time.
We particularly liked the audit log, which tracked Sanctuary itself, reporting what policy changes were made, by whom and when. Sanctuary also can be used to secure removable media devices with AES 256-bit encryption.
Administrators encrypt the USB device at a Sanctuary console, where they can also optionally assign the device to a specific user or group from Microsoft Active Directory. Using Sanctuarys centralized encryption features is much easier if there is a Microsoft Certificate Authority in the domain. Otherwise, administrators can push USB device encryption responsibilities out to the users.
When users try to access the encrypted drive, they must provide the encryption key (which administrators can export to the device directly or give to the user another way) and a password. However, Sanctuary does grant the ability to use an encrypted drive on an unprotected workstation—as long as the administrator enables Sanctuarys Easy Exchange feature, which loads a Secure Volume Browser and the encryption key on the encrypted drive. The user can then enter a password to unlock the device from machines not protected by Sanctuary.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.