Vontu 6.0 provides a flexible, policy-driven system that allows IT managers to find protected data and block its unauthorized release.
The Vontu 6.0 suite was released by Vontu in March. Its price, which starts at $100,000, is based on the number of users and the modules purchased. The modules include Monitor, Prevent, Discover and Protect.
The first two modules cover data in motion, such as e-mail and file transfers. The latter two modules are used for data at rest, such as information in a file share that is not actively moving on the network. All the modules can share policies.
Vontu 6.0 distinguishes itself from data protection tools such as Reconnex iController and iGuard, Tablus Content Sentinel (a finalist in the 6th annual eWeek Excellence Awards), and Vericept's Content 360° by keeping an in-memory replica of protected data. eWeek Labs tests show that this method—which Vontu calls “exact data matching”—increases the accuracy of information identification under ideal circumstances.
With exact data matching, Vontu 6.0 can quickly sift through e-mail, instant messaging, FTP, and other Internet and network protocols looking for specific protected data.
Thus, instead of looking for data that follows a rule—say, two words, where each word begins with a capital letter, followed by a nine-digit number in the form of xxx-xx-xxxx—Vontu 6.0 looks for specific information (such as Cameron Sturdevant 123-45-6789).
One clear advantage of looking for the exact copy of the protected information is that the false-positive rate is quite low. In our tests, Vontu never misidentified exact data-match information.
One fairly obvious concern about this method, however, is that the matching data must be stored and maintained on the Vontu 6.0 system. That concentrates a copy of the organization's most sensitive records on a single device, which makes the device itself a high-value target.
We evaluated an appliance-based version of Vontu, but the product is also sold as software, so IT administrators can use as beefy a piece of hardware as they wish to process data streams.
Regardless of how it is installed, Vontu 6.0 must be able to see all outgoing network traffic to provide complete monitoring and control. We put the device on a monitoring (SPAN) port on a Cisco Systems Cisco Catalyst 3550 switch so that it would see all the traffic on our test network.
During tests, the first thing we did was specify a corpus, or collection, of protected data. We created a database that contained first and last names, Social Security numbers, addresses, and customer numbers.
Our data tables also contained fields for information that did not have to be protected—such as products ordered, ship dates and warranty dates. IT managers should work closely with business-line managers to determine what should and shouldn't be protected, using data loss prevention tools only for sensitive data.
The extraction process allowed us to pull in the column headers of the data so that we could streamline the process of designating the exact match data we wanted to protect.
A meaningful theft of data will likely entail some number of data records—let's say 100 for this example. If an e-mail is intercepted that contains even one of the records in Vontu's exact matching engine, then the entire e-mail would be blocked, and the other 99 records would also be protected.
Therefore, collections of high-value data—for example, a wealth management database from a financial organization's personal banking department—would need to be frequently updated because the loss of even one of these records would generate substantial risk for the financial organization.
The frequency of updating data is also important because of the operational costs associated with such updates. Because these updates involve sensitive information, IT managers will need to ensure that the maintenance process is secured, monitored and automated. We recommend that IT managers make this a key point of their evaluation of any data loss prevention tool.
We were aided in this area of our tests by the ability of Vontu 6.0 to set a required minimum of matches before creating an incident report. This is actually an interesting area of Vontu's operation that must be tuned carefully to support business processes.
For example, it may be appropriate and necessary for an employee to send as many as 10 records containing personally identifying data. We were able to configure Vontu rules that would permit such an e-mail. We could also set up the system to send an alert if the e-mail contained more than 10 records.
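To make the difference between a pattern rule and exact data matching concrete, and to show the minimum-match threshold discussed above, here is an added example in Python. It is not code from Vontu or from the original review. The protected records, the field names and the messages are constructed for illustration. The example stores a hash of each normalized cell rather than the cell itself; that is a design choice of this example, not a description of how Vontu holds its in-memory copy. A record counts as present only when at least two of its cells appear in a message and one of them is a key field (SSN or customer number), so a common name on its own does not raise an incident.

```python
import hashlib
import re

# Constructed sample of a protected corpus, i.e. the columns an organization
# would export from its customer database. Every name and number is made up.
PROTECTED_RECORDS = [
    {"first": "Cameron", "last": "Sturdevant", "ssn": "123-45-6789", "cust": "C-1001"},
    {"first": "Jane", "last": "Doe", "ssn": "987-65-4321", "cust": "C-1002"},
    {"first": "Omar", "last": "Haddad", "ssn": "555-12-9876", "cust": "C-1003"},
]
PROTECTED_FIELDS = ("first", "last", "ssn", "cust")
# Fields that identify a record on their own; a name alone never counts.
KEY_FIELDS = ("ssn", "cust")

# The rule-based alternative from the text: two capitalized words followed by
# a nine-digit number written as ddd-dd-dddd.
SSN_RULE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+ \d{3}-\d{2}-\d{4}\b")

# Candidate tokens in a message: runs of letters/digits that may contain
# internal dashes or dots ("123-45-6789", "C-1001", "Sturdevant").
TOKEN = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def rule_matches(text):
    """Pattern detection: every span shaped like 'First Last ddd-dd-dddd'."""
    return SSN_RULE.findall(text)


def _fingerprint(value):
    # Fold case and drop separators so "123-45-6789" and "123456789" collide,
    # then hash. Holding hashes instead of raw cells is a design choice of this
    # example: a stolen index is far less useful than a stolen database.
    folded = re.sub(r"[.\-]", "", value).lower()
    return hashlib.sha256(folded.encode()).hexdigest()


def build_index(records, fields=PROTECTED_FIELDS):
    """Map each cell fingerprint to the (record id, field) pairs it belongs to."""
    index = {}
    for rec_id, rec in enumerate(records):
        for field in fields:
            index.setdefault(_fingerprint(rec[field]), []).append((rec_id, field))
    return index


def exact_matches(text, index, min_fields=2):
    """Exact data matching: ids of records with at least `min_fields` cells
    present in the text, one of which must be a key field."""
    hits = {}
    for token in TOKEN.findall(text):
        for rec_id, field in index.get(_fingerprint(token), ()):
            hits.setdefault(rec_id, set()).add(field)
    return sorted(
        rec_id for rec_id, fields in hits.items()
        if len(fields) >= min_fields and any(f in KEY_FIELDS for f in fields)
    )


def evaluate(text, index, max_records=10):
    """Incident threshold from the text: a message carrying more than
    `max_records` protected records is blocked, otherwise it passes."""
    records = exact_matches(text, index)
    return {"records": len(records), "block": len(records) > max_records}


INDEX = build_index(PROTECTED_RECORDS)

# Constructed messages: a genuine leak, a string that fits the SSN-shaped rule
# but belongs to nobody in the corpus, a customer mentioned by name only, and
# a dump of every protected row.
LEAK = "Cameron Sturdevant 123-45-6789 is account C-1001."
LOOKALIKE = "Ticket for Alex Morgan 000-00-0000 was closed."
NAME_ONLY = "Lunch with Jane Doe on Friday?"
DUMP = "\n".join(
    f"{r['first']} {r['last']} {r['ssn']} {r['cust']}" for r in PROTECTED_RECORDS
)

if __name__ == "__main__":
    for label, msg in (("leak", LEAK), ("lookalike", LOOKALIKE), ("name only", NAME_ONLY)):
        print(label, "rule:", rule_matches(msg), "exact:", exact_matches(msg, INDEX))
    print("dump with threshold 2:", evaluate(DUMP, INDEX, max_records=2))
```

The lookalike message triggers the pattern rule but not the exact match, which is the false positive the review says exact data matching avoids; the name-only message triggers neither. With the threshold lowered to two records, the dump of three rows is blocked while the single-record leak passes, which is the tuning the review describes for employees who legitimately send a handful of records.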
During tests, we found that our Vontu 6.0 system could not inspect encrypted traffic, but warnings that encrypted data is leaving the network should be enough of a red flag to IT and business managers.
We were able to set up Vontu 6.0 to intercept HTTPS (HTTP Secure) and secure FTP transmissions when the product was integrated with a Blue Coat Systems Blue Coat proxy appliance.
Company officials indicated that methods of decrypting other secure communications were under consideration, although no timeline for possible implementation was given. Since encryption and personally identifiable information increasingly will become intertwined, the ability to decrypt, examine and re-encrypt traffic will likely become a distinguishing characteristic for the next generation of data loss prevention.
Rooting out hidden data
While Vontu aims to prevent the inadvertent release of personal and other regulated data, the product also has extensive capabilities for finding purposely hidden data.
For example, Vontu 6.0 examines files attached to e-mail messages or transferred on their own regardless of the file extension they carry.
In our tests, we collected personally identifiable data into Word documents and then changed the file extension of the documents to try to evade detection by Vontu 6.0. None of our attempts to evade detection was successful. Only one minor failure was noted when we attempted to look for “Confidential” data.
Vontu was able to identify when the word appeared in a document. However, when we set up Vontu so that it would also look for quotation marks before and after the word, we saw some anomalous behavior: The document would sometimes be flagged as containing protected data but still allowed to pass.
We don't see this as anything other than a minor concern, since quotation marks are almost never a piece of confidential information. In addition, Vontu worked without a hitch in all our tests that looked for dashes (inside Social Security numbers and telephone numbers) and decimals (in currency amounts).
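The extension-renaming test above is the reason a content inspector must decide a file's type from its bytes, not its name. The following added example in Python (not code from Vontu or from the review) shows that check: it sniffs the container from its leading bytes, compares that with what the extension claims, and parses the file according to what it actually is. The signatures are public facts about the formats; the attachment builder and the sample text are constructed for the example, and only the .docx and plain-text parsers are implemented here.

```python
import io
import re
import zipfile

# Leading bytes of common containers. These are public facts about the file
# formats, not anything taken from the product under review.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                         # .docx/.xlsx/.pptx and .zip
    (b"%PDF-", "pdf"),
]

# What each extension claims to be; anything else is "unknown".
EXTENSION_TYPES = {
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "pdf": "pdf", "txt": "text", "csv": "text",
}

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def sniff_type(data):
    """Decide the container type from content, never from the file name."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    try:
        data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    return "text"


def extract_text(data, kind):
    """Pull inspectable text out of the formats this example knows how to open."""
    if kind == "text":
        return data.decode("utf-8", errors="replace")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Word's main part; a full engine would also walk headers,
            # footers, comments and embedded objects.
            if "word/document.xml" in zf.namelist():
                xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
                return re.sub(r"<[^>]+>", " ", xml)
    return ""  # no parser for this type in the example (e.g. OLE2, PDF)


def scan_attachment(filename, data):
    """Classify by content, report whether the name lies, and look for SSNs."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "claimed": claimed,
        "actual": actual,
        "disguised": claimed != actual,
        "ssns": SSN.findall(extract_text(data, actual)),
    }


def make_docx(body_text):
    """Build a minimal .docx in memory (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>"
            "</w:body></w:document>" % body_text,
        )
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_docx("Cameron Sturdevant 123-45-6789")
    # Same bytes, renamed to look like a text file: still detected.
    print(scan_attachment("notes.txt", doc))
    print(scan_attachment("report.docx", doc))
```

Renaming the Word document to notes.txt changes the claimed type but not the sniffed one, so the file is both flagged as disguised and still parsed for the SSN inside it. A scanner that picked its parser from the extension would have decoded the ZIP bytes as text and found nothing.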
Aside from exact matching, we also used what Vontu calls “index document matching,” where free-form text is processed into Vontu 6.0 and then protected in much the same way exact data is protected. These tests were much more difficult to conduct because the percentage of a document that must be protected varies in an almost limitless way.
We were able to make accurate identification of documents even when paragraphs were rearranged in the same document, but detection became more difficult when only portions of a protected document were transmitted.
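The two behaviours described above, robust detection when paragraphs are rearranged and weaker detection when only a fragment is sent, fall out of how document fingerprinting works. The following added example in Python (not Vontu's engine or code from the review) indexes a protected document as a set of hashed word shingles and scores a candidate two ways: containment, the fraction of the protected document that appears in the candidate, and coverage, the fraction of the candidate that comes from the protected document. The protected document and the messages are constructed text; the shingle size and the thresholds are choices made for the example, not settings taken from the product.

```python
import hashlib
import re

# Constructed protected document: three paragraphs of made-up business text.
P1 = "Project Falcon pricing model for the third quarter remains confidential until the board meeting."
P2 = "The wholesale rate card will move to a tiered structure with three volume bands and a loyalty rebate."
P3 = "Regional managers must not share the revised commission schedule with channel partners before launch."
PROTECTED_DOC = "\n".join([P1, P2, P3])


def shingles(text, k=4):
    """Hashed k-word shingles of a document.

    Hashing the shingles rather than keeping the text is a design choice of
    this example: the index then describes the document without containing it.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha1(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(len(words) - k + 1, 0))
    }


def match_document(text, protected, k=4, whole_threshold=0.8,
                   excerpt_threshold=0.9, min_shingles=5):
    """Score a candidate against one protected document's shingle set.

    containment: share of the protected document present in the candidate.
    coverage:    share of the candidate that is protected text.
    Containment alone misses excerpts; coverage catches a fragment that is
    almost entirely lifted from the protected document.
    """
    cand = shingles(text, k)
    shared = cand & protected
    containment = len(shared) / len(protected) if protected else 0.0
    coverage = len(shared) / len(cand) if cand else 0.0
    if containment >= whole_threshold:
        verdict = "whole document"
    elif coverage >= excerpt_threshold and len(cand) >= min_shingles:
        verdict = "excerpt"
    else:
        verdict = "clean"
    return {"containment": round(containment, 3),
            "coverage": round(coverage, 3),
            "verdict": verdict}


PROTECTED = shingles(PROTECTED_DOC)

# Constructed candidates: paragraphs reordered, one paragraph on its own,
# and an unrelated message.
REARRANGED = "\n".join([P3, P1, P2])
EXCERPT = P2
UNRELATED = "Reminder: the quarterly all hands meeting moves to Thursday at ten in the large conference room."

if __name__ == "__main__":
    for label, text in (("rearranged", REARRANGED), ("excerpt", EXCERPT), ("unrelated", UNRELATED)):
        print(label, match_document(text, PROTECTED))
```

Reordering paragraphs only loses the few shingles that straddle paragraph boundaries, so containment stays high and the document is recognized. A single paragraph contains well under half of the protected shingles, which is why detection of partial transmissions is harder; scoring coverage as well recovers it, because every shingle of the excerpt is protected text. Raising the minimum shingle count is the lever that keeps a quoted sentence or two from being flagged.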
We were able to access Vontu 6.0 from a Mozilla Firefox browser, but we could manage the administrator interface only when we accessed the product from Microsoft's Internet Explorer browser. This was disappointing because we often use Firefox's tabbed browsing capabilities to access a variety of management tools in our network.
Vontu 6.0 must be able to see network traffic and be integrated with compatible Web proxy and e-mail gateways to fully protect data. Aside from the practical task of making room for one more monitoring port on our Cisco Catalyst switch, we also had to ensure that the Vontu 6.0 installation integrated correctly with our test network.
While Vontu 6.0 supports some of the biggest names in Web proxies and secure e-mail gateways, the list of vendors is still rather short: Cisco, Blue Coat, Guidance, IronPort, PGP and Symantec.
Evaluation Shortlist: Related Products
Reconnex's iController Uses “document biometrics” to identify protected data (www.reconnex.net)
Tablus Content Sentinel Includes encryption, in addition to other monitoring and blocking techniques (www.tablus.com)
Vericept's Content 360° Uses an “intelligent content control engine” to analyze Internet-based communication (www.vericept.com)
Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.