Monday, February 04, 2008

Agent versus no agent: what is the right answer?

When looking at DLP, as well as other security products such as patch management, anti-virus and the like, the question comes up: is an agent on the endpoint the answer?

It is neither yes nor no. Agents have two main problems: reach and failure rate. For reach, you have to push the agent out via a systems management solution, a GPO, a script, or distribution through a portal. Getting to 100% reach in a large organization usually becomes either too expensive or outright impossible if the network is segmented into areas under different management, such as lab versus production. And however the agent is pushed, some installations fail and some agents later stop running, so coverage has to be measured from health data rather than assumed from the deployment.

The right answer is a mix: agents on high-risk desktops, laptops and mobile devices; applications or appliances on email servers and on data center servers such as repository systems, line-of-business applications and databases; and applications/appliances at network ingress/egress points. It is also important to note that if you need to transport sensitive information between organizations, contractual obligations must be put in place and met between the organizations.

There are several good ways to deploy agents. One is Group Policy Software Installation (GPSI); another is System Center, Tivoli or another agent management system. You could also use a portal, such that when a user goes to a line-of-business portal to retrieve sensitive information, they have to download and install an agent before they are allowed access to it. The benefit of an agent management system is of course the breadth of information these systems provide: installation metrics, health metrics, reach and so on.

In my opinion, the perfect agent would be installed seamlessly via an agent management system and would control what the user can do with the information without impeding productivity. So, for example, blocking USB might not be the answer if the user has a genuine need to transport information on a USB key. A better approach would be: if information goes onto a USB key, is it sensitive, and is it protected? If the information is sensitive and not protected, the solution should interact with the user and make it easy to do the right thing. The same goes for email and any other channel where the user may divulge sensitive information. For file transfers, a transfer would be approved or disapproved based on the content's sensitivity and where it is going, and protected appropriately.
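As an added illustration (not code from the original post or from any DLP product), here is a small policy engine in Python that applies the rule just described: classify the content, look at the channel and destination, and then allow, require protection, or block. The detectors, the trusted-destination lists and the sample transfers are constructed assumptions for the example; a real agent would use far richer classifiers and pull destinations from central policy.

```python
"""Toy DLP egress policy: classify content, then decide by channel and destination.

Added example, not from the original post or any product. Detectors, trusted
destinations and sample transfers are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"      # no sensitive content, or sensitive and already protected
    PROTECT = "protect"  # sensitive but unprotected: prompt the user to encrypt or rights-protect
    BLOCK = "block"      # sensitive and the destination is not permitted by policy


# Constructed detectors (assumption: a real DLP agent ships far richer classifiers).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers, validated by Luhn below
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b")

# Constructed policy data (assumption): partner.example stands for a partner with a contract in place.
TRUSTED_EMAIL_DOMAINS = {"corp.example", "partner.example"}
TRUSTED_TRANSFER_HOSTS = {"sftp.partner.example", "files.corp.example"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return sorted labels for sensitive content found in text (empty list if none)."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    if MARKING_RE.search(text):
        hits.add("marked-confidential")
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("pan")
            break
    return sorted(hits)


@dataclass
class Transfer:
    content: str
    channel: str       # "usb", "email" or "file-transfer"
    destination: str   # drive letter, recipient address or target host
    protected: bool    # already encrypted or rights-managed


def decide(t: Transfer) -> tuple[Action, str]:
    """Allow, require protection, or block; unknown channels are denied by default."""
    hits = classify(t.content)
    if not hits:
        return Action.ALLOW, "no sensitive content detected"
    found = ",".join(hits)

    if t.channel == "usb":
        # Removable media is allowed for a genuine need, but only once protection is applied.
        if t.protected:
            return Action.ALLOW, f"{found} to removable media, already protected"
        return Action.PROTECT, f"{found} to removable media must be encrypted first"

    if t.channel == "email":
        domain = t.destination.rsplit("@", 1)[-1].lower()
        trusted = domain in TRUSTED_EMAIL_DOMAINS
    elif t.channel == "file-transfer":
        trusted = t.destination.lower() in TRUSTED_TRANSFER_HOSTS
    else:
        return Action.BLOCK, f"unknown channel {t.channel!r}"

    if not trusted:
        return Action.BLOCK, f"{found} to untrusted destination {t.destination}"
    if t.protected:
        return Action.ALLOW, f"{found} to trusted destination, already protected"
    return Action.PROTECT, f"{found} to trusted destination must be protected first"


if __name__ == "__main__":
    # Constructed sample transfers.
    samples = [
        Transfer("Customer SSN 123-45-6789 attached", "usb", "E:", protected=False),
        Transfer("Customer SSN 123-45-6789 attached", "usb", "E:", protected=True),
        Transfer("Card 4111 1111 1111 1111 exp 12/09", "email", "bob@webmail.example", protected=False),
        Transfer("Card 4111 1111 1111 1112 exp 12/09", "email", "bob@webmail.example", protected=False),
        Transfer("CONFIDENTIAL roadmap", "file-transfer", "sftp.partner.example", protected=False),
    ]
    for s in samples:
        action, why = decide(s)
        print(f"{action.value:8} {s.channel:14} {s.destination:22} {why}")
```

Two design points worth noting: the PROTECT outcome is what makes the policy usable, since it lets the user keep working while the agent applies encryption or rights management instead of simply refusing; and the decision falls through to BLOCK for any channel the policy does not know, so a new egress path is never silently allowed.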
