Sunday, August 26, 2007

Are you using a security product to manage or block the storage of confidential data on endpoint devices (USB drives, CD burners, etc.)?

“Hi ....,

Your question is in multiple layers. As you have underlined, the options are:

1- Solutions that block endpoint ports (USB drives, CD, media bays, etc.)
2- Solutions that can encrypt removable media
3- Solutions that can enforce policies on endpoint ports
4- Solutions that can tag data as internal only

For questions 1-3, the endpoint security vendors can provide answers for most of the requirements. You are probably familiar with the solutions, but you can crosscheck SafeBoot, Utimaco, Pointsec (Check Point), PGP, Promisec, Centennial, Fiberlink, Safend, SecureWave and Smartline.

If you want to tag data, I would recommend the DRM tools. Active DRM deployment for critical data will confine your data to internal systems. In theory, tagged data will be useless on USB or CD when the DRM system is not present. (I haven’t deployed a large-scale DRM system so far.)

We have deployed PGP and PointSec in several locations (more than 1000s on some occasions) as a part of disk encryption initiatives.

My personal belief is to minimize the total number of security clients on endpoints; endpoints are not like enterprise security systems where we can deploy 10 different tools. Patch Management, Firewall, IPS, VPN Client, Application Control, Backup, Web Filtering, AV, Encryption, Port control, the list goes on. This (multiple clients) is the biggest reason for a "no go" for an endpoint security solution. Other problems I have seen are lack of understanding of application deployment on endpoints, compatibility with specific operating systems, and integration with other central management tools.

I would check clientless solutions through policy control for USB and CD based device control. Promisec is an interesting approach... Or I would go with a single vendor that can answer many endpoint needs.

If you have a specific question, let me know,

regards,
- yinal ozkan”
