DeviceLock provides network administrators the ability to set and enforce contextual policies for how, when, where to, and by whom data can or can’t be moved to or from company laptops or desktop PCs via devices like phones, digital cameras, USB sticks, CD/DVD-R, tablets, printers or MP3 players. In addition, policies can be set and enforced for copy operations via the Windows Clipboard, as well as screenshot operations on the endpoint computer.
NetworkLock adds contextual-level control of user network communications via the Internet through such means as: company email, personal webmail, instant messaging services, social networks (like Facebook, Google+, Twitter), web surfing, FTP file transfers, as well as cloud-based file sharing services like Dropbox, SkyDrive and Google Drive.
ContentLock adds the capability to look inside files and other data objects (like emails and webmails, chats, blog posts, etc.) for sensitive information like social security numbers, credit card numbers, bank account numbers or other user-definable information and to make block-or-allow decisions based on policies having to do with file contents.
Discovery is a separately licensed component, which helps network administrators and security personnel locating certain types of content stored within and outside the limits of the corporate network. Discovering unwanted content is essential when trying to protect the company’s intellectual property, control employee activities and administer computer networks.
Search Server is an optional separately licensed component, which provides full-text searching of logged data. The full-text search functionality is especially useful in situations when you need to search for shadow copies of documents based on their contents.
The combination of all of these modules working together is the DeviceLock DLP Suite. The DLP Suite provides protection against local and network data leaks at the endpoint (laptop, desktop or server) via a wide array of threat vectors.
These include: iPhones, Androids, BlackBerry, other smart-phones, iPods, iPads, digital cameras, Wi-Fi, Bluetooth, FireWire, social media, IM, webmail, company email, printing, CD or DVD ROM, USB flash drives, Compact Flash, FTP/FTPS, HTTP/HTTPS and the clipboard.
Natively integrated with Microsoft Active Directory Group Policy, the DeviceLock DLP Suite is very easy and straight-forward to install and configure. Typical installations are handled by Microsoft Network Administrators and do not require expensive, specially trained resources.
The other great customer benefit of DeviceLock’s tight integration with Active Directory is that it gives the solution virtually limitless scalability. The DeviceLock DLP Suite can effortlessly run on every endpoint listed in your Active Directory database … even if there are tens of thousands.
The DeviceLock® DLP Suite provides both contextual and content-based control for maximum data leak prevention at minimum upfront and total cost of ownership. Its multi-layered inspection and interception engine provides fine-grained control over a full range of data leakage pathways at the context level. For further confidence that no sensitive data is escaping, content analysis and filtering can be applied to endpoint data exchanges with removable media and PnP devices, as well as with the network. With DeviceLock, security administrators can precisely match user rights to job function with regard to transferring, receiving and storing data on corporate computers. The resulting secure computing environment allows all legitimate users’ actions to proceed unimpeded while blocking any inadvertent or deliberate attempts to perform operations outside of preset bounds.
The DeviceLock DLP Suite is comprised of a modular set of complementary functional components that can be licensed separately or in any combination that suits current security requirements.
The DeviceLock component includes an entire set of context controls together with event logging and data shadowing for all local data channels on protected computers including peripheral devices and ports, clipboard, connected smartphones/PDA’s, and document printing. DeviceLock also provides the core platform for all other functional modules of the product suite and includes its central management and administration components.
IMPORTANT: Customers MUST purchase a DeviceLock license in order to run either of the other modules: NetworkLock and/or ContentLock. All three products are distributed as a single integrated code-base with NetworkLock and ContentLock activated as separate ADD-ON licenses. The DeviceLock DLP Suite is the combined offering of all three modules licensed together for full endpoint DLP protection.
The NetworkLock™ component performs all context control functions over endpoint network communications including port-independent protocol/application detection and selective control, message and session reconstruction with file, data, and parameter extraction, as well as event logging and data shadowing. (”Data Shadowing” is making an archival copy of the file in question in its current state at the time of the transfer or attempted transfer. This copy can later be used for forensic or litigation purposes to prove what was in the file at the time of the incident in question.)
The ContentLock™ component implements content monitoring and filtering of files transferred to and from removable media and Plug-n-Play devices, as well as of various data objects of network communications reconstructed and passed to it by NetworkLock™ – like emails, instant messages, web forms, files, social media exchanges, and telnet sessions. ContentLock can inspect both the body of emails and other communications as well as the content of file attachments -- even if those attachments happen to be encrypted and/or Zipped.
DeviceLock® Discovery is a separately licensed component. It designed to scan users’ workstations and storage systems located inside and outside the company’s corporate network, looking for certain types of content according to pre-defined rules. Administrators can assign rules specifying which content is not allowed on the corporate network.
DeviceLock® Search Server (DLSS) is another separately licensed component. It performs full-text search in the central shadowing and event log database. DLSS is aimed at making the labor-intensive processes of information security compliance auditing, incident investigations, and forensic analysis more precise, convenient and time-efficient.
For enterprises standardized on software and hardware-based encryption solutions, DeviceLock® allows administrators to centrally define and remotely control the encryption policies their employees must follow when using removable devices for storing and retrieving corporate data. For example, certain employees or their groups can be allowed to write-to and read-from only specifically encrypted USB flash drives, while other users of the corporate network can be permitted to "read-only" from non-encrypted removable storage devices but not write to them. DeviceLock® provides a level of precision control over devices and network resources unavailable via Windows Group Policy - and it does so with an interface that is seamlessly integrated into the Windows Group Policy Editor. As such, it’s easier to implement and manage across a large number of workstations and can scale massively. In fact, some current DeviceLock customers have deployed on over 80,000 endpoints without any scalability or performance issues.