Sanctuary Suite 4.1.3 promises to protect users against data loss and malware by giving IT departments control over which hardware devices and applications are allowed. IT can enforce polices against removable media, such as flash drives, and prevent the use of unwanted applications that might be conduits for malware.
The best antivirus software, patch management systems, and firewalls can't protect corporate assets from end users with unrestricted control of their computers. USB drives and high-capacity iPods mean users can not only spirit away huge amounts of sensitive information, they can install unauthorized apps that could open channels for data to sneak out -- or malware to creep in.
PatchLink is one of a few companies offering simple, flexible means to control and monitor application execution and removable media and devices on Windows computers. However, administrators must be vigilant in staying abreast of new application updates lest Sanctuary disrupt user productivity.
Most companies have policies regulating copying of corporate data and forbidding installation of unauthorized software. But a policy without an enforcement mechanism is only marginally better than posting a memo on the lunchroom wall.
If you're serious about endpoint security, take a look at PatchLink's Sanctuary Suite. We tested the 4.1.3 version in our Syracuse University InformationWeek Labs and found its application- and device-control features essential to helping IT departments put teeth behind corporate policies.
Using Sanctuary, IT can create whitelists of approved applications; software not on the lists simply won't execute. It also enforces policies around the use of removable media and connectivity options, including wireless LANs and Bluetooth.
On the downside, Sanctuary will cause administrative headaches: Some employees will clamor for exceptions, leading to a multitude of policies to manage, and any application whitelist requires constant vigilance to include the latest versions of mission-critical apps and browser plug-ins. But given today's regulatory climate and the never-ending hit parade of malware that people bring into the business environment, we say, pop a few Advil and get over it.
PatchLink is competing in this space with Bit9's Parity, which uses both blacklists and whitelists to define applications that can run on managed PCs. Its device-control feature can enable or disable the use of removable media and log data being copied to portable storage systems. Data-leak prevention vendors also are releasing client software that includes device control. Code Green Networks, for example, offers a client that can prevent sensitive files from being reproduced, and Vontu's Vontu 7 alerts administrators if restricted data is copied to removable media.