3

We have a client who's requiring that we implement data loss prevention on workstations that are accessing their project's data. If Alice attaches removable media (USB, FireWire, CD, DVD) to her computer, we need an audit report that she copied files X, Y, Z to/from media. We have a 100% Mac user base.

I've looked at endpoint protector products from CoSoSys and Sophos, but neither supports removable media control on the Mac. I'm looking at McAfee right now, but their product literature is making my head spin.

Can anybody recommend a product to do this? Or are we looking at building something from scratch?

Thanks in advance...

3 Answers

1

Hmm.. Are you sure CoSoSys doesn't support removable media control on the Mac? It completely seems like they do: http://www.cososys.com/software/device_management_for_Mac_OS_X.html:

Device Management for Mac OS X

  • Centralized Device Management / Device Whitelist
    • For Mac OS X the use of USB storage devices, FireWire devices and CD/DVD is controlled.
  • Support for Mac OS X and Windows (XP, Vista, 7)
  • File Tracing - Control your Data Flow (for Endpoint Protector)
  • Offline Temporary Password
  • Enforcement of your Device use Policy
  • Reporting and Analysis
    • My Endpoint Protector offers powerful reporting and analysis tools that let you analyse all activity (e.g. devices connected, files transferred, etc.) at the endpoint.


What is it missing from your requirements?

l0c0b0x
  • 12,187
1

I'm Anca from Endpoint Protector Community. I think that we have what you are looking for. It is a new product called Endpoint Protector Appliance, which has the Audit Trail feature available for Mac together with File Tracing and File Shadowing. You can check our product here: http://www.endpointprotector.com/en/index.php/products/endpoint_protector_appliance If you have any questions or you need more information, please let me know.

Anca
  • 11
0

If you find a working solution, there is still another problem I am not sure you can avoid on a Mac: there is always the possibility to mount the physical disk to another computer read-only and copy the data this way, thus leaving no trails at all. You can easily prevent the easiest way of doing this by locking target mode in EFI, but beyond that you will need at least a seal to detect that something has been tampered with. The only protection from this would be an encryption that is tied to the hardware (AFAIK you can get that for some PCs) or would work in conjunction with your monitoring software.

Sven
  • 100,763