Sophos Endpoint Security and Data Protection 9.7 review
ESDP’s device control isn’t a patch on DeviceLock, as it can only control access to floppy, optical and USB removable storage, plus wireless, Bluetooth and modems. However, you can passively monitor and log usage, block access entirely, or allow read-only or full access. With a policy set to block all usage, we inserted USB sticks on some of our endpoints, and received pop-up warnings advising us that access wasn’t permitted.
Data control policies allow you to apply file-matching rules to stop files being copied or emailed. File contents can be checked for keywords, phrases and patterns. Sophos provides a huge predefined list that includes types required for compliance with HIPAA, PCI DSS and PII standards.
We tested these policies using a number of documents, some including banned words and some without. The latter were let through but, when we tried emailing or copying those with content that matched a policy, they were blocked.
Although an entry in the ESDP console is provided for NAC, all you can do is list its policies, as configuration is handled by a separate console. NAC policies combine profiles which look for specific software on endpoints before allowing them access.
Profiles include checks for OSes, patches and service packs, along with the ESDP antivirus and firewall components. Policies can also use remediation services, which send users to the location of the necessary software.
Last up is the SafeGuard encryption utility, which is separate to ESDP. It provides tools to automate full disk encryption on endpoints with sensitive data, but uses a separate server component to handle key management and encryption policies, and needs yet more agents installed on endpoints that must be run manually.
All in all, SMBs will find the main ESDP suite easy to deploy, fairly simple to manage and capable of providing an extensive range of workstation security features. However, although the NAC and SafeGuard components add a lot of value, they can only be managed and configured from separate, standalone consoles – it’s worth bearing in mind the increased support burden that brings.
Software subcategory: Internet security