We start our Rolling Review of data loss prevention products with Safend Protector Endpoint, the lone entry in our DLP mix whose primary emphasis is endpoint security. The other players have strong DLP capabilities at both the network level and the endpoint, but we wanted to include a company that operates exclusively in the endpoint market because not all IT shops want, or can afford, a soup-to-nuts system from the likes of RSA, Websense, or Symantec.

Regardless of how large or complex your organization is, battling data loss threats must start with an emphasis on the endpoint. Safend estimates that 60% of corporate data resides on endpoints, and that's where Safend Protector Endpoint aims its DLP resources.

We test endpoint security systems on many challenges, including how easy each product is to deploy and manage; how well it alerts, reports, and mitigates policy violations; and how robust its protection mechanisms are from a physical, file, and application standpoint. Safend Protector delivers on most accounts, but not all.

We appreciate the ease and speed with which we deployed the Protector Management Server. Companies can deploy the central policy server via any Microsoft Windows 2003 server, but Safend recommends more robust server back-ending to an external SQL database for more than 1,000 users.

The Protector client and policy definitions can be deployed via login script or any software-distribution mechanism, and policy updates between client and server can be scheduled via Windows management interface. Tight integration with Active Directory allowed us to easily deploy multiple policy definitions to different user communities based on Organization Unit membership. Even better, Protector Management Server is free with the purchase of client licenses.

Safend's Protector client puts solid defense around physical port, device, storage, file, and Wi-Fi security, and passed our physical port security test with flying colors. By selecting Allow, Block, or Restrict within the policy manager, IT can control access to every type of physical port or storage device imaginable on a given system. USB, FireWire, serial/parallel, PCMCIA, Bluetooth, IrDA, SD cards, modem, floppy/CD/tape -- you name it, Protector can lock it down. IT policy makers also can define which types of devices, for example, are allowed to plug in to a USB port, such as a printer, a thumb drive, or a smartphone.

If you want to ensure that your employees are using approved USB thumb drives issued by IT only, you can lock down policy to include only the serial numbers of approved USB thumb drives. Furthermore, you can force encryption of data copied to the thumb drive, and prevent users from accessing the data on that thumb drive from a non-company PC.

Safend's file protection gives IT teams the ability to apply policy based on the type of file being accessed, such as a Microsoft Office file, a database, a Web page, or an image, among other formats. Policy options include allowing access to a certain file type, blocking it, or allowing and shadowing its use to aid in collecting forensic evidence on how the file is used and transported. By configuring logging and alerting appropriately, the administrator can get a heads-up on potential data leaks before they become a bigger problem.

Our only knock on Safend's file protection is that we couldn't create custom file definitions within the broadly defined "MS Office" file type -- or any other type, for that matter. As a result, we had to treat Excel spreadsheets with the same policy set as a Word document, which in some environments might represent a lower-priority leakage target.

In addition, we'd like to see some functionality to proactively search file contents for items that might raise a red flag, such as a spreadsheet that contains credit card or Social Security data, and enforce encryption or take another type of action based on that detection.