Selection Guide for Domestic Data Leakage Prevention Products
At present, the influential data leakage prevention products in China fall mainly into four categories: secure containers (SDC sandbox), DLP, document encryption and cloud desktops. Their advantages and disadvantages are compared objectively below:
| Compared aspect | Secure container (SDC sandbox) | DLP | Document encryption | Cloud desktop |
|---|---|---|---|---|
| Representative vendors | *Cinda | McAfee, Symantec | Yi*tong, IP-guard, *Dun, *Tu | Four outstanding, Sangfor |
| Design concept | Built on isolation-container and access-control technology: a data security environment that lets data in but not out, where leaving requires approval. All data inside the environment is treated alike and protected regardless of file format. | Built on content identification and analysis: files leaving via email, USB copy, etc. are inspected, usually by searching for sensitive keywords, to decide the security policy and then log or block. | Built on transparent file encryption and decryption: files of the specified formats are transparently encrypted and decrypted within the environment. | No data is kept locally; all working data stays on the server. |
| Implementation | Disk, volume, file, device and network filter drivers build a kernel-level defense-in-depth container environment in which data is transparently encrypted and decrypted; data can enter the environment but not leave it. | Centred on the client engine: internal documents are first scanned, identified and classified, then common channels such as email and USB drives are analysed; if sensitive content is found leaving, it is blocked or an alert is raised. | A file filter driver transparently encrypts and decrypts reads and writes of the specified formats by the specified processes. | Several working environments are virtualised on the server side and users log in remotely. |
| Basic protection (email, USB drive, network drive, network) | Nothing inside the secure working environment can be released; release requires approval and declassification. External data can come in freely. | Inspects the content of incoming and outgoing files and intercepts or alerts on sensitive content and files. | Files can be sent out freely without restriction, but encrypted files of the specified formats are unreadable ciphertext outside. | Security comes from physical disconnection and isolation: there are no local files. Once email, USB or the network is opened up, there is no control. |
| Virtual machine protection | A VMware virtual machine can run inside the container and follows the container's security rules. | A virtual machine bypasses the client engine, and data files can be forwarded through it. | Operations inside the virtual machine cannot be controlled, but encrypted files leave the virtual machine as ciphertext. | Is itself a virtual machine. |
| WinPE boot disk | Booting from a WinPE disk shows the data in the container as encrypted. | Booting from a WinPE disk allows data to be copied freely, bypassing the DLP engine. | Booting from a WinPE disk shows encrypted files of the specified formats still encrypted. | Does not support booting from a WinPE disk. |
| Killing the process with tools | If the sandbox process is killed with a tool, all drivers keep working; the container shrinks into a defensive state and control remains effective. | If the DLP engine is killed, control is lost and all data can move in and out freely. | If the process is killed, the file filter driver remains and encryption stays in effect. | No process to kill. |
| Data transformation (basic) | Saving in a converted format, compressing and renaming all happen inside the container; still effectively controlled. | Saving in a converted format, compressing and renaming, and especially encrypted compression, can bypass the engine's inspection. | Can be bypassed by saving in a converted format, compressing and renaming. | All data is on the server, but the network and peripherals cannot be used. |
| Data transformation (advanced) | Spawning a new process programmatically to write data out via printing, logs, socket communication, pipes, shared memory, etc. cannot leak it; turning the code into a web page and publishing it through IIS or Tomcat cannot get it out of the container either, so it cannot leak. | Spawning a new process programmatically to write data out via encrypted output, logs, socket communication, pipes, shared memory, web pages, etc. easily bypasses the DLP engine. | Spawning a new process programmatically to write data out via printing, logs, socket communication, pipes, shared memory, etc. can leak it; turning the code into a web page and publishing it through IIS or Tomcat can leak it. | All data is on the server, but the network and peripherals cannot be opened up; they have to be managed separately. |
| Non-file data | Can control non-file data and form reports in CRM and ERP systems inside the environment. | Non-file data and form reports in CRM and ERP systems can be controlled. | Non-file data and form reports in CRM and ERP systems cannot be controlled, but file attachments can be encrypted. | All data is on the server, but the network and peripherals cannot be used. |
| Large files / heavy software | No effect. | Difficult to analyse. | Some probability of corrupting large files; compilers are prone to errors. | Slow; UG and similar 3D simulation software is out of the question. |
| Smart ports (USB / network / serial / parallel) | Protocol analysis on the smart port controls device access and audits the content of data downloaded or burned. | Can only be disabled; no control once allowed. | No control; only supported encrypted-format files are downloaded, without decryption. | Can only be disabled; once enabled there is no control. |
| Supported OS | Windows / Linux / NeoKylin | Windows (Linux unknown) | Windows; some vendors support Linux | Windows / Linux / NeoKylin |
| Advantages | Covers all data regardless of format and file size; suitable for code developers. | Easy to deploy; matches the practices of foreign companies. | Simple and clear; easy for customers to understand. | Easy to operate and maintain; looks very secure and impressive. |
| Shortcomings | Not flexible enough; laborious to deploy. | Slow; too dependent on the client engine; easy to bypass. | A single technique; difficult to operate and maintain; software upgrades are a nightmare. | High cost, poor effect, low performance. |
| Applicable customers | Code R&D enterprises; also hardening and encryption of the R&D output products. | Foreign-funded enterprises, large enterprises. | Office enterprises (documents, drawings). | Large enterprises, wealthy clients, closed environments. |
| Recommendation | Only for R&D enterprises. | Large enterprises with low security requirements. | Recommended for small and medium-sized office and design enterprises. | Recommended to embed the SDC sandbox's smart-port control; then it would be complete. |
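As an added illustration of the "Data transformation (basic)" and "Basic protection" rows for the DLP column (this is example code written here, not code from the page or from any vendor): a keyword scanner that decides by file extension is placed beside one that decides by the file's bytes, recurses into ZIP archives whatever they are named, and fails closed on encrypted members it cannot read. The policy keyword and the sample files are constructed.

```python
import io
import re
import zipfile

# Constructed policy: a pattern the hypothetical DLP rule set classes as sensitive.
SENSITIVE = re.compile(rb"PROJECT[- ]X|\bCONFIDENTIAL\b")

def naive_verdict(name: str, data: bytes) -> str:
    """Extension-driven inspection: only files the policy lists as 'documents' are scanned."""
    if name.lower().endswith((".txt", ".doc", ".csv")):
        return "BLOCK" if SENSITIVE.search(data) else "ALLOW"
    return "ALLOW"  # anything else (images, renamed files) is waved through

def content_verdict(data: bytes, depth: int = 0) -> str:
    """Type-sniffing inspection: decide by bytes, not by name, and recurse into archives."""
    if depth > 4:
        return "BLOCK"  # refuse to guess on deeply nested archives
    if data[:4] == b"PK\x03\x04":  # ZIP local-header magic, whatever the extension says
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # member is encrypted: cannot inspect, fail closed
                        return "BLOCK"
                    if content_verdict(zf.read(info), depth + 1) == "BLOCK":
                        return "BLOCK"
        except (zipfile.BadZipFile, OSError, ValueError):
            return "BLOCK"  # corrupt or unreadable container: fail closed
        return "ALLOW"
    return "BLOCK" if SENSITIVE.search(data) else "ALLOW"

def build_samples() -> dict:
    """Constructed sample files: the same document plain, renamed, and zipped under a false name."""
    doc = b"Q3 roadmap for PROJECT-X, CONFIDENTIAL, do not distribute\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday.jpg", doc)  # renamed member inside the archive
    return {
        "roadmap.txt": doc,
        "holiday.jpg": doc,  # same bytes, renamed to look like an image
        "photos.bin": buf.getvalue(),  # archive saved under an unrelated extension
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # benign
    }

def compare() -> dict:
    """Map each sample name to (naive verdict, content-sniffing verdict)."""
    return {name: (naive_verdict(name, data), content_verdict(data))
            for name, data in build_samples().items()}

if __name__ == "__main__":
    for name, (naive, sniffed) in compare().items():
        print(f"{name:12s} naive={naive:5s} content={sniffed}")
```

Only the first sample is caught by the extension-driven scanner; the content-driven one catches the renamed copy and the archive as well, which is the gap the table attributes to engine-based DLP.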