Defending Sensitive Data on macOS with Endpoint Protector
In the last decade, Macs have gradually made their way into the workplace. Long the computer of choice in specialized fields such as design and media, their numbers rose with the implementation of Bring-Your-Own-Device (BYOD) and Choose-Your-Own-Device (CYOD) policies that allowed employees to decide on the type of device they work on.
With its solid Unix-based architecture, native encryption options and recent transition of extensions from the kernel to a controlled user-space, macOS has never been more secure. At the same time, Macs’ mounting popularity in the work environment, especially among C-level executives, has made them an attractive target for malicious outsiders. And while Macs might be more secure against brute force attacks and viruses, they are just as vulnerable as machines running on other operating systems to human error, which can take the form of both negligent practices and employees targeted through phishing and social engineering attacks.
The protection of sensitive data is now mandatory under legislation around the globe from the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to Brazil’s Lei Geral de Proteção de Dados (LGPD) and Japan’s Act on the Protection of Personal Information (APPI). This means that companies must be compliant with data protection requirements that are not OS-specific and be able to prove it to Data Protection Authorities.
Most of these issues cannot be solved through conventional cybersecurity tools such as antiviruses and firewalls that offer device-level protection. Data Loss Prevention (DLP) solutions that specifically address the security of sensitive information have thus emerged as an essential part of data protection efforts.
From the very beginning, at Endpoint Protector, we saw the potential of Macs in the enterprise and anticipated the rise of their adoption in offices across the world. We therefore developed Endpoint Protector as a cross-platform solution that offers feature parity for Windows, macOS and Linux. This means that, regardless of the operating system a device is running on, computers will have the same level of protection and features. As one of the first DLP tools for macOS on the market, Endpoint Protector fast became the solution of choice for companies running multi-operating-system networks.
Zero-day support and KEXTless agent
Endpoint Protector has shown its tireless commitment to macOS over the last 16 years, offering zero-day support ahead of the release of all the operating system’s major new updates. This means that companies can confidently allow employees to deploy the latest macOS versions as Endpoint Protector will already be compatible with them and thus data protection will continue as normal without its security being compromised.
After Apple announced its intention of deprecating kernel extensions in favor of more secure system extensions, Endpoint Protector was one of the first DLP vendors to release an agent that doesn’t use a kernel extension. The new KEXTless agent, built on Apple’s new Endpoint Security Framework, was ready for use before the release of macOS Big Sur. At the same time, Endpoint Protector’s legacy client, which is notarized under the Apple notarization requirement, will continue to work for older versions of the operating system from macOS 10.8 to macOS 10.15.
Data visibility and protection
To build effective data protection strategies, data visibility is crucial. Companies must know what sensitive data they collect, where it is being stored and how it is being used. Endpoint Protector offers organizations the possibility to monitor all sensitive data on Macs as it travels in and out of the company network. By logging the movement of every file containing sensitive information, organizations can discover weak points in their security practices and learn how to train employees more effectively by using everyday examples.
Endpoint Protector does not only monitor and log the movements of sensitive data, but also offers the possibility to address policy violations automatically. Sensitive data transfers can be blocked completely or allowed only through approved channels such as company email addresses and in-house software solutions.
Sensitive data control does not stop at transfers over the internet. Through tools such as Endpoint Protector’s powerful PII Scanner, companies can search over 100 file types on Macs for sensitive data across company networks and take remediation actions such as deleting or encrypting files when they are found on unauthorized computers.
Flexibility is key for a data protection strategy that is effective without compromising employees’ productivity. Endpoint Protector allows companies to apply its policies to different groups, departments, individuals and devices, based on their level of access to sensitive data on a daily basis or any other relevant criteria. Organizations can also customize their data protection settings through whitelists and blacklists. They can choose to only monitor and log activities related to sensitive data, or to block its movement completely or partially.
Endpoint Protector comes with a large database of predefined policies for the most common types of sensitive data such as personally identifiable information, but also policies tailored to support compliance efforts with data protection legislation such as GDPR, GLBA, HIPAA, etc.
Removable device control and encryption
Removable devices are another easy pathway for data loss and device infection. USBs, in particular, have long been a blind spot of data protection strategies as they are easy to conceal, steal and lose. Endpoint Protector offers the possibility to monitor and control Macs’ USB and peripheral ports, limiting their use to trusted devices or blocking their use altogether.
Another useful feature is Enforced Encryption for macOS, which allows companies to deploy an encryption solution automatically to any trusted USB storage device connected to an endpoint. Any files copied onto the USBs will then be encrypted with government-approved 256-bit AES CBC-mode encryption, limiting access to the device to individuals who have the password. To make it even more secure, an expiration date can be set for a password and the number of times someone can enter it can be limited. Passwords can also be reset remotely.
Endpoint Protector has become the most trusted DLP solution for macOS on the market due to its commitment to evolving its products at the same level across all operating systems it supports. And, through its dedicated macOS team, it ensures compatibility at all times, continually protecting data every time there is an upgrade or new developments in Apple’s operating system.