Clearswift Content Inspection Engine (SDK)

Upload: dci-ag

Post on 12-Mar-2016


Information – the new currency

Information is the new currency. The beating heart of any organisation, it’s potentially one of your greatest assets, but it’s also your biggest risk. Data leaks, malicious or accidental, can do untold damage to your organisation and its reputation, so it’s absolutely vital that your information, and its use, is managed.

Because of the sheer volume and dynamism of today’s corporate data, applications must be ‘content aware’. Only if you understand your content can you make informed decisions with your data.

To avoid the potentially serious implications of breaching regulations, you must start inspecting the information you create and share. Your content needs to be reviewed dynamically, in real time. Which is where deep content inspection technology comes in.

Clearswift products have, for many years, provided mission-critical content filtering for thousands of customers worldwide; the content inspection engine at the heart of these products has a proven track record of secure, robust, high-performance deep content inspection. With the advent of the Clearswift Content Inspection Engine Software Development Kit (SDK), third parties can now embed this technology into their own applications.

As an application vendor, the requirement to make your application more content-aware may seem like a massive task; the beauty of the Clearswift Content Inspection Engine (SDK) is that it’s all been done for you. The SDK enables developers to add powerful content inspection features to their applications and services. Using the feature-rich yet simple-to-use API, an application can define the rules that comprise its acceptable content policy. It then determines which rules, if any, are violated by particular files or other items of data.

Possible use-cases include:

• Enforce data usage policy

• Ensure regulatory compliance

• Prevent data leakage

• Detect inappropriate communications, such as slanderous tweets or offensive comments

• Prevent reputational damage

• Detect sensitive or classified information

• Avoid accidental disclosures

SDK details

• Interfaces in C, C++ and Java

• Client-Server architecture

• x32 and x64

• Windows Server (2003/2008)

• Red Hat Enterprise Linux (5/6)

• BAE STOP OS

• Code samples and documentation

Recognise, understand and process

Clearswift’s Content Inspection Engine (SDK) recognises over 150 different file or data format types. It uses strong signature and data parsing techniques that ignore unreliable external indicators like file extensions. The engine performs recursive decomposition, and systematically opens and searches within archive files like ZIP and TAR to look for embedded objects – for example images, or active content within Office documents.

The decomposition of data continues until either there is nothing more to process or the recursion depth limit has been reached.

By recognising particular file types, it is possible to set a policy to decide which file types are acceptable, and which should be blocked.
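The recognition and recursive decomposition described above, as an added Python sketch that is not Clearswift code and does not use the SDK's API: it identifies items by magic bytes rather than by name, unpacks ZIP and TAR members recursively, and reports when the depth limit stops the descent. The signature table, function names and sample archive are assumptions constructed for illustration.

```python
import io, tarfile, zipfile

# Illustrative magic-byte table (assumed subset, not the engine's own).
SIGNATURES = [(b"PK\x03\x04", "zip"), (b"\x89PNG\r\n\x1a\n", "png"), (b"%PDF-", "pdf")]

def identify(data):
    """Classify by content only (tar: "ustar" at offset 257); names are ignored."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "tar" if data[257:262] == b"ustar" else "unknown"

def children(kind, data):
    """Yield (name, bytes) for each regular file inside an archive."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    yield info.filename, z.read(info)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            for member in t:
                if member.isfile():
                    yield member.name, t.extractfile(member).read()

def decompose(name, data, max_depth, depth=0, parent=""):
    """Return [(path, detected_type)] for an item and everything nested in it."""
    path = f"{parent}/{name}" if parent else name
    kind = identify(data)
    found = [(path, kind)]
    if kind in ("zip", "tar"):
        if depth >= max_depth:
            found.append((path, "depth-limit-reached"))  # stop, but report it
        else:
            for child_name, child in children(kind, data):
                found += decompose(child_name, child, max_depth, depth + 1, path)
    return found

def build_sample():
    """Constructed input: a ZIP holding a TAR holding a PNG named holiday.txt."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as t:
        info = tarfile.TarInfo("holiday.txt")
        info.size = len(png)
        t.addfile(info, io.BytesIO(png))
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("inner.tar", tar_buf.getvalue())
        z.writestr("readme.txt", b"plain text")
    return zip_buf.getvalue()
```

A policy layer would treat the "depth-limit-reached" entry as a finding in its own right, since content below that level has not been inspected.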

Textual search

With documents and text objects the engine can use the powerful text analysis rules that search for expressions of any format, regardless of language or character set:

• Expressions can be keywords, phrases, regular expressions or known patterns

• Known patterns include credit card numbers, social security numbers (US), NI numbers (UK) and IBAN numbers. Algorithms are used to validate the patterns to reduce false positives

• Each expression can have its own weighting

• Logical operators: AND, OR, XOR, ANDNOT

• Proximity operators: NEAR, BEFORE, AFTER, FOLLOWEDBY

• Search within body, headers, footers, meta-data or whole document

By recognising the presence of terms such as ‘Top Secret’ in the footer of Word documents or credit card numbers in Excel worksheets it is possible to build policies that strictly control which data is processed through the system.
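How validated patterns, per-expression weightings and a proximity operator combine, as an added Python sketch that is not Clearswift code and does not reflect the SDK's rule syntax: a credit card candidate counts only if it passes the Luhn checksum, and a NEAR match between the keyword and the number adds to the score. The weights, the five-word window, the NEAR semantics and both sample texts are assumptions constructed for illustration.

```python
import re

# Candidate pattern: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample inputs (4111 1111 1111 1111 is a well-known test number).
SAMPLE_LEAK = "Please charge my card 4111 1111 1111 1111 before Friday."
SAMPLE_BENIGN = "Order reference 4111 1111 1111 1112 shipped; tracking card attached."

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text):
    """Return (offset, digits) only for candidates that pass the checksum."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), digits))
    return hits

def word_pos(text, offset):
    """Index of the word that starts at a character offset."""
    return len(text[:offset].split())

def near(text, a_offsets, b_offsets, window):
    """Assumed NEAR semantics: some a and some b are within `window` words."""
    return any(abs(word_pos(text, a) - word_pos(text, b)) <= window
               for a in a_offsets for b in b_offsets)

def evaluate(text):
    """Return (score, matched_rules); weights and window are assumed values."""
    cards = [off for off, _ in find_cards(text)]
    labels = [m.start() for m in re.finditer("card", text, re.IGNORECASE)]
    matched = []  # every matching rule is reported, not just the first
    if cards:
        matched.append(("card-number", 10 * len(cards)))
    if labels:
        matched.append(("keyword:card", 2 * len(labels)))
    if near(text, labels, cards, window=5):
        matched.append(("keyword:card NEAR card-number", 5))
    return sum(w for _, w in matched), [name for name, _ in matched]
```

The second sample contains a 16-digit run that fails the checksum, so it scores only on the keyword; that is the false-positive reduction the validation step provides.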

Malware, active code and damaged data

Apart from checking for content violations, you may still need to ensure that the data you are processing does not contain malware or suspicious content that could potentially slip through commercial anti-virus tools.

The Content Inspection Engine (SDK) can be configured to use anti-virus tools, but it also benefits from built-in routines to determine:

• Whether the data contains active code, such as macros in Microsoft Office, or scripts in Adobe PDF

• If the data does not conform to the relevant format specification and appears to be corrupt or to have been tampered with in some way. This is important to determine because non-conformity may be indicative of malware designed to exploit a weakness in the application normally used to open the file

• Files that have been concatenated in an effort to bypass detection can also be recognised

Even if you deploy anti-virus on the desktop, incorporating another layer of malware scanning and checking for suspicious files is advisable, especially for sensitive organisations within the military and government.


Architecture

The Content Inspection Engine (SDK) is supported on Windows and Linux. Its flexible client-server architecture facilitates a number of different deployment options. The server component, which runs as a service on Windows and a daemon on Linux, supports multiple simultaneous clients. The client-side component, a DLL on Windows and a shared library on Linux, is linked into the target application and can connect to a server on the same host or to a remote server, running on a different operating system if desired.

In operation, data items are passed to the Content Inspection Engine (SDK) for validation against a defined policy. The Content Inspection Engine examines the source content, disassembling it and checking the contents before returning an outcome. If the data is acceptable, the host application can process it normally, whereas violations can be handled accordingly. A key strength of the Content Inspection Engine (SDK) is that all rule violations are reported, not just the first one detected; this means that an application can make a fully-informed decision regarding the handling of the data.

Sample uses – cross-domain

While many cross-domain solutions have the bandwidth to transfer large volumes of data, adding content checking can introduce bottlenecks, particularly with large files. Used in conjunction with a cross-domain guard, the Clearswift Content Inspection Engine (SDK) permits large files – up to 16Gb in size – to be transferred securely and verified against a defined security policy.

[Figure: LOW SECURITY NETWORK, GUARDS, HIGH SECURITY NETWORK; the HOST APPLICATION passes Data + Rules to the Content Inspection Engine and receives a Result]

Sample uses – managed file transfer

For the fast and secure transfer of large files, managed file transfer (MFT) products have traditionally been the quickest and most economical option. These solutions typically focus on the transport methods of the delivery, rather than on the content being sent. For organisations wanting to ensure all of their points of egress are covered for data security, adding a content inspection engine is the obvious solution.

Sample uses – collaboration

Collaboration tools are big business; SharePoint for example has over 100 million users, and there are plenty of other vendors with similar products¹. The business benefits of these collaboration tools are widely-known, but with sharing comes risk. People make mistakes and accidents happen, so safeguards ensuring that only appropriate content is shared are vital. If you are using SharePoint to allow your partners to access your data, how do you prevent ‘internal’ documents accidentally being posted for partners to see? By integrating the Clearswift Content Inspection Engine SDK into the publishing process, accidental disclosure can be prevented.

To summarise, Clearswift’s trusted deep content inspection capabilities ensure peace of mind for thousands of customers worldwide; and now we can do the same for you too.

The SDK brings Clearswift’s content inspection technology into an environment that can be integrated with third party applications, including email, web, cross domain, managed file transfer, enterprise content management and many other applications.

Protecting the integrity of your data is what we do best. Addressing the growing demand for deep content inspection of ISO images, the SDK scrutinises compressed files (ZIP, TAR, CAB etc), Windows backup and many others that can be utilised in a variety of different applications. In short, any application that needs to be certain the content is appropriate is a candidate for the Clearswift Content Inspection Engine (SDK).

[Figure: the MFT APP passes Data + Rules to the Content Inspection Engine and receives a Result; transports: FTP, S/FTP, SCP; stages: Authentication, File Validation, Encryption]

¹ http://www.zdnet.com/blog/microsoft/microsoft-were-adding-20000-new-sharepoint-users-a-day/9011


About Us

Clearswift’s content-aware, policy based solutions (Clearswift Secure Web Gateway, Clearswift Secure Email Gateway, MIMEsweeper for SMTP) enable over 17,000 organisations in 50 countries to manage and maintain no-compromise data, email and web security across all gateways and in all directions.

Clearswift developed many features the security industry now considers standard, such as image scanning, policy-based encryption and user-level message tracking. Clearswift’s content-aware solutions enable safe and effective communication without compromising on security.

Please contact us at [email protected] to discuss your requirements.