What is our primary use case?
I am actually very familiar with the on-premises solution. I am just starting to try out the cloud version. I have not really had the opportunity to exercise the capabilities fully because I need to buy the license to do that. I work with Cyber Security Africa Distribution, but even being that type of organization we still have to purchase our license to try the full solution. I have seen it work with the MVISION Cloud, but I have not tried out the data protection path. But I have reviewed all the features.
What is most valuable?
I am not really an end-user so my answer is addressed talking more from the integration side. I do a lot of integration, and from this point of view, using McAfee as a data protection solution and for data classification is most valuable. I think McAfee actually fits very well with providing literally all the use cases for you. If end-users cannot classify data and solve the problem of data classification, then they cannot successfully move forward and get on to data discovery using something like the McAfee Discover running it from the endpoint or running it from the network and doing network DLP (Data Loss Prevention/Data Loss Protection). We are sometimes having to look at it more from a perspective of the cost rather than actually solving the problem. It will work out so long as it helps end-users to classify their data. Some clients have some budget restrictions.
So, for some use cases, I think it will be good for a certain type of user. It would be best for those who need data enforcement from both endpoints and from the network. I think it is perfect for shadow IT as well. With the proper policies in place, it could prevent you from sending corporate data to either cloud storage or to flash drives. If you look at it as a device control feature, it limits what you can send to removable storage devices. Configured a different way, you can send your other unclassified data to cloud storage and the like.
Looking at it from a general use case as a security consultant, what most organizations try to prevent is data extrication. If you can prevent people from moving corporate data to their private clouds or to their own personal storage devices, you would have saved yourself a lot of stress. If the employee exits their security system carelessly, someone can actually extricate data during that process breach.
Another use case is preventing loss of confidentiality. If you are trying to ensure the confidentiality of your data, using McAfee DLP you can prevent certain classification levels of data from being sent to printers or sent through emails.
There is file and folder encryption and there is also complete McAfee Drive Encryption. The beauty of McAfee is that they are not looking at encryption from one single standpoint. It is a broader solution.
If I have FileVault on my Mac Pro, I can protect my Mac. McAfee has encryption that helps you manage encryption natively. If you have BitLocker and you prefer to use it on your products, you can and you can still have a central management console for both your endpoint and your other encryption with McAfee. I think that is actually a perfect example of how you can use MNE (Management of Native Encryption) to manage your native encryption along with other products.
What needs improvement?
I think in looking at this as to how it can be improved, the drive encryption side is not as straightforward as it could be. It is a little bit heavy on the configuration part. There are a lot of options to look at. Maybe it is just that the training needs to be fine-tuned a little bit or maybe the UI needs to be a little more interactive. There are so many options that you have in the product that you may not know exactly what something does if you enable an option. There is a gray area, for example, as to whether or not it is best practice to have pre-boot authentication. The usual argument is that if you do not turn on pre-boot authentication, your encryption can actually be bypassed.
There is a question and it is not an argument that you can easily answer because the product is not doing enough to help you out. They need a publication that actually sets that record straight, or probably they could have something like a best practice configuration guide so users can take advantage of that for determining exactly what options are best for them.
People do not always know what are the best practices for their environment. They try out a lot of stuff, and then if it does not work with their system, they just come to the conclusion that the solution does not work. They blame the product rather than the configuration which they do not have set correctly. So with a best practice configuration guide or something similar, it would help people take proper advantage of the solution and help them to better see the total benefits of what the solution has to offer.
So their configuration is complex, but this can have advantages as well if they provided the user with the information they need.
For how long have I used the solution?
I think I have been using McAfee Endpoint Solution or McAfee Data Protection solutions for about five to six years now. I have been following the company's journey with product development since version 9.2 or 9.3.
What do I think about the scalability of the solution?
McAfee Complete Data Protection is quite stable. I think the only module that a lot of people seem to have had some issues with is the file and folder encryption. I am not talking about this from my point of view as I never experienced the issue personally. At one point, I used to manage a team of seven people and all my engineers always had issues with file and folder encryption.
In reality, I think file and folder encryption is actually more complicated than server encryption. Well, for me I think it is. Looking at encryption from two points, drive encryption does disk encryption. It does not encrypt to the file level. File and folder encryption actually encrypts to the individual file and folder level. I think the real option is — and I am not sure if McAfee is trying to achieve this drive management with file encryption or not — but I think for me if FRP (File and Removable Media Protection) worked more like a drive management system, then it would be perfect. The idea would be for it to store files and folders more like drive management than just using encryption. Right now, the way it works is more like just locking the file or the folder. If it worked more like drive management, I think there would be more value to it than there is to it today.
How are customer service and technical support?
To be honest, I have actually never really needed to call support overall. The product has been working all these years and I do not have any major problems with the functionality.
What's my experience with pricing, setup cost, and licensing?
Data protection solutions are quite expensive, which is expected. I have had customers complain about the licensing costs of various solutions.
Where I actually have issues with cost would be in the cloud. If you look at the MVISION portfolio, you see that the device control is not the same as on-premises. I am not sure which parts of the MVISION products actually have device controls with the encryption.
The problem is that after seeing that single product within MVISION, in order to access it from the cloud, you still have to buy the full version of it. As we are on-prem and just beginning testing on the cloud, I am not exactly sure of the capabilities.
I think that part of the pricing is confusing to a lot of end-users. When they purchase the license from us they see that they have device control. But when I get to the cloud, there is no device control. As resellers, that puts us in a bad place, because we have to explain it to the customer. They have to purchase something additional for device protection that they thought they already had.
I think there was no communication about that change in the licensing when it was changed over to the cloud. So we had to take the initiative in doing other things when coaching our customers.
There is always back and forth when doing consultations with the customers before we finally come to a configuration that is the right one for the client. I look at information online and then see they have device control on the cloud but then there is a question as to why the client is using device control in certain circumstances. There is a question as to why they are putting certain data on the cloud even. Some do not understand best practices and that putting data on the cloud is not the solution they want anyway.
What other advice do I have?
On a scale from one to ten where one is the worst and ten is the best, I would rate this McAfee Complete Data Protection product as an eight or even a nine-out-of-ten. Just for the encryption part, I think I will say nine. The solution is actually quite stable and otherwise, it is quite good. I would definitely recommend this product to other users. The core of McAfee has been my end solution for all types of situations for me for a long time. If I have not switched yet to work with any other solution, obviously, I think it is a good one and I definitely recommend McAfee.
On the DLP side, I am not sure if there is much they can change in that system, because I think one part complements the other. But on the DLP you do not have the same type of endpoint control you have in the cloud. So I think on the DLP side, they must provide better controls so the solutions are more similar in that way from both ends. If there is a way to balance from what you have on-premises and what you have in cloud, then it becomes a better product from the user perspective.
For data encryption, I think they need to work on the interface and the configuration and make it easier. If it could work more like a comprehensive management system, it will make more sense. It will make more sense and it will actually create more market value for end-users than just doing file and folder encryption.
The possibilities for integration with McAfee CDP are important. You can integrate with that solution. Not all people in all environments want to run McAfee for Endpoints. Some people also want to have that kind of synergy McAfee has in DLP and encryption. So if you are trying to encrypt the network for a sensitive environment and you have a checkpoint policy to use McAfee on your endpoint and on your DLP, configure it to mask or to encrypt a file. There has to be that type of relationship between DLP and encryption for it to work properly and accomplish these ultimate goals.
Some organizations use other solutions for the DLP and they also have that in the architecture. I have not yet seen that scenario, but I can imagine that there can be environments that start with McAfee endpoints and they have access to encryption and they want to extend that integration. It might be possible to do but it seems to me that it is not actually a very common way of doing things.
Which deployment model are you using for this solution?