Senforce puts 'Tupperware-like' seal on mobile data
By David Berlind, Tech Update
May 17, 2004

One of the thorniest problems facing enterprises with increasingly mobile workforces is how to keep the sensitive data on their notebook computers from getting into the wrong hands.

Senforce Technologies calls its Enterprise Mobile Security Manager (EMSM) a one-of-a-kind solution that uses centrally controlled group policies to manage notebook users' access to the various conduits through which sensitive data can be siphoned. At $89 per managed workstation, the solution is reasonably priced when you consider the peace of mind you get in return.

While behind an enterprise firewall, sensitive data may be prevented--by a variety of security solutions--from exiting the corporate network. Still, there are several ways that such data can find its way off a hard drive and into the wrong hands. What prevents a pocket-sized, USB-based thumb drive from being plugged into a system's USB port, having sensitive data copied onto it, and then leaving the building in someone's pocket? Also, CD and DVD-writing drives, which are becoming more commonplace as standard equipment on notebooks, represent an opportunity for sensitive data to leak into the wrong hands.

Taking a notebook computer off premises, away from the protection of network-based controls, creates still more opportunities for data to be stolen or transmitted in ways that organizational policies are meant to prevent. A notebook with built-in Wi-Fi, for example, can connect to an unauthorized WLAN. There, users escape the watchful eyes of the corporate technologies designed to secure corporate data, and the machine, now in the wild, can be compromised by a virus, worm, spyware, or other form of attack that ultimately results in the theft or unauthorized transmission of sensitive information.

To keep a lid on the problem, EMSM uses location-based policies to control when notebook systems can and cannot use the various paths that might otherwise leave data open to some form of hacking or theft. For example, a notebook can be configured to work with only one wireless network adapter, and a policy can be set to prevent that adapter from connecting to any WLAN but those authorized by the IT department. In such a scenario, a notebook might be allowed to connect only to the enterprise's WLAN, where other technologies are in place to keep sensitive data from leaking onto the Internet, but never to the Wi-Fi hotspot at the local Starbucks, where no such safeguards exist.

The location-based policies can also control which network applications users have access to, and when. For example, the ports used by applications like FTP can be opened and closed according to the centrally controlled policies. With that level of granularity, the IT department can write a policy that allows public hotspot access but disables every other network application until the notebook is attached to the corporate VPN, where its transmissions are once again on safe turf.
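To make the two preceding paragraphs concrete, here is a small model of a location-aware conduit policy of the kind described: the agent classifies where the notebook is from the evidence it can see, looks up which conduits (removable storage, the Wi-Fi adapter, individual application ports) that location leaves open, and records any user override. This is an added example, not Senforce code; the article does not document EMSM's policy format or how it detects location, so the location names, conduit names, SSIDs, policy table and override rules below are all constructed for illustration.

```python
"""Location-aware conduit policy, modeled on the EMSM behaviour described above.

Added example, not Senforce code. Location names, conduit names, SSIDs and
the policy table are constructed; EMSM's real format is not documented here."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CORPORATE_SSIDS = {"CORP-WLAN"}        # constructed: IT-authorized WLANs
KNOWN_HOTSPOTS = {"Starbucks-WiFi"}    # constructed: public hotspots allowed for VPN bring-up only


@dataclass
class NetworkState:
    ssid: Optional[str]   # SSID the Wi-Fi adapter is associated with, or None
    vpn_up: bool          # corporate VPN tunnel is established
    wired_corp_lan: bool  # docked on the corporate wired LAN


# Conduits a policy can open or close. 'tcp/<port>' is an outbound application
# port, 'vpn_client' is the VPN client's own traffic, 'usb_removable' is
# removable mass storage. A conduit missing from a row is treated as closed.
POLICY: Dict[str, Dict[str, bool]] = {
    "corporate": {"usb_removable": True,  "vpn_client": True,  "tcp/21": True,  "tcp/80": True},
    "vpn":       {"usb_removable": False, "vpn_client": True,  "tcp/21": True,  "tcp/80": True},
    # Public hotspot: only the VPN client may talk. Every other application port
    # stays closed until the tunnel is up and the location is reclassified as "vpn".
    "hotspot":   {"usb_removable": False, "vpn_client": True,  "tcp/21": False, "tcp/80": False},
    "unknown":   {"usb_removable": False, "vpn_client": False, "tcp/21": False, "tcp/80": False},
}

# Conduits the user may open on their own authority, per location (constructed:
# only removable storage, and only when off-site).
OVERRIDABLE: Dict[str, set] = {"hotspot": {"usb_removable"}, "unknown": {"usb_removable"}}


def classify_location(state: NetworkState) -> str:
    """Strongest evidence wins; association with an unlisted SSID is 'unknown'."""
    if state.wired_corp_lan:
        return "corporate"
    if state.vpn_up:
        return "vpn"
    if state.ssid in CORPORATE_SSIDS:
        return "corporate"
    if state.ssid in KNOWN_HOTSPOTS:
        return "hotspot"
    return "unknown"


def wifi_association_allowed(ssid: str) -> bool:
    """The adapter may only join WLANs the IT department has listed."""
    return ssid in CORPORATE_SSIDS or ssid in KNOWN_HOTSPOTS


def conduit_allowed(state: NetworkState, conduit: str) -> bool:
    """Fail closed: anything not explicitly opened for this location is denied."""
    return POLICY[classify_location(state)].get(conduit, False)


def request_override(state: NetworkState, conduit: str, user: str, audit: List[str]) -> bool:
    """Open a closed conduit only where the policy permits an override, and log it."""
    location = classify_location(state)
    if conduit_allowed(state, conduit):
        return True
    if conduit in OVERRIDABLE.get(location, set()):
        audit.append(f"OVERRIDE user={user} location={location} conduit={conduit}")
        return True
    audit.append(f"OVERRIDE-DENIED user={user} location={location} conduit={conduit}")
    return False
```

Two design points worth noting. The "hotspot" row must leave the VPN client's own conduit open, or the notebook can never reach the state in which the other ports reopen. And the model trusts the SSID as location evidence; an SSID is just a string any access point can broadcast, so a real deployment should corroborate it with something the network proves (the VPN tunnel coming up, 802.1X, a reachable internal host) before unlocking anything sensitive.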

The infrastructure behind the solution involves agent software that runs on each of the notebooks under EMSM's governance and a central server and console through which the policies are authored, assigned to groups, and ultimately pushed out to the notebook systems, where the agents collect policy updates and take charge of enforcement.

As with any policy-based system, it's likely that IT managers using EMSM for the first time will have to do some trial-and-error testing in order to find those policy sweet spots where mobile data is secure while, at the same time, allowing mobile workers to get their jobs done.

For example, suppose a policy is so restrictive that a notebook user is denied access to any sort of connectivity when outside of the office and the USB-ports are disabled so that data cannot be copied onto a thumb drive. Now suppose that notebook user updates a PowerPoint presentation and needs to make sure that his or her traveling companion has the newly updated file. Such a situation might require those notebooks to be updated with a less restrictive policy. Unfortunately, a call to the IT department isn't going to help because, with no connectivity, there's no way to push a new policy to the notebook computers. To deal with such situations, the policies that are pushed out to the notebook computers can be programmed to allow the notebook's user to override the policy. For obvious reasons, that sort of user-override capability must be granted quite selectively.

Currently, enforcement of USB port restrictions using EMSM could also result in interoperability problems with handheld devices such as Palm- or PocketPC-based PDAs. Under EMSM, when a PDA is connected to a notebook computer's USB port, the PDA appears to EMSM as a removable drive. In the event that an EMSM policy disallows access to USB-based removable drives, it would also disallow access to USB-connected PDAs and would therefore prevent the synchronization of e-mail, files, and contacts between the notebook computer and the PDA. According to company officials, a forthcoming version of EMSM will be able to distinguish between different USB-based devices such as PDAs and thumb drives and, as a result, it will be possible to develop more granular policies that allow access for one but not the other.
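The article only says that a later release will tell PDAs from thumb drives; it does not say how. One way an agent can do it, shown here as an added example that is not Senforce code, is to stop asking "is this a drive?" and instead decide per USB interface: a thumb drive exposes a mass-storage interface (bInterfaceClass 0x08) and nothing else, while a PDA's sync channel is typically a vendor-specific interface (0xFF). The interesting case is a PDA that is both, exposing a sync interface and its memory card as a drive; evaluating per interface lets sync proceed while the card stays blocked. The class-code approach, the VID:PID allowlist and every device record below are assumptions and constructed sample data.

```python
"""Per-interface USB policy: block removable mass storage, let a PDA sync.

Added example, not Senforce code. Keying on bInterfaceClass plus a VID:PID
allowlist is an assumption; all device records are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

USB_CLASS_HID = 0x03              # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08     # thumb drives, card readers
USB_CLASS_VENDOR_SPECIFIC = 0xFF  # proprietary interfaces, e.g. a PDA sync channel


@dataclass(frozen=True)
class UsbInterface:
    number: int            # bInterfaceNumber
    interface_class: int   # bInterfaceClass
    description: str


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    name: str
    interfaces: Tuple[UsbInterface, ...]


# Storage devices IT has issued and is willing to allow (constructed VID:PID values).
ALLOWED_STORAGE = {(0x1234, 0x0001)}


def evaluate(device: UsbDevice, policy_allows_removable: bool = False) -> Dict[int, str]:
    """Allow/deny verdict per interface, so a composite device is not all-or-nothing."""
    verdicts: Dict[int, str] = {}
    for iface in device.interfaces:
        if iface.interface_class == USB_CLASS_MASS_STORAGE:
            permitted = policy_allows_removable or (device.vid, device.pid) in ALLOWED_STORAGE
            verdicts[iface.number] = "allow" if permitted else "deny"
        else:
            # Sync channels, HID, printers and the like are not storage conduits.
            verdicts[iface.number] = "allow"
    return verdicts


def blocked_interfaces(device: UsbDevice, policy_allows_removable: bool = False) -> List[int]:
    """Interface numbers the agent should refuse to bind a driver to."""
    return [n for n, v in evaluate(device, policy_allows_removable).items() if v == "deny"]


# Constructed sample devices (vendor and product IDs are made up).
THUMB_DRIVE = UsbDevice(0xABCD, 0x1000, "Generic flash drive",
                        (UsbInterface(0, USB_CLASS_MASS_STORAGE, "SCSI bulk-only"),))
ISSUED_DRIVE = UsbDevice(0x1234, 0x0001, "IT-issued drive",
                         (UsbInterface(0, USB_CLASS_MASS_STORAGE, "SCSI bulk-only"),))
PDA = UsbDevice(0x5A5A, 0x0061, "Handheld with card slot",
                (UsbInterface(0, USB_CLASS_VENDOR_SPECIFIC, "sync"),
                 UsbInterface(1, USB_CLASS_MASS_STORAGE, "memory card")))
```

The caveat this exposes is the one the article hints at: "PDA versus thumb drive" is not really a device-level distinction. A handheld with a card slot is a thumb drive as far as the storage interface is concerned, and a policy that allows the whole device because it sees a sync interface reopens the very conduit it meant to close. Deciding per interface, and allowlisting specific storage products rather than a device category, keeps the decision tied to what the device can actually do.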

Could a clever hacker work around the restrictions on a locked-down notebook? Though I haven't tested the product, there are most certainly some other ways to get data off a computer. For example, a determined thief could use a digital camera to take snapshots of displayed sensitive data. There are other methods as well. But for $89 per workstation, EMSM appears to do a good job of erecting barriers to the inadvertent copying of data or the theft of it through worms and spyware.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.