
Taming Data Before It Escapes To The Wild

As employees adopt cloud services, companies risk losing control of their data, with solutions running the gamut from basic to complex and expensive

With the proliferation of personal devices in the workplace and the use of cloud services for collaboration, business information has spread far wider than the traditional boundary of the corporate firewall. Defending that boundary was once enough to protect a business's sensitive data, but no longer.

In many ways, it is a losing battle, says Branden Williams, chief technology officer for security technology company RSA. If a company is looking for absolute control of their data, they will not find it, he says.

"Once information is created, they've pretty much lost control of it," Williams says. "Once it moves onto a laptop or personal device, even a corporate device or thumb drive, the business can no longer trust that a copy has been made."

While companies must accept that data will not be controlled absolutely, they should not give up, either, he says. There are good processes and technologies that give companies a better handle on accounting for and protecting their sensitive data.

The first step, however, is to identify what data is considered a valuable asset, says Bill Kleyman, virtualization and cloud architect for consultancy MTM Technologies. Companies need to determine not only which data is important to the business, but also which data might be subject to compliance regulations.

"Any controls that you implement will require that you know which assets need to be protected, so you need to identify those assets," he says.

By going through the analysis, a company can determine cloud models that best fit its way of doing business, says Kleyman. Using services such as Dropbox, for example, is most likely a big no-no for any company that has to comply with federal regulations.


After identifying important data, companies have a wide variety of options to protect it, from encryption and enterprise rights management to more minimal protections, such as monitoring data usage.

Sales data, for example, needs to be widely shared and may not be that sensitive, so it could be treated differently than medical data that falls under regulatory requirements, says Bill Munroe, vice president of products for data-protection firm Verdasys.

"With sales data, you might just want to lightly protect that, or use no protection and just monitor the data," Munroe says. "But with, for example, x-ray data, how do you make sure that, if it's outside your network, that it's protected? The endpoint can manage a lot of the protection, but you have to have faith that the user will not do something stupid."

Encrypting data and placing access restrictions on the information can help a company better control sensitive data and trade secrets, but at a significant cost. Using enterprise rights management and trusted computing technology to lock information to specific hardware can minimize the danger that data is leaked, but also requires a significant investment in technology and resources.

"It's a pretty nice way to go, but it's an expensive way to go," says RSA's Williams. "It's not that such things are impossible, but there are so many other little ways to improve the situation that aren't as expensive."

Another option for companies is using virtual desktop infrastructure: Put the data in the digital equivalent of a clean-room environment by using virtualized desktops that let employees view and interact with data, but not move it to their own systems.

With the increasing popularity of more aggressive forms of defense, some companies have become more proactive, using misinformation to create decoy data. When an attacker attempts to copy the data or transfer the information, the company is alerted and can gather more information on the attackers.

"As you start to put disinformation in there, it gums up the works for the attacker," says RSA's Williams. "It leads them into places where they don't get access to any real data."
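The decoy-data approach described above can be sketched as follows. This is an added example, not code from the article or from any vendor it mentions; the marker format, the `user|destination|content` log layout, the secret, and all function names are assumptions made for illustration. Each decoy record carries a keyed marker, and a scanner over outbound-transfer logs alerts only when a marker verifies, so look-alike strings do not raise false alarms.

```python
import hashlib
import hmac
import re

# Assumption: a per-deployment secret held by the monitoring team (constructed value).
SECRET = b"constructed-demo-key"
# Assumed marker format: DCY-<dataset label>-<12 hex chars of an HMAC tag>.
TOKEN_RE = re.compile(r"\bDCY-([a-z0-9]+)-([0-9a-f]{12})\b")


def make_token(dataset: str) -> str:
    """Marker planted in a decoy record; the tag binds it to the dataset label."""
    tag = hmac.new(SECRET, dataset.encode(), hashlib.sha256).hexdigest()[:12]
    return f"DCY-{dataset}-{tag}"


def make_decoy_record(dataset: str, n: int) -> dict:
    """A plausible-looking but fake record carrying the marker in an ordinary field."""
    return {"id": n, "name": f"Sample Patient {n}", "ref": make_token(dataset)}


def scan_transfers(log_lines):
    """Return one alert per verified decoy marker seen in outbound content."""
    alerts = []
    for line in log_lines:
        user, dest, payload = line.split("|", 2)
        for match in TOKEN_RE.finditer(payload):
            dataset, tag = match.group(1), match.group(2)
            expected = make_token(dataset).rsplit("-", 1)[1]
            # Constant-time compare; a marker with a wrong tag is ignored.
            if hmac.compare_digest(tag, expected):
                alerts.append({"user": user, "dest": dest, "dataset": dataset})
    return alerts


# Constructed sample log lines: user|destination|content.
_decoy = make_decoy_record("xray", 1)
LOGS = [
    "alice|crm.example.com|quarterly sales summary, no markers",
    f"bob|files.example.net|export: {_decoy['name']} ref={_decoy['ref']}",
    "carol|files.example.net|ref=DCY-xray-000000000000",  # tag does not verify
]

if __name__ == "__main__":
    for alert in scan_transfers(LOGS):
        print("decoy data left the network:", alert)
```

Because the tag is derived from the secret, the scanner needs no list of planted markers, and new decoy datasets can be added without updating it.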

In the end, such technologies--including proactive monitoring systems, such as data-loss prevention (DLP) systems that scan for exposed data--are still considered next generation, so only companies with good technical resources should consider adopting them, says MTM's Kleyman. Focusing on simpler methods of protection for a subset of the company's data may be the best approach, he says.

"People want to jump on the bandwagon, but what people don't realize is that the wheels aren't built yet," Kleyman says. "When you move to cloud computing, there are resource implications, policy implications, and absolutely security implications."

Gerry Grealish,
User Rank: Apprentice
1/25/2013 | 9:37:07 PM
re: Taming Data Before It Escapes To The Wild

article. I could not agree more with the idea that all enterprises tackle a data classification exercise and truly understand the exposure associated with info that is going out to the cloud. Two points that differ with some of the ideas in the article though:

* Sensitive data, unfortunately, does not know the boundaries of certain categories of cloud applications...we have worked with many enterprises that needed to keep sensitive data out of Sales and CRM applications, Human Capital Management systems, IT Management systems, etc (for example)

* Encryption solutions (or tokenization) are unique in their ability to truly render data "meaningless" in cloud applications; and products like PerspecSys that are gateways that enable the deployment of encryption/tokenization while maintaining the overall usability of the cloud applications, are straight-forward to deploy and extremely cost-effective.

Drew Conry-Murray,
User Rank: Ninja
1/25/2013 | 9:20:14 PM
re: Taming Data Before It Escapes To The Wild
Companies have been wrestling with this issue in earnest since the rise of laptops. Cloud services and mobile devices exacerbate the problem, but the essential risk remains the same. Unfortunately, as the article points out, there's no silver bullet. As with other areas of security, this problem requires smart policies, a variety of tools, and ongoing monitoring and enforcement.

My guess is that if someone can crack the rights management nut (that is, balance security controls with the business requirements of moving and sharing data), they'll be sitting on a gold mine.

Drew Conry-Murray
Editor, Network Computing