PCI Won't Save You

You'd think that the Payment Card Industry (PCI) standard for protecting consumer credit card information would be chock full of requirements for protecting against the loss of personally identifiable information. Or that security teams would be able to use the 12 requirements as a template for protecting against all kinds of sensitive data losses.

Unfortunately, it's not, and they can't.

Both PCI and the Sarbanes-Oxley Act focus more on the integrity of the data and the processing infrastructure. Neither one requires much in the way of data leakage detection. So to avoid being the next TJX on your block, here are a few steps to consider for protecting your business:

Use virtualization and application delivery to keep sensitive data in the data center.
We all know about the power and air-conditioning savings of the virtualization story in reducing operating costs. A major security benefit of virtualization is that IT can keep application execution and sensitive data within the data center where it can be controlled.

Expand data leakage protection to cover databases, file shares, email, and portals.
Most organizations are totally focused on email, but the fact is that confidential information is more often found in databases and file shares, with SharePoint portals becoming increasingly popular. Use technology and processes to check for inappropriate access behavior (e.g. large queries, off-hours operations, access from home) that would allow you to detect data leakage at an early stage.

Exceed PCI requirements -- archive audit data for five years.
While PCI only requires retention for a single year, a more pragmatic choice is to archive audit data for at least 5 years. You never want to be in the position of not being able to determine the extent of a breach. Keep the archived data around -- and be sure to encrypt it all.

Control endpoint use of applications, removable storage devices, and especially USBs.
People dealing with sensitive data should have controls placed on the use of removable media. Products can block or audit copies of data to removable storage devices. Most of these products can also prohibit installation of unauthorized applications as well. One way to keep data secure is to make sure users cannot take it home with them.

Clean sensitive data off endpoints after an SSL session.
If you must use SSL for remote sessions, be sure to clean up after yourself. It's like hiking in the national forests –- whatever you bring in must come out with you. Use the capability of SSL VPN clients to transparently erase temporary storage.

The TJX saga is harmful to all of us. Not because they lost consumer data -– honestly, a breach can happen to anyone. But it's hard to imagine that the breach could be active for years without detection in an organization with vigilant security and auditing teams. Compliance with PCI or SOX does not buy data leakage detection. Thankfully, there are plenty of ways to supplement these starting points.

— Eric Ogren is the principal analyst and founder of the Ogren Group, a firm specializing in consulting services for security vendors. Ogren's background includes more than 15 years of enterprise security experience with both the Yankee Group and Enterprise Strategy Group. Ogren has also served in a variety of senior positions at vendors including Tizor, Okena, RSA Security, and Digital Equipment. Special to Dark Reading.