Taming Data Before It Escapes To The Wild

With the proliferation of personal devices in the workplace and the use of cloud services for collaboration, business information has spread far wider than the traditional boundary of the corporate firewall. Defending that boundary was once enough to protect a business's sensitive data, but no longer.

In many ways, it is a losing battle, says Branden Williams, chief technology officer for security technology company RSA. If a company is looking for absolute control of their data, they will not find it, he says.

"Once information is created, they've pretty much lost control of it," Williams says. "Once it moves onto a laptop or personal device, even a corporate device or thumb drive, the business can no longer trust that a copy has been made."

While companies must accept that data will not be controlled absolutely, they should not give up, either, he says. There are good processes and technologies to give companies a better handle to account for and protect their sensitive data.

The first step, however, is to identify what data is considered a valuable asset, says Bill Kleyman, virtualization and cloud architect for consultancy MTM Technologies. Companies need to determine not only which data is important to the business, but also which data might be subject to compliance regulations.

"Any controls that you implement will require that you know which assets need to be protected, so you need to identify those assets," he says.

By going through the analysis, a company can determine cloud models that best fit its way of doing business, says Kleyman. Using services such as Dropbox, for example, is most likely a big no-no for any company that has to comply with federal regulations.

[Workers need file-sharing services to do their job; smart businesses should secure the data without making employees pay in lost productivity. See Securing File Sharing Without Losing Productivity Gains.]

After identifying important data, companies have a wide variety of options to protect it, from encryption and enterprise rights management to more minimal protections, such as monitoring data usage.

Sales data, for example, needs to be widely shared and may not be that sensitive, so it could be treated differently than medical data that falls under regulatory requirements, says Bill Munroe, vice president of products for data-protection firm Verdasys.

"With sales data, you might just want to lightly protect that, or use no protection and just monitor the data," Munroe says. "But with, for example, x-ray data, how do you make sure that, if it's outside your network, that it's protected? The endpoint can manage a lot of the protection, but you have to have faith that the user will not do something stupid."

Encrypting data and placing access restrictions on the information can help a company better control sensitive data and trade secrets, but at a significant cost. Using enterprise rights management and trusted computing technology to lock information to specific hardware can minimize the danger that data is leaked, but also requires a significant investment in technology and resources.

"It's a pretty nice way to go, but it's an expensive way to go," says RSA's Williams. "It's not that such things are impossible, but there are so many other little ways to improve the situation that aren't as expensive."

Another option for companies is using virtual desktop infrastructure: Put the data in the digital equivalent of a clean-room environment by using virtualized desktops that let employees view and interact with data, but not move it to their own systems.

With the increasing popularity of more aggressive forms of defense, some companies have become more proactive, using misinformation to create decoy data. When an attacker attempts to copy the data or transfer the information, the company is alerted and can gather more information on the attackers.

"As you start to put disinformation in there, it gums up the works for the attacker," says RSA's Williams. "It leads them into places where they don't get access to any real data."

In the end, such technologies--including proactive monitoring systems, such as data-loss prevention (DLP) systems that scan for exposed data--are still considered next generation, so only companies with good technical resources should consider adopting them, says MTM's Kleyman. Focusing on more simple methods of protection on a subset of the companies data may be the best approach, he says.

"People want to jump on the bandwagon, but what people don't realize is that the wheels aren't built yet," Kleyman says. "When you move to cloud computing, there are resource implications, policy implications, and absolutely security implications."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.