Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

1/22/2013
10:00 PM

Taming Data Before It Escapes To The Wild

As employees adopt cloud services, companies risk losing control of their data, with solutions running the gamut from basic to complex and expensive

With the proliferation of personal devices in the workplace and the use of cloud services for collaboration, business information has spread far wider than the traditional boundary of the corporate firewall. Defending that boundary was once enough to protect a business's sensitive data, but no longer.

In many ways, it is a losing battle, says Branden Williams, chief technology officer for security technology company RSA. A company looking for absolute control of its data will not find it, he says.

"Once information is created, they've pretty much lost control of it," Williams says. "Once it moves onto a laptop or personal device, even a corporate device or thumb drive, the business can no longer trust that a copy has been made."

While companies must accept that their data will never be controlled absolutely, they should not give up, either, he says. There are sound processes and technologies that give companies a better handle on accounting for and protecting their sensitive data.

The first step, however, is to identify what data is considered a valuable asset, says Bill Kleyman, virtualization and cloud architect for consultancy MTM Technologies. Companies need to determine not only which data is important to the business, but also which data might be subject to compliance regulations.

"Any controls that you implement will require that you know which assets need to be protected, so you need to identify those assets," he says.

With that analysis in hand, a company can determine which cloud models best fit its way of doing business, says Kleyman. Using services such as Dropbox, for example, is most likely off-limits for any company that has to comply with federal regulations.

[Workers need file-sharing services to do their job; smart businesses should secure the data without making employees pay in lost productivity. See Securing File Sharing Without Losing Productivity Gains.]

After identifying important data, companies have a wide variety of options to protect it, from encryption and enterprise rights management to more minimal protections, such as monitoring data usage.

Sales data, for example, needs to be widely shared and may not be that sensitive, so it could be treated differently than medical data that falls under regulatory requirements, says Bill Munroe, vice president of products for data-protection firm Verdasys.

"With sales data, you might just want to lightly protect that, or use no protection and just monitor the data," Munroe says. "But with, for example, x-ray data, how do you make sure that, if it's outside your network, that it's protected? The endpoint can manage a lot of the protection, but you have to have faith that the user will not do something stupid."

Encrypting data and placing access restrictions on the information can help a company better control sensitive data and trade secrets, but at a significant cost. Using enterprise rights management and trusted computing technology to lock information to specific hardware can minimize the danger that data is leaked, but also requires a significant investment in technology and resources.

"It's a pretty nice way to go, but it's an expensive way to go," says RSA's Williams. "It's not that such things are impossible, but there are so many other little ways to improve the situation that aren't as expensive."

Another option for companies is using virtual desktop infrastructure: Put the data in the digital equivalent of a clean-room environment by using virtualized desktops that let employees view and interact with data, but not move it to their own systems.

As more aggressive forms of defense gain acceptance, some companies have turned proactive, planting decoy data among their real records. When an attacker tries to copy or transfer the decoy, the company is alerted and can gather more information on the attackers.

"As you start to put disinformation in there, it gums up the works for the attacker," says RSA's Williams. "It leads them into places where they don't get access to any real data."
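The decoy approach Williams describes, worked through as an added example (this is the editor's illustration, not RSA tooling or anything from the article beyond the idea): a few fake customer rows are seeded into an export, their unique values go into a registry, and any later sighting of one of those values, in a bulk upload, an outbound mail or an authentication log, raises an alert, because nobody has a legitimate reason to touch a decoy. The HMAC key, the sinkhole domain mail-canary.example, the CRM rows and the monitored events are all constructed for the demo.

```python
"""Decoy ("canary") records for a sensitive data set.

Added example; not RSA's tooling.  A handful of fake rows are mixed into a
real export, a registry remembers their unique values, and any later sighting
of one of those values (in an upload, an outbound mail, an authentication
log) is an alert.  Key, domain, rows and events are constructed for the demo.
"""
import hashlib
import hmac
import random

# Assumption: a key held only by the security team.  Canary values are then
# reproducible for the detection side but not guessable from the data itself.
CANARY_KEY = b"example-key-keep-off-the-data-path"
CANARY_DOMAIN = "mail-canary.example"      # assumed sinkhole domain you control

# Constructed "real" CRM rows.
REAL_ROWS = [
    {"name": "Acme Corp", "email": "ap@acme.example", "plan": "enterprise"},
    {"name": "Globex", "email": "billing@globex.example", "plan": "team"},
    {"name": "Initech", "email": "it@initech.example", "plan": "team"},
]
# Decoys must look like their neighbours or an attacker will skip them.
DECOY_NAMES = ["Vandelay Industries", "Wernham Hogg", "Dunder Mifflin"]


def canary_email(seq):
    """Unique, non-guessable address for decoy number `seq`."""
    tag = hmac.new(CANARY_KEY, f"canary:{seq}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{CANARY_DOMAIN}"


def seed_decoys(rows, n_decoys, seed=7):
    """Return (rows with decoys interleaved, registry of canary value -> decoy id)."""
    rng = random.Random(seed)          # fixed seed only so the demo is repeatable
    seeded = list(rows)
    registry = {}
    for i in range(n_decoys):
        email = canary_email(i)
        registry[email] = f"decoy-{i}"
        row = {"name": DECOY_NAMES[i % len(DECOY_NAMES)], "email": email, "plan": "enterprise"}
        seeded.insert(rng.randrange(len(seeded) + 1), row)
    return seeded, registry


def find_canaries(text, registry):
    """Decoy ids whose canary value appears anywhere in `text`."""
    haystack = text.lower()
    return sorted(decoy_id for value, decoy_id in registry.items() if value in haystack)


def alerts_for(events, registry):
    """One alert per event that carries a canary value, listing the decoys seen."""
    alerts = []
    for ev in events:
        hits = find_canaries(ev["payload"], registry)
        if hits:
            alerts.append({"source": ev["source"], "kind": ev["kind"], "decoys": hits})
    return alerts


def rows_to_csv(rows):
    return "\n".join(f'{r["name"]},{r["email"]},{r["plan"]}' for r in rows)


EXPORT, REGISTRY = seed_decoys(REAL_ROWS, 3)

# Constructed events the monitoring side sees: a bulk upload of the whole
# export to a file-sharing site, a harmless outbound mail, and a login attempt
# with a decoy account (someone is trying to use what they took).
SAMPLE_EVENTS = [
    {"source": "proxy", "kind": "upload", "payload": rows_to_csv(EXPORT)},
    {"source": "smtp", "kind": "outbound-mail", "payload": "Hi team, Q3 deck attached."},
    {"source": "idp", "kind": "auth", "payload": f"login failed user={canary_email(2)} src=203.0.113.9"},
]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS, REGISTRY):
        print(alert)
```

Because the canary values are derived with HMAC from a key that never sits beside the data, a stolen copy of the export does not reveal which rows are bait, and the detection side can regenerate the registry from the key alone. In production the sightings would come from DLP, proxy and identity-provider logs rather than the in-memory events used here.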

In the end, such technologies, including proactive monitoring systems like data-loss prevention (DLP) tools that scan for exposed data, are still considered next generation, so only companies with good technical resources should consider adopting them, says MTM's Kleyman. Focusing simpler protections on a subset of the company's data may be the best approach, he says.

"People want to jump on the bandwagon, but what people don't realize is that the wheels aren't built yet," Kleyman says. "When you move to cloud computing, there are resource implications, policy implications, and absolutely security implications."
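The tiered handling Munroe describes earlier (lightly protect or merely monitor sales data, lock down regulated medical data) and the content scanning Kleyman files under DLP come together in one added example below. It is the editor's illustration, not code from Verdasys, RSA or MTM: a classifier tags a document by what it contains and returns the heaviest action the policy requires for any tag found. The regular expressions, the "MRN:" record-number format, the policy table and the sample documents are assumptions made for the demo.

```python
"""Toy DLP-style content classifier with tiered handling.

Added example (not code from the article or its sources).  It tags a document
by what it finds (card numbers, SSNs, medical record numbers) and maps the
tags to the heaviest handling action a policy prescribes: monitor, encrypt or
block.  Patterns, policy table and sample documents are constructed.
"""
import re

# Handling tiers, ordered from lightest to heaviest.
SEVERITY = {"monitor": 0, "encrypt": 1, "block": 2}

# Assumed policy: regulated medical data never leaves in the clear (block),
# card and SSN data may leave only encrypted, everything else is just watched.
POLICY = {"PHI": "block", "PCI": "encrypt", "PII": "encrypt"}
DEFAULT_ACTION = "monitor"

# 13-19 digits with optional single spaces/dashes between them, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Medical record number marker; the "MRN:" prefix is an assumed house format.
MRN_RE = re.compile(r"\bMRN[:#]\s*\d{6,10}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings of Luhn-valid card numbers found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text):
    """Return the set of data categories present in the text."""
    tags = set()
    if find_pans(text):
        tags.add("PCI")
    if SSN_RE.search(text):
        tags.add("PII")
    if MRN_RE.search(text):
        tags.add("PHI")
    return tags


def decide(text):
    """Return (action, tags): the heaviest action any present category needs."""
    tags = classify(text)
    actions = [POLICY[t] for t in tags] or [DEFAULT_ACTION]
    return max(actions, key=lambda a: SEVERITY[a]), tags


# Constructed sample documents (no real personal data; 4111... is a test PAN).
SAMPLE_DOCS = {
    "q3_pipeline.txt": "Q3 pipeline: Acme Corp, stage 3, forecast $240,000, owner jdoe",
    "refund_batch.csv": "order,card,amount\n1042,4111 1111 1111 1111,59.99",
    "radiology_note.txt": "Patient MRN: 00482913, chest x-ray 2013-01-15, findings normal",
    "new_hire.txt": "Jane Doe, SSN 123-45-6789, start date 2013-02-01",
}


def triage(docs):
    """Map each document name to the handling action the policy requires."""
    return {name: decide(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, action in triage(SAMPLE_DOCS).items():
        print(f"{name:20s} -> {action}")
```

The Luhn check is what keeps order numbers and timestamps from being flagged as card data; without it a pattern this broad produces more false positives than a security team can review. A real DLP product adds context (file owner, destination, user) on top of this, but the point the article makes is already visible here: the action follows the classification of the content, not where the file happens to sit.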


Comments
Gerry Grealish, User Rank: Author, 1/25/2013 | 9:37:07 PM
re: Taming Data Before It Escapes To The Wild
Excellent article. I could not agree more with the idea that all enterprises tackle a data classification exercise and truly understand the exposure associated with info that is going out to the cloud. Two points that differ with some of the ideas in the article though:

* Sensitive data, unfortunately, does not know the boundaries of certain categories of cloud applications...we have worked with many enterprises that needed to keep sensitive data out of Sales and CRM applications, Human Capital Management systems, IT Management systems, etc. (for example)

* Encryption solutions (or tokenization) are unique in their ability to truly render data "meaningless" in cloud applications; and products like PerspecSys that are gateways that enable the deployment of encryption/tokenization while maintaining the overall usability of the cloud applications, are straightforward to deploy and extremely cost-effective.
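The gateway pattern the commenter describes, as an added example in the editor's own code (it is not PerspecSys product code and assumes nothing about that product): a vault that stays on the company side swaps regulated fields for tokens before a record reaches the cloud application and swaps them back on the way in. Tokens keep the field's shape so the application's own validation still passes, and the same value always maps to the same token so equality search inside the application keeps working. The field list, the domain tokenized.example and the sample record are constructed for the demo.

```python
"""Tokenization vault in front of a cloud application.

Added example illustrating the comment above; not PerspecSys code.  Regulated
fields are replaced by random, shape-preserving tokens before records leave
the company and restored when they come back.  Field policy and record are
constructed for the demo.
"""
import secrets

# Assumed policy: which CRM fields may never reach the cloud in the clear.
SENSITIVE_FIELDS = {"ssn", "email"}


class TokenVault:
    """Stays on-premises: only this object can reverse a token."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._token_by_value:          # same value -> same token
            return self._token_by_value[key]
        token = self._mint(field)
        while token in self._value_by_token:     # collision: mint again
            token = self._mint(field)
        self._value_by_token[token] = value
        self._token_by_value[key] = token
        return token

    def detokenize(self, token):
        # Unknown tokens come back unchanged: the app may legitimately hold a
        # value that was never tokenized (a blank, or one entered cloud-side).
        return self._value_by_token.get(token, token)

    @staticmethod
    def _mint(field):
        """Random token in the shape the cloud app expects for this field."""
        if field == "ssn":
            return "%03d-%02d-%04d" % (
                secrets.randbelow(900) + 100, secrets.randbelow(100), secrets.randbelow(10000))
        if field == "email":
            return f"tok-{secrets.token_hex(6)}@tokenized.example"   # assumed domain
        return "tok-" + secrets.token_hex(8)


def outbound(record, vault):
    """Record as the cloud application will store it."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def inbound(record, vault):
    """Record as users inside the company see it after the gateway."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


# Constructed CRM record.
SAMPLE_RECORD = {"name": "Jane Doe", "ssn": "123-45-6789",
                 "email": "jane@example.com", "stage": "closed-won"}


def round_trip(record):
    """Return (what the cloud sees, what comes back) for one record."""
    vault = TokenVault()
    out = outbound(record, vault)
    return out, inbound(out, vault)


if __name__ == "__main__":
    cloud_view, back = round_trip(SAMPLE_RECORD)
    print("cloud sees :", cloud_view)
    print("back again :", back)
```

The trade-off the commenter alludes to is visible in the code: a consistent value-to-token mapping is what keeps search and reporting usable in the cloud app, but it also means the token table itself is now the sensitive asset, and operations that need the real value (sorting by it, substring search, sending mail to the address) have to happen behind the gateway.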

Drew Conry-Murray, User Rank: Ninja, 1/25/2013 | 9:20:14 PM
re: Taming Data Before It Escapes To The Wild
Companies have been wrestling with this issue in earnest since the rise of laptops. Cloud services and mobile devices exacerbate the problem, but the essential risk remains the same. Unfortunately, as the article points out, there's no silver bullet. As with other areas of security, this problem requires smart policies, a variety of tools, and ongoing monitoring and enforcement.

My guess is that if someone can crack the rights management nut (that is, balance security controls with the business requirements of moving and sharing data), they'll be sitting on a gold mine.

Drew Conry-Murray
Editor, Network Computing