
Taming Data Before It Escapes To The Wild

As employees adopt cloud services, companies risk losing control of their data, with solutions running the gamut from basic to complex and expensive

With the proliferation of personal devices in the workplace and the use of cloud services for collaboration, business information has spread far wider than the traditional boundary of the corporate firewall. Defending that boundary was once enough to protect a business's sensitive data, but no longer.

In many ways, it is a losing battle, says Branden Williams, chief technology officer for security technology company RSA. If a company is looking for absolute control of their data, they will not find it, he says.

"Once information is created, they've pretty much lost control of it," Williams says. "Once it moves onto a laptop or personal device, even a corporate device or thumb drive, the business can no longer trust that a copy has been made."

While companies must accept that data will not be controlled absolutely, they should not give up, either, he says. There are good processes and technologies that give companies a better handle on accounting for and protecting their sensitive data.

The first step, however, is to identify what data is considered a valuable asset, says Bill Kleyman, virtualization and cloud architect for consultancy MTM Technologies. Companies need to determine not only which data is important to the business, but also which data might be subject to compliance regulations.

"Any controls that you implement will require that you know which assets need to be protected, so you need to identify those assets," he says.

By going through the analysis, a company can determine cloud models that best fit its way of doing business, says Kleyman. Using services such as Dropbox, for example, is most likely a big no-no for any company that has to comply with federal regulations.

[Workers need file-sharing services to do their job; smart businesses should secure the data without making employees pay in lost productivity. See Securing File Sharing Without Losing Productivity Gains.]

After identifying important data, companies have a wide variety of options to protect it, from encryption and enterprise rights management to more minimal protections, such as monitoring data usage.

Sales data, for example, needs to be widely shared and may not be that sensitive, so it could be treated differently than medical data that falls under regulatory requirements, says Bill Munroe, vice president of products for data-protection firm Verdasys.

"With sales data, you might just want to lightly protect that, or use no protection and just monitor the data," Munroe says. "But with, for example, x-ray data, how do you make sure that, if it's outside your network, that it's protected? The endpoint can manage a lot of the protection, but you have to have faith that the user will not do something stupid."

Encrypting data and placing access restrictions on the information can help a company better control sensitive data and trade secrets, but at a significant cost. Using enterprise rights management and trusted computing technology to lock information to specific hardware can minimize the danger that data is leaked, but also requires a significant investment in technology and resources.

"It's a pretty nice way to go, but it's an expensive way to go," says RSA's Williams. "It's not that such things are impossible, but there are so many other little ways to improve the situation that aren't as expensive."

Another option for companies is using virtual desktop infrastructure: Put the data in the digital equivalent of a clean-room environment by using virtualized desktops that let employees view and interact with data, but not move it to their own systems.

With the increasing popularity of more aggressive forms of defense, some companies have become more proactive, using misinformation to create decoy data. When an attacker attempts to copy the data or transfer the information, the company is alerted and can gather more information on the attackers.

"As you start to put disinformation in there, it gums up the works for the attacker," says RSA's Williams. "It leads them into places where they don't get access to any real data."

In the end, such technologies--including proactive monitoring systems, such as data-loss prevention (DLP) systems that scan for exposed data--are still considered next generation, so only companies with good technical resources should consider adopting them, says MTM's Kleyman. Focusing simpler protections on a subset of the company's data may be the best approach, he says.

"People want to jump on the bandwagon, but what people don't realize is that the wheels aren't built yet," Kleyman says. "When you move to cloud computing, there are resource implications, policy implications, and absolutely security implications."
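The three technical threads above (classify data by its sensitivity and regulatory exposure, plant decoy records that raise an alarm when anyone touches them, and run DLP-style scans over what is leaving) can be sketched as one small egress policy check. The following is an added example written for this page, not code from RSA, MTM, Verdasys or any product mentioned; the tier names, detection patterns, decoy identifiers and sample messages are all constructed assumptions. It goes slightly beyond the article by adding a Luhn check so that ordinary order or ticket numbers are not mistaken for card numbers.

```python
"""
Minimal DLP-style egress check: classify an outbound document by what it
contains, map the classification to a handling policy, and raise an alert
if a planted decoy (honeytoken) record shows up in the content.

Added example for illustration only; not code from the article or any
vendor.  Tiers, patterns, decoy tokens and samples are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed policy tiers: the article describes light protection or plain
# monitoring for sales data versus strong controls for regulated data.
POLICY = {
    "public":    "allow",
    "internal":  "monitor",  # log the transfer, let it through
    "regulated": "block",    # PHI/PCI must not leave in the clear
    "decoy":     "alert",    # honeytoken touched: probable exfiltration
}

# Constructed decoy identifiers planted in a fake "customer" table.  No
# legitimate process ever uses them, so their appearance is a strong signal.
DECOY_TOKENS = {"CUST-DECOY-7731", "patient-000000-canary"}

# Constructed detectors for regulated content (US SSN, payment card, MRN).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MRN_RE = re.compile(r"\bMRN[: ]\s*\d{6,10}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 16-digit IDs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    tier: str
    action: str
    reasons: list = field(default_factory=list)


def classify(text: str, declared_tier: str = "internal") -> Verdict:
    """Decide how an outbound document should be handled.

    declared_tier is what the owner labelled it; content inspection can only
    raise the tier (to "regulated" or "decoy"), never lower it.
    """
    tier = declared_tier if declared_tier in POLICY else "internal"
    # A decoy hit wins over everything else: this content came from bait data.
    hits = sorted(t for t in DECOY_TOKENS if t in text)
    if hits:
        return Verdict("decoy", POLICY["decoy"], [f"decoy token {t}" for t in hits])
    reasons = []
    if SSN_RE.search(text):
        reasons.append("SSN pattern")
    if MRN_RE.search(text):
        reasons.append("medical record number")
    cards = find_cards(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s)")
    if reasons:
        tier = "regulated"
    return Verdict(tier, POLICY[tier], reasons)


if __name__ == "__main__":
    # Constructed outbound messages, not real data.
    samples = [
        ("Q3 pipeline: 42 opportunities, $1.2M weighted", "internal"),
        ("Ticket 1234567890123456 is closed", "internal"),
        ("Order 4111111111111111 shipped", "internal"),
        ("Applicant SSN 123-45-6789 approved", "internal"),
        ("export: CUST-DECOY-7731,Acme Corp", "public"),
    ]
    for text, declared in samples:
        v = classify(text, declared)
        print(f"{v.action:8} {v.tier:10} {v.reasons} <- {text!r}")
```

Sales-style text stays at its declared tier and is merely logged, a Luhn-valid card number or an SSN pattern escalates the document to "regulated" and blocks it, and any appearance of a decoy token overrides the declared label and alerts. In a real deployment the decoy tokens would be unique per planted record so the alert also tells you which copy of the data was taken.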

Gerry Grealish, User Rank: Author
1/25/2013 | 9:37:07 PM
re: Taming Data Before It Escapes To The Wild

article. I could not agree more with the idea that all enterprises tackle a data classification exercise and truly understand the exposure associated with info that is going out to the cloud. Two points that differ with some of the ideas in the article though:

* Sensitive data, unfortunately, does not know the boundaries of certain categories of cloud applications...we have worked with many enterprises that needed to keep sensitive data out of Sales and CRM applications, Human Capital Management systems, IT Management systems, etc (for example)

* Encryption solutions (or tokenization) are unique in their ability to truly render data "meaningless" in cloud applications; and products like PerspecSys that are gateways that enable the deployment of encryption/tokenization while maintaining the overall usability of the cloud applications, are straightforward to deploy and extremely cost-effective.

Drew Conry-Murray, User Rank: Ninja
1/25/2013 | 9:20:14 PM
re: Taming Data Before It Escapes To The Wild
Companies have been wrestling with this issue in earnest since the rise of laptops. Cloud services and mobile devices exacerbate the problem, but the essential risk remains the same. Unfortunately, as the article points out, there's no silver bullet. As with other areas of security, this problem requires smart policies, a variety of tools, and ongoing monitoring and enforcement.

My guess is that if someone can crack the rights management nut (that is, balance security controls with the business requirements of moving and sharing data), they'll be sitting on a gold mine.

Drew Conry-Murray
Editor, Network Computing