Taming Data Before It Escapes To The Wild

As employees adopt cloud services, companies risk losing control of their data, with solutions running the gamut from basic to complex and expensive

With the proliferation of personal devices in the workplace and the use of cloud services for collaboration, business information has spread far wider than the traditional boundary of the corporate firewall. Defending that boundary was once enough to protect a business's sensitive data, but no longer.

In many ways, it is a losing battle, says Branden Williams, chief technology officer for security technology company RSA. If a company is looking for absolute control of their data, they will not find it, he says.

"Once information is created, they've pretty much lost control of it," Williams says. "Once it moves onto a laptop or personal device, even a corporate device or thumb drive, the business can no longer trust that a copy has been made."

While companies must accept that data will not be controlled absolutely, they should not give up, either, he says. There are good processes and technologies to give companies a better handle to account for and protect their sensitive data.

The first step, however, is to identify what data is considered a valuable asset, says Bill Kleyman, virtualization and cloud architect for consultancy MTM Technologies. Companies need to determine not only which data is important to the business, but also which data might be subject to compliance regulations.

"Any controls that you implement will require that you know which assets need to be protected, so you need to identify those assets," he says.

By going through the analysis, a company can determine cloud models that best fit its way of doing business, says Kleyman. Using services such as Dropbox, for example, is most likely a big no-no for any company that has to comply with federal regulations.

[Workers need file-sharing services to do their job; smart businesses should secure the data without making employees pay in lost productivity. See Securing File Sharing Without Losing Productivity Gains.]

After identifying important data, companies have a wide variety of options to protect it, from encryption and enterprise rights management to more minimal protections, such as monitoring data usage.

Sales data, for example, needs to be widely shared and may not be that sensitive, so it could be treated differently than medical data that falls under regulatory requirements, says Bill Munroe, vice president of products for data-protection firm Verdasys.

"With sales data, you might just want to lightly protect that, or use no protection and just monitor the data," Munroe says. "But with, for example, x-ray data, how do you make sure that, if it's outside your network, that it's protected? The endpoint can manage a lot of the protection, but you have to have faith that the user will not do something stupid."

Encrypting data and placing access restrictions on the information can help a company better control sensitive data and trade secrets, but at a significant cost. Using enterprise rights management and trusted computing technology to lock information to specific hardware can minimize the danger that data is leaked, but also requires a significant investment in technology and resources.

"It's a pretty nice way to go, but it's an expensive way to go," says RSA's Williams. "It's not that such things are impossible, but there are so many other little ways to improve the situation that aren't as expensive."

Another option for companies is using virtual desktop infrastructure: Put the data in the digital equivalent of a clean-room environment by using virtualized desktops that let employees view and interact with data, but not move it to their own systems.

With the increasing popularity of more aggressive forms of defense, some companies have become more proactive, using misinformation to create decoy data. When an attacker attempts to copy the data or transfer the information, the company is alerted and can gather more information on the attackers.

"As you start to put disinformation in there, it gums up the works for the attacker," says RSA's Williams. "It leads them into places where they don't get access to any real data."
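The decoy-data approach Williams describes only pays off if someone is watching for the decoys being touched. The following is an added example (not code from the article or from RSA) of that detection step: a handful of constructed decoy customer IDs are seeded into a dataset, a constructed access log in a hypothetical "timestamp user action object bytes" format is scanned, and any read or export of a decoy record raises an alert, since no legitimate workflow should ever reference it.

```python
import re
from dataclasses import dataclass

# Constructed decoy (honeytoken) record IDs seeded into the real customer table.
# They carry no business meaning, so any access to them is suspicious by definition.
DECOY_IDS = {"CUST-90417", "CUST-90418", "CUST-90419"}

# Constructed sample access log (hypothetical format: ts user action object bytes).
SAMPLE_LOG = """\
2013-01-25T21:05:11Z alice READ CUST-10001 512
2013-01-25T21:05:12Z alice READ CUST-10002 512
2013-01-25T21:06:40Z bob EXPORT CUST-90417 2048
2013-01-25T21:06:41Z bob EXPORT CUST-10003 2048
this line is malformed and must be skipped
2013-01-25T21:07:02Z carol READ CUST-90419 512
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<obj>\S+) (?P<bytes>\d+)$"
)

# Higher number = more worrying action against a decoy record.
ACTION_SEVERITY = {"READ": 1, "COPY": 2, "EXPORT": 3}


@dataclass
class Alert:
    ts: str
    user: str
    action: str
    decoy: str
    severity: int


def scan_log(log_text: str, decoys: set) -> list:
    """Return one Alert per log line that touches a decoy record."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        if m["obj"] in decoys:
            sev = ACTION_SEVERITY.get(m["action"], 1)
            alerts.append(Alert(m["ts"], m["user"], m["action"], m["obj"], sev))
    return alerts


def users_to_investigate(alerts: list) -> list:
    """Distinct users who touched a decoy, most severe action first."""
    worst = {}
    for a in alerts:
        worst[a.user] = max(worst.get(a.user, 0), a.severity)
    return sorted(worst, key=lambda u: (-worst[u], u))
```

Running `scan_log(SAMPLE_LOG, DECOY_IDS)` flags bob's export and carol's read while alice, who only touched real records, never appears.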

In the end, such technologies--including proactive monitoring systems, such as data-loss prevention (DLP) systems that scan for exposed data--are still considered next generation, so only companies with good technical resources should consider adopting them, says MTM's Kleyman. Focusing simpler methods of protection on a subset of the company's data may be the best approach, he says.

"People want to jump on the bandwagon, but what people don't realize is that the wheels aren't built yet," Kleyman says. "When you move to cloud computing, there are resource implications, policy implications, and absolutely security implications."

Drew Conry-Murray, User Rank: Ninja
1/25/2013 | 9:20:14 PM
re: Taming Data Before It Escapes To The Wild
Companies have been wrestling with this issue in earnest since the rise of laptops. Cloud services and mobile devices exacerbate the problem, but the essential risk remains the same. Unfortunately, as the article points out, there's no silver bullet. As with other areas of security, this problem requires smart policies, a variety of tools, and ongoing monitoring and enforcement.

My guess is that if someone can crack the rights management nut (that is, balance security controls with the business requirements of moving and sharing data), they'll be sitting on a gold mine.

Drew Conry-Murray
Editor, Network Computing
Gerry Grealish, User Rank: Author
1/25/2013 | 9:37:07 PM
re: Taming Data Before It Escapes To The Wild

article. I could not agree more with the idea that all enterprises tackle a data classification exercise and truly understand the exposure associated with info that is going out to the cloud. Two points that differ with some of the ideas in the article though:

* Sensitive data, unfortunately, does not know the boundaries of certain categories of cloud applications...we have worked with many enterprises that needed to keep sensitive data out of Sales and CRM applications, Human Capital Management systems, IT Management systems, etc (for example)

* Encryption solutions (or tokenization) are unique in their ability to truly render data "meaningless" in cloud applications; and products like PerspecSys that are gateways that enable the deployment of encryption/tokenization while maintaining the overall usability of the cloud applications, are straightforward to deploy and extremely cost-effective.
