When data classification products trickled into the market over the last year or so, their main goal was to help manage storage by assigning value to data. (See De-Classifying Data Classification.)
But Terrence Griffin, VP of information services for Atlanta Postal Credit Union (APCU), is one among other early adopters of data classification software who is finding it also works for security and compliance purposes.
APCU uses FiLink's Compliance Protector Solution, an OEM version of Scentric's Desinty data classification application to fill several holes in the credit union's security policy. (See Scentric Gets Classified.)
"We put this document together called, 'Five Steps to Secure Data Information,'" he says. "We knew we had some holes in there. We didn't know where all our information was. The CTO came to me and said, 'Do you know if people are taking data out on hard drives of laptops?' We had policies against taking data out, but we didn't have tools to enforce compliance and keep the data safe."
APCU has about 150 internal users and keeps sensitive information about its more than 94,000 U.S. Postal workers and families who are members.
"People could download reports and even create Excel spreadsheets with all that information," he says.
APCU had several pieces of its security plan in place. It was already using Compliance Commander from Intrusion to block sensitive information from escaping via email or attachments, and ZixMail from ZixCorp. to encrypt email and attachments.
"That took care of data in flight," Griffin says. "We also wanted to secure data at rest, to look on our laptops or desktops and see what important information was being housed on our PCs."
APCU signed on over the summer as a beta tester for Compliance Protector Solution. CPS lets the union classify information on users' laptops and PCs and removes data that shouldn't be there. It also uses Destiny's risk analysis reports to identify where there might be exposed privacy data.
"It looks at data on PCs, says this information has to be classified and stored on the data center server, moves it to the data center, and puts a link to it," he says. "The employee goes in the next day, doesn't know data is moved, he only seeks a link. We can get information off desktops, off laptops, and put them on a secure server here. If the laptop gets stolen it's just a link to our secure server. They would have to link back to access it. It also avoids having to encrypt PCs and laptops, because the data never resides there."
Grffin says the application lets APCU set different levels of security. "We can tell what PC a document is on, the users that have access to that information, where the information is, how it got moved," he says. "We track the whole lifecycle of the data through the Destiny console."
"If theres something on a PC, it will alert us and move it automatically. If you're a front line employee, say you work in the mailroom, why do you have this much information on your PC? If it's a manager or an executive, it might be different."
Even with all the gaping holes plugged, Griffin is still working to improve security. Next year he plans to consolidate several NAS servers into a larger SAN connected to the APCU's mainframe. "We want to consolidate all that information on the mainframe, one device to back up, control data, control storage space, so we don't have stuff spread across platforms."
He's also considering NeoScale for hardware encryption because of performance concerns about doing too much encryption in software. But what he's still searching for is a way to integrate all of his security applications and devices.
"We have all these security products out there, not tied together," he says. "We're looking to integrate them in some fashion. We're looking for better reporting across the board -- 'here's what we have, this is what we need.'"
Dave Raffo, News Editor, Byte and Switch