Practicing Safe Data

Worried about data protection? You should be

Are you starting to get dragged into discussion about which data leakage product is the best? Are you forming an incident response team to address a recent report of a lost or stolen laptop? Have you just banned iPods from the workplace? You're not alone.

Data protection is worth worrying about. It's not an easily addressable problem, like spam or spyware. Countering those threats usually involves evaluating a few products and making a purchasing decision.

Data protection is much harder. The threats come from both the outside and the inside. On the outside, you have overzealous teenagers in Canada, competitors, and crime syndicates based in Russia. On the inside, you have engineers packing up to join a competitor, sales people squirreling away customer lists, and fraudsters mining for gold – not to mention the oft-cited disgruntled employee.

Think Ignacio Lopez, the infamous purchasing czar at General Motors who quit one evening and took dozens of boxes of strategic documents with him as he set up shop at Volkswagen. Or the Indian Security Agency flunky who delivered a USB thumb drive, purportedly loaded with information on India’s nuclear program, to a U.S. embassy operative.

There are three facets to data protection: encryption, device control, and leak prevention. Some types of information have to be encrypted while they are at rest, such as credit card information. You would not want to suffer the fate of CardSystems Solutions Inc. that went out of business last fall due to the loss of a huge number of records to a hacker. Besides, the credit card associations stop just short of requiring encryption if you want to handle their cards.

But do you want encryption everywhere else? Do you want the headaches of handling keys for all those files, users, servers, and backup devices? I don’t think so. Look for tactical opportunities to exploit the power of encryption. Cyber-Ark Software and Ingrian Networks, for example, have created manageable tools for encrypting valuable information.

Device management – the ability to set and enforce policies on the types of devices that can be attached to the network – is something most organizations have not even begun to look at. Centennial Software, Safend, and SecureWave provide centrally managed solutions that can see every USB device that is attached to the network. Policies can be created by device and user, allowing or disallowing the use of a particular device. So, no more worries about 30 gigs of data being downloaded to an iPod on an employee’s last day.

Leak prevention is all about monitoring the network for suspect activity that indicates someone is misappropriating or misusing data. It can be deployed in existing network attached devices, such as an email gateway like Proofpoint's or an IPS device like Force10’s P series. But several emerging companies also are addressing the leakage issue: PortAuthority, Reconnex, Tablus, Vericept, and Vontu among them.

At this early stage, the keys to choosing a leak prevention solution are:

  • Ease of deployment. A solution that requires you to set granular policies and manually identify critical information will be too cumbersome and expensive to deploy. The ideal solution should be capable of operation on the first day, and should start generating useful results immediately. Spiders that crawl the network, indexing and fingerprinting data, can ease the data discovery phase. Default policies based on activity monitoring will get a solution up and running quickly.
  • Accuracy. The underlying algorithms that decide when data is being leaked should minimize false positives. Every alert sets off a forensic response. False positives waste time and lead to embarrassing investigations. Too many false positives and the tool will no longer be used.
  • Reporting. Yawn. Gotta have it.

I believe that the ability to actively block is not critical at this early stage. Making insiders aware of your ability to monitor their activity will curtail over 90 percent of the data leakage you are probably experiencing today. Blocking real traffic could cause more problems than it solves, especially if a network device is configured to fail in that situation. Finding and disciplining the people who are abusing your data is the most important step to take in data protection.

Encryption, device management, and leak prevention work together to diminish the risk of data loss. Encrypting data at rest protects it from outsiders and unauthorized insiders, as well as inadvertent loss off the back of a delivery truck. Quickly deployed and well managed leak prevention can help to control insiders’ behavior. Device management blocks the insider who is determined to steal data via a thumb drive or iPod.

Of course, none of this can stop the determined industrial spy – just use your cellphone's camera to take a picture of the unencrypted data on the computer screen, and you've foiled all of these defenses. But the combination of these three technologies will reduce your exposure and put you in compliance with the industry's best practices.

— Richard Stiennon is founder of IT-Harvest Inc. Special to Dark Reading

  • Centennial Software Ltd.
  • Cyber-Ark Software Ltd.
  • Force10 Networks Inc.
  • Ingrian Networks Inc.
  • PortAuthority Technologies Inc.
  • Proofpoint Inc.
  • Reconnex Corp.
  • Safend Inc.
  • SecureWave S.A.
  • Tablus Inc.
  • Vericept Corp.
  • Vontu Inc.