COMMENT ON THIS ARTICLE
Corporate security lapses are once again sweeping the news hour, but these days the culprit is just as likely to be an inside source — a paid employee at a reputable company — as a hacker doing evil somewhere in a Moscow basement.
Pity poor Boeing, which made headlines in December after personal information including salaries, social security numbers, and home addresses of approximately 382,000 retired and current employees was stolen. According to news reports, a thief made off with an employee’s laptop.
Unfortunately, the laptop’s owner violated Boeing’s policy by failing to encrypt the data after it had been downloaded from a server. In an e-mail sent to Boeing employees, Jim McNerney, chairman, president, and CEO wrote, “This latest incident resulted from a clear violation of our data-protection policy.”
That wouldn’t surprise Brian Contos, CSO of security vendor ArcSight and author of Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. In the book, he notes, “Too often policies and procedures are outdated, forgotten, not well-communicated through awareness programs, or not even written.”
Financial liability aside, information leaks can disrupt corporate strategy and leave an embarrassing bruise. In January, full details about Cingular Wireless’s latest Palm Treo 750 were leaked to the Web a week before the announcement date. A sales presentation that was supposed to be embargoed until the big day was instead debuted prematurely.
PLUGGING THE LEAKS
Such events are leading to a surge of interest in ILP (information leak prevention), which targets policy-compliance monitoring and enforcement pertaining to information on the desktop and all data that moves along the internal network and across the corporate boundary.
“Maybe we were naïve, but until we installed PortAuthority at the beginning of 2006 we had no system for auditing [outbound] e-mail,” says Ron Uno, an IT manager at Kuakini Health System and a key player in an ongoing effort to be HIPAA-compliant. “It flags everything [suspicious].”
A Fortune 1000 CSO, who asked that his name be withheld, describes both the frustration and urgency bound with ILP. “If an employee goes against company policy and takes data home to be more productive, how would I know? Not a single person in any company knows where all the data is. And if you don’t know where the data is, how can you even begin to protect it?”
Protecting information assets will always be a challenge of the highest order, but there are specific tasks you can perform to decrease your risk. The first step in the ILP process is to develop a data protection policy. Corporate security officers should evaluate their ILP threats and institute risk-appropriate solutions.
Company officials must first decide what information is important to keep confidential. How can the data be accessed? Who can access it? When? And for how long? Information must be assigned a value, using implicit and explicit costs. The relative threats and risks to it must be evaluated, and a cost-of-defense threshold developed. A determination must be made as to how much the company is willing to spend to protect its confidential information.
Defining the confidential and critical information, the risks to each type of information, and the value to the organization allows ILP planners to focus on mission-critical assets first. In short, a data-protection plan follows the same steps that an organization would take when developing a business continuity plan — only the focus is different. In a business continuity or disaster recovery plan, the focus is on the infrastructure and processes and what it takes to make a company’s mission-critical tasks operational again. A data protection policy is, by contrast, information-centric.
After the data-protection policy is developed, educating employees is the next order of business. Understanding and adhering to the policy should be part of the hiring package, and employees should know the consequences, for example, of taking home data without permission.
Further, there are numerous policies to prevent information loss that leave users out of the loop, regardless of whether or not their intentions are malicious. One is to ensure that backup media is encrypted by default; another is to disable USB to prevent loss by way of flash memory drives. Whatever the policies are, they should be clearly communicated to staff and contractors in writing.
INFORMATION IS POWER
Next, information stores and communication channels must be defined. IT must know where all the critical data are stored and how it’s communicated between hosts. Consider client computers, file servers, e-mail servers, print servers, and database servers. Information is often transmitted using HTTP and e-mail, but don’t forget instant-messaging channels or removable media such as DVDs, CD-ROMs, and USB flash drives.
Also consider third-parties if they store or have access to your data. Negotiating the right to inspect and audit their controls on a periodic basis can go a long way toward reducing risk. It’s wise to include a clause in your contract that they forfeit the job the minute they fail to ensure adequate controls.
After you’ve hypothesized where the information is, find it and monitor it. Several vendors make tools that look for confidential information. Some scan server and workstation hard drives looking for tell-tale signs of protected data. The use of predefined data formats such as XXX-XX-XXXX would be recognized as a social security number and send out the proper alerts, while others do the same listening on network connections.
PortAuthority, which was recently acquired by Websense, sells software called Precise ID. The software uses multiple detection methods to identify and classify structured or unstructured data, including rules, dictionaries, keywords, threshold counts, categories, lexicons, statistical analysis and content-matching. It recognizes more than 370 file formats, including popular archival types such as .zip. Searches can be made on storage media (what PortAuthority calls “data at rest”) or while the data is in use.
Quicklink 071573
SIDEBAR: Tools of the ILP trade
Preventing data leaks requires a multi-pronged approach. Although no single product can do it all, many companies are buying ILP-specific technologies, such as those found in PortAuthority Technologies’ product line.
Securent CEO Rajiv Gupta puts it best: “Companies are tasked with making their applications more broadly available to a wider range of customers, end users and partners while at the same time making sure unauthorized access isn’t granted. If everyone is sharing the same data, it often takes a ‘Chinese Wall’ type of product to help keep users and data appropriately segregated to ensure compliance.”
Securent’s Entitlement Management Solutions attempt to keep internal and external parties away from data sources by focusing on authorization. Other vendor systems handle identity and authentication, but then administrators define user authorization policies to enforce who can see what. Securent’s products work by wrapping end-point applications in an application-level shim. Securent’s policy engine and enforcement points can provide additional granularity that the application or operating system itself cannot deliver.
PortAuthority Protector Appliances passively monitor network communications, looking for confidential data in e-mail, IM, file transfers and Web postings. If protected content is detected, the i