Hardly a week passes without a report of consumer or company data being compromised. According to the Privacy Rights Clearinghouse, a non-profit consumer organization, more than 90 million data records containing sensitive personal information have been involved in security breaches since February 2005.
We have all read about high profile cases such as the U.S. Department of Veterans Affairs and AOL from the headlines of our morning newspapers. Sipping our coffee, we assure ourselves that a data breach could never happen to us.
What we find when we read further, however, is that these data breaches frequently occur as a result of a lost or stolen laptop, an insider stealing information, or a targeted hack into a corporate network.
Dealing With the Data
Several questions come to mind as we delve into each affected organization’s data breach story. How did this happen? What was the affected company’s policy with regard to sensitive information? And, most importantly, could this happen at my organization?
IDC reports that approximately 50 percent of data loss incidents are due to insiders, with the FBI rating insider data loss around 70 percent. Both groups agree the majority of these incidents are the result of poor corporate policies or lack of organizational definition of what constitutes sensitive information. In large distributed enterprises with hundreds or thousand of users, data can be anywhere and everywhere. It is this issue of not knowing where sensitive data resides that creates a potential accident waiting to happen. And when it does occur, the affected company is subject to potential fines, customer or shareholder lawsuits and a loss of brand equity.
Faced with these potential consequences, companies are struggling to implement a content protection mechanism that will not interrupt their general course of business. The most secure approach would be to lock down all sensitive data in a central server and not allow any information to migrate to a user’s desktop. While this would almost certainly guarantee the safety of sensitive information, it makes for an almost unusable system. Another approach is to write a strict policy for that sensitive data and audit the company’s employees to ensure compliance, but this would be very hard to manage in today’s dynamic corporate environment.
Security and compliance officers should only write policies that they can easily implement and enforce through a combination of people, process and technology. Tools that are straightforward to implement, highly scalable when deployed and accurate in their findings are invaluable in this effort.
When looking at the security technology options available, a holistic view of the data leakage problem is necessary. When an organization implements a strong policy around sensitive data and restricts its use, then all potential information leakage points need to be addressed.
Covering All the Bases
Data can be thought of in three stages. The first stage, data at rest, is comprised of information residing on computers, corporate servers or network shares at endpoints of the network. The high risk presented by data at rest is the potential to leak unstructured data stored in various office applications.
The second stage, data in motion, is comprised of data moving through the network and leaving through various exit points. Data in motion can be found in e-mail, instant messaging, FTP downloads, or other data transfer formats exiting the network to known and unknown points.
Finally, the third stage, data in use, is information on a computer which is being analyzed or worked on. For data in use, most organizations want to restrict what their users can do with that data, including preventing them from downloading it to removable media devices.
The importance of understanding the three stages of data is that security policies and technology purchases must take each interrelated stage into account. Organizations may focus their initial attention on the protection of one component, but unless that enterprise truly examines how data flows within their company, it is likely to be compromised.
What is the first step to protecting data? Companies must first decide what information is critical to their operations. It might be Personally Identifiable Information (PII), details governed by the Payment Card Industry (PCI) Standard, sales pipeline details, employee 401K history, or intellectual property.
Different Solutions for Different Stages
Data at Rest – The primary challenge presented by data at rest is locating it. For large enterprises, data at rest can be almost anywhere — languishing in temporary files or sitting in un-emptied recycle bins. Products exist today that can find this data by either crawling network endpoints or through the use of client agents which report data in violation of policy back to a central administrator. Remediation is the next challenge. In some cases the administrator may want to delete offending data, quarantine it or move it to a secure server. All of these options exist today with the latest content protection solutions.
Data in Motion – Data in motion, or data exiting corporate networks, is a high priority for content protection. There are many challenges here. Data travels rapidly in today’s modern networks, so content protection products must analyze and classify data at gigabyte/second data rates. Organizations should also consider that a lot of data in motion begins its life in databases which are normally secure. However, once the data starts moving, its security gets increasingly complicated. There are a number of products which can “fingerprint” structured data in databases and then watch for it as it exits the enterprise. In these instances, accuracy is critical in minimizing false positives, which can slow down the network. Some remediation measures available today include the ability to block or quarantine sensitive data in violation of corporate policy.
Data in Use – Breaches involving instances of data in use comprise one of the most overlooked data security challenges facing corporations today. Corporate computer users have innumerable options to copy sensitive data for later use. This data can then be downloaded to a variety of removable media devices, burned onto a CD, printed, screen-captured or cut and pasted into another document. In most cases the transfer of data in use is almost untraceable. In order to fully prevent this type of data loss, each client machine must have an agent which restricts the use of data according to policy. A further challenge is to keep those restrictions in place when the computer is disconnected from the network. This disconnected use requires a persistent agent, which is continually updated once the client reconnects to the network.
Enforcing Corporate Content Protection
More than half of U.S. states have passed legislation requiring that individuals be notified of security breaches over the last two years, and federal consumer privacy protection laws are pending. Companies are realizing that by not fully protecting sensitive information, they could face serious consequences.
Today’s sophisticated content protection products offer solutions for all types of data. In order to be truly effective, enterprises must take a complete view of potential data security and privacy problems their organizations could face, blocking all potential exit points for confidential data. Complete corporate content protection keeps organizations out of the headlines, but requires strong policies, clear thinking of what constitutes sensitive information and diligence on executing a full and comprehensive data protection solution.
Anne Bonaparte is president and CEO of Tablus, a leading provider of content protection solutions.