The Right Formula for Data Leak Protection
Whether on the race track, on the web or in the boardroom, data leaks are invariably bad news. Just ask Ferrari and McLaren, the F1 giants embroiled in controversy over allegedly stolen technical documents. Or Facebook, who mistakenly exposed a slice of their own source code recently, and thereby possibly their own users. Or Monster.com, who made the monster mistake of losing over a million customer records to expert “phishers.”
Companies are facing spiralling pressures to protect all types of business data. Almost all businesses fall under a regulatory mandate to protect private or personal information, and all worry about internal, confidential information falling into the wrong hands. It has become a race to secure data against increasingly sophisticated hackers. In your organization, who will cross the finish line first?
A moving target
There’s a real urgency to find solutions to this problem. The situation is further complicated by the need to protect sensitive data whether it’s parked at rest – i.e. stored within the enterprise, or on enterprise devices – or in motion, either on the corporate network or on external links. However, the main part of the task is controlling access to and use of sensitive data by insiders: employees and trusted third parties.
This task has been compounded by the influx of consumer-based technology into the workplace, such as digital media players, cameras, IM and social networking sites, and USB devices, which are all potential sources of leaks. Hence the growing interest in data leak protection (DLP), as companies searching for the policies, processes and tools to help protect their intellectual property and stop leaks. So what’s the right formula for DLP? What should organizations protect, and how should they manage that protection?
A 2007 Gartner report identified consumer products in the enterprise as one of the biggest threats to corporate security. The security holes these products and applications create need to be closed, and business’ acceptable use policies extended to cover these areas. The report named four key technologies as presenting the biggest risks. Let’s deal with each of these in turn, and evaluate the solutions and policies that can deliver management of each risk type.
Stopping the bus
USB devices (cameras, MP3 players, portable drives etc) represent a key risk, according to the Gartner report. The starting point for protection is to include them in the business acceptable usage policy (AUP), to educate users on the importance of following policy, and the business risks if they do not. But policies alone aren’t enough, so they must be backed up and enforced.
Some companies have taken the empirical approach of blocking USB ports with epoxy glue, but a more manageable method is investing in a port control product, which can automatically block USB devices from being connected to PCs without authorisation. More advanced products also include transparent encryption, so that information copied to USB devices is automatically rendered inaccessible to thieves.
Curbing the office social
Blogging, and use of social networking websites should also be added to the AUP. With blogging, you’ll need to specify what the business is comfortable allowing employees to discuss. Company intellectual property and confidential information should obviously be restricted from blogs, and the same with social networking sites. As with USB devices, policies should be enforced by products, to truly limit risk.
Mobile devices run increasingly robust applications, carry a great deal of business data and increasingly are a target for malicious code. Enterprises can take precautions to limit the risks of these devices without resorting to an unenforceable outright ban – an example being deployment of encryption for all approved mobile devices that have access to sensitive data. Ensure that the encryption product you choose is proven, transparent and automatic, eliminating user interaction and creating a fully enforceable solution that holds up to stringent compliance requirements.
Employees connect to enterprise resources through both unmanaged networks and unmanaged remote devices, reported Gartner. This can increase productivity, but it can also punch holes in the company’s network security. Companies should deploy VPNs to restrict access based on checks of the security of the user’s endpoint. The VPN can be SSL or IPSec, according to the company’s needs. IPSec clients enable increased control and management of the remote access point, which in turn increases protection of corporate assets.
Combined, these four steps result in a formula that will rapidly take most companies a long way towards plugging potential leaks. It’s a long race, but the Winner’s Circle will be much sweeter than crashing out on the track.