Block Data Leakage at the Source
Computer networks today have become increasingly open, with greater reliance on IP. More and more staff are accessing a greater number of applications and databases, while remote access has grown hugely. Staff are accessing applications not just from within the office, but from various locations outside the office. These teleworkers and day extenders are significantly increasing remote access, as are mobile workers, including those using wireless hotspots. Company networks are also being remotely accessed by suppliers and third parties.
Our use of email has mushroomed to the point where it pretty much inconceivable to run many businesses without it. The number and size of attachments has also grown very significantly. This openness and our enthusiasm for email, while it can make life easier and improves productivity, has many disadvantages. One of the main ones is the greater difficulty we have in protecting the confidentiality of information. The opportunities for unauthorised viewing of data, data theft and data leakage have increased tremendously and organisations are now having to look urgently at managing this problem.
What data is at risk?
The increased standardisation on IP can mean that all confidential data which is held on a network is at risk and needs to be protected from unauthorised access, both inside and outside an organisation. Internally, there are risks from employees and skilled IT staff. It may be non-malicious, with people wanting to find out other people’s salaries. Or it may be staff accessing confidential company data, including personnel files, company plans and financial information. It could also be malicious, such as viewing and stealing customer information or company confidential information (e.g. research) to pass on to others. It may be employees who feel the need, for whatever reason, to leak company or government information.
Employees can also inadvertently expose confidential data to the outside world through the use of unprotected wireless, unprotected remote access or careless laptop use. Valuable sales information, for example, could be seen by competitors. Confidential information about customers or the public could be leaked. The large number of high profile cases of data leakage highlights this problem. Interestingly as mobile and remote workers increasingly store highly confidential personal information, such as passwords and bank details on company equipment, they are also at significant personal risk.
Another high risk area is the use of USBs and mobile devices such as PDAs and Blackberrys for the storage of confidential information. The very mobility of these devices renders them vulnerable to accidental loss or theft. Additionally, failure to manage these devices means that they are often the conduit for data theft and leakage from organisations. Data is also at risk of exposure from people outside an organisation. Industrial espionage is well known and “spies’ might be after valuable R&D information or other information which will give them a competitive edge, such as contract tendering details.
Externally, companies are at risk from hackers or others who might want to find something detrimental on an organisation which they can publicise. Criminals, wanting to use information (particularly financial) to carry out crimes, are also a significantly increasing threat. The large sums available from these types of crimes, the low risks of detection and punishment, and the ease of carrying them out has made this much more attractive than many other areas of crime. It will continue to grow at an increasing pace over the next few years.
Data leakage is a very important issue, not least because companies have a legal requirement, under The Data Protection Act, alongside other statutory requirements, to secure information on their employees and on their customers. Even if information held on a system has come from a third party such as a supplier, companies are still liable to protect that information from being seen by unauthorised people. The impact of negligent data loss on their reputation is also now moving organisations to focus on an area that has traditionally been ignored.
According to the Department of Trade and Industry (DTI) Information Security Breaches Survey 2006, only one company in seven actually encrypts data on hard disks. Recently, a laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees went missing from a printing firm, which was writing to M&S workers about pension changes. Identity theft is the possible result of such losses.
You only have to use email on the Internet, and receive “phishing’ emails, to be aware of the many criminals out there today who want to get access to your personal data so they can steal from you. If your company is the repository for sensitive personal data, then it is more important today than ever to protect it. If you carry out credit card transactions and hold information on company networks, then you have to comply with the latest PCI (Payment Card Industry) data security standard by next year, or you may be financially penalised.
Is current protection adequate?
We have used various methods up until now to protect company data, but they are no longer enough in themselves, because of the increased risks we face. Firewalls and access control are commonly used and networks may be protected by multiple layers of firewalls. However, computers being used by staff at home to communicate with the office and access information may not have firewall protection. Even if they do, the user may not have enabled the firewall or may not have updated it. And, of course, if access control is inadequate, firewalls will not stop data being read.
Currently, access control may be a simple password, which is generally recognised as an inadequate security mechanism, which may put data at risk. According to the DTI Information Security Survey 2006, the vast majority of companies still rely on weak, static passwords. Companies may also use more sophisticated means, such as strong two-factor authentication. This involves a password in conjunction with another method of authentication, for logging in. The other method could be a token, but could also include biometrics, smart cards or virtual tokens.
Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However with this company confidential data now routinely accessible from and downloadable onto the network, this protection has significantly diminished. Regularly reviewing access control lists is another key component in data security, as is managing emails and instant messaging, because unencrypted emails are vulnerable to interception.
These methods are all components in safeguarding data. However, the computing scenario has now changed so much that, on their own, they are unable to cope with the current state of threat. One strong area of risk is allowing unauthorised (or departed) members of staff to have unmanaged access rights to data, for which they have no valid need. This is a major cause of data leakage. A common failure in larger companies is to terminate the departing user’s rights at the last place he/she was located, but neglecting to terminate access rights at previous divisions or locations.
Companies now need to review how the risks to their organisations have changed, with regard to data confidentiality, and assess what the current dangers are. A risk assessment can be carried out and positive action drawn up to protect against the relevant threats. A key part of any programme will be to regularly communicate to staff that data protection is the responsibility of everyone in an organisation, and not just the IT team. It should also be re-iterated that any unauthorised access to or misuse of data by staff, whether it is non-malicious but done without authorisation, or whether it is done with criminal intent, is not acceptable.
High risk areas
Email is a key area of risk for many organisations. The route for email over the Internet is via servers. Sending unencrypted emails is the equivalent of sending postcards by ordinary mail. They are easy to intercept and read, without the sender or intended recipient being any the wiser. There are actually companies whose business it is to use key word searching to find (to order) information for interested businesses.
The solution is to use email encryption which enables you to secure the communication and restrict read access to the named recipient only. There are a number of ways of carrying out email encryption which don’t impact the business. For example, encryption specialist Utimaco has a system that enables you to send email as encrypted PDFs, readable by the recipient using a password. Other systems operate around PKI and the use of public and private keys. The common thread is that confidential information can be freely sent over the Internet, with the data secured by encryption.
If you’re emailing remotely, then VPNs can also have an important role to play. This is because VPN encryption will protect the confidentiality of your emails. This applies to both SSL and IPSec VPNs. So companies can require the use of VPNs by employees picking up email remotely. Similarly, VPNs use can be enforced for wireless users. If you don’t want to encrypt all emails, you can just make sure you encrypt confidential emails. Encryption is also a good idea for confidential internal emails. As discussed earlier, the curiosity of some employees can get the better of them. Most administrators have access to email. Or access to internal systems may be gained by outsiders if access control is not secure enough.
Remote and laptop use
The DTI Survey 2006 found that 60% of companies that allow remote access do not encrypt their transmissions and that businesses that allow remote access are more likely to have their networks penetrated. Security is a particular risk when people are working away from the office either at home or while travelling. All remote access to head office applications should be done over encrypted VPNs (either IPsec or SSL) which as already mentioned, will protect data confidentiality.
Laptops are particularly at risk of theft or loss, disappearing from employees’ homes, cars, hotels, etc., etc. The cases of laptop theft quoted earlier, which exposed personal data, would not have been a problem if the companies concerned had encrypted the laptop hard disk. Thieves would have been unable to decipher the information on the laptops.
Wireless computing is a particularly risky area, whether used in or away from the office. Without proper protection, using wireless is like broadcasting in open air for anyone to see. The original wireless security standard, WEP, is flawed and unreliable. The world record for cracking WEP, set in April 2007, currently stands at 3 seconds. WEP’s vulnerability was demonstrated by recent problems at TJX, the parent company of TK Maxx, where the biggest loss of credit card data in history took place. Hackers stole 45 million customer records from the TK Maxx parent company, by breaking into the company’s wireless LAN. WEP had been used to secure the wireless network but WEP is one of the weakest ways of securing wireless and it didn’t stand up to the attack. If the customer records had been securely encrypted, the customer data would have been safeguarded.
Wireless hotspots and Internet cafÃ©s can be risky places to use a computer. Someone could easily pick up your password and details. If you’re sending confidential emails using a wireless computer then, not only do you need to use an encrypted SSL VPN or IPSec VPN connection, but you should also consider whether to encrypt the email itself. Don’t send it in open text. It is far too risky. Similarly, if your organisation is using unencrypted wireless in the office, all the information held on your network can be at risk. This is one reason it is wise to encrypt all relevant confidential files, data, internal emails and network attached storage (NAS). The DTI Survey 2006 revealed that 20% of wireless networks are completely unprotected, while a further 20% are not encrypted. 40% of companies that allow staff to connect via public wireless hotspots do not encrypt the transmissions.3
Securing data across the organisation with UEM
The easiest and most effective way of stopping sensitive data being read by unauthorised personnel or outsiders is to encrypt it. Access to the data should only be given to those individuals and teams that need it and are authorised to use it. How widely should you use encryption and where is it especially needed? It should be evaluated for use throughout an organisation, with a particular focus on email, business-critical stored data, remote access and wireless use, although you don’t have to encrypt everything, just data which is confidential.
While encryption is an obvious solution, it is one that has historically only been implemented by a minority, largely due to the high cost and the difficulty of using older-style encryption solutions, which traditionally also had high processor overheads. Another previous limiting factor was the historic difficulty of centrally managing encryption across all elements of the enterprise. Major improvements in technology, increased awareness of the threats coupled with reductions in pricing have now radically changed the landscape for encryption. There have been significant increases in encryption speed and a huge growth in processor speeds.
Another major advance in encryption technology has been the ability to easily manage encryption across all data risk areas including desktops, laptops, PDAs, USB sticks and other removable media, greatly improving overall security. This comprehensive approach is known as unified encryption management (UEM) and it is revolutionising encryption. If you can’t start afresh in implementing a UEM strategy, you can proceed bit-by-bit, gradually migrating to a structured, organisation-wide encryption environment. Perhaps a key factor in people’s changing attitude to encryption is a reduction in the costs of deployment. All these developments have contributed to an increased use of encryption solutions.
Improved centralised management capabilities, which support UEM, are part of solutions from companies such as Utimaco and Pointsec. Utimaco, for example, offers a management centre which manages and co-ordinates encryption across the whole network, whether it be for laptops, mobile devices, wireless devices, for your LAN, USB sticks, or network attached storage.
How do encryption solutions work? If we take one of the traditionally weakest points, the laptop, a typical solution would encrypt the hard disk and encrypt or decrypt information as the user accesses it. No unauthorised user would be able to read the data stored on it. The data on the laptop will be securely protected, even if the hard disk is removed. Complete encryption of the hard disk and a secure user authentication procedure, which runs before the operating system boots, will provide secure protection for the laptop. Office or home desktop PCs can also use similar encryption software.
Products such as Utimaco’s SafeGuard Easy encryption solution can operate transparently in the background, so end users don’t need any training, nor do they have to change the way they work. However, encryption is only one component in an access control programme, which should also include authentication and, in turn, be part of wider company wide security policies. Key elements of such policies are actually identifying data that is confidential, analysing the risk of loss, and determining how to secure it. While this would appear to be self-evident, in practice many organisations do not carry out these tasks.
With increased network access to an ever-growing number of applications, from an ever-growing number of locations, data resident on computers, laptops and other removable media is more at risk than ever of being seen by unauthorised personnel or outsiders. The growth of organised criminal activity seeking personal and financial details will continue to be a problem, particularly considering the large profits to be made here. This means that data leakage is moving from corporate embarrassment to significant commercial threat.
Encryption has now become a vital part of the security equation if companies are to protect confidential data, both to safeguard their company, and also to fulfil legal and moral obligations to employees, customers and others on whom they hold data. Encryption solutions from suppliers such as Utimaco and Pointsec are increasingly cost-effective and easy-to-use, so there is now little excuse for organisations not to secure themselves, particularly as the cost of any rectification will almost certainly involve the purchase and hurried deployment of an encryption solution!
If you’ve read this far, you probably don’t have encryption widely deployed. A question to consider is: “Would your company deploy (or be forced to deploy) encryption, if you experienced a high profile data breach?” If the answer is yes, then perhaps it is better to install encryption first before that happens, so the installation can take place in a controlled and cost effective manner. The growth of encryption is moving towards centralised unified encryption management, in preference to single point encryption solutions. This trend is expected to continue. Alongside this development, there is an increasing awareness of the threat of data loss, together with an increased implementation of risk assessment and protection around the issue of data leakage.