• Put unified endpoint security policies in place.
• Data encryption is a must to protect data in motion.
• Install a secure communications perimeter around your internal network.
You can stick your enterprise’s data center into the equivalent of Fort Knox, but without a plan of action to contend with data leaks, you might as well toss your organization’s intellectual coinage in the nearest dumpster. And seemingly any strategy you put in place has to take so many variables into account—from careless sales staff leaving their data-laden smartphones at an airport bar to the equally clichéd (but worrisome) third-world hacker worming his way into your network via various phishing techniques.
“Data leakage has been one of the top headlines in the IT world for 2009,” says Chet Wisniewski, senior security advisor at security solutions provider Sophos (www.sophos.com). “Most organizations have recognized the need to protect [portable devices such as laptops, thumb drives, and smartphones] against theft and compromise using full disk encryption, but there is much more an administrator can do to ensure their business is protected.”
So what should you keep in mind when devising a coherent data protection plan? Here is a look at some expert advice on how to properly keep your data in check and safe—and out of the news.
Go To The End Points
The first step to preventing data leaks is to simplify and centralize the control and management of your data end points, says David Ferre, senior product manager of endpoint security at Novell (www.novell.com). Ferre suggests a policy-based approach to systematically prevent data leaks before they can take place, stressing three key areas: removable storage devices, wireless security, and data encryption.
Security policies for removable storage devices such as USB-enabled and other mobile devices put an audit trail in place so that users who copy large amounts of corporate data may be tracked. Moreover, they can prevent users from accessing enterprise data from devices that haven’t been authorized for use by your organization, which helps to decrease the risk of viruses and malicious software being introduced into your network, Ferre says.
Similarly, wireless security policies control which users can connect to your network via the Internet as well as where and when they can connect. “With wireless security policies in place, IT administrators can ensure users access only approved Internet connections and prevent hackers from accessing corporate data through unsecured wireless access points at airports, coffee shops, or other similar locations,” Ferre says.
Protecting Data In Motion
A comprehensive file and full disk data encryption scheme protects your data while it is on the move, when it is most prone to being stolen or misplaced. Moreover, data encryption policies help to keep your data compliant with regulations such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA, says Ferre.
For his part, Sophos’ Wisniewski says that file-level encryption is especially important given that many organizations are seeing data stolen directly from compromised desktops or servers within the data center. “Encrypting that data directly on file shares can help prevent hijacked data from being of use to the attacker,” he says.
Wisniewski says that controlling the movement of what he calls “data in motion” also is key both for protecting data and for refining your overall data protection policy. “Most companies do not have good visibility into where much of their sensitive data is or where it has been going,” he says. “By using a desktop data leakage prevention product, you can see who is accessing sensitive information and where that information resides.”
Limit The Applications Accessing Your Data
It isn’t enough, however, to simply encrypt your data if your employees are able to decrypt said data and use it on any application. Wisniewski says that limiting the types of applications they can use will save you a lot of grief in keeping your data safe.
“The Department of Defense had to acknowledge that secret blueprints for sensitive aircraft were recently leaked onto peer-to-peer networking sites,” he says. “Controlling the use of peer-to-peer and other unwanted applications in the enterprise goes a long way in stopping the leakage at the source.”
Secure The Servers
No matter how well you patrol end points, enforce security using encryption methods and control the ways in which applications on your network can access your data, leaks will still occur on the servers themselves, says K. Scott Morrison, CTO at security vendor Layer 7 Technologies (www.layer7tech.com).
Morrison recommends counteracting server-level data leakage by implementing redaction gateways. “You set up a secure communications perimeter surrounding your internal network that inspects all data going outside the network for information that should not be allowed outside,” he explains. “If it finds anything, it can either stop the transaction entirely or remove the data in question—like the classic black marker redaction on a document.”
According to Morrison, the concept is simple, although you do need fairly sophisticated querying capabilities to distinguish what constitutes a leak. “Customers can set up scans for certain key words and patterns that should be redacted if they appear in a communications stream, whether it originates inside the organization or is a reply to a request originating outside the organization,” Morrison says, adding that there have been several government deployments of this type of technology to protect classified data from leaking outside the internal network.
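The stop-or-redact decision Morrison describes can be sketched as a small outbound filter. This is an added example, not code from Layer 7 or from the article; the rule names, the "PROJECT FALCON" codeword, and the sample messages are constructed for illustration. It also shows why pattern matching alone is not enough: a Luhn check keeps an ordinary 16-digit reference number from being treated as a card number.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Hypothetical policy: (rule name, pattern, action, optional validator).
# "PROJECT FALCON" is a made-up codeword standing in for a site keyword list.
POLICY = [
    ("codeword", re.compile(r"\bPROJECT FALCON\b", re.I), "block", None),
    ("card_number", re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "redact", luhn_ok),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact", None),
]

def inspect_outbound(body: str):
    """Return (verdict, text_to_forward, findings) for one outbound message."""
    findings = []
    for name, pattern, action, validator in POLICY:
        def handle(match):
            text = match.group()
            if validator and not validator(re.sub(r"\D", "", text)):
                return text                      # looks similar, fails validation
            findings.append((name, action))
            return f"[REDACTED:{name}]" if action == "redact" else text
        body = pattern.sub(handle, body)
    if any(action == "block" for _, action in findings):
        return "block", None, findings           # stop the transaction entirely
    return ("redact" if findings else "allow"), body, findings

# Constructed sample traffic (not real data).
SAMPLES = [
    "Lunch at noon?",
    "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456",
    "Attached: Project Falcon drawings, SSN 123-45-6789",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(inspect_outbound(msg))
```

The findings list doubles as the audit record: it names which rule fired on each message without storing the sensitive value itself.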
by Robyn Weisman
Stop Steganography
Steganography, the practice of encoding sensitive information inside innocuous files, is more widespread than you might believe. Jim Wingate, vice president at Backbone Security (www.backbonesecurity.com) and director of its Steganography Analysis and Research Center (or SARC; www.sarc-wv.com), says that steganography applications are easily available via the Web and require little tech savvy to use.
Wingate points out that people attempting to steal information from within an organization are trying to do so without getting caught, and as more companies become savvy to encryption and other data protection strategies, some percentage of these malefactors land upon steganography as an effective way to avoid getting caught. And if you’re not actively monitoring for it, don’t expect those using it to wave their hands and spell out what they’re doing, he says. (For more information on this topic, see “Steganalysis Experts” on page 27.)