By Jarina D'Auria
When it comes to protecting data, there isn't one end-all, be-all solution. That's more true now than ever, when your most likely threat is your own employees.
As more workers blur the line that surrounds the workday and bring their laptops, smartphones and other devices home, they are potentially putting their companies' data at risk. In a recent CIO survey, 34 percent of respondents had a security breach where their own current employee was the culprit.
Data loss prevention tools provide ways to identify risky data-handling activity and enforce a remediation action, said Jonathan Penn, VP of security and risk management at Forrester Research. Currently available software to prevent data loss addresses three levels of security: protecting networks from rogue devices, protecting systems from inappropriate access and protecting the data itself. A modern strategy to keep data secure should involve a bit of each, said Penn.
Block Unknown Devices
Deputy CIO Jeff Kuhns needed to protect the networks of 24 campuses within the Pennsylvania State University System against rogue devices-that is, any device not expected to be on the LAN. To address this need, Kuhns deployed software from Mirage Networks.
The software offers a traditional approach to protecting data by keeping outsiders at bay. Once installed, the Mirage system locates connected devices. The IT department can set up access policies for each device and for individuals or groups of users. The system protects data by blocking unauthorized devices from accessing prohibited data.
Such "agentless" solutions are good for organizations that have little control over the devices that end users choose, said John Kindervag, a senior analyst at Forrester. Unlike agent-based solutions, which require software on the device itself, agentless solutions reside on the network. However, as with any security tools, they can't stand on their own. "Agentless [technology] has been the primary way data loss prevention has been deployed," said Penn, "but few vendors have rich agent functionality that is unified with network scanning and remote discovery."
At Penn State, said Kuhns, Mirage software is part of "a defense-in-depth deployment of multiple systems and strategies." These include traditional security devices and software such as firewalls and antivirus technology.
From Devices to Databases
With limits to network-based protection in mind, some organizations have turned to tools that ensure legitimate users don't access data improperly. That's the problem that Nick Ray, CEO of expressHR, wanted to address.
ExpressHR helps companies in the UK manage temporary workers. "Our whole business is this application of sensitive data," including Social Security numbers and passport information. "If there was a security breach, it would be terminal," said Ray. Before heading up expressHR, he was cofounder and CEO of Prevx, an Internet security company.
"The biggest potential risk was from someone on the inside abusing the system and using the information for something other than work," he said. ExpressHR has tens of thousands of users (including recruiters and hiring managers) who access their database.
Ray deployed software from Secerno, which provides activity monitoring of databases. "It could learn what were normal requests from the database," said Ray. With the information the Secerno product gathered, it could automatically build rules to prevent unauthorized usage of expressHR's data.
The software allows systems administrators to define rules that reflect their particular database's activity. The software learns how the customer's application talks to the database-such as how many times a day a file is accessed or whether it's ever printed. Those typical queries become the basis for access policies. If data is accessed in an unusual way, the system notifies IT managers and automatically executes policies for containing the problem (such as quarantining users or locking down the data).
Ray said the biggest downside to a rule-based solution is the potential to block a legitimate transaction if a rule is improperly specified.
Ultimately, he said, the risk of blocking a normal transaction is negligible.
Once you've given someone access and have established access polices, then what? There are granular questions to ponder: Who can edit the data? Or print it? And who can distill it into a different format? Those are normal workflow questions, so it's important to figure out how people use the data when trying to implement security and usage policies.
"You could make your organization extremely secure, but at the expense of the workflow," said Ed Gaudet, SVP of corporate development and marketing at Liquid Machines, a provider of enterprise rights management software.
Companies such as Goldman Sachs and Dow Chemical use Liquid Machines software to protect intellectual property by defining not only who can use the information but also how they can use it. The software is typically used to encrypt all corporate data and lets systems administrators create access and usage rights to protect against misuse. When unauthorized users access data they don't have rights to, they get a message telling them the file is protected.
Controlling information at the data level allows different policies to be set for individual users who travel with the data, even when it leaves the network. This level of control allows security policies to be based on the type of job a person has to do.
That approach maps well with collaborative workflow, said Gaudet, because role-based controls can change as workflow changes. Whatever tools you use, effective data loss prevention requires you to classify your data, a step many organizations often skip, notes Kindervag. "Until companies classify their data correctly," he said, "all data loss prevention efforts will fail."