Data leakage problem tough to solve

By Marcia Savage, Features Editor, Information Security magazine 29 Jun 2007 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

SAN FRANCISCO -- Data leakage is a big problem for enterprises but there are no clear-cut solutions, McAfee's chief security architect said Thursday at the Burton Group Catalyst Conference.

Sensitive customer information and confidential corporate data can slip out of an organization via email, lost laptops, USB drives and a host of other ways, said John Viega, who also is vice president of engineering at McAfee. Under pressure from breach disclosure laws and regulations like Sarbanes-Oxley, enterprises are exploring a range of solutions: policies, data leakage gateways, endpoint device protection, and disk encryption.

But there are drawbacks to all of the options and no one technology fully addresses the problem, Viega said.

He said it's tough getting employees to follow data handling policies and training doesn't stick. Data leakage gateways can help enforce policies on the network but can't stop an employee from copying confidential data onto a USB storage device or from taking a laptop home and sending confidential data via Web mail. Classifying sensitive documents on the network can require investment in professional services, Viega said.

Endpoint device protection technologies that track operating system and application operations to enforce policies at the desktop can block someone from copying data to a USB drive, but it won't be on all devices in an organization and it can become too costly to block people from doing what they want to do, he said. Companies tend to deploy such technologies in "advise" mode rather than "block" mode so that IT isn't inundated by requests for policy exceptions.

Hard-disk encryption is "by far the most commonly" deployed technology for data leak prevention, Viega said. The price tag is lower than other options but it doesn't address some leakage scenarios and can be a hassle when passwords are lost, he added.

Digital rights management can extend data handling policies to hosts without monitoring protection but there's no clear technology leader in the space, Viega said.

After the session, an architect at a manufacturing company who declined to give his name said Viega "basically stated the obvious -- there's no silver bullet." With any of the technologies "you still can't guarantee there won't be any leaks," he said.

Another attendee -- a security engineer at a pharmaceutical company who also declined to give his name -- said the session presented more problems than solutions. He would have liked to hear more about enterprise rights management.

"Going after the USB fobs, the iPods -- whatever you can connect to a computer -- is just a losing game … You need to protect [data] at the source," he said.

Tags: Data breaches and prevention strategies,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data breaches and prevention strategies Gartner's Avivah Litan on the online banking fraud surge Bank computer technician indicted in identity theft scheme Survey: Consumers don't trust banks to keep their data secure ChoicePoint settles with FTC over second data security breach Data breach lawsuit puts spotlight on bank's security measures Google ordered to deactivate Gmail account after bank email error Threat of insider fraud growing with bad economy Data breach protection: Implementing vendor breach safeguards Zeus Trojan hitting banking customers hard TJX settles with banks for $525,000

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Governance, Risk and Compliance  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary