An enterprise data leak is a scary proposition. Security practitioners have always had to deal with data leakage issues that arise from email, IM and other Internet channels. But now with the proliferation of mobile technology, it's easier than ever for data loss to occur, whether accidentally or maliciously.
Preparing for data protection
While there are plenty of tools on the market for keeping mobile and stationary data from leaving the company surreptitiously, the best ones use a combination of prevention and detection methods, such as a detection engine and a data blocker.
However, before doing anything, it's crucial to understand what data types are being protected and the level of risk. You should create and codify data classification levels for all of your company's data according to the organization's IT security standards. Data types can be ranked on a scale from low to high, based on the risk of their loss or exposure.
Some examples of high-risk data might include the following:
- Customer or employee information with names, addresses, social security numbers and other identity-related information
- Customer lists that could be used by a competitor for poaching clients
- Trade secrets and intellectual property
- Confidential engineering and manufacturing plans for products
- Financial information or soon-to-be-released marketing plans for upcoming products
Once you understand what data should be protected and have classified and documented risk levels, you can begin investigating which tools would best suit your enterprise's needs.
Data leakage prevention tools
Data leakage prevention tools can be roughly compared to application-level firewalls. Like firewalls, they examine the content of outbound data, rather than just ports and packet types, and ultimately decide what can leave the company. When investigating data leakage prevention tools, you'll find that the three big players in the market are Vontu Inc., Reconnex Inc. and Vericept Corp.
The Vontu 6.0 suite contains a set of tools that can monitor all types of Web traffic, including SSL, IM and Web mail. It detects malicious outbound traffic with its three algorithms: Exact Data Matching, Indexed Document Matching and Described Content Matching. Vontu 6.0 can be finely tuned to target specific groups of employees, locations or types of content.
Reconnex's iGuard platform consists of two useful devices. Reconnex's iGuard is a network appliance that monitors the content of outbound traffic and can also spot malicious activity. The other product, Reconnex InSight Console, is a database that makes detection easier by storing information about sensitive data. As with Vontu, the Reconnex platform can be tuned to suit a company's needs.
Vericept's 360-degree Visibility and Control is a customizable tool predominantly used for content monitoring. It uses what it calls its proprietary Intelligent Content Control Engine. Vericept not only monitors the whole range of Web traffic -- like FTP, SSL, IM and P2P -- but also monitors blog postings, chat rooms and Web sites, all places where sensitive company data and secrets could end up.
Two other vendors that may be useful are PortAuthority Technologies Inc. and GTB Technologies Inc. Like the other products mentioned above, these companies offer hardware appliances that monitor outbound IP traffic for specific types of corporate data.
Since these products are network appliances that simply sit behind firewalls, it is important to ensure they integrate with your existing security infrastructure. Vontu's product, for example, can be integrated with products from Cisco Systems Inc., IronPort Systems Inc. and Blue Coat Systems Inc. Reconnex and Vericept products also work with Blue Coat and other Web proxies.
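The content inspection described in this section, combined with the classification levels discussed earlier, can be sketched in a few lines. This is an added example, not code from any of the vendors named here and not a description of their algorithms; the rule names, the `Level` scale and the protected customer names are constructed assumptions.

```python
import hashlib
import re
from enum import IntEnum

class Level(IntEnum):          # assumed low-to-high classification scale
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Pattern rule: US social security number written as AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to reduce false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def fingerprint(value):
    """Digest of a case- and whitespace-normalized value; the inspector
    stores only digests, never the protected records themselves."""
    return hashlib.sha256(" ".join(value.lower().split()).encode()).hexdigest()

# Constructed sample: digests of entries from a protected customer list.
PROTECTED = {fingerprint(n) for n in ("Acme Holdings Ltd", "Globex Corporation")}
MAX_WORDS = 3                  # longest protected entry, in words

def classify(text):
    """Return (level, reasons) for one outbound message body."""
    level, reasons = Level.LOW, []
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        level, reasons = Level.HIGH, ["ssn-pattern"]
    # Exact-match rule: digest every 1- to MAX_WORDS-word window.
    words = re.findall(r"\w+", text)
    windows = (" ".join(words[i:i + n])
               for n in range(1, MAX_WORDS + 1)
               for i in range(len(words) - n + 1))
    if any(fingerprint(w) in PROTECTED for w in windows):
        level = Level.HIGH
        reasons.append("customer-list")
    return level, reasons

def decide(text, block_at=Level.HIGH):
    """Policy decision: block at or above the configured level."""
    level, reasons = classify(text)
    return ("block" if level >= block_at else "allow"), level, reasons

if __name__ == "__main__":
    for msg in ("Payroll fix for 123-45-6789 attached",   # constructed samples
                "Forwarding the acme  holdings LTD renewal",
                "Order ref 000-12-3456, lunch at noon?"):
        print(decide(msg))
```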
Mobile devices and data leakage
Mobile devices present yet another challenge for data leakage. USB keys, Bluetooth devices or removable CD drives, for example, can all circumvent network controls without a system administrator's knowledge. Because they are hardware storage devices, they sidestep the sophisticated Internet and Web-monitoring tools just described.
One tool that addresses this, Safend Protector V3.0, can be installed as a client on all the desktops and laptops in your enterprise. It can be centrally managed via a Web-based interface and, like the Web monitoring tools, can be tuned to check for certain types of data being moved through USB, Firewire or wireless ports. The tool is tamper-proof, invisible to users, and silent until something is connected to an external port. Additionally, Safend Protector V3.0 can be tuned to completely block access to any removable device, restrict certain devices based on capacity, or allow read-only access. Policies can be integrated into the Group Policy Objects (GPO) of Active Directory to provide access to devices for selected users.
At first glance, the problem of data leakage prevention seems overwhelming. But with a few commercially available tools, leakage can be tamed, whether online, through the Web or by storage device.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in Web and application security, and is the author of The Little Black Book of Computer Security available from Amazon.
This was first published in January 2008