Controlling information leaks

When data ends up in the wrong places for too long, it's a recipe for disaster

Last week I vented about Congress’ proposed weakening of personal-information protection and disclosure laws with the pending vote on the Data Accountability and Trust Act. But if you’re the CEO or security officer of a company that stores the personal information of consumers, I'm not ignoring your side. After all, it’s not like CEOs or corporate network security officers want to allow confidential information to be stolen.

Theft usually occurs because an effective security plan is not put in place or isn't followed consistently. More often, it’s because confidential information ends up in the wrong places or remains there for too long.

Unfortunately, in most companies the flow of confidential data isn’t controlled or monitored. There really aren’t many tools in the public sector to help with the task of managing data from many disparate places and making sure data gets deleted when a user is finished with it.

For example, say one executive asks a department to run a query for a particular product and another manager asks IT to export and clean up data for doing business with an external partner. Live data is frequently copied and used to create and test programs, but that data remains in old programs, so over a period of time, confidential data ends up everywhere.

Can any company really know where all of its confidential data is stored?

Offerings such as Microsoft’s Rights Management Services are partial solutions. RMS allows data creators/owners to determine who can do what with protected files, with rights to perform actions -- such as viewing or printing -- controlled per user or removed after a particular date.

It's a good idea, but without a lot of customizing, RMS works only with a small set of data types and isn’t completely reliable. For instance, even if RMS says I can only view the data, with a screen-capturing utility I can grab the data I’m viewing and manipulate it outside of RMS. And even if RMS and other, similar applications were perfect, most companies aren’t using them yet.

Nevertheless, many vendors -- especially since the enactments of Sarbanes-Oxley and the California privacy laws -- have been creating products to help companies find and control data leakage. These tools look for confidential information, such as Social Security or credit card numbers, and either flag alerts or block the information’s dissemination to unauthorized resources. No single company has a perfect solution, but Tablus has enough of one to merit a mention.

I’m impressed only by a few computer security products each year; most vendors will tell you I’m an especially tough reviewer. Tablus has made my list of interesting products not only because of its data-control products but because the company really does seem to understand the larger problem at hand.

Tablus has three main products to prevent information leakage. The newest is called Content Sentinel. This sends out client-side agents that install to end-point computers (only Windows at this time) using RPC connections and the administrative password for the service account. The agent installs and then downloads a larger scanning program, which searches every file and data structure on all hard drives and reports back any matching confidential-content hits. After that, it deletes itself. The agent runs only when the clients have idle time as measured by CPU and disk utilization.

Second in the triumvirate is Content Alarm NW, which sits at network choke points and reads packets, looking for controlled content heading to or from unauthorized locations. It can also crawl the network looking for confidential content.

Rounding out the offerings is Content Alarm DT, a desktop product that looks for monitored content sent in e-mail, via IM, to USB keys, and so on.

Data management starts by defining legitimate locations and types of confidential information. Content Sentinel automates the process of fingerprinting information in well-defined repositories so that Content Alarm NW can detect whether it -- or content derived from it -- is trying to leave the network. Content Sentinel looks for sensitive information in places it shouldn't be.

Tablus even has a heuristic scanning engine to detect previously undefined content that contains suspicious formatting -- such as Social Security or credit card numbers. Administrators can define queries and allow the Tablus crawler mechanisms to discover more legitimate and unauthorized locations. Information will even be found in browser caches, PDFs, XML files, Word files, and the Recycle Bin.

Findings requiring attention are brought to the forefront for action through thoughtfully created screens; the first screens show the worst, high-risk targets so you can -- and should -- start with the worst offenders.

When unauthorized content is found, the security administrator can choose either to remove a particular user’s permissions from the content or to delete the offending file. Removing the individual user’s permissions will not override ACLs, however, if the user is also a member of the Administrators group. Soon, you'll also be able to encrypt and/or move the information to a safe quarantine location.

I like Tablus’ data-leak prevention solution for four reasons. One, it has a multitiered approach that attacks the problem at the desktop and network layers. Two, the user interface screens are created to give quick bang-for-the-buck alerts. Three, the product provides flexibility and customization that many similar products don’t. Four, it seems expressly built to tackle the source problem of how to identify information leakage. With Tablus, there should be fewer places for unauthorized, confidential data to hide.

This doesn’t mean the Tablus solution is perfect; it is, after all, still in the first generation, and I can already think of a few ways around it. Stay tuned for a more in-depth review from the InfoWorld Test Center in a future issue -- I can’t wait to see the results.

And while you're waiting for that review, write your representative about stopping the DATA Act -- if you haven't already.