Zeroing in and locking down
When the panic subsides, the hard work of discovery begins. Fortunately, enterprises have more data security tools at their disposal today than ever before.
Most companies in the DLP space, including Vontu and Tizor, can audit network activity to find sensitive data such as credit card numbers, magnetic-stripe data, or intellectual property on database and file servers, and monitor user access to that data. Firms such as PointSec — now part of CheckPoint — and startup Provilla can perform similar audits at the desktop level, monitoring file copying to portable storage devices, as well as e-mail and Internet-based file transfers.
Once that key data has been identified, DLP firms offer various strategies for securing it — from tagging key intellectual property with signatures that raise alarms whenever they pass outside of the company’s control to blocking USB ports to prevent data transfer to portable devices. None of those approaches is sufficient to protect data without larger organizational changes, experts say.
“There are really cultural changes that need to occur,” Guardium’s Neray says. “You’ve got to focus on insiders and trust — trust and verify.”
Companies need to define security policies that cover critical data and educate employees about acceptable behavior. “If you’ve got an SAP application, your company might access the database 22,000 times a day as part of your normal business processes. But if someone’s using Microsoft Excel and bogus credentials to access SAP, that’s a violation of policy,” Neray says, adding that traditional perimeter defenses and identity- and access-management products also play a vital role in data security. In particular, companies should use their identity-management platforms and strict policies to link specific IP addresses to specific users, rather than allowing shared credentials to muddy the waters should a forensic examination need to take place. “The problem is you’ve got applications like SAP and Oracle eBusiness Suite, which have privileged credentials to access the database, and those are widely available in the IT environment. Developers are using them, [database administrators], and the help desk,” he says.
Enterprises also need to build practical, bottom-up policies that actually get enforced, rather than imposing unrealistic, top-down security policies that just get ignored, Stamp says. “Once you have a handle [on] where your data is and where it’s going, you can start shoring up your infrastructure from the ground up.”
Some of those measures can be straightforward. Companies seeking to protect data on laptops and other mobile devices have been a boon to top-tier data encryption vendors such as RSA and PGP.
Even at PKWare, makers of PKZip, simple encryption features that work across diverse platforms have helped drive sales. Data security now accounts for half of the company’s business, compared with just 20 percent three years ago, says Todd McLees, vice president of marketing.
As CDS has discovered, start with the obvious and build from there. The company used a layered approach to get a handle on external security — with standard security measures such as firewalls, VPNs, and SSL encryption — then added configuration control technology from Tripwire. More recently, McCarthy says, CDS has deployed outbound filtering technology from Palisade Systems that can do packet-level inspection and spot data such as credit card numbers that might be traversing the company’s network or leaving the company over FTP or HTTP.
CDS has gone further than tackling sensitive data as it flows among authorized employees inside the company. It also has determined the behavior of hundreds of companies that contract with the magazines CDS works with, many of which pay far less attention to data security — and may send spreadsheets or CDs with sensitive subscriber data to the company.
Nonetheless, the threat of a Gary Min-style rogue insider looms large. The goal, McCarthy says, is to put up enough barriers that it becomes almost impossible for a lone insider to do significant damage.
“You want to reduce it to the point where nobody can act alone and do something,” McCarthy says, “where you need a conspiracy of persons to make it happen.”