In the ever-changing world of computing, users use the same devices for both personal and corporate purposes. In the absence of DLP (Data Leakage Protection) technical controls, data will leak. In this article we venture into the world of Data Leakage Protection and describe how to use this technology to better protect corporate data on personal and corporate devices.
A data breach or data leak is a security incident in which sensitive or confidential data is copied, transmitted, viewed, stolen or used by an unauthorised individual. The information could include financial data (bank or card details), personal health information, personally identifiable details, trade secrets and a corporation's intellectual property.
Data leakage has always arisen from data at rest, data in transit, email, IM and various other internet channels; now, with the rise of mobile technology, data leakage is occurring with greater ease, whether by accident or malice. The threat of data leakage from outside the corporation is still a concern, but substantial data leakage results from internal activities as well.
Every employee and every device that stores company information is a potential threat: a lost laptop quickly becomes a data leakage threat if it is recovered by an outsider with malevolent intent. Data leakage can also result from a lack of employee awareness; employees may be oblivious to the fact that their behaviour or actions are unsafe, yet it is often taken for granted that all employees know the security measures and precautions needed to safeguard sensitive corporate data. Protecting corporate data requires being innovative and persistent in addressing security threats, especially in the fast-moving and ever-changing mobile age.
Data can leave the network through various exit points within the IT infrastructure. Enterprises should prioritise the management of data loss risk by choosing DLP solutions that monitor and act at these exit points.
Common behaviours resulting in potential risk of data leakage
- Speaking loudly in public areas about sensitive corporate data
- Failing to log off laptops
- Leaving passwords unprotected
- Accessing unauthorised websites
- Loss or theft of corporate devices (Laptops, Mobile phones, Portable hard drives)
- Loss or theft of personal devices now also being used for corporate practices
- Thumb drives
- Optical media
- Instant messaging
- Weak access control, both physical and logical
- Lack of encryption
- Lack of two factor authentication
- Lack of remote access control
How can we go about preventing data leakage?
Potential data leakage can be managed by various data loss tools, also known as data leakage prevention or content monitoring and filtering tools. They are intended to prevent the unintentional or deliberate exposure of sensitive enterprise information. This is accomplished by identifying content, tracking activity and, where necessary, blocking sensitive data from being moved.
Data leakage prevention can be managed through the following steps:
- By performing content-aware deep packet inspection on network traffic as well as on email and various other protocols. Content-aware data leakage prevention identifies critical data based on policies and rules that have been determined and set up in advance. It can be deployed at different points: on the network, on the endpoint, or on stored data.
- By ensuring that complete sessions are always being tracked for analysis and not only singular packets.
- By using both statistical and linguistic techniques for analysis, such as regular expressions, document fingerprinting and machine learning.
- By detecting, blocking and controlling the use of specific content based on rules and policies, thus preventing the saving, printing and forwarding of predetermined content.
- By monitoring network traffic, email traffic and multiple other channels through one product and a single management interface.
- By blocking policy violations over email and other external communication methods like IM.
- By ensuring end-user policy compliance: controlling what end users do on their computers by managing the use of connected devices and network interfaces, the applications they use and the websites they are able to access. An endpoint solution manages the threat of portable storage devices by giving administrators control over which devices are in use, when they are in use and by whom, as well as knowledge of the data that has been copied. Activity of media players, USB drives, memory cards, PDAs, mobile phones, network cards etc. can be logged, and the devices can be centrally disabled if need be.
- By encrypting all communications and data (email, file shares, hard drives, external storage and removable media).
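The content-identification steps above (regular expressions, document fingerprinting, and rules that either monitor or block) can be made concrete with a small scanner. The following is an added example written for this article, not code from any DLP product: it confirms regex hits for card numbers with the Luhn checksum, fingerprints a protected document as a set of hashed five-word shingles so the engine never stores a readable copy, and applies a policy whose rules carry a mode ("monitor" logs only, "block" stops the message). The policy, the roadmap document, the card test number and the sample messages are all constructed for the example.

```python
import hashlib
import re

# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or
# dashes. The pattern alone over-matches (phone numbers, order ids), so each
# hit is confirmed with the Luhn checksum before it counts as a finding.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def _tokens(text: str) -> list[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = 5) -> set[str]:
    """Document fingerprint: the set of hashes of every run of k consecutive
    words. Storing hashes rather than text lets the DLP engine recognise a
    protected document without keeping a readable copy of it."""
    words = _tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


def fingerprint_overlap(text: str, protected: set[str], k: int = 5) -> float:
    """Fraction of the text's shingles that also occur in the protected document."""
    shingles = fingerprint(text, k)
    if not shingles:
        return 0.0
    return len(shingles & protected) / len(shingles)


# Constructed sample of a protected document (not a real document).
ROADMAP = ("Project Falcon roadmap. Q3 targets: launch the new billing engine "
           "in the EU region, migrate all legacy customers before the end of "
           "October, and cut hosting cost by twenty percent.")

# Constructed policy. Each rule carries a mode so that a new rule can start in
# "monitor" (log only) and be switched to "block" once it is known to be accurate.
POLICY = [
    {"name": "card_number", "kind": "regex", "mode": "block"},
    {"name": "falcon_roadmap", "kind": "fingerprint", "mode": "monitor",
     "threshold": 0.3, "fingerprint": fingerprint(ROADMAP)},
]


def scan(text: str, policy: list[dict] = POLICY) -> tuple[str, list[dict]]:
    """Evaluate every rule against text. Returns ("block" | "allow", findings).
    Monitor-mode findings are reported but never change the decision."""
    findings = []
    for rule in policy:
        if rule["kind"] == "regex":
            cards = find_card_numbers(text)
            if cards:
                # log only the last four digits, never the full number
                masked = ", ".join("*" * (len(c) - 4) + c[-4:] for c in cards)
                findings.append({"rule": rule["name"], "mode": rule["mode"], "detail": masked})
        elif rule["kind"] == "fingerprint":
            score = fingerprint_overlap(text, rule["fingerprint"])
            if score >= rule["threshold"]:
                findings.append({"rule": rule["name"], "mode": rule["mode"],
                                 "detail": f"overlap={score:.2f}"})
    action = "block" if any(f["mode"] == "block" for f in findings) else "allow"
    return action, findings


# Constructed sample messages (the card number is a well-known test number).
MESSAGES = {
    "card": "Please charge 4111 1111 1111 1111 for the invoice, thanks.",
    "order": "Your order reference is 1234567890123, shipping Monday.",
    "quote": ("Hi, FYI the plan is: launch the new billing engine in the EU "
              "region, migrate all legacy customers before the end of October. Thanks"),
    "clean": "Lunch at noon? The canteen has the good soup today.",
}

if __name__ == "__main__":
    for label, msg in MESSAGES.items():
        action, findings = scan(msg)
        print(f"{label:6s} -> {action:5s} {findings}")
```

The "order" message shows why the checksum matters: a 13-digit order reference matches the pattern but fails Luhn, so it produces no finding. The "quote" message shares 14 of its 20 shingles with the roadmap, which is logged but allowed because that rule is still in monitor mode; once the rule has been tuned, changing its mode to "block" is the only change needed.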
How to roll out a DLP Strategy effectively
When rolling out a DLP strategy in your corporate environment, the following should be considered to achieve optimal effectiveness.
- Ensure that your security policy is transparent to all your users, and adopted and signed off by senior management.
Aim to make the security policy simple for everyone involved to understand. The security documents should be accessible to all users, highlighting and explaining the key areas of the DLP policy. The document should include the types of data being monitored as well as the reasons for monitoring and protecting those specific types of data. Everyone should be made aware of the DLP strategy, so that trust within the corporation is maintained and the anxiety that the DLP solution is being used as a "spying" tool is reduced.
- Organise and deploy data protection technologies to avert unintentional data loss.
Accidents happen more often than we would like to admit: users lose laptops and devices or send an email to the wrong recipient. By deploying controls such as content and device control and encryption (rendering emails unreadable in the wrong hands) wherever possible, one can protect against accidental data loss.
- Start small and expand over time (but make a start now!)
When setting up the security policies, prioritise the data so that the rules are not all turned on at once. Monitoring is almost always the best start. Turn on the rules for a small batch of the most important data and users, and expand the rules to the remaining data over time. If it is all done at once it will be overwhelming for IT as well as for users, which could cause avoidable complications. Starting with a small group of IT users is a safe bet.
- Ensure security messages are constructed well
When writing the security communications, use careful, well-constructed, clear, concise language that users understand. Avoid accusatory language in the messages, yet ensure that the messages are clear and to the point, explaining the breach that will occur if the action goes ahead.
The aim of the security policy is not to catch people out but to educate them, by advising how to perform an operation with reduced security risk. The more educated the users are, the easier this process will be and the higher the adoption rate.
Types of DLP solutions
Encryption is a simple yet very effective solution. When data is encrypted it cannot be read by unauthorised individuals. Encrypted removable media allows corporations to ensure that any data taken outside the corporate environment is secured at all times. This is necessary now that personal devices are also being used for corporate purposes. This solution can be applied to many devices, including flash drives, PDAs, smartphones or literally any removable device.
Data on an encrypted portable storage device can be read on a machine running the removable media encryption software with the corresponding encryption key; on any other computer the data will be inaccessible. Encryption software can also enforce authorisation rules that permit only the copying of specified files onto removable devices and automatically encrypt data on those devices.
Digital rights management technology (DRM)
This technology is beneficial for wider security. It protects files via encryption and only allows access to the encrypted files once the user's identity has been authenticated and their right to access verified. This is a strong form of protection, as it remains active wherever the content is: within the corporate environment or on a shared personal/corporate mobile device, both behind and beyond the corporate firewall.
Synchronize DRM and Content Management Systems (CMS)
Numerous corporate enterprises adopt content management systems (CMSs) to help organise digital content. CMSs are intended to be control centres for all content, covering content creation, management, production and distribution. Integrated DRM-CMS solutions give the corporation assurance that content and document operations conform to current regulatory rules and to accountability, privacy and security legislation.
As with everything, the numerous benefits of the ever-increasing mobile age come with many challenges. There will always be potential security risks brought about by mobile and remote working, but organisations all need to do what they can to curb or prevent these security breaches where possible. If corporates effectively combine the available security measures, encryption (in its many forms), DRM, DLP and CMS technologies, a virtually fool-proof data leakage prevention system can be achieved. Corporations should make it a priority to meet the challenge of data leakage prevention, or the beneficial remote productivity could end in corporate loss and failure to meet upcoming global compliance laws.