Communications News

January 2009 | www.comnews.com | Issue 1

Data Leakage Prevention

Data security policies organizations should put in place

Employees put sensitive business information at risk.

by Edy Almer

Widespread layoffs in the wake of today’s economic meltdown highlight the need to tighten data security, as the exodus of pink-slipped staff can put companies’ intellectual property at risk. As employees walk out the door, what data could they take with them and how could they use it? This situation underscores the need for enforceable data-leakage prevention policies.

Organizations are often wary of establishing security policies that hinder productivity. Restricting the use of all thumb drives on company computers would be easy, for example, but that can affect productivity for many users. Businesses, therefore, can choose to sacrifice productivity and introduce wholesale restrictions, or protect productivity and do nothing to prevent internal data leakage and theft.

There is no need, however, to employ rigid security solutions that resort to on/off restrictions. Organizations can control access with a degree of granularity that provides the ability to tighten security without getting in the way of existing business processes or reducing productivity. The following steps can help protect sensitive data and prevent internal data leakage.

Apply policies for the transfer of sensitive data. In most enterprises, sensitive data is spread throughout the organization and resides on many endpoints. Building a content-aware data security solution involves identifying where sensitive information lies and the myriad instances where it might be used. Instead of getting bogged down in identifying every single piece of confidential data, however, organizations can begin by setting limits on the channel through which the data flows. Establish policies that dictate what rights are available based on the user and type of information. The organization, for example, can establish a policy stating that files containing Social Security numbers cannot be copied to a mobile device, e-mailed or printed. This policy provides the company the right balance of usability and security. It allows authorized human resource staff to view the information as needed, but prevents this data from being transmitted.

Encrypt everything. IT administrators should ensure that all data, including data residing on laptops and removable media, is secure. Removable media encryption can be applied to thumb drives, digital cameras, PDAs, MP3 players, smart phones and other portable devices. An organization can enforce a rule, for example, that allows for the copying of designated files onto removable media with automatic encryption of the data using AES 128/256-bit encryption. When these portable devices with encrypted data on them are moved outside of the company walls, the information is still protected.

Allow access only via company-issued devices. Many companies restrict downloads to only those devices that are owned by the company and are protected by AES 128/256-bit encryption. Endpoint data leakage prevention software enables companies to control access based on the unique serial number of the device itself.

Extend existing security policies to all removable media. The proliferation of high-capacity mobile devices, such as thumb drives, memory cards and smart phones, allows an employee or contractor to capture vast amounts of confidential information in a matter of seconds. Administrators should ensure that existing security policies are applied to all removable media. A unified client that brings together encryption, port control and device control, and that automatically applies predefined security policies, can enforce these policies in a way that does not create a burden for the IT department.

Classify the types of sensitive data within the organization. Companies should establish specific levels of data security, which involves clearly differentiating between proprietary and personal content. Identification of file type can be useful in this effort (e.g., PowerPoint files are likely to be work-related, and .WAV files are likely to be personal).

Build transparency into the work process. This enables the organization to have greater insight into how and where sensitive data is being shared, while preserving the way the business operates. In some instances, administrators may decide to prevent certain users from transferring data to or from the network using mobile devices altogether. Others may be allowed to move data to and from mobile devices and have their activities monitored. If a staff member copies sensitive information to a mobile device, it is automatically recorded. By receiving instant alerts of policy infractions, IT administrators can quickly put a stop to unauthorized activities.

Organizations can even take this a step further through file shadowing, whereby the administrator automatically receives and retains a copy of any file an employee transfers from the company network onto a mobile device. This approach lets administrators pinpoint exactly which files are being transferred and take the necessary action. The organization has an exact snapshot of the files in question should they be needed as evidence.
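The steps above can be read as one decision function evaluated on every transfer. The sketch below is an added example, not code from the article or from any vendor's product; the role names, device serial numbers, extension lists and record fields are assumptions, and "allow+encrypt" only signals that the enforcement layer must encrypt the copy.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample values: serial numbers, roles and extensions are assumptions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
COMPANY_DEVICES = {"SN-0001-AAAA", "SN-0002-BBBB"}  # allow-listed device serials
WORK_EXTS = {".ppt", ".pptx", ".doc", ".xls"}       # likely work-related
PERSONAL_EXTS = {".wav", ".mp3"}                    # likely personal

@dataclass
class Transfer:
    user: str
    role: str
    channel: str            # "view", "removable", "email" or "print"
    filename: str
    content: str
    device_serial: str = ""

def classify(filename: str) -> str:
    ext = os.path.splitext(filename)[1].lower()
    if ext in WORK_EXTS:
        return "proprietary"
    return "personal" if ext in PERSONAL_EXTS else "unclassified"

def evaluate(t: Transfer, audit: list) -> str:
    """Return 'allow', 'allow+encrypt' or 'block' and append an audit record."""
    has_ssn = bool(SSN_RE.search(t.content))
    if t.channel == "view":
        # Authorized HR staff may view SSN data; everyone may view other files.
        decision = "allow" if (t.role == "hr" or not has_ssn) else "block"
    elif has_ssn:
        decision = "block"  # SSN files are never copied to a device, e-mailed or printed
    elif t.channel == "removable":
        # Only company-issued devices, and the copy is encrypted on the way out.
        decision = "allow+encrypt" if t.device_serial in COMPANY_DEVICES else "block"
    else:
        decision = "allow"
    record = {"user": t.user, "file": t.filename, "class": classify(t.filename),
              "channel": t.channel, "decision": decision,
              "alert": decision == "block"}  # infractions raise an instant alert
    if decision == "allow+encrypt":
        record["shadow_copy"] = t.content    # file shadowing: retain a copy as evidence
    audit.append(record)
    return decision
```

The audit list doubles as the monitoring trail: blocked attempts carry `alert: True`, and permitted removable-media copies carry the shadowed content.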

Edy Almer is associate vice president of product management at Safend, Philadelphia, Pa.


2008 by Nelson Publishing, Inc. All rights reserved. Reproduction Prohibited.
