Data Leakage Prevention

Data security policies organizations should put in place

Employees put sensitive business information at risk.

by Edy Almer
Widespread layoffs in the wake of today’s economic meltdown highlight the need to tighten data security, as the exodus of pink-slipped staff can put companies’ intellectual property at risk. As employees walk out the door, what data could they take with them and how could they use it? This situation underscores the need for enforceable data-leakage prevention policies.
Organizations are often wary of establishing security policies that hinder productivity. Restricting the use of all thumb drives on company computers would be easy, for example, but that can affect productivity for many users. Businesses, therefore, can choose to sacrifice productivity and introduce wholesale restrictions, or protect productivity and do nothing to prevent internal data leakage and theft.
There is no need, however, to employ rigid security solutions that resort to on/off restrictions. Organizations can control access with a degree of granularity that provides the ability to tighten security without getting in the way of existing business processes or reducing productivity. The following steps can help protect sensitive data and prevent internal data leakage.
Apply policies for the transfer of sensitive data. In most enterprises, sensitive data is spread throughout the organization and resides on many endpoints. Building a content-aware data security solution involves identifying where sensitive information lies and the myriad instances where it might be used. Instead of getting bogged down in identifying every single piece of confidential data, however, organizations can begin by setting limits on the channels through which the data flows. Establish policies that dictate what rights are available based on the user and the type of information. The organization, for example, can establish a policy stating that files containing Social Security numbers cannot be copied to a mobile device, e-mailed or printed. This policy gives the company the right balance of usability and security: it allows authorized human resources staff to view the information as needed, but prevents the data from being transmitted.
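The Social Security number rule described above, as an added example in Python that is not Safend's code or part of the original article: a file is classified by its contents, and a policy table then decides, per user role and per channel (view, e-mail, print, copy to a mobile device), whether the action is allowed. The role names, channel names, the extra rule limiting mobile copies of general files to certain roles, and the sample file contents are assumptions made for illustration.

```python
"""Content-aware transfer policy for the rule described in the article:
files containing Social Security numbers may be viewed by authorized HR
staff but not copied to a mobile device, e-mailed or printed. Added
example, not Safend's code; role names, channel names and the sample
files are constructed for illustration."""
import re

# Social Security number layout AAA-GG-SSSS. The lookaheads reject the
# area/group/serial values the SSA never issues (000, 666, 9xx; 00; 0000),
# which trims the most common false positives without a full validator.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Channels over which data can leave the endpoint (names are assumptions).
CHANNELS = ("view", "email", "print", "copy_to_mobile")

# classification -> channel -> roles permitted; "*" means any role and an
# empty set means the channel is closed for that class of data.
POLICY = {
    "restricted": {            # contains Social Security numbers
        "view": {"hr", "hr_manager"},
        "email": set(),
        "print": set(),
        "copy_to_mobile": set(),
    },
    "general": {               # no sensitive content found
        "view": {"*"},
        "email": {"*"},
        "print": {"*"},
        "copy_to_mobile": {"engineering", "sales"},  # assumption: roles issued mobile devices
    },
}


def classify(content: str) -> str:
    """Classify a file by its contents: 'restricted' if it holds an SSN."""
    return "restricted" if SSN_RE.search(content) else "general"


def find_ssns(content: str) -> list[str]:
    """Return every SSN-shaped token found, so a report can say what matched."""
    return SSN_RE.findall(content)


def decide(user_role: str, channel: str, content: str) -> tuple[str, str]:
    """Return (decision, classification) for a user attempting a channel.

    Unknown channels and unknown classifications fail closed.
    """
    cls = classify(content)
    allowed = POLICY.get(cls, {}).get(channel)
    if allowed is None:
        return "deny", cls
    if "*" in allowed or user_role in allowed:
        return "allow", cls
    return "deny", cls


# Constructed sample files; the SSN below is a made-up test value.
SAMPLE_FILES = {
    "payroll.csv": "employee,ssn\nJ. Doe,123-45-6789\n",
    "roadmap.pptx": "Q3 product roadmap: ship device-control client 2.0\n",
    "notes.txt": "ticket 000-12-3456 is not an SSN (area 000 is never issued)\n",
}


if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        for role, channel in (("hr", "view"), ("hr", "email"), ("sales", "copy_to_mobile")):
            decision, cls = decide(role, channel, content)
            print(f"{name:14} {cls:10} {role:6} {channel:15} -> {decision}")
```

Running the block prints one decision per sample file, role and channel; the payroll file is viewable by HR and nothing else, while the roadmap can be copied to a mobile device only by the roles the policy names. A production classifier would add more detectors than one regular expression, but the shape (classify, then look up rights by data class, channel and user) is the part worth copying.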
Encrypt everything. IT administrators should ensure that all data, including data residing on laptops and removable media, is secure. Removable media encryption can be applied to thumb drives, digital cameras, PDAs, MP3 players, smart phones and other portable devices. An organization can enforce a rule, for example, that allows designated files to be copied onto removable media with automatic encryption of the data using AES 128/256-bit encryption. When these portable devices with encrypted data on them are moved outside of the company walls, the information is still protected.
Allow access only via company-issued devices. Many companies restrict downloads to only those devices that are owned by the company and are protected by AES 128/256-bit encryption. Endpoint data leakage prevention software enables companies to control access based on the unique serial number of the device itself.
Extend existing security policies to all removable media. The proliferation of high-capacity mobile devices, such as thumb drives, memory cards and smart phones, allows an employee or contractor to capture vast amounts of confidential information in a matter of seconds. Administrators should ensure that existing security policies are applied to all removable media. A unified client that brings together encryption, port control and device control, and automatically applies predefined security policies, can enforce these policies in a way that does not create a burden for the IT department.
Classify the types of sensitive data within the organization. Companies should establish specific levels of data security, which involves clearly differentiating between proprietary and personal content. Identification of file type can be useful in this effort (e.g., PowerPoint files are likely to be work-related, and .WAV files are likely to be personal).
Build transparency into the work process. This enables the organization to have greater insight into how and where sensitive data is being shared, while preserving the way the business operates. In some instances, administrators may decide to prevent certain users from transferring data to or from the network using mobile devices altogether. Others may be allowed to move data to and from mobile devices and have their activities monitored. If a staff member copies sensitive information to a mobile device, it is automatically recorded. By receiving instant alerts of policy infractions, IT administrators can quickly put a stop to unauthorized activities.

Organizations can even take this a step further through file shadowing, whereby the administrator automatically receives and retains a copy of any file an employee transfers from the company network onto a mobile device. This approach lets the administrator pinpoint exactly which files are being transferred and take the necessary action. The organization has an exact snapshot of the files in question should they be needed as evidence.
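The device-control, monitoring and file-shadowing behaviour described in the last three sections, as one added example in Python that is not Safend's product code: each attempted copy to removable media is checked against the user's mode (blocked, allowed, or allowed and monitored) and against an allowlist of company-issued device serial numbers; every attempt is written to an audit log, blocked attempts raise an alert, and for monitored users a shadow copy of the file is retained and indexed by its SHA-256 digest. The serial numbers, user modes and sample transfers are constructed; encryption of the media itself is assumed to be handled by the removable-media encryption component and is not implemented here.

```python
"""Endpoint device control with activity monitoring and file shadowing, as
the article describes. Added example, not Safend's product code; serial
numbers, user modes and sample transfers are constructed. Media encryption
is assumed to be done by a separate component and is not implemented here."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Company-issued devices keyed by serial number (constructed values).
COMPANY_DEVICES = {
    "SN-0001A": "encrypted thumb drive",
    "SN-0002B": "encrypted thumb drive",
}

# Per-user removable-media mode (constructed). Anyone not listed is blocked.
USER_MODE = {
    "alice": "monitored",   # may transfer; every file is recorded and shadowed
    "bob": "allowed",       # may transfer; attempts are logged only
    "carol": "blocked",     # may not transfer at all
}


@dataclass
class Event:
    time: str
    user: str
    serial: str
    filename: str
    decision: str            # "blocked", "allowed" or "allowed+shadowed"
    reason: str
    sha256: Optional[str]    # digest of the shadow copy, when one is kept


@dataclass
class EndpointAgent:
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    shadow_store: dict = field(default_factory=dict)   # sha256 -> file bytes

    def transfer(self, user: str, serial: str, filename: str, data: bytes) -> str:
        """Evaluate one copy-to-removable-media attempt and return the decision."""
        mode = USER_MODE.get(user, "blocked")
        digest = None
        if mode == "blocked":
            decision, reason = "blocked", "user not permitted to use removable media"
        elif serial not in COMPANY_DEVICES:
            decision, reason = "blocked", f"device {serial} is not company-issued"
        elif mode == "monitored":
            digest = hashlib.sha256(data).hexdigest()
            self.shadow_store[digest] = data       # file shadowing: keep an exact copy
            decision, reason = "allowed+shadowed", "monitored user, shadow copy retained"
        else:
            decision, reason = "allowed", "permitted user and company device"

        event = Event(datetime.now(timezone.utc).isoformat(), user, serial,
                      filename, decision, reason, digest)
        self.audit_log.append(event)              # every attempt is recorded
        if decision == "blocked":
            self.alerts.append(event)             # instant alert on a policy infraction
        return decision

    def shadow_copy(self, digest: str) -> Optional[bytes]:
        """Retrieve the retained copy of a transferred file, if one exists."""
        return self.shadow_store.get(digest)


if __name__ == "__main__":
    agent = EndpointAgent()
    agent.transfer("alice", "SN-0001A", "q3-plan.docx", b"Q3 plan: constructed contents")
    agent.transfer("bob", "SN-0002B", "slides.pptx", b"constructed slides")
    agent.transfer("bob", "SN-9999Z", "slides.pptx", b"constructed slides")   # personal device
    agent.transfer("carol", "SN-0001A", "report.pdf", b"constructed report")
    for e in agent.audit_log:
        print(f"{e.time} {e.user:6} {e.serial:9} {e.filename:14} {e.decision:17} {e.reason}")
    print(f"{len(agent.alerts)} alert(s), {len(agent.shadow_store)} shadow copy(ies)")
```

Storing the shadow copy under its digest gives the administrator the "exact snapshot" the article mentions: the audit event carries the hash, so a retained file can later be matched to the transfer that produced it and its integrity checked before it is used as evidence. The same digest also deduplicates repeated copies of one file.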
Edy Almer is associate vice president of product management at Safend, Philadelphia, Pa.