Enemy inside the firewall

ILP software and strategies help ensure information doesn't land in the wrong hands

By Roger A. Grimes

February 02, 2007

Corporate security lapses are once again sweeping the news hour, but these days the culprit is just as likely to be an inside source -- a paid employee at a reputable company -- as a hacker doing evil somewhere in a Moscow basement.

Pity poor Boeing, which made headlines in December after personal information including salaries, Social Security numbers, and home addresses of approximately 382,000 retired and current employees, was stolen. According to news reports, a thief made off with an employee’s laptop. Unfortunately, the laptop’s owner violated Boeing’s policy by failing to encrypt the data after it had been downloaded from a server. In an e-mail sent to Boeing employees, Jim McNerney, chairman, president, and CEO wrote, “This latest incident resulted from a clear violation of our data-protection policy.”

Click for larger view.

That wouldn’t surprise Brian Contos, CSO of security vendor ArcSight and author of Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. In the book, he notes, “Too often policies and procedures are outdated, forgotten, not well-communicated through awareness programs, or not even written.”

Financial liability aside, information leaks can disrupt corporate strategy and leave an embarrassing bruise. In January, full details about Cingular Wireless’s latest Palm Treo 750 were leaked to the Web a week before the announcement date. A sales presentation that was supposed to be embargoed until the big day instead made its premature debut on Engadget Mobile.

Such events are leading to a surge of interest in ILP (information leak prevention), which targets policy-compliance monitoring and enforcement pertaining to information on the desktop and all data that moves along the internal network and across the corporate boundary. “Maybe we were naïve, but until we installed PortAuthority at the beginning of 2006 we had no system for auditing [outbound] e-mail,” says Ron Uno, an IT manager at Kuakini Health System and a key player in an ongoing effort to be HIPAA-compliant. “It flags everything [suspicious].”

A Fortune 1000 CSO who asked that his name be withheld describes both the frustration and urgency bound with ILP. “If an employee goes against company policy and takes data home to be more productive, how would I know? Not a single person in any company knows where all the data is. And if you don’t know where the data is, how can you even begin to protect it?”

Here’s the plan

Protecting information assets will always be a challenge of the highest order, but there are specific tasks you can perform to decrease your risk.

The first step in the ILP process is to develop a data protection policy. Corporate security officers should evaluate their ILP threats and institute risk-appropriate solutions.

Company officials must first decide what information is important to keep confidential. How can the data be accessed? Who can access it? When? And for how long? Information must be assigned a value, using implicit and explicit costs. The relative threats and risks to it must be evaluated, and a cost-of-defense threshold developed. A determination must be made as to how much the company is willing to spend to protect its confidential information.

Defining the confidential and critical information, the risks to each type of information, and the value to the organization allows ILP planners to focus on mission-critical assets first. In short, a data-protection plan follows the same steps that an organization would take when developing a business continuity plan -- only the focus is different. In a business continuity or disaster recovery plan, the focus is on the infrastructure and processes, and what it takes to make a company’s mission-critical tasks operational again. A data protection policy is by contrast information-centric.

After the data-protection policy is developed, educating employees is the next order of business. Understanding and adhering to the policy should be part of the hiring package, and employees should know the consequences, for example, for taking home data without permission. Further, there are numerous policies to prevent information loss that leave users out of the loop, regardless of whether or not their intentions are malicious. One is to ensure that backup media is encrypted by default; another is to disable USB to prevent loss by way of flash memory drives. Whatever the policies are, they should be clearly communicated to staff and contractors in writing.

Information is power

Next, information stores and communication channels must be defined. IT must know where all the critical data is stored and how it’s communicated between hosts. Consider client computers, file servers, e-mail servers, print servers, and database servers. Information is often transmitted using HTTP and e-mail, but don’t forget instant-messaging channels or removable media such as DVDs, CD-ROMs, and USB flash drives.

Also consider third-parties if they store or have access to your data. Negotiating the right to inspect and audit their controls on a periodic basis can go a long way toward reducing risk. It’s wise to include a clause in your contract that they forfeit the job the minute they fail to ensure adequate controls.

After you’ve hypothesized where the information is, find it and monitor it. Several vendors make tools that look for confidential information. Some scan server and workstation hard drives looking for tell-tell signs of protected data. The use of predefined data formats such as XXX-XX-XXXX would be recognized as a Social Security number and send out the proper alerts, while others do the same listening on network connections.

PortAuthority, which was recently acquired by Websense, sells software called Precise ID. The software uses multiple detection methods to identify and classify structured or unstructured data, including rules, dictionaries, keywords, threshold counts, categories, lexicons, statistical analysis, and content-matching. It recognizes more than 370 file formats, including popular archival types such as .zip. Searches can be made on storage media (what PortAuthority calls “data at rest”) or while the data is in use.

Evaluate your options

Preventing data leaks requires a multipronged approach. Although no single product can do it all, many companies are buying ILP-specific technologies, such as those found in PortAuthority Technologies’ product line.

Securent CEO Rajiv Gupta, puts it best: “Companies are tasked with making their applications more broadly available to a wider range of customers, end-users, and partners, while at the same time making sure unauthorized access isn’t granted. If everyone is sharing the same data, it often takes a ‘Chinese Wall’ type of product to help keep users and data appropriately segregated to ensure compliance.”

Securent’s Entitlement Management Solutions attempt to keep internal and external parties away from data sources by focusing on authorization. Other vendor systems handle identity and authentication, but then administrators define user authorization policies to enforce who can see what. Securent’s products work by wrapping end-point applications in an application-level shim. Securent’s policy engine and enforcement points can provide additional granularity that the application or operating system itself cannot deliver.

PortAuthority Protector Appliances passively monitor network communications, looking for confidential data in e-mail, IM, file transfers, and Web postings. If protected content is detected, the information is dropped, the device or its port may be disconnected, and management is notified.

Tablus offers similar protection with its Content series of products. Tablus even comes with several built-in policies that understand what types of information fall under different compliance categories.

Other vendors are providing solutions that lock out inappropriate uses of the data. Microsoft’s RMS (Rights Management System) software encrypts protected data. The data owner or originator can decide what users and uses are valid. For example, data can be sent out to a select group -- some people on the mailing list can edit, print, and forward the data; others may be able only to view the data. Every time a protected data file is accessed, it must “phone home” to an RMS authentication server before the encryption is removed. An employee could be terminated, and even though the former worker has a copy of the document at home in an e-mail inbox, he or she may be unable to open it any longer.

Thin clients manufacturers say they’re seeing a rise in interest in sales as the stripped down machines (no CD-ROM, no USB ports, and so forth) are increasingly viewed as useful in improving overall security while working toward desktop consistency.

Several vendors offer delete-after-it-is-stolen solutions. Suppose a covered laptop containing confidential data is stolen. An administrator can tell a centralized control program that the laptop has been stolen. When the stolen laptop is plugged in and hooked to the Internet for the first time, a hidden client-side app dials home and gets the self-destruct order to format itself. The client-side software program is often configured to self-destruct if it hasn’t reached its server program in X number of days.

The call for ILP is being heard far and wide. Many CSOs are focusing on easy-to-see, high-risk data areas such as lost or stolen laptops. Most are buying encryption products for mobile computing devices and media as a matter of course. Most USB flash memory drives come with built-in encryption. Tape backup software is making its encryption option easy to find and enable. Encryption providers are seeing huge sales growth. OS vendors, such as Microsoft, are providing built-in disk or volume encryption products.

ILP is more than just another acronym; it should be high on your to-do list this year. Otherwise you might be hearing about your oversight on the evening news.