+ All Categories
Home > Documents > Dataloss data prevention loss -...

Dataloss data prevention loss -...

Date post: 09-Jun-2018
Category:
Upload: phunghanh
View: 220 times
Download: 0 times
Share this document with a friend
31
data loss prevention Data loss prevention strategies, practices and tools are more important than ever. Here’s what you need to know. inside p DLP: It’s Not Just for Big Firms Anymore p Protecting Your Secret Sauce p Where Data Lives p Mandating Encryption loss A SEARCHCOMPLIANCE.COM/SEARCHSECURITY.COM E-BOOK
Transcript
Page 1: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

1 DLP ESSENTIALS

datalossprevention

Data losspreventionstrategies,practicesand toolsare moreimportantthan ever.Here’s whatyou needto know. i n s i de

p DLP: It’sNot Justfor Big FirmsAnymore

p ProtectingYour SecretSauce

p WhereData Lives

p MandatingEncryption

loss

A S E A R C H C O M P L I A N C E . C O M / S E A R C H S E C U R I T Y . C O M E - B O O K

Page 2: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

NEW REGULATIONS FROM Massachu-setts and Nevada are forcing organi-zations of all kinds to take data pro-tection seriously.

Massachusetts General Law Chap-ter 93H and its associated regulation201 CMR 17.00 prescribe a risk-based approach that requires organi-zations possessing identity informa-tion to implement both administra-tive and technical controls to protectthe information. Many organizationsthat have never considered them-selves the target of attack or thefocus of privacy regulations are nowfinding that they are every bit asresponsible for compliance with dataprotection regulations as banks, hos-pitals and organizations that handlepayment card data.

The new regulations require organi-zations to place stringent governanceand technical controls in place. Infact, Nevada requires all organiza-tions that store or process paymentcards to comply with the Payment

Card Industry Data Security Standard(PCI DSS)—even those that do nothave contractual requirements tocomply with it. This is good news forconsumers, but bad news for organi-zations hoping to avoid the high costof documentation, assessments andtechnical controls required by PCIDSS because they didn’t fit neatlyinto the category of merchant orservice provider.

The good news for companies isthat these regulations will typicallyapply only when information is com-promised. Why is this good news?Because if you take common sensesteps to protect the data, you canreduce the likelihood of data beingcompromised, and thus reduce thelikelihood that you will be audited forcompliance.

All companies can improve theirsecurity by following these rules:

� Reduce or eliminate unnecessaryliability. The first step any organiza-

2 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOTJUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTINGYOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATALIVES

aCHAPTER 4

MANDATINGENCRYPTION

DLP: It’s Not Justfor Big Firms Anymore

Rules of thumb to keep information safeand move toward compliance.

BB YY RR II CC HH AA RR DD EE .. MM AACC KK EE YY

CHAPTER 1 » DLP: IT’S NOT JUST FOR BIG FIRMS ANYMORE

Page 3: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

CHAPTER 1 » DLP: IT’S NOT JUST FOR BIG FIRMS ANYMORE

3 DLP ESSENTIALS

tion should consider in data protec-tion is eliminating data that is notabsolutely required for the business.It may sound odd, but with some cre-ative thinking, many companies caneliminate the need for regulated data.For example, online merchants can

sometimes store only the transactionID for a credit card purchase andavoid storing the primary accountnumber long term. Health care com-panies can sometimes avoid storingSocial Security numbers of patientsby replacing them with other identi-fiers that are not covered by regula-tions.

This kind of sensitive data elimina-tion can be practiced to varyingdegrees throughout an organization.It may not mean that you eliminate allinstances where compliance isrequired, but it can reduce the num-ber of places where sensitive data isused and make the next step—reduc-ing your profile—easier to complete.

� Reduce your profile. One of thekey PCI DSS requirements and one ofthe fundamental rules of data protec-tion is to confine the protected datato a small and well-defined environ-ment. This practice not only simplifiescompliance by reducing the environ-ment where controls need to beimplemented, but it also facilitatesaccess control, data movement moni-toring, access logging, testing and justabout every other security practice.

The idea is to centralize data in asfew systems and as small a networkenvironment as possible. Once yourdata is centralized, you can restrictaccess to the data to a specific groupof users and applications. If possible,you should provide mechanisms toallow the data to be operated onwhile residing on the centralized sys-tem. In other words, avoid copying itor allowing it to move. Tools like dataloss prevention packages can monitorand restrict data movement to makeyour containment even more effec-tive. To further restrict the environ-ment, deploy firewalls that restrictconnectivity to specific protocolsfrom only particular addresses orzones. Finally, monitor all access anddata movement (even within theenvironment). This will help ensurethat only the right people have accessand help to meet regulatory require-ments as well.

� Share only what you must. Thesedays, very few organizations actually

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

The first step any organization should consider in data protection is eliminat-ing data that is notabsolutely required for the business.

Page 4: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

go it alone. Most enlist the help ofservice providers in a variety of ways.Unfortunately, sharing data compli-cates data protection and brings withit additional compliance activities. Forexample, Massachusetts’ regulations,PCI DSS and the Health Insurance

Portability and Accountability Act allrequire organizations to assess thesecurity practices of partners withwhich they share protected informa-tion. This can be an expensiveprocess and is best avoided. Borrow-ing an idea we discussed earlier, if youcan, avoid sharing altogether.

A prudent step before handing anysensitive information to a partner isto analyze the information you needto share and replace any identifyinginformation with other types of iden-tifiers. For example, replace SocialSecurity numbers with hashes or IDsthat you can map to the actual num-ber, and replace account IDs withsimilarly obfuscated numbers.

Even if you can’t eliminate all thesensitive information, you may be

able to reduce your exposure byremoving unnecessary data and map-ping other fields. If after your analy-sis, obfuscation and mapping you stillneed to share, you had better under-stand how well your partner will carefor the data.

� Know your partners. As we dis-cussed above, all the latest regula-tions require you to assess the prac-tices of organizations to which youhave entrusted protected data. Fortu-nately for organizations that handlepayment card data, PCI DSSdescribes the standard that must bemet and a set of procedures forassessment. The situation is not soclear cut for other regulations.

Some organizations conduct theirown assessments, some hire consult-ants, and some trust the assessmentsand audits done by third parties.When either conducting assessmentsyourself or using a third party’sassessment, you should ensure thatthe assessment is:

1. Performed with respect to your compliance requirements.

2. Framed around the practicesand environment that will affect your data.

3. Repeated annually.

Following these rules will help youavoid accepting SAS 70 audits foravailability and operations when yourconcern is protection of the confiden-

CHAPTER 1 » DLP: IT’S NOT JUST FOR BIG FIRMS ANYMORE

4 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Sharing data compli-cates data protection and brings with it addi-tional compliance activities. … If you can,avoid sharing altogether.

Page 5: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

tiality of identity data.

� Train your employees. Whilesharing your data represents a threat,one of the most frequent causes ofdata exposure is human error. Regula-tions require you to ensure that youremployees understand their responsi-bility in protecting information. Thatmeans understanding policies, usingstrong passwords, keeping passwordsprivate and avoiding exposure bycopying, transmitting or storing datain insecure ways.

� Protect your portable devices.The Massachusetts regulation is thefirst to specifically target “portabledevices” in its requirements. Howev-er, regardless of whether your compa-ny needs to comply with 201 CMR17.00, you should take steps to pro-tect data on any device or mediumthat can be lost or stolen. That meanslaptops, thumb drives, external harddrives and all removable media(including backup tapes).

This chapter is too short to providedetailed guidance on even one ofthese areas, but the following aresome rules of thumb that organiza-tions should follow:

1.Write policies that clearly speci-fy what types of data can or can-not be stored on removablemedia or portable systems.

2.Designate specific devices for

storage of sensitive data (labelthumb drives, portable drives,etc.).

3. Employ file system encryptionon all laptops and dedicatedremovable media.

4. Track media used for storage of sensitive data.

5.Develop a media disposal procedure to ensure that devicesthat have been taken out of usedo not fall into the wrong hands.

6. Either encrypt or provide strongphysical controls for all backupmedia.

Compliance with data protectionregulations and contracts has broad-ened from financial and health careorganizations to every company.However, these new requirementsshould not cause organizations topanic. It is time for all organizationsto understand their responsibilitiesand the risks of compromise, and takeprudent steps to reduce the risk. Byfollowing some fairly straightforwardrules (as outlined here), an organiza-tion can greatly reduce the risk ofcompromise and eventually achievecompliance with both the current andfuture regulations. �

Richard E. Mackey is vice president of System-Experts Corp. and a leading authority on enterprisesecurity architecture and compliance.

CHAPTER 1 » DLP: IT’S NOT JUST FOR BIG FIRMS ANYMORE

5 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 6: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

Let them

budgets

laptops

auditcut

roamlosesurf

who cares You do! Liberating your people and freeing up time and resources makes productive sense. Sophos security and data protection solutions deliver: Install, set and forget. Easy on your time, easy on your system and easy on your business, everything from Endpoint to Compliance, Email, Web and Encryption is covered and all accessed and controlled with refreshing simplicity.

Now, with security taken care of, you’ve got the rest of the day to do all the other things that can’t wait.

See for yourself – learn more about Sophos today.

Page 7: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

IT’S A COLD day in late November. Twomen are getting ready to board aplane bound for Southeast Asia atSan Francisco International Airport. Intheir luggage is millions of dollars’worth of stolen trade secrets. Thesepilfered project designs, manuals,CDs, floppy disks and third-partylicensed materials will allow nefariousforeign buyers to unlock the secretsof the most innovative U.S. compa-nies and aggressively compete withthem on the open market. But just asthe men are about to step onto theplane, they are arrested by a jointFBI/Computer Hacking and Intellec-tual Property (CHIP) investigativeteam.

It sounds like an episode of a televi-sion crime drama. Yet this actuallyhappened in 2001, when two mentried to flee the country with tradesecrets stolen from a few of thebiggest names in Silicon Valley. In thiscase, the criminals were stopped intheir tracks, but theft of trade secretsis a growing and evolving problem,

says Matt Parrella, assistant U.S.attorney and chief of the San Josebranch of the U.S. Department of Jus-tice’s CHIP unit.

“It’s growing in terms of the num-ber and types of trade secret caseswe’re prosecuting,” he says. “Three tofive years ago we saw physical manu-

als being stolen, whereas today digitalversions of schematics, data sheets,manufacturing processes and sourcecode are at risk. And the number ofcomplaints being filed and investiga-tions pursued are dramatically on therise.”

According to a 2006 report from

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

7 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Protecting Your Secret Sauce Theft of intellectual property is on the rise.

Here are some do’s and don’ts for keeping yourtrade secrets safe.

BB YY RRUU SS SS EE LL LL JJ OO NN EE SS AA NN DD RR EE NN AA MM EE AA RR SS

“It’s growing in terms of the number and typesof trade secret caseswe’re prosecuting.” —MATT PARELLAASSISTANT U.S. ATTORNEY

Page 8: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

the Office of the United States TradeRepresentative, U.S. businesses arelosing approximately $250 billion

annually from trade secret theft. Fed-eral law enforcement officials say themost targeted industries include

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

8 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

NINE TRADE SECRET TIPS

1. Identify a champion within the C-suite who can provide the credibility andsupport you will need in implementing an enterprise-wide program.

2. Create an inventory of your company’s trade secrets and the form theytake (paper-based, electronic, undocumented employee knowledge).

3. Prioritize the trade secrets according to their value to your organizationbased on the risk of loss, compromise or theft. To keep things simple, con-sider using a scale of high, medium or low to rank likelihood and impact.

4. Analyze how your company’s trade secrets map to organizational businessprocesses throughout their entire lifecycle.

5. Perform a risk assessment against the mapped trade secrets to determinewhich ones are exposed to vulnerabilities that have a high likelihood ofhappening, and the impact their exposure would have on your organiza-tion.

6. Based on the risk assessment, establish a clearly documented enterprise-wide data protection framework supported by specific actions laid out inprocesses and procedures, roles and responsibilities, and monitoring andenforcement activities employees can easily follow.

7. Perform a “gap analysis” to determine how well your existing practicesprotect your trade secrets vs. the data protection framework.

8. Address gaps using a combination of security and data protection policiesand procedures, process-level controls, technology controls, physical con-trols and education and awareness.

9. Establish metrics to continually assess the effectiveness of your protectionprogram. —R.L.J. AND R.M.

Page 9: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

biotechnologies and pharmaceuticalresearch, advanced materials, not-yet-classified weapons systems, com-munications and encryption tech-nologies, nanotechnology andquantum computing.

What companies hear about in themedia is “probably just the tip of theiceberg,” says Randy Sabett, a partnerat Sonnenschein Nath & RosenthalLLP in Washington, D.C., and a mem-ber of the firm’s information securityand intellectual property practicegroup. “There are probably a fairnumber of situations where peopledon’t even realize their trade secretshave been stolen.”

THE CROWN JEWELSIntellectual property (IP) is extremelyimportant to the U.S. economy. As of2003, IP accounted for approximately33% of the value of U.S. corporations,or more than $5 trillion, according toStephen Siwek, principal at Econo-mists Inc., a consulting firm based inWashington, D.C. Yet many compa-nies are ill-prepared to adequatelyprotect their IP in the face ofincreased attempts to steal it.

At least part of the problem is dueto economic pressure on U.S. firms tocontrol costs, says Abe MichaelSmith, chief security officer (CSO) atXilinx Inc., a digital programmablelogic device maker based in San Jose,Calif. As more enterprises outsourcepart or even all of their research and

development (R&D) and productdevelopment activities to overseaspartners, there is far greater risk thatimportant information can slipthrough the cracks. And establishing

overseas divisions that play a signifi-cant role in developing IP can be riskywhen strong IP laws do not existwithin those countries. “Balancing theneed for improving profit marginswith the kind of security required toadequately protect IP can be very dif-ficult,” Smith says.

Moreover, the unique characteris-tics of trade secrets make companiesparticularly vulnerable to their loss.

“Once a trade secret is out of thebag you can’t get it back in,” Sabettsays. “If you are talking about some-thing like source code, that representsthe crown jewels of the company.And when its status as a trade secretis gone, it’s gone.”

Worse, it can take years until atrade secret theft is detected, Smith

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

9 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

“Balancing the need for improving profit margins with the kind of security required toadequately protect IPcan be very difficult.” —ABE MICHAEL SMITHCSO, XILINX INC.

Page 10: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

says. “You wouldn’t even know it[your IP] was missing for five years,when a competitor would suddenlyintroduce a product that sold for onethird to one fifth of the price of yours.”

And it is important to note thattrade secrets are vulnerable to notjust malicious theft, but also acciden-tal leakage in the normal course ofbusiness. For example, an engineerwho has not been properly trained inwhat constitutes trade secrets mightinclude some in a seemingly innocu-ous conference presentation.

PUTTING THE SECRETIN TRADE SECRETPart of the reason U.S. firms arestruggling to protect IP is a wide-spread misunderstanding of what atrade secret is, and what legal protec-tion it possesses.

A trade secret is a type of intellec-tual property that represents an orga-nization’s intangible assets. Unliketangible assets such as land, build-ings, office equipment or manufactur-ing equipment, intangible assets can-not be seen or touched and arecreated not by physical materials butby human labor or thought.

According to the Uniform TradeSecrets Act (UTSA), trade secretsinclude formulas, patterns, compila-tions, program devices, methods,techniques or processes. They alsocan be diagrams and flow charts, sup-plier data, pricing data and strategies,

source code, marketing plans andcustomer information. So varied arethe things that can be consideredtrade secrets that your employeesmay not even know when they arehandling them.

For organizations that dependheavily on commercializing the prod-uct of their R&D activities, tradesecrets are particularly important.Patents are equally important, buttrade secrets differ from patents in asignificant way. They are—as theirname implies—secret. Whereaspatents represent a set of exclusiverights granted by the government inexchange for the public disclosure ofan invention, a trade secret is internalinformation or knowledge that a com-pany claims it alone knows, andwhich is a valuable intangible asset.

While patent owners have certainlegal protections from anyone usingtheir patents without permission,companies are responsible for prov-

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

10 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Part of the reason U.Sfirms are struggling toprotect IP is a wides-pread misunderstandingof what a trade secret is, and what legal protection it possesses.

Page 11: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

ing they have the right to legal protec-tion of their trade secrets. Accordingto the UTSA, your company mustdemonstrate that the specific infor-mation or knowledge is not generallyknown to the public, therefore itderives independent economic value,

and that you have made reasonableefforts to make sure the knowledgeremains secret.

A trade secret’s validity can beproven only via litigation; there’s noautomatic protection just becauseyour company believes it possessesone. Ironically, a trade secret must bestolen or compromised before youcan attempt to demonstrate it islegally a trade secret. Once in litiga-tion, your company must convincethe court of three points: secrecy,value and security. Inevitably, themost difficult element to demonstrateis that your company had reasonablecontrols in place to protect the secre-

cy of the IP in question.“A successful prosecution requires

that you prove you took sufficientsteps to protect your trade secrets,”says Joseph Schadler, an FBI specialagent. “This includes everything fromputting banners on computers, tohaving secure logons, to requiringNDAs [nondisclosure agreements],to controlling physical access to aroom.”

UNSECURED SECRETSWhy are many companies not suffi-ciently protecting their trade secrets?Aside from not fully understandingwhat a trade secret is, many have notidentified their own trade secrets.Even if they have, a lot have not deter-mined where in the organization theirsecrets are, in what form they exist(such as digital or paper) and bywhom they are used.

“If your employees don’t know whatto protect, how can they protect it?”asks Christopher Burgess, seniorsecurity adviser to the CSO at SanJose, Calif.-based Cisco Systems Inc.

Additionally, some companies put apriority on innovation rather thansecurity. “The smaller tech compa-nies in particular need to be very nim-ble, so the focus in the executive suiteis on product development and cus-tomer service, rather than protectingIP,” says Parrella of the CHIP unit.

Even with the IP protections manyFortune 500 companies have in

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

11 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

A trade secret’s validitycan be proven only via litigation. Ironically, atrade secret must bestolen or compromisedbefore you can attempt to demonstrate it is legally a trade secret.

Page 12: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

place, trade secrets continue to leakout. Weaknesses in security proce-dures, inherent vulnerabilities withinbusiness processes, disjointed riskmanagement programs and ineffec-

tive education and awareness pro-grams all contribute to this problem.

All too often, senior managementteams, boards of directors and seniorexecutives are lulled into a false sense

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

12 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

HOW YOUR DATA CAN LEAK� An executive of an Ohio hydraulic pump maker was convicted of stealinghis company’s trade secrets by handing over financial and confidential mar-keting materials to a South African-based competitor.

� A Kentucky man was convicted in 2006 of conspiring to steal and sell tradesecrets belonging to Corning. While an employee, the man stole drawingsof Corning’s thin filter translator liquid crystal display glass and sold themto an offshore-based business.

� A Duracell employee downloaded sensitive data about a top-selling prod-uct from company computers onto his home PC and sent it to two Duracellcompetitors; he was convicted earlier this year.

� A magazine publisher kept its entire pricing strategy, competitive intelli-gence, financing information and marketing plans for a new, unreleasedmagazine stored within a hidden file share on its public Web server. Due toa misconfiguration on its website, these trade secrets were exposed to thepublic through Google hacking.

� A large technology company, as a normal part of its request for proposalprocess, sent detailed specifications, drawings and subassembly informa-tion to potential suppliers without obtaining signed NDAs or confidentialityagreements in advance.

� Engineers working for a global technology organization moved betweenemployee and contractor status as individual projects required. Althoughbased out of offshore locations in countries without strong IP laws, theywere not required to re-sign the NDA/confidentiality agreements at theonset of each new project. —R.L.J. AND R.M.

Page 13: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

of security about trade secrets. This islargely due to misunderstanding thelegal protection for trade secrets,coupled with being organizationallybuffered from the daily operationssecurity managers face.

“When we speak to victims, we arefinding out that the people responsi-ble for security on R&D projects arenot at the C-suite level, so that mag-nitude of the risk is filtered out by thetime it gets to the top of the organiza-tion,” Parrella says.

Furthermore, many organizationsbelieve they mitigate the risk of tradesecret theft via contractual agree-ments such as NDAs and confiden-tiality agreements, but this simplyisn’t the case. Although important tohave in place from a prosecutionstandpoint, these agreements are notparticularly effective at preventingtheft, Schadler says: “The sort of peo-ple who want to steal the trade

secrets are not going to feel bound byan NDA.”

And while a company might have astrong IP protection program onpaper, it can get in the way of employ-ees doing their jobs effectively. Arelated problem is that the corporateculture may be at odds with IP securi-ty directives and employees simplyignore them. Intellectual propertyprotection done wrong creates a bar-rier to creativity, which is what makesU.S. companies such great innova-tors.

TECHNLOGICAL SOLUTIONSEssentially, a trade secret is justanother piece of corporate informa-tion. Like all information, it has a life-cycle—it is created, used, shared,stored and eventually destroyed.

What makes protecting a tradesecret challenging is how it changesform and proliferates through theorganization during its lifecycle. Itmay start as a chemical process writ-ten in a lab notebook, at some pointbe recorded in an electronic docu-ment, become a set of discrete tasksin a manufacturing process and even-tually be combined with other IP toform a product. Each of these forms—manual, digital, process, product—may have a different lifecycle. At eachpoint, the IP may face different risksthat must be examined and, whereappropriate, mitigated.

Various products can help protect

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

13 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Many organizationsbelieve they mitigate the risk of a trade secretvia a contractual agree-ment such as NDAs and confidentiality agreements, but this simply isn't the case.

Page 14: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

trade secrets and IP data that exist indigital form, during certain points inthe data’s lifecycle. There are emerg-ing technologies that monitor themovement of structured and unstruc-tured data and enforce actions on thedata based on custom policies. Theseproducts work at the network anddesktop levels and can monitormovement, prevent data from beingcopied from the originating applica-tion to external sources—for exam-ple, USB drives—and help classifydata as requiring more or less protec-tion.

EMC Corp.’s Infoscape can helpinventory unstructured data, such asMicrosoft Word documents, Adobe.pdf files and various spreadsheets,and also classify it based on a compa-ny’s data classification scheme. Com-plementary EMC products offersecure storage and archiving of data.Sun Microsystems Inc.’s IdentityManager can provide a foundation forcontrolling what systems people aregiven access to and what roles theyare given within an application basedon company-defined policy. Sun alsooffers integrated solutions for securedata storage.

In addition, there are products fromcompanies such as PGP Corp. andEntrust Inc. to protect mobile datawith combinations of file-levelencryption and access controls onphysical interfaces to the mobiledevice. Finally, vendors such asAdobe Systems Inc. have developed

enterprise rights management prod-ucts designed to provide data protec-tion—specifically IP—across businessprocesses and organizational bound-aries.

Adobe offers products that securelycapture, process, transfer and archiveinformation, both online and offline.John Landwehr, Adobe’s director ofsecurity solutions and strategy, sayshe believes the best protection ofsensitive data happens at the docu-ment level: “Given the range ofdevices that IP can live on—fromdesktops to laptops to PDAs andmobile phones—we think that theonly viable way to persistently pro-tect that information is if the protec-tion travels with the document.”

However, a word of caution aboutsome of these products designed toprotect confidential data: Because thevast majority are based on rule set-driven engines, the number of falsepositives they generate can be signifi-cant.

PROTECTIVE STEPSDespite the increasing sophisticationof technology, there’s no magic bulletfor protecting IP. “There is noabsolute, 100 percent, foolproof wayto protect trade secrets,” Sabett says.“You could spend all your time andmoney on technological protections,and yet your trade secrets could beflowing out of the organization in allsorts of other ways.”

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

14 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 15: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

An effective protection programmust include a number of strategies,such as educating employees, con-tractors and partners about whatconstitutes trade secrets; establishingthe right governance model (policies,roles and responsibilities, enforce-ment); and setting process-level, pro-cedural, physical and technical con-trols to minimize risk to a levelacceptable by management.

The first step to protecting yourtrade secrets is to identify themthrough interviews with the businessprocess owners and then documentthem. Next, estimate how muchthese trade secrets are worth.Although this is just a snapshot thatwill change over time, it’s essential forbuilding a business case to obtain thefunding to put protections in place.Having this valuation is also impor-tant should a theft actually occur. “It’sa complicated process to do this, buta critical element for prosecutors,”Schadler says. Then, rank the tradesecrets according to their value aswell as the threats, vulnerabilities andresulting risk.

A comprehensive education andawareness program is a critical step;some experts argue that it’s the mostimportant one. “Education andawareness is your first and foremostpractical solution for protecting tradesecrets,” says Cisco’s Burgess.Adobe’s Landwehr agrees: “Whatevertechnology you decide to implement,it won’t be effective unless you also

have a plan to educate users.”Finally, your company should define

programmatic, compliance and oper-ational metrics to measure the per-formance of your trade secret protec-tions against key indicators. Without

the metrics, you will not knowwhether you are effectively protectingyour trade secrets.

Everyone agrees: Not doing any-thing to protect your company’s tradesecrets is simply not an option any-more. The U.S. Department of Justiceis making it a first order of business.

“The prosecution of IP theftcases—specifically trade secret theftand economic espionage—is a priori-ty for the CHIP unit and is critical tothe economy of Silicon Valley and,indeed, to the nation’s security,” Par-rella says. �

Russell L. Jones and Rena Mears are partners in the security and privacy services at Deloitte &Touche LLP.

CHAPTER 2 » PROTECTING YOUR SECRET SAUCE

15 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

“Education and awareness is your firstand foremost practicalsolution for protectingtrade secrets.” —CHRISTOPHER BURGESSSENIOR SECURITY ADVISOR TO THE CSO, CISCO SYSTEMS INC.

Page 16: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

Could you use a little direction whenchoosing aDLP solution?

One company is ready to guide you.Visit www.rsa.com/SelectingDLP and download

“Five Considerations for Selecting a Data Loss Prevention Solution.”

Page 17: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

IT’S THE CALL you’ve feared. The phonerings at 9 a.m. on a Sunday. You’re thechief information security officer of amedium-sized retailer, and weekendcalls aren’t all that unusual. But within30 seconds of picking up the phone,you know your weekend, if not yourjob, is over. One of the customer serv-ice managers accidentally emailed anExcel file of all the clients acquiredlast quarter to an external distributionlist while trying to send it to his per-sonal Gmail account to work on overthe weekend. Worse yet, the file con-tains full credit card and verificationnumbers.

The really bad news? You recentlysigned off on your self-assessmentfor your Payment Card Industry DataSecurity Standard audit and affirmedthat you don’t keep card numbers inan unencrypted format. No one toldyou about the nightly databaseextract the customer relations teamruns with the credit card number asthe primary key. Your external audit is

scheduled for next month, makingthis about the worst time possible foran accidental disclosure. It’s not likeyou can blame this one on evil hack-ers.

This situation is hypothetical, but itillustrates the pressures companiesare under. Data protection growsmore critical every day as our sensi-tive information faces increasingscrutiny from regulators and businesspartners. It’s no longer just a matterof keeping the bad guys away fromdata. Businesses now are expected tohandle it responsibly, often in accor-dance with contractual or legalrequirements. Yet the average organi-zation typically has little idea ofwhere its sensitive data is, never mindhow it’s really being used.

During the past five years, a newcategory of tools emerged to addressthis problem. Data loss prevention(DLP) products help companiesunderstand where their sensitive datais located, where it’s going and how

CHAPTER 3 » WHERE DATA LIVES

17 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Where Data Lives Your brand’s reputation could be at risk when

sensitive information leaks outside your organization. Data loss prevention tools can mitigate incidents

and offer clarity on where this data resides.BB YY RR II CC HH MM OO GG UU LL LL

Page 18: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

it’s being used, and they can some-times enforce protective policies. Thetechnology may not always stop evilhackers, but it offers considerablehelp in protecting a business frominternal mistakes and in cost-effec-tively managing compliance.

Knowing where sensitive content islocated protects the organization andmay reduce the time and cost ofaudits; a company can prove that itsdata is appropriately secured andshow real-time controls to detect vio-lations. By gaining considerableinsight into how data is communicat-ed internally and externally, odds arethat an organization will identify anumber of risky business processes—like the above nightly database dumpand use of personal email accounts. Italso gains the ability to prevent acci-dents and eliminate bad habits, likeimproper use of USB drives. DLPwon’t make you compliant, but itscombination of risk reduction, insightand potential audit cost reduction iscompelling.

Yet, while DLP tools have signifi-cant potential to reduce an organiza-tion’s risk of unapproved disclosuresof sensitive information, they areamong the least understood andmost overhyped security technolo-gies on the market. Organizationsthat take the time to understand thetechnology, define their processesand set appropriate expectations willsee significant value from their DLPinvestments, while those that make

snap purchases or set their expecta-tions inappropriately high will strug-gle with this powerful collection oftools.

DEFINING DLPDLP is one of a dozen or so names forthis market; others are informationleak prevention and content monitoringand filtering. To further complicatematters, data loss prevention is sogeneric a term it could easily apply toany data protection technology;everything from encryption to port-blocking tools is hopping on the DLPbandwagon. While early tools weretightly focused on preventing dataleaks on the network, the market israpidly evolving toward robust solu-tions that protect data in motion onthe network, at rest in storage and inuse on the desktop, all based on deepcontent inspection and analysis.

So DLP is a class of products that,based on central policies, identify,monitor and protect data at rest, inmotion and in use, through deep con-tent analysis. Other defining charac-teristics are:

� Broad content coverage acrossmultiple platforms and locations.

� Central policy management.� Robust workflow for incidenthandling.

It’s important to recognize that DLPsolutions are very effective at reduc-

CHAPTER 3 » WHERE DATA LIVES

18 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 19: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

ing the risk of accidental disclosuresor data leakage through a bad busi-ness process, but they offer minimalprotection against malicious attacks.A smart internal or external attackercan easily circumvent most DLP tools,but the risk of inadvertent exposure isusually greater than that of a targetedattack.

GETTING STARTEDLong before contacting DLP vendors,set expectations and decide whatcontent needs protection and how to protect it. Pull together a projectteam with representatives from majorstakeholders including security, mes-saging, desktop management, net-working, human resources (HR) andlegal, and define protection goals,including content and enforcementactions. This is when you set expecta-tions; educating project members onwhat’s realistic with DLP can helpavoid pitfalls that derail deployment.

These protection goals help deter-mine required features. They’ll estab-lish needs for content analysis tech-niques, breadth of coverage(network/storage/endpoint), infra-structure integration, workflow andenforcement requirements. You candecide if you need a full suite, a dedi-cated DLP solution or just the DLPfeatures of an existing product. Then,translate these requirements into arequest for information or draft arequest for proposal and start con-

tacting vendors.Most organizations find that con-

tent analysis techniques, architecture,infrastructure integration and work-flow are the top priorities in selectinga product.

CONTENT ANALYSISThe most important characteristic of DLP solutions is content analysis.This allows the tools to dig into net-work traffic and files, unwrap layers(like a spreadsheet embedded in a.pdf in a .zip file) and identify contentbased on policies. While DLP prod-ucts use different content analysistechniques, they tend to fall into a fewcategories that also use contextualinformation, such as sender/recipient,location and destination.

Content description techniques useregular expressions, keywords, lexi-cons and other patterns to identifycontent. They include rules/regularexpressions for pattern matching,conceptual analysis involving presetcombinations of words and rules tomatch a specific concept like insidertrading, and preset categories such aspersonally identifiable information (PII),HIPAA and PCI.

Content registration techniques relyon content you provide the systemthat then becomes a policy. They in-clude full or partial document match-ing using hashes of files to identifycontent; database fingerprinting byhashing live database content in com-

CHAPTER 3 » WHERE DATA LIVES

19 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 20: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

binations to identify matches; andstatistical techniques that use a largerepository of related content to iden-tify consistencies and create policies.

All the leading products can com-bine different analysis techniques intoa single policy to improve accuracy.

The content analysis technique willdirectly determine what productsmake the short list, but companiesshould make sure to account forfuture needs. Although most of themarket—90%, by some estimates—isfocused on protecting PII, about 30%to 40% of those organizations arealso interested in protecting unstruc-tured data. They start by using DLP toprotect PII to reduce their compliance

risk, and then slowly add other con-tent—generally trade secrets andintellectual property—once they getcomfortable with their tools.

The last major component of DLPsolutions is an endpoint agent tomonitor use of data on the user’sdesktop. A “complete” agent theoreti-cally monitors network, file and useractivity such as cut and paste, butfew real-world tools provide full cov-erage. Most products start with filemonitoring for endpoint content dis-covery and to detect (and block) sen-sitive data transfers to portable stor-age. Rather than completely blockingUSB thumb drives to protect data, anorganization can use these tools to

CHAPTER 3 » WHERE DATA LIVES

20 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

CONTENT DISCOVERY HELPS CREDIT UNION WITH PCITHE MAJORITY OF organizations first deploy DLP for network data loss preven-tion, since it’s the quickest way to identify their risk exposure. But from acompliance standpoint, DLP for data at rest—or content discovery—is oftenmore valuable since it helps quickly identify stored data in violation of policy,which is especially useful for PCI DSS.For example, a medium-sized credit union started with network monitoring

and user education to reduce its risk of an inadvertent breach. It then movedinto content discovery to ensure that no PCI data was stored unencrypted,followed by basic email filtering. The company’s vendor recently started betatesting an endpoint agent, which the client plans to use for endpoint discov-ery and blocking PII transfer to portable storage.Executives at the credit union estimate it will take two to three years for

full deployment of all DLP components, based largely on internal political is-sues and budget. —R.M.

Page 21: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

restrict file transfers based on con-tent.

Endpoint DLP tools are starting toadd more advanced protection, suchas limiting cut and paste, detectingsensitive content in unapprovedapplications such as certain encryp-tion tools, and automatically encrypt-ing items based on content. Overtime, they will increase the type andnumber of policies they can enforceand integrate more deeply into com-mon endpoint applications.

ARCHITECTURE AND INTEGRATIONDLP architectures are defined bywhere they protect the content: data-in-motion network monitoring, data-at-rest file storage scanning and data-in-use monitoring of the endpoint.Full-suite solutions include compo-nents for each of these areas, whilepartial suite tools cover only a por-tion, such as an endpoint DLP toolwith an email-only gateway. There arealso single-channel products andnon-DLP tools that bundle some DLPfeatures, like an email gateway thatcan block messages with credit cardnumbers. In the long run, most organ-izations—especially large enterpris-es—will prefer full-suite solutions, butpartial-suite and DLP-as-a-featuretools often meet tactical needs wherecomplete coverage isn’t necessary.

The DLP market started with pas-sive network monitoring toolsfocused on detecting information

leakage over communications chan-nels such as email, instant messaging(IM), FTP and HTTP. These simplemonitoring and alerting tools evolvedinto more comprehensive solutions,adding email integration and gate-way/proxy integration for Web, FTPand IM. This allows organizations toblock traffic before the data escapes,rather than just being alerted whenit’s already gone. (See “NetworkMonitoring Tips”).

For email, DLP vendors embed amail transport agent, which is thenadded as another hop in the emailpath to block, quarantine, encrypt oreven bounce messages back to theuser. Since email is a store-and-for-ward protocol, integration is fairlystraightforward. A few tools supportsimilar actions on internal mail byintegrating with Exchange and othermail servers.

Other channels, such as Web, FTPand IM, are more difficult to blocksince that traffic uses synchronousprotocols. By integrating with proxies,a session analysis can be performedto reconstruct and evaluate contentbefore it’s released. Few DLP toolsprovide proxies and instead partnerwith major gateway/proxy vendors, oruse the Internet Content AdaptationProtocol. When integrated with a toolthat proxies Secure Sockets Layertraffic, you gain the ability to sniffencrypted traffic.

DLP for data at rest is often equallyif not more valuable than network

CHAPTER 3 » WHERE DATA LIVES

21 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 22: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

monitoring. This is called content dis-covery; these tools scan enterpriserepositories and file shares for sensi-tive content. Imagine knowing theidentity of every server storing creditcard information, and being alerted tounapproved ones.

Content discovery falls into threecategories: network scanning, localagents and application integration.With network scanning, the DLP toolconnects to file shares for analysis,which provides wide coverage butlimited performance. A local agentmay be available on major platformsto scan directly on the server ratherthan across the network, which ismore effective for large repositoriesbut requires more management.Some tools integrate directly withdocument management systems andother repositories to leverage native

features.Enforcing this kind of policy

requires integration with enterprisedirectories and dynamic host configu-ration protocol servers to identify theuser’s location (system and IPaddress)—a critical feature to look forin the evaluation process. Role-basedadministration and hierarchical man-agement ease management overheadand are particularly important in largedeployments.

DLP policy violations are extremelysensitive and usually require dedicat-ed workflow. Unlike virus infections or intrusion detection system alerts,these incidents lead to employee dis-missal or legal actions. The heart ofthe DLP management system is theincident handling queue, where inci-dent handlers see open violationsassigned to them, take action and

CHAPTER 3 » WHERE DATA LIVES

22 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

NETWORK MONITORING TIPSWHEN SHOPPING FOR network monitoring tools for data loss prevention, don’tget hung up on high performance. Since outbound communications traffic isthe only concern, even if a company is running gigabit Ethernet, it will likelymonitor only a fraction of that traffic. Large enterprises typically need to monitor about 300 Mbps to 500 Mbps

at most, while midsized enterprises fall below the 100 Mbps range, and smallenterprises as low as 5 Mbps.Also, make sure to determine if a product monitors all protocols, or just a

subset, and if it requires hard-code port and protocol combinations or candetect traffic on nonstandard ports. The stronger tools also detect tunneledtraffic, like IM over HTTP. —R.M.

Page 23: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

manage workflow for investigations.A good workflow interface easesidentification of critical incidents andreduces incident handling time, man-agement overhead and total cost ofownership.

Recently, a DLP customer chose itsproduct ultimately on workflow. Afternarrowing the field to two vendors itconsidered equal in terms of technicalfeatures, the company selected theproduct with the workflow and inter-face its nontechnical users (legal, HRand compliance) preferred.

Beyond policy management andincident handling, look for a tool thatintegrates well with existing infra-structure and includes robust man-agement tools like incident archiving,backup and performance monitoring.Since senior management and audi-tors might be interested in DLP activi-ties, robust reports are needed forthis nontechnical audience and com-pliance support.

TESTING, DEVELOPMENT AND THE FUTUREAfter bringing in vendors for salespitches and demonstrations, narrowthe field to three or four and start aproof-of-concept trial. Preferably,place the tools side by side in passivemonitoring mode on the network andtest them with representative poli-cies. This allows a user to directlycompare results for false positivesand negatives, but it’s tougher to do

with endpoint tools. Also testenforcement actions and integrationinto the infrastructure, especiallydirectory integration. Finally, run theworkflow past the business unitsinvolved with enforcement to ensureit meets their needs.

Organizations report that DLP de-ployments tend to go more smoothlythan other security installations froma technical level, but it may take up tosix months to tune policies and adjustworkflow, depending on the complex-ity. Many find they need only part-time resources to manage incidents,but this varies based on the intricacyand granularity of policies. A 5,000-person organization, on average, needsonly a half-time incident handler andadministrator to manage incidentsand keep the system running.

DLP tools are still fairly adolescent,which means they provide good valuebut are not as polished as moremature product categories. Thisshouldn’t slow down deployments ifyou have data protection needs, butyou should understand that the toolswill evolve rapidly. Already, the mar-ket is transitioning from data loss pre-vention, focused on plugging leaks, tomore robust content monitoring andprotection (CMP), designed to pro-tect data throughout its lifecycle.CMP will eventually become one ofthe most important tools in the secu-rity arsenal. �

Rich Mogull is CEO of Securosis LLC.

CHAPTER 3 » WHERE DATA LIVES

23 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 24: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

Free Guide: Register for the Essential Series “The Role of Database Activity Monitoring in Database Security”. This guide outlines the best practices for database activity monitoring and describes how to implement this increasingly important technology.

Divided into three articles:

» Article 1: Data Discovery and Classification in Database Security

» Article 2: Database Assessment and Management in Database Security

» Article 3: Mitigating Risks and Monitoring Activity for Database Security

Download your copy today: www.imperva.com/go/DAM

Toll Free (U.S. only): 1-866-926-4678 or +1-650-345-9000www.imperva.com

© Copyright 2009, Imperva All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva.

Co m p l e t e A p p l i c at i o n a n d D at a b a s e S e c u r i t y L i fe c yc l e

Data is under attack from multiple points of vulnerability. Without the ability to track the databases, applications, and users accessing data, organizations will never solve their data security and audit requirements. Imperva delivers a complete lifecycle for organizations to secure their data in an automated and repeatable process, thus providing full visibility and control of the data driving their business.

Imperva, the Data Security leader, enables a complete security lifecycle to provide

visibility and control for business databases and the applications that use them.

Page 25: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

FOR YEARS, ENCRYPTION was somethingcompanies could choose to use ifthey wanted an extra degree of secu-rity for their data. However, the daysof optional encryption are gone forev-er. Today, companies in a variety ofindustries are subject to regulationsthat mandate encryption and othersecurity measures, and they face stiffpenalties for failure to adequatelyprotect their data. Even if a companyis not subject to these types of regu-lations, many states have laws requir-ing companies to disclose securitybreaches in which unencrypted cus-tomer data has been compromised.

Consequently, it is no longer aquestion of whether a companyshould use encryption, but rather how a company should encrypt data.The first step in planning an encryp-tion strategy is to understand the pri-mary types of encryption solutions:storage, network and application-level. While each offers benefits,there are also drawbacks to take into account.

STORAGE ENCRYPTIONStorage encryption is simply a mech-anism that encrypts files stored on ahard drive or other media such asbackup tapes. This type of encryptionis used primarily as a contingencyagainst a physical security breachsuch as a stolen laptop containingsensitive data. In such a situation, theWindows operating system will pro-vide at least some protection. Assum-ing that the hard drive is using the NTfile system and the appropriate filesystem permissions are being used,the thief shouldn’t be able to accessthe user’s data unless he knows theuser’s password.

However, a computer-savvy thiefcould use one of the many utilitiesavailable to reset the local adminis-trator’s password as a means ofaccessing the data, or he could justremove the hard drive, install it intoanother computer and bypass Win-dows altogether. Unless the data onthe drive is encrypted, both of thesemethods will allow the thief to quickly

CHAPTER 4 » MANDATING ENCRYPTION

25 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Mandating EncryptionState laws and industry standards are forcing organizations to encrypt or face penalties.

Here are the options they can use. BBYY BB RR II EE NN PP OO SS EE YY

Page 26: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

access the user’s data. Storage-level encryption is

designed to protect data in thesetypes of situations, but some encryp-tion technologies work better thanothers. For example, the WindowsEncrypting File System (EFS) canencrypt a volume containing data, butit cannot encrypt the system vol-ume—the disk volume that containsthe hardware-specific files needed tostart Windows. This means EFS-encrypted data can remain protectedonly if physical security is guaranteed.

If a computer is stolen, EFS encryp-tion will prevent data from beingcompromised if an encrypted harddrive is removed and then installedinto another machine. However, sincethe system volume is unprotectedthere is nothing stopping a thief fromusing a utility to reset the administra-tive password, booting Windows, log-ging in with the new password andgaining access to the data.

Windows Vista and Windows Serv-er 2008 solve this problem by offer-ing BitLocker, which uses the TrustedPlatform Module to encrypt the sys-tem volume. Since this is a BIOS-levelencryption mechanism, it will protectagainst password reset attacks(assuming the system volume isencrypted).

If you are considering using stor-age-level encryption, it is importantto carefully plan for key managementand to have a mechanism in place forkey recovery. Encryption key loss is an

extremely common problem. Whenthe key is lost, the encrypted databecomes unreadable unless a backupkey is available. The result is perma-nent data loss.

Most third-party storage encryp-tion products on the market worksimilarly to EFS but offer better man-ageability. One important differencebetween EFS and some of the otherproducts (besides the varyingencryption algorithms they use) ishow they store the encryption keys.

Windows stores the EFS encryptionkeys on the system drive, which canlead to a couple of problematic situa-tions. First, if the system drive fails,the encryption keys are lost, whichresults in permanent data loss unlessa backup key is available (Windowsworkstations that are a part of adomain always designate the domainadministrator as a key recoveryagent). Second, if a laptop is stolen, askilled hacker may be able to extractthe encryption keys from the system

CHAPTER 4 » MANDATING ENCRYPTION

26 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

If you are consideringusing storage-levelencryption, it is impor-tant to carefully plan forkey management andhave a mechanism inplace for key recovery.

Page 27: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

drive and use them to unlock theencrypted data. Many third-partyencryption products protect againstthis by storing the encryption keys onUSB flash drives or on networkservers.

NETWORK ENCRYPTIONEncryption at the storage level does agood job of protecting files residingon storage media, but it does nothingto protect data in transit. Data flow-ing across a network or the Internet isunprotected unless the session isencrypted. A hacker can easily use apacket sniffer to capture a copy ofindividual packets as they flow acrossthe network, a technique used inrecent high-profile credit card theftsfrom retailers. These packets canthen be reassembled and the datawithin them extracted. At one timethis was considered a fairly advancedtype of attack. Today, though, utilitiesexist that take all the work out of anetwork sniffing attack. Even anunskilled hacker can use such a utilityto steal data.

There are countless mechanismsavailable for protecting data as itflows across a network. WindowsServer provides IPSec encryption.Mobile users accessing a Windowsnetwork through a Windows-basedvirtual private network can be pro-tected by Point-to-Point TunnelingProtocol, Layer 2 Tunneling Protocolor Secure Sockets Layer encryption.

Of course, these are just software-based encryption solutions native toWindows. There are also third-partyencryption solutions that work at thehardware and software levels.

There are two major drawbacks toencrypting network traffic. First, net-work encryption has traditionallybeen difficult to implement. Forexample, using IPSec encryption usu-ally requires an organization to installan enterprise certificate authority. Anadministrator will also have to under-stand the key management processand know how to set group policiesthat require network computers touse IPSec encryption. Additionally,IPSec encryption will fail unless net-work clients are using operating sys-tems that support IPSec.

The other major drawback to net-work traffic encryption is that it candegrade performance. Every time aclient needs to communicate over thenetwork, the client must establish asession and encrypt the data that isto be transmitted. The recipient must

CHAPTER 4 » MANDATING ENCRYPTION

27 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Network encryption has traditionally been difficult to implement.The other major drawback is it candegrade performance.

Page 28: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

then decrypt the data. This processincreases the amount of traffic flow-ing across the network, and forcesnetwork client machines to spendadditional time and CPU resourcesencrypting and decrypting data.

Network cards exist that canoffload the encryption and decryptionprocess from the CPU. This doesn’tdecrease the traffic flowing across thenetwork, but it prevents networkclients from suffering from decreasedperformance.

APPLICATION-LEVEL ENCRYPTIONApplication-level encryption is essen-tially a hybrid method. The basic ideais that the developers assume thattheir applications will be used in inse-cure environments, and thereforebuild proprietary encryption capabili-ties into their tools.

Many products on the marketinclude application-level encryptioncapabilities. Some of the best knownare file compression utilities such asWinZip, which allows a user to createan encrypted archive file. This fileremains encrypted whether or not itis stored on a hard drive that hasencryption enabled. Likewise, the fileremains encrypted even if transmit-ted across the Internet using a non-encrypted session. This is becausethe encryption algorithm is applieddirectly to the data within the file andis independent of the storage mediumor network connection being used.

Application-level encryption workswell for augmenting your existingsecurity but tends to be difficult tomanage. Every application with built-in encryption capabilities works dif-ferently, but generally most requirethe user who creates a file to enter apassword to access it. This passwordis treated as an encryption key. Theproblem is there is usually no way tocentrally manage these passwords. Ifa user forgets the password heassigned to a file, he loses access tothe data in the file.

Furthermore, many encryption-enabled applications are not multi-user-aware. This means a user whowants to share a file with anotheruser typically must also share thepassword.

Whatever solution you chooseneeds to be “end-user proof.” In mostcases, applications that offer built-inencryption capabilities require usersto choose to encrypt the data. Given achoice, they will often take the easyway out and not encrypt.

RIGHTS MANAGEMENTRights management is a more ad-vanced form of application-levelencryption that’s starting to gain pop-ularity. Rights management is a tech-nology that allows permissions to beassigned to an encrypted file. Forexample, such a policy might preventusers from copying data out of the fileor from printing a protected document.

CHAPTER 4 » MANDATING ENCRYPTION

28 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

Page 29: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

The nice thing about rights man-agement is that permissions are typi-cally linked to a back-end server. Thismeans that if a user were to copy arights-managed file onto removablemedia and then leave the company,the administrator could prevent thedata in that file from being accessedby the former employee by simplyremoving the rights.

Windows natively supports rightsmanagement, but third-party prod-ucts offer similar capabilities. For themost part, rights management worksvery well, but the initial setup can becomplicated, depending on the prod-uct. Also, depending on how rightsmanagement is set up, mobile usersmay not be able to open rights-man-aged documents unless they haveconnectivity to the company’s rightsmanagement server. Another poten-tial downside is that not all types ofdata can be rights managed. On theupside, rights management doessolve the management headachestypically associated with application-level encryption.

HOW TO CHOOSEWith so many types of encryptionavailable, it can be tough for a com-pany to figure out which one is bestsuited to its needs. The first step is todetermine whether your organizationis subject to any federal or industryregulations that mandate how data isto be secured. If so, these regulations

often provide guidance on the typesof encryption solutions that must beused.

Most organizations will want totake a layered approach. When it

comes to encryption, the general ruleis that data needs to be protected atrest and in motion. If data is encrypt-ed at only the storage level, or onlywhile in transit, then the data is notfully protected against potentialexposure. Although application-levelencryption fulfills both of these crite-ria, it should be used only to augmentyour network’s security, not as thesole encryption method. The reasonis that not every application offersbuilt-in encryption, and those that dohave varying encryption strengths.

If a company is not subject to regu-lations requiring encryption, it’s criti-cal to consider the total cost and staffrequirements associated with deploy-ing and maintaining the technology.Encryption can cost a significantamount in terms of hardware, soft-ware and support, and it is importantto make sure the benefits justify the

CHAPTER 4 » MANDATING ENCRYPTION

29 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

The nice thing aboutrights management is the permissions aretypically linked to a back-end server.

Page 30: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

expenditures.Whatever encryption solution a

company chooses, it should be trans-parent to end users and compatiblewith your network infrastructure.Some encryption solutions causecomplications with backing up dataor with accessing or encrypting dataon a storage area network. Make surethe solutions you are considering willnot cause a significant administrativeburden once the initial setup is com-plete.

While encryption definitely has itsplace in an enterprise security strate-gy, a company can’t rely on encryp-tion to solve its security problems.Most security experts agree thatthere is no such thing as a foolproofsecurity solution. Any security mech-anism can be circumvented withenough time and effort, includingstrong encryption. The key to goodsecurity is to make a breach moretrouble than it’s worth. This is bestachieved by taking a layeredapproach to security that involvescomprehensive policies and multipletechnologies. �

Brien Posey is a freelance technical writer who hasreceived Microsoft’s MVP award six times for hiswork with Exchange Server, Windows Server, IIS and File Systems Storage. Posey has written or con-tributed to about three dozen books, and has writtenwell over 4,000 technical articles and white papersfor a variety of printed publications and websites.Previously, Posey was CIO for a national chain ofhospitals and health care companies. He has alsoserved as a network administrator for the Depart-ment of Defense at Fort Knox, and for some of thenation’s largest insurance companies.

CHAPTER 4 » MANDATING ENCRYPTION

30 DLP ESSENTIALS

aCHAPTER 1

DLP: IT’S NOT JUST FOR BIG

FIRMS ANYMORE

aCHAPTER 2

PROTECTING YOUR SECRET

SAUCE

aCHAPTER 3

WHERE DATA LIVES

aCHAPTER 4

MANDATING ENCRYPTION

DLP Essentials is produced by Security Media Group and CIO Decisions/

IT Strategy Media Group, © 2009 TechTarget.

MANAGING EDITORCIO/IT STRATEGY MEDIA GROUP

Jacqueline Biscobing

ART DIRECTOR OF DIGITAL CONTENT

Linda Koury

CONTRIBUTING WRITERS

Richard E. Mackey, Russell L. Jones, Rena Mears, Rich Mogull, Brien Posey

EDITORIAL DIRECTOR SECURITY MEDIA GROUP

Kelley Damore

EXECUTIVE EDITORCIO/IT STRATEGY MEDIA GROUP

Scot Petersen

FOR SALES INQUIRIES:

Stephanie Corby, Senior Director of Product Management

CIO/IT Strategy Media [email protected]

(781) 657-1589

Zemira DelVecchio,Director of Sales, Security Media Group

[email protected](781) 657-1448

Page 31: Dataloss data prevention loss - Bitpipeviewer.media.bitpipe.com/1240246133_118/...Data-Protection_final.pdfdata loss prevention Dataloss prevention ... All companies can improve their

RESOURCES FROM OUR SPONSORS

31 DLP ESSENTIALS

qWhitepaper: Managing Risk to Sensitive Data

q Insider Threats – Interview with Former DeputyDirector of the NSA

qWhitepaper: Protecting Databases fromUnauthorized Activities

qMcAfee Buyer's Guide to Data Protection

q Total Protection for Secure Business

q Secure in 15: An at-a-glance Calendar

q The Cost-Based Business Case for Data LossPrevention

q 5 Considerations for Selecting a Data LossPrevention Solution

qDiagnose your security posture via ourcomplimentary assessment now!

q The business impact of data security regulations:Featuring Massachusetts

q Closing the gaps in enterprise data security:A model for 360° protection

q Is your data at risk? : Why physical security isinsufficient for laptop computers


Recommended