Protecting Data
Over the course of the last three to four years a number of laws have passed, each one impacting how data is handled. Taken individually, each might have only a minor impact on the way businesses look at their data, but taken collectively they have made data protection so white-hot that IDC estimates the market will grow from US$750 million in 2006 to over US$3 billion by 2011. “It is so easy to get caught up in the hype of the moment, but there is a reason for the hype. It is an important area for people to be worried about,” says Bob Hansmann, senior product marketing manager of Enterprise Security Solutions for Trend Micro.
“Prior to this, we had botnet concerns, prior to that it was spam, and prior to that it was spyware. Industries like data leakage tend to grow out of previous industries. An example would be spyware. By the time that spyware was being used as a common term on the street, we in the anti-virus industries had been dealing with it for a long time. Except, we just called it viruses, Trojans, or worms. The term spyware was applied to indicate a virus, Trojan or worm whose purpose was to steal or access information. So when we first came out with our spyware product, it included much of what we were already doing. With data leakage, one of the things that people are concerned with is email.”
He notes that a management worry is that employees are sending out information from the organization that a) they may not be authorized to send, or b) they may be authorized to send, but that is being sent in an unencrypted format. “Trend Micro has for years offered content filtering in our email. Our content filtering solution allowed you to define policies of numerical patterns, to identify social security numbers, credit card numbers, or for a hospital a file number, etc., in order to keep those from going out. We have been doing this for a while. Now we have this new thing called data leakage.”
Not long ago messaging security focused on inbound problems: things like spam and viruses were plaguing organizations’ networks. In an effort to better manage these threats, solutions had to focus on the content of inbound communications. “This new focus in security began to center on the content, since looking at packets solely for security does not mitigate a virus threat. The whole content of the email was required to be scanned thoroughly,” observes Andrew Graydon, chief technology officer of BorderWare. “This paradigm shift became more apparent in recent years with the full bloom of Web usage. As we see today, threats and attacks have taken advantage of this and we see malicious scripts, drive-by downloads and other Web-based security threats trying to enter the organization.” Graydon notes that to combat the wide variety of inbound threats, complex and effective products came to market that could now perform a ‘deep content inspection’ and provide security from attacks that were embedded in messages and communications.
At about the time of this inbound threat evolution came a variety of highly-publicized data loss instances that made headlines. What has happened to make data loss and data loss prevention so prevalent? “We are increasingly hearing about Data Leak Prevention in response to a number of factors,” responds John Dasher, director of product management for PGP Corporation. He lists the following as having significant impact:
- Increasing data mobility facilitated by laptop computers, remotely accessible networks, small and inexpensive data storage devices, etc. Protecting the device is necessary and important, though protecting the data itself is equally important as data has a habit of finding its way off one device onto another.
- Compliance and regulatory requirements acting as a forcing function requiring corporations to demonstrate appropriate handling and storage of sensitive information.
- Data breach notification laws. The majority of the United States is now subject to these laws, and they will likely materialize in the European Union soon.
“The point is data protection isn’t just a concern for heavily regulated industries or those corporations doing business on a global scale,” says Dasher. “Simply put, if you’re a company who has customers or employees, you should have a strategy in place to protect your data assets. The resultant publicity of a data breach means that it’s not just the CIO or CSO who’s paying attention to data loss. Litigation is a real possibility. Customers and business partners also have visibility to the problem, and are voting with their feet and wallets.”
Another perspective is offered by Donald Massaro, president and CEO of Sendmail. While he too acknowledges the regulatory influence, he also notes that we are more and more an information society. “We do not really make anything anymore, that is why data protection has become so important. For example, when a company like Nike comes out with a shoe, where they charge US$150, they make all their money in the first three to four months. That is about how long it takes for a knock-off to be available for less than a third of the price. So for every day that Nike does not keep that design confidential, they lose profit on that shoe. Keeping your intellectual property safe is about keeping your competitiveness safe. All we really have is a timing advantage.”
Adding to the warm reception is the notion that data can be kept safe in an increasingly threatening world. “The promise of data loss prevention (DLP) is enticing to every company in the world,” believes Tom Gillis, VP of marketing for IronPort Systems, a Cisco Business Unit. “It is the abstract notion of protect your intellectual assets. But I liken it to anti-aging cream—the promise is great, but many of the products have trouble living up to that promise.” Gillis is quick to point out, however, that a partial solution is still valuable. “The need to protect data has always been there, but the solutions were so cumbersome, it did not make much sense. But as the solutions have matured, we have seen an increase in overall efficacy and at the same time they have become easier and easier to deploy.” Gillis points to regulations that offered clear guidelines and clear deadlines by which companies had to be compliant as primary drivers that forced some level of data protection activity, which in turn spurred the vendor community to build solutions to more easily address those issues.
More Than Content Filtering
Once those regulations took effect, organizations began paying more attention to the information exiting their networks. “Over the last few years, we started to see both industry and government regulations appear around outbound content, where the content leaving an organization was required to be scanned and actions taken to ensure privacy and other confidentiality issues were addressed,” says Graydon. “Many of these tools with the capability of performing inbound content scanning were now utilized to also provide this outbound content scanning functionality. This natural progression of functionality in email, Web and IM solutions provided many organizations with the tools needed to comply with these regulations.” Graydon goes on to say that while many security vendors saw this as a natural evolution of their products, a certain portion of the market labeled this as a brand new area called Data Leakage Protection and later Data Loss Prevention.
“DLP and content monitoring are basically the same field,” states Massaro. “One is monitoring and looking for violations, so you can send an alert. The other side is about enforcement. Content monitoring can be either passive or active. When it is active, then it is more of a DLP strategy. Very few companies had DLP prior to two or three years ago that had any serious applications running to monitor what was leaving the network, let alone stopping it. So this is a very recent phenomenon.”
Gillis believes there is an important difference between content filtering and DLP. “A lot of content filtering was designed around acceptable use, looking to block profanity, or pornographic images, and the like. Now, it is more around intelligent interpretation of content. It is clearly an evolution.”
“Many security vendors saw this as a natural evolution of their products,” agrees Graydon. “As more information leaks were publicized in the media—for example, the TJX consumer data loss incident last year—a large amount of focus was placed around this functionality and ‘Data Leakage Prevention’ as a term came very much to the forefront. Subsequently, this niche product market and the vendors of this market became much publicized and we saw many acquisitions by larger vendors. However, this functionality is typically already incorporated into many of the solutions already on the market for email, Web and IM.”
Threats to Data
Study after study reveals that the biggest threat to data is from the inside of an organization, rather than a malicious act from the outside. “There is a host of solutions for protecting the perimeter of the network from bad people. But what happens if the bad people are inside the network? There is no protection at all. When I say bad people, I mean, good employees doing bad things. Companies are letting confidential or proprietary information out of the network and do not even know it,” says Massaro. He notes that 99.9 percent of the time it is good people doing bad things that lead to data leakage.
“Data theft is often the result of accidental data handling or poor security policy enforcement,” agrees Dasher. “More often than not, IT is more concerned with accidental security breaches rather than malicious intent. So, corporations need to consider the broader threat model - which also includes accidental data loss by authorized users. Certainly there exist people with criminal intent looking to take advantage of the unprotected target. But more often than not, the common threat is a member of your well-intentioned employee population simply trying to do their job. People make mistakes, accidentally send an email to the wrong recipient, leave a laptop in a taxi, misplace a USB thumb drive, etc.”
How much data is estimated to be lost? “People have no idea what is leaving their networks,” responds Massaro. “It is really scary what goes out. It is like football, you can guarantee that there is a foul every play, but a penalty does not necessarily get called. There is not a network in the U.S. that does not have a problem with data leakage of confidential information.”
We hear so much about the high-profile cases of data loss, like last year, when 45.7 million TJX customers had their data stolen. A majority of the time the data loss is not that spectacular, but it is no less troubling. “From a regulatory standpoint, be it 10 records or 50,000 records, the company is still in trouble,” says Hansmann. “It is the tens and ones that are very frequent. It is often a staffer who thinks they are doing the right thing, and are unaware of the policy, or maybe it is a partner vendor, needing some credit information. On the malicious side, I would say that having people intentionally take data and try to find someone who will buy it, is probably a bigger problem than we currently know. There are a lot of people that are doing it.”
Is it possible to bulletproof data? Gillis thinks not. “It is very difficult to seriously protect against someone who is intent on stealing content.” He gives an example of locking a car. If a car thief really wants the car, the lock might slow them down, but the car will still be taken. “DLP solutions are the locks on the car. It keeps out the amateur, the accidental leakage, which is the vast majority of the issues. If someone wants to steal the data and they have access over the course of business, they will take data on thumb drives, or screen grabs—it is almost impossible to control that. Our response to customers is to be sure to understand your business processes, how you control access, how you determine who has access and to what data, because if they have access and want to steal it, they can.” It is easy to forget how much businesses rely on the integrity of their employees.
Data Protection Policies
If accidental mishandling is the primary threat to data, then it makes sense for an organization to ensure that employees understand its policies surrounding data. Of course, to do that an organization has to have policies in the first place. “The threats around data theft are multiple given the variety of ways an attack may be mounted to try to take information from your organization,” advises Graydon. “However, the best practice is to analyze your risk profile and create policies and practices, which mitigate those specific risks. A secure government facility will have a much broader risk profile than a typical organization and the risk mitigation implementation plan will be much more complex. In another case, the risk profile of an organization, which deals in consumer financial or health information will have a risk profile greater than a manufacturing plant. In each case the risk profile and business practice must be fully understood before any risk mitigation plans are developed or implemented to include data theft.”
Developing policies to protect data has offered a niche for consultants to fill. “A lot of companies have hired risk management consulting firms, that help them define what is confidential, how to handle confidential data and basically put all the policies in place to do that,” says Massaro. “Many times we replicate those policies on our messaging processing engine such that, what the company has in place for their employees to follow, we are monitoring, creating exception reports, electronically notifying the employee that was in violation and or stopping it from going out. It is all about the policy. It is where the real value-add is.”
Gillis agrees that policy is absolutely critical to data protection success. “You cannot achieve the right results if you do not know what you are trying to accomplish,” he says. Gillis points out that IronPort has put a great deal of effort into policy management as part of its DLP solution. Dasher also agrees that policy plays an important role in protecting data. “Compliance audits tend not to result in a letter grade, but rather are a ‘pass/fail’ exercise, so the concept of policy enforcement is critical,” emphasizes Dasher. “Simply having a corporate security policy and communicating it to your employees is not sufficient. That policy needs to be demonstrably enforced in a uniform and consistent fashion.”
Coming Next: Evolution of DLP
Given DLP’s projected growth into 2011 by IDC, outbound content protection will remain a big topic for IT security. “It is turning out that the messaging processor is becoming a major component in the whole security infrastructure and probably the most important one,” observes Massaro. “If we go back 10 years ago, the hot item was firewall and proxies. Now it is message gateways. With businesses depending on messaging more and more, it is probably the most important security device you have in your network. The messaging IT people are moving center stage in terms of security.”
Data protection has become an important component of overall messaging security. Dasher notes that appropriate protection measures are needed to defend against differing threat models. “You wouldn’t want unauthorized personnel roaming your network any more than you want employees carrying sensitive information on USB thumb drives without being encrypted. Defense in depth applies—protect the data itself and protect the device. Products like PGP NetShare, PGP Virtual Disk, or PGP Zip will protect your files, and products like PGP Whole Disk Encryption and PGP Endpoint will take care of the devices that are used.”
With data leakage prevention being relatively new, the expectation is that the technology will continue to evolve. “The vast majority of what our customers are looking to accomplish is to identify structured data, meaning things that you know are sensitive, like patient healthcare numbers, bank routing numbers, credit card numbers, social security, etc. That is a majority of what people are actually deploying today. There is a lot of interest, however, around unstructured data.” Detecting this type of data might mean looking for a combination of words, especially when paired with “confidential” or “proprietary.” “That is definitely of interest to customers, though a lot less of that is actually being deployed. We as a community have a lot of maturing to do around unstructured data analysis. It is a hard problem to solve.”
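The following is an added example, not code from the article or from any vendor quoted in it: a minimal outbound message scan for the structured data described above (card and Social Security numbers, with a Luhn check to cut false positives) plus a keyword pairing for unstructured content. The business-term list, the rule names and the choice to block only on structured-data hits are assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN layout AAA-GG-SSSS, excluding never-issued values (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Unstructured heuristic: a marking word paired with a (hypothetical) business term.
MARKING_RE = re.compile(r"\b(confidential|proprietary)\b", re.I)
TERMS_RE = re.compile(r"\b(design|roadmap|pricing|source code)\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def scan(body: str) -> list[str]:
    """Return the sorted names of the policy rules a message body triggers."""
    hits = set()
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.add("card_number")
    if SSN_RE.search(body):
        hits.add("ssn")
    if MARKING_RE.search(body) and TERMS_RE.search(body):
        hits.add("marked_business_content")
    return sorted(hits)

def verdict(body: str, enforce: bool) -> str:
    """Passive monitoring only alerts; active enforcement blocks structured-data hits."""
    hits = set(scan(body))
    if not hits:
        return "deliver"
    if enforce and hits & {"card_number", "ssn"}:
        return "block"
    return "alert"  # keyword-only matches are noisier, so they are reported, not blocked

# Constructed sample messages (well-known test card number, made-up SSN-shaped value).
SAMPLES = [
    "Order ref 4111 1111 1111 1111 attached.",
    "Tracking id 1234 5678 9012 3456 shipped.",
    "Employee record 123-45-6789 as requested.",
    "Attached is the confidential pricing sheet.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(verdict(s, enforce=True), scan(s), "|", s)
```

The second sample shows why a bare digit pattern is not enough: it has the shape of a card number but fails the checksum, so it is delivered rather than flagged.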
With so much noise about messaging security, organizations need to be diligent about investigating the right solution. “There are many vendors flooding the market with information,” acknowledges Graydon. “This deluge can confuse and muddy the implementation plans of many organizations. Dealing with the risk mitigation and addressing data in motion and data at rest as two separate and distinct issues will clarify the proposed implementations for many organizations and help simplify a solution for what seems to be a complex issue.”
