Protecting data in dynamic and diverse environments is a formidable challenge. You need to focus on categorized data inventory, sharing mechanisms, and leak detection. Here's how.
The challenges of securing data in modern organizations are vast. Sure, we may employ controls, such as access management systems, system hardening procedures, network intrusion detection systems, and so on. Yet, each department may have separate data stores and applications that need to integrate with each other. Business users often store and share sensitive data in a way that allows them to get work done, yet makes it difficult to track and control its distribution. Protective measures cannot be too limiting, because individuals require access to data to perform the tasks that constitute their jobs.
How to tackle this challenge? To protect data more effectively, I recommend a three-step plan that stipulates the following: 1) Identify and categorize data to define protective measures; 2) develop and document practical mechanisms for sharing data; and 3) implement processes and technologies for detecting data leaks.
First: Find and Understand Data
To determine how to secure your data, first identify which records warrant protection, and where they reside. Finding the data typically involves interviews and the review of existing documentation. Expand your findings by scanning file servers within your organization for potentially sensitive records. Budget-strapped? Free data discovery tools that can get you started with this task include:
You may find that free discovery tools are prone to producing false positives. If so, consider commercial products such as Identity Finder and Proventsure. And keep in mind that your employees may use third-party services, such as SalesForce, for holding sensitive information. Understand which data are located in such environments, and what security precautions you should take to protect them.
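As an added illustration (not code from the article, and no substitute for the tools it names), here is a small file-server scanner in Python that looks for payment card numbers and US Social Security numbers and validates each hit (Luhn checksum, SSA area-number rules) to cut down the false positives described above. The file extensions, patterns and the constructed sample files are all assumptions.

```python
import os, re, tempfile

# Deliberately loose patterns; the validators below do the work of rejecting look-alikes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# SSA never issued area numbers 000, 666 or 900-999, group 00, or serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Count validated card numbers and SSNs in a piece of text."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards += 1
    return {"cards": cards, "ssns": len(SSN_RE.findall(text))}

def scan_tree(root: str, extensions=(".txt", ".csv", ".log")) -> dict:
    """Walk a directory tree and report files with at least one validated hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                hits = find_sensitive(fh.read())
            if hits["cards"] or hits["ssns"]:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo() -> dict:
    """Scan a constructed sample tree (made-up data, not real records)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "exports"))
    samples = {  # second card fails Luhn; second SSN has an invalid area number
        "exports/customers.csv": "id,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n",
        "notes.txt": "Applicant SSN 123-45-6789 on file; ticket 000-12-3456 is not one.\n",
        "readme.txt": "Nothing sensitive here, just extension 555-0100.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Point `scan_tree` at a mounted file share to get a first inventory; every reported path still needs a human to confirm the record and decide its category.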
Since attempting to apply the same rigor to protecting all data within the organization is overly expensive, classify the data according to sensitivity using nomenclature that makes sense within your environment, such as "public," "protected," and "proprietary." Then, decide the extent to which the data will need to be protected for each category.
Consider defining templates that explain what security mechanisms you will employ, depending on data sensitivity. For instance, "proprietary" may require multiple firewalls, hardened operating system, detailed logging, encrypted transfers, and regular vulnerability scanning. You would apply fewer controls to "protected" data, making it easier for people to share the data, and lowering security costs. And yes: A more formal risk management approach would define security requirements more accurately. Yet, such an approach is often impractical for organizations without strong process and risk discipline. Don't wait and hope for that kind of discipline to set in!
Whenever possible, minimize the number of locations where sensitive data are stored. At the same time, realize that the users of data need to have a convenient way of accessing the data to get work done. This may mean acknowledging that people will export and store sensitive records locally, and providing a secure and practical way of doing that.
Second: Help Users Share and Store Data
How will people exchange and store data securely? Don't expend your efforts on security controls without defining how people will share the sensitive data to get work done. According to recent Open Security Foundation figures, 14 percent of data breaches in the last year were the result of the accidental actions of an individual within a given organization. This suggests that data users do not know how to properly share sensitive data.
Too often, IT departments define well-meaning security requirements, such as "encrypt sensitive attachments when e-mailing them," without explaining how to do that, or confirming that the users know how to use the corresponding security tools. Don't assume that the users know how and when to use the tools! Offer training, make the policies and procedures easily accessible, and validate that the right people understand the instructions.
Then too, consider how employees will exchange data not only among themselves, but also with parties outside of your organization. Protecting data's confidentiality may involve encrypting the messages or traffic flows via VPN links, encrypted FTP (SFTP or FTP over SSL), or e-mail encryption. Encrypting e-mailed data may involve tools such as GnuPG, or enterprise-class products such as PGP, IronPort, and Tumbleweed.
Don't forget to protect data "at rest": data that is being stored, not in the process of being transferred. In recent years, full-disk encryption software has gained popularity for laptops and, in some cases, for desktops. Product choices include the freely available TrueCrypt, and commercial tools such as PGP WholeDisk, Utimaco SafeGuard Easy, and many others. Vendors of such solutions usually offer products for encrypting mobile USB drives, as well. They also may allow you to create virtual encrypted volumes that, residing on your servers, could house sensitive data in a highly controlled manner.
Further, make sure the users understand which data locations can be considered private, and which are publicly accessible. Too many people underestimate the power of modern search engines to find and index information in locations that many assume to be unknown or inaccessible outside the organization.
Third: Detect the Data Leaks, to React Quickly
Despite your best efforts, sensitive data may get exposed, often because of an oversight in storing, sharing, or securing them. Consider how you will detect the leak quickly to minimize the incident's scope and severity.
The data discovery process, as well as a security assessment, can help discover data where they don't belong. In addition, make use of web search engines to identify potentially sensitive records accessible to the public over the internet. For example, use "site:website.sample.com" to limit a Google query to pages on a particular website. To look for Adobe Acrobat and Microsoft Excel documents, add "filetype:xls OR filetype:pdf" to the query. Google lets you set up e-mail or RSS alerts, so you will be notified whenever the search produces a new result.
You also can use the data discovery tools mentioned earlier to identify unexpected data stores. In addition, one specialized tool for finding sensitive data among public data sets is Paterva's Maltego.
Another class of tools you may find useful is data leakage prevention (DLP) tools. These products are designed to monitor data leaving your environment via the network and USB keys, in order to detect and, sometimes, block the transfer of sensitive records. When implemented properly, they can offer excellent visibility into the way data are being shared within your organization and with external entities. DLP tools' detective capabilities are particularly useful in environments where it's difficult to implement preventive security controls that restrict the flow of data. Products in the DLP space vary in price and capabilities, and are sold by companies such as Symantec (offering products formerly by Vontu), Code Green Networks, and McAfee (offering products formerly by Onigma and Reconnex).
One More Thing...
Keep an eye on public data breaches. Knowing what data breaches have occurred can help you understand the leading causes of the incidents, so you can adjust your security controls appropriately. Further, referring to specific, real-world events during management discussions can help you justify the budget you require to safeguard data at your organization. Several projects track this information, including:
In the end, if you understand the threats, keep tabs on your data, and define realistic and secure ways of using the data, you'll stand a chance of preventing your organization from appearing on the breach lists.