anewdomain.net — There was a time when configuring a firewall was the extent of your data security. Of course, there was also a time when Excite was the most popular search engine, AOL was going to rule the world, and alleged Nigerian princes-in-exile were the pinnacle of Internet fraud.
Times have changed and your approach to data security needs to keep up with new and unexpected issues. As hackers, spoofers, and malware have become more sophisticated, it’s no longer sufficient to hide your critical and sensitive data behind a firewall. Data security, sometimes referred to as Data Leakage Prevention (also called Data Loss Prevention or DLP), is an active and ongoing charge for IT professionals.
Where is all of this data that we will be protecting? To get beyond the obvious answers (e.g., “the databases”), you’ll need to take a decidedly untechnical approach: it’s called sleuthing. Channeling your inner Sherlock, you may uncover unexpected data sources, such as:
- CSV uploads from partners that sit on a company FTP store, waiting for import.
- Prospective client contact info in a Microsoft Access database, built by someone in sales, so they can perform mail merges.
- An output of all affiliate orders for each month, which has to be cleaned up before it can be imported into the G/L system. The person in charge stores it in Dropbox so she can work on it from home, unaware of the security breach it creates.
Pull Back the Curtain
Now that you have a handle on where all of your data comes from, examine how it gets accessed. Pore through your network security and data access logs to ensure all the “data in use” and “data in motion” points are documented, and identify any unknown or inappropriate elements. For example:
- Scan access logs for system use by a privileged user
- Review network traffic to identify sensitive data transfers
These steps will help you identify areas that need a quick fix, before moving on to the more involved steps.
The last piece of the puzzle is implementing intelligent safeguards which enforce your written policies on sensitive data usage (your company has them, right?). These measures are much more involved and thorough, and will take more time to implement.
- Endpoint (users’ devices) security and physical media control to ensure sensitive data is always stored on encrypted media.
- Content-aware DLP, which implements policy restrictions on-the-fly, based on the type of data being requested or transmitted.
- Export/Save controls to limit how sensitive data can be moved to other media, including through the Copy/Paste function.
- Data redaction and sanitization routines to automatically remove sensitive data from outputs.
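An added example, not part of the original article or any vendor's product, showing the content-aware check and redaction routine from the list above: it finds payment card numbers in an export, confirms them with the Luhn checksum so that order IDs of the same length are left alone, and masks dashed US Social Security numbers. The sample rows, function names and mask format are constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in the common dashed form (pattern only; SSNs carry no checksum).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample export: one 16-digit order ID, one test card number, one SSN.
SAMPLE = (
    "order_id,customer,card,ssn\n"
    "1234567890123456,A. Example,4111-1111-1111-1111,078-05-1120\n"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str):
    """Mask card numbers and SSNs; return (clean_text, list_of_finding_types)."""
    findings = []

    def card_sub(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):  # long number but not a card: leave untouched
            return match.group()
        findings.append("card")
        return "[CARD ****" + digits[-4:] + "]"

    def ssn_sub(match):
        findings.append("ssn")
        return "[SSN REDACTED]"

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, findings


if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    print(clean, found)
```

The findings list can feed an alert or block decision, while the cleaned text is what leaves the system.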
DLP products are available from most respected security vendors, including Trend Micro, Symantec, Sophos, McAfee, and Palo Alto. In addition, Stanford University has a thorough list of DLP tools, both commercial and open-source.
Based in Charlotte, North Carolina, Carey Head is a senior contributor at aNewDomain.net covering the biztech beat. Email him at Carey@aNewDomain.net.