Protecting confidential data is becoming more and more important in today's business world. Companies store all sorts of sensitive information on their computers and send it across their networks, so it's important for businesses of all sizes to have a strategy for protecting this type of data from prying eyes. And if you're in a regulated industry, such as healthcare or financial services, you don't really have a choice; the government mandates that certain types of information be protected.
Let's look at how you can create a scalable plan for protecting your confidential information.
Beginning at the beginning
A data protection plan starts with restricting access to data via access controls. In a Windows domain, that means implementing file level permissions as well as share permissions. This is especially important if you're running Windows 2000, because by default the Everyone group has full control of each newly created share. If you don't also have file level (NTFS) permissions set, the data in those shares is wide open to both authenticated and anonymous users until you change the default permissions.
Permissions can be set on individual files, but that can get tedious as the business and the number of data files grows. A more scalable solution is to set permissions on folders and then put files into the appropriate folders in order to restrict access.
Access should be granted strictly on the basis of need; that is, only those individuals who need to access the information in order to do their jobs should have access. There are two basic philosophies when it comes to security:
- Start from the point of open access for everyone to everything, and then restrict what needs to be restricted, or
- Start from the point of no access for anyone to anything, and then open up what needs to be opened.
The second option is obviously the most secure, and is really the only logical option when you're in a regulated industry or your company otherwise has a lot to lose if confidential data is divulged.
The importance of authentication
Access controls based on network user accounts and group memberships are worthless unless you can ensure that unauthorized persons don't log on to others' accounts. That means a strong authentication scheme. Password-based authentication is popular because it's easy to implement, convenient for users and very scalable. You can have tens of thousands of user accounts in a single Windows domain, and it's easy to add new accounts and have users set their passwords as the company grows.
Password authentication can be fairly secure if you have the proper password policies in place. All passwords should meet minimum length and complexity requirements, and users should be required to change their passwords on a regular basis (for example, every 30 days) and should not be allowed to reuse recently used passwords (for example, switching back and forth between the same two passwords every time a change is required). Enforcing such requirements in a large network would be next to impossible without technological enforcement mechanisms. Luckily, Windows provides for password policy enforcement through Group Policy, which makes enforcement scalable.
Even strong passwords, however, are not as secure as multi-factor authentication. When users are required to create complex passwords that change frequently, they may resort to writing them down (even if you have a policy against it, that's one policy that can't be enforced technologically). Intruders may discover these written passwords, or they may use social engineering techniques to persuade users to reveal their passwords — and then the intruder has a "free pass" into your network with a valid account.
The solution is to require not just something the user knows in order to log on to the network, but also something that the user has in his/her possession. That can be a smart card or token, or it can be a biometric characteristic such as the user's fingerprint. But how scalable are multi-factor solutions?
Before you invest in a multi-factor authentication solution, determine that the database can grow to fit your needs as your company adds more employees. With card or token solutions, you'll also want to check out how time consuming it is for administrators to enroll new cards/tokens; the system that makes it quickest and easiest will scale better. Check out companies such as Saflink for scalable multi-factor systems.
Even with an excellent authentication scheme to back up your permissions-based access controls, if you have particularly sensitive data, that's not enough. It's a good idea to add an extra layer of protection by encrypting those files. You can use the built-in file encryption in Windows 2000, XP and 2003, EFS (Encrypting File System). EFS is based on public key technology and digital certificates, but you don't have to have a Public Key Infrastructure set up in order to use it. This makes it particularly scalable, since you can use EFS without a PKI when your business is small, and then when the company grows and you implement a PKI, your certification authorities can issue EFS certificates.
You can encrypt folders and place files in them to encrypt the files instead of encrypting individual files one at a time. As with setting permissions, this is the more scalable solution.
There are third party encryption solutions available, too, such as SafeBoot Content Encryption, which provides for persistent encryption (the files stay encrypted even if they're copied, moved or attached to email messages, and can be stored on removable media such as CDs or USB flash memory drives.
Make messages self destruct
One big problem with securing confidential information, whether it's in a document or an email message, is that sometimes you have to share the information with others — and once it leaves your control, you don't know whether the recipient will exercise the same care in keeping it confidential. What if they copy it or forward it to someone else? And even if they don't intentionally violate your security, it may not be safe to have that message or document sitting on the recipient's hard disk for days, weeks or months. You could request that they destroy it after they read it, but how can you ensure that they comply?
One solution is to use Microsoft's Rights Management Services (RMS), which lets you send a document or message to someone with restrictions on what they can do with it. For example, copying can be disabled in Word or forwarding can be disabled in Outlook. And if they try to open it with a different client, it won't open at all. You can even set your message to expire after a certain period of time, and it will become inaccessible. Other companies offer even more scalable rights managements solutions. An example is Authentica's ARM or Active Rights Management.
No matter how big or small your company is now, it's time to start thinking about a strategic data protection plan if you don't already have one. More and more industries are falling under the regulatory umbrella, and even if you escape a government mandate to secure your data, it's likely that you have personnel records, financial information and other data that needs to be protected. Developing a scalable plan now will save you a lot of headaches on down the road.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.