One of the most debilitating IT headaches strikes when confidential data leaks out of the company's network and trickles into the hands of malicious users. No matter how robust your technology is, or how intuitive your detection systems are, restricted data somehow manages to seep through the least guarded nooks and crannies of the enterprise.
Our experts said that the usual and most overlooked sources of data leakage are slapdash database privileges, plain ol' e-mail, and slipshod security policies. Here are some recommended strategies and brand-name solutions.
Stop "broad-brush" database privileges
According to Chris Johnson, senior manager of product management at BMC Software, Inc., misuse by "authorized but unethical" employees can lead to data leakage in the database environment.
Johnson provided three scenarios and recommendations for keeping data protected:
- Scenario: An end user who has more
database privileges than is really needed, because it can be difficult and/or
time consuming to give each person the exact permissions needed. This is
typically not done for average users, but non-IT "super users." Senior
personnel may be able to demand this kind of privilege.
Recommendation: "For end users, there really is no excuse for using broad-brush privileges. If I were an IT director today (I have been one before), I would insist on a frequent review of who has what privileges and why. Companies need to decide if they are more interested in security or convenience...Security should win this race in nine out of 10 enterprises."
- Scenario: DBAs and network admins who
need very powerful privileges to do their job. Although you may be able to
limit this privilege to a very small number of people, there is always a
DBA who could potentially look at all of your data, and a storage
administrator who has copies of your database backups and so on. If an
individual isn't trustworthy, there is no limit to potential leakage.
Recommendation: "For privileged users like DBAs and sys admins, you can use the above approach to a point—there is no reason to give DBAs access to every database in your enterprise, just the ones they personally work on. When I was an IT director, my policy was to have the 'primary' DBA for each system define and keep the user IDs and passwords private to themselves, but provide copies to me and the data center manager to keep in a 'lock box' in case the primary DBA isn't available. This is a low-tech way to prevent over-distribution of very powerful user IDs and passwords."
- Scenario: IT users who don't
personally need powerful privileges, but by the nature of their job have
the potential to use someone else's privileges. A typical case would be a
lower-level data center operations employee who manages the production
scheduling environment. Many scheduled jobs will include DBA or sys admin
user IDs and passwords. This is a significant threat because a less
experienced, possibly less trusted person has the potential to use all the
privileges of a more experienced, more trusted person.
Recommendation: "For both end users and privileged users, put controls in place that help honest people to stay honest. If you implement products that monitor who does what, and make sure everyone knows they are in use, you will discourage a lot of leakage."
Johnson added that identity and access management products such as BMC's CONTROL-SA make it much easier to administer and manage user access across the enterprise. BMC's Database Security Management by IPLocks helps companies keep complete records of who has what privileges and who has changed or queried what data. "[They're] great if you ever need to investigate the cause of a data theft or data integrity problem. And if you let people know this control is in place, it will discourage misbehavior," Johnson said.
Stop mass-mailing your confidential info
"The number-one channel for both malicious and inadvertent leaks of valuable, confidential information is plain old e-mail," said Gary Steele, CEO of Proofpoint, Inc.
A recent survey that Proofpoint conducted with Forrester Consulting found that IT directors and managers are most concerned about outbound e-mail threats, especially leakage of confidential memos, valuable intellectual property, and trade secrets.
Steele said that leaks are not always malicious. "Recently, in California, employees of Contra Costa County were inadvertently sending all sorts of confidential information to an e-mail address in Sweden," he said. "Similarly, a court reporter transcribing hearings in the Kobe Bryant rape case accidentally leaked confidential court transcripts when they were e-mailed to the wrong distribution list."
Steele added that certainly there are also malicious leaks. "A quick scan of sites such as internalmemos.com will show dozens of sensitive internal memos from Fortune 500 companies—typically sent by insiders to the site's publisher. There are also cases such as the recent AOL insider theft of screen names / e-mail addresses."
For companies looking for technology solutions to this problem, Steele recommended the Proofpoint Protection Server software and Proofpoint P-Series Appliance, which provide a complete message-protection platform that guards against inbound e-mail threats (such as spam and viruses) and helps ensure that outbound messages comply with company policies and external regulations.
Stop careless security practices
Jeff Bowling, founder and CEO of TELXAR, stressed that the best way to plug data leakage is to implement a good security plan, which should not only include the dos and don'ts for the internal network, but also serve as a guidebook for the network administrators. The plan should include the following basic, often overlooked, policies:
- Indicate access hours.
- Specify login credentials and rights.
- Disable outside software.
- Consider internal auditing / intrusion monitoring applications.
- Lock down internal hardware components.
- Perform regular audits on security and resource.
- Disable USB or Firewire ports.
- Restrict mail size and / or block all attachments.
- Disallow use of camera devices within restricted / sensitive areas.
- Define a tight policy on acceptable devices and their usage.
- Define a Point of Contact policy for questions about the network and its contents.
- Execute nondisclosure and confidentiality agreements.
- Define chain of command and escalation procedures.
- Ensure that managers as well as users understand the security plans and policies.
Consider a nontechnical approach
Johnson proposed another tactic. "I'm surprised more companies don't use nontechnical approaches to security." He said that it's possible to perform real background investigations on employees in sensitive positions to see if they have any red flags indicating poor trustworthiness. "I used to work in the defense industry, and this was an absolute rule," he said.
"We also had a rule that secure systems could never be used by a single person in isolation—there were machine rooms where you had to go in with a 'buddy,' sign in and sign out, and keep an eye on each other."
Johnson added that there is probably a business opportunity for someone to apply the defense-type approach to the commercial environment. "Imagine if a specific outsource provider ran civilian systems with the same security standards used by defense. Expensive, and not desirable for every system, but could be very attractive for the most important / regulated data."