Protecting confidential data is becoming more and more
important in today’s business world. Companies store all sorts of sensitive
information on their computers and send it across their networks, so it’s
important for businesses of all sizes to have a strategy for protecting this
type of data from prying eyes. And if you’re in a regulated industry, such as
healthcare or financial services, you don’t really have a choice; the
government mandates that certain types of information be protected.
Let’s look at how you can create a scalable plan for
protecting your confidential information.
Beginning at the beginning
A data protection plan starts with restricting access to data
via access controls. In a Windows domain, that means implementing file level
permissions as well as share permissions. This is especially important if
you’re running Windows 2000, because by default the Everyone
group has full control of each newly created share. If you don’t also have file
level (NTFS) permissions set, the data in those shares is wide open to both
authenticated and anonymous users until you change the default permissions.
Permissions can be set on individual files, but that can get
tedious as the business and the number of data files grows. A more scalable
solution is to set permissions on folders and then put files into the
appropriate folders in order to restrict access.
Access should be granted strictly on the basis of need; that
is, only those individuals who need to access the information in order to do
their jobs should have access. There are two basic philosophies when it comes
to security:
- Start from the point of open access for everyone to everything, and then
restrict what needs to be restricted, or
- Start from the point of no access for anyone to anything, and then open up
what needs to be opened.
The second option is obviously the more secure, and is really the only logical
option when you’re in a regulated industry or your company otherwise has a
lot to lose if confidential data is divulged.
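As an added example (not from the original article), here is what the second approach looks like when applied to one data folder with PowerShell: inheritance is cut off so nobody has access, then only the group that needs the data is added back, and the share is checked so that it cannot undo the NTFS permissions. The folder path and the group name CORP\Finance-Users are placeholders, and the SMB share cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original article. Placeholders: the folder and the group.
$Folder = 'D:\Data\Finance'
$Group  = 'CORP\Finance-Users'      # the only group that needs this data to do its job

if (-not (Test-Path -Path $Folder)) {
    New-Item -Path $Folder -ItemType Directory | Out-Null
}

$acl = Get-Acl -Path $Folder

# Stop inheriting the parent's ACEs and discard the inherited copies, so the folder
# starts from "no access for anyone" rather than from whatever the parent allowed.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Administrators and SYSTEM keep Full Control so the folder stays manageable
# (backups, EFS data recovery).
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $admin, 'FullControl', $inherit, $prop, 'Allow'
    $acl.AddAccessRule($rule)
}

# Open up only what is needed: the data owners' group gets Modify; nobody else gets an entry.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, 'Modify', $inherit, $prop, 'Allow'
$acl.AddAccessRule($rule)

Set-Acl -Path $Folder -AclObject $acl

# Share permissions are evaluated too, so make sure 'Everyone' has no entry on the share
# either (the default on older Windows versions gave Everyone Full Control on new shares).
New-SmbShare -Name 'Finance' -Path $Folder -FullAccess $Group | Out-Null
Revoke-SmbShareAccess -Name 'Finance' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# Verify: no 'Everyone' entry should remain on the NTFS ACL, and no entry should be inherited.
(Get-Acl -Path $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```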
The importance of authentication
Access controls based on network user accounts and group
memberships are worthless unless you can ensure that unauthorized persons don’t
log on to others’ accounts. That means a strong authentication scheme.
Password-based authentication is popular because it’s easy to implement,
convenient for users and very scalable. You can have tens of thousands of user
accounts in a single Windows domain, and it’s easy to add new accounts and have
users set their passwords as the company grows.
Password authentication can be fairly secure if you have the
proper password policies in place. All passwords should meet minimum length and
complexity requirements, and users should be required to change their passwords
on a regular basis (for example, every 30 days) and should not be allowed to
reuse recently used passwords (for example, switching back and forth between
the same two passwords every time a change is required). Enforcing such
requirements in a large network would be next to impossible without
technological enforcement mechanisms. Luckily, Windows provides for password
policy enforcement through Group Policy, which makes enforcement scalable.
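As an added example (not from the original article), the following PowerShell audit reads the domain's default password policy, which is what Group Policy enforces, and compares it against the requirements described above. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine; the numeric thresholds are assumptions chosen to illustrate the article's requirements, except the 30-day maximum age, which is the article's own example.

```powershell
# Added example, not part of the original article. Needs the ActiveDirectory module (RSAT)
# on a domain-joined machine. Thresholds are assumptions; 30 days is the article's example.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy

# Maximum age must actually be set (0 means "never expires") and be within the policy limit.
$maxAgeOk = ($p.MaxPasswordAge -gt [TimeSpan]::Zero) -and ($p.MaxPasswordAge -le (New-TimeSpan -Days 30))

$checks = [ordered]@{
    'Minimum length is at least 8 characters'                       = $p.MinPasswordLength -ge 8
    'Complexity requirements are enabled'                           = $p.ComplexityEnabled
    'Maximum age is set and is 30 days or less'                     = $maxAgeOk
    'Minimum age is above zero (blocks cycling straight back)'      = $p.MinPasswordAge -gt [TimeSpan]::Zero
    'History remembers at least 5 previous passwords'               = $p.PasswordHistoryCount -ge 5
    'Reversible encryption is disabled'                             = -not $p.ReversibleEncryptionEnabled
    'Account lockout threshold is set'                              = $p.LockoutThreshold -gt 0
}

# One PASS/FAIL row per requirement; FAIL rows are the policy settings to fix in Group Policy.
foreach ($name in $checks.Keys) {
    $result = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Result = $result; Check = $name }
}
```

The minimum-age and history checks together close the "switch back and forth between two passwords" loophole: history alone can be defeated by changing the password several times in a row, which a non-zero minimum age prevents.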
Even strong passwords, however, are not as secure as
multi-factor authentication. When users are required to create complex
passwords that change frequently, they may resort to writing them down (even if
you have a policy against it, that’s one policy that can’t be enforced
technologically). Intruders may discover these written passwords, or they may
use social engineering techniques to persuade users to reveal their passwords —
and then the intruder has a “free pass” into your network with a valid account.
The solution is to require not just something the user knows
in order to log on to the network, but also something that the user has in
his/her possession. That can be a smart card or token, or it can be a biometric
characteristic such as the user’s fingerprint. But how scalable are
multi-factor solutions?
Before you invest in a multi-factor authentication solution,
determine that the database can grow to fit your needs as your company adds
more employees. With card or token solutions, you’ll also want to check out how
time consuming it is for administrators to enroll new cards/tokens; the system
that makes it quickest and easiest will scale better. Check out companies such
as Saflink for
scalable multi-factor systems.
Add encryption
Even with an excellent authentication scheme to back up your
permissions-based access controls, if you have particularly sensitive data,
that’s not enough. It’s a good idea to add an extra layer of protection by
encrypting those files. You can use the built-in file encryption in Windows
2000, XP and 2003, EFS (Encrypting File System). EFS is
based on public key technology and digital certificates, but you don’t have to
have a Public Key Infrastructure set up in order to use it. This makes it
particularly scalable, since you can use EFS without a PKI when your business
is small, and then when the company grows and you implement a PKI, your
certification authorities can issue EFS certificates.
You can encrypt folders and place files in them to encrypt
the files instead of encrypting individual files one at a time. As with setting
permissions, this is the more scalable solution.
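As an added example (not from the original article), this PowerShell script applies the folder-based EFS approach: it marks a folder encrypted, confirms that a newly created file inherits the setting, and then audits the folder for any file that is still plaintext. The folder path is a placeholder; run it as the account that will own the data, since EFS encrypts with that user's certificate.

```powershell
# Added example, not part of the original article. The path is a placeholder; run it as the
# account that will own the data, because EFS encrypts with that user's certificate
# (back up that certificate and key, or the data is lost along with the user profile).
$Folder = 'D:\Data\Finance\Payroll'
if (-not (Test-Path -Path $Folder)) {
    New-Item -Path $Folder -ItemType Directory | Out-Null
}

# Mark the folder and everything already in it as encrypted (/a covers files, /s: recurses).
# Files created in the folder afterwards are encrypted automatically, which is the
# folder-based approach the article recommends.
cipher.exe /e /a "/s:$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Constructed sample file: it should pick up the Encrypted attribute with no further action.
$sample = Join-Path -Path $Folder -ChildPath 'constructed-sample.txt'
Set-Content -Path $sample -Value 'constructed sample data'
$encrypted = [bool]((Get-Item -Path $sample).Attributes -band [System.IO.FileAttributes]::Encrypted)
if (-not $encrypted) {
    throw "EFS did not apply to $sample (is EFS disabled by policy, or is the volume not NTFS?)"
}

# Audit: list files under the folder that are still plaintext. A file moved in by a plain
# rename (for example by a script) can keep its old attributes, so this check catches the
# gap that the folder setting alone does not close.
Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
    Select-Object -ExpandProperty FullName
```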
There are third-party encryption solutions available, too,
such as SafeBoot Content Encryption,
which provides for persistent encryption (the files stay encrypted even if
they’re copied, moved or attached to email messages, and can be stored on
removable media such as CDs or USB flash memory drives).
Make messages self destruct
One big problem with securing confidential information,
whether it’s in a document or an email message, is that sometimes you have to
share the information with others — and once it leaves your control, you don’t
know whether the recipient will exercise the same care in keeping it
confidential. What if they copy it or forward it to someone else? And even if
they don’t intentionally violate your security, it may not be safe to have that
message or document sitting on the recipient’s hard disk for days, weeks or
months. You could request that they destroy it after they read it, but how can
you ensure that they comply?
One solution is to use Microsoft’s Rights Management Services
(RMS), which lets you send a document or message to someone with restrictions
on what they can do with it. For example, copying can be disabled in Word or
forwarding can be disabled in Outlook. And if they try to open it with a
different client, it won’t open at all. You can even set your message to expire
after a certain period of time, and it will become inaccessible. Other
companies offer even more scalable rights management
solutions. An example is Authentica’s ARM, or
Active Rights Management.
Summary
No matter how big or small your company is now, it’s time to
start thinking about a strategic data protection plan if you don’t already have
one. More and more industries are falling under the regulatory umbrella, and
even if you escape a government mandate to secure your data, it’s likely that
you have personnel records, financial information and other data that needs to
be protected. Developing a scalable plan now will save you a lot of headaches
on down the road.