How much is your data worth? Obviously, that isn’t the easiest question in the world to answer. The value of your data could be measured by what your company would pay to get it back if it were lost, how much money the company would lose, how much a competitor would pay to get their hands on a copy, or any number of potentially unpleasant circumstances. Whatever method you use to quantify the value of your data, one thing is undeniable: your data is a valuable asset that’s worth protecting. In fact, Microsoft lists data defenses among its top five priorities for securing networks. I’ll take a look at some of the most common threats to data, and how to counter these threats.
Before I discuss data defenses, let’s clarify some objectives. Normally, the object of data defense is to avoid corruption, loss, and unauthorized disclosure of the data. Naturally, this covers a lot of ground, from simple hard disk failures all the way up to viruses and hack attempts. For the purposes of this Daily Feature, I’ll focus primarily on security-related threats to your data.
A secure location?
Ask anyone who’s new to networking where data should be stored, and they'll probably tell you that data belongs on a file server. If all of the data is stored on a file server, you can back up the file server on a regular basis. Furthermore, you can place the server behind a locked door, physically preventing the data from walking away. However, in the real world, data security is seldom this simple.
Data isn’t always stored exclusively on file servers. Mobile users typically store data on their laptops. While it’s true that laptop users can access data from the network just like anyone else, it's sometimes difficult or impossible to do. For example, if a mobile user goes to a client’s office for a meeting, there may not be a readily available connection to your network. Even if your network offers dial-up capabilities, there may not be access to a phone line. It's a cumbersome setup at best, and it doesn't help the mobile user make a good presentation.
Situations like this make it difficult to prevent mobile users from carrying the data they need on their laptops, so it’s important to develop a strict policy for mobile users that offers the most protection possible for the data they're carrying. Keep in mind, though, that a policy won't do anyone any good if the users don’t understand it or it isn’t enforced.
I recommend encouraging mobile users to carry only as much data as is absolutely necessary to get the job done. The less data that mobile users have in their possession, the less likely it is to fall into the wrong hands. When I’ve talked to people about this philosophy in the past, two common myths always seem to surface.
The first of these myths is that the data on the mobile device is safe because it's password protected. People often assume that if a thief was to steal a mobile device, the password would prevent the thief from seeing the data. However, there are dozens of techniques for gaining access to the data on a hard drive. There are utilities that can reset the administrative password, and remote recovery techniques that can back up the data and then restore it to another machine without ever having to log in to the operating system. The fact is, these days even NTFS partitions shouldn’t be considered secure.
The other myth I hear pretty often is that there isn’t any important data on the device anyway. If you honestly believe that there's nothing important on your users' mobile devices, then think about this. My cell phone doesn’t contain any “real” data. There are no word processing files, spreadsheets, or databases. However, it does have the names, phone numbers, and e-mail addresses of all of my clients. Likewise, my phone contains a calendar. Within that calendar are references to the various appointments I’ve booked, and what those appointments are for. If this data were to fall into the wrong hands, it could cause me trouble.
Defending mobile data
So you’ve minimized the amount of data on the mobile devices in the field. What can you do to further enhance security? Some of the more common techniques involve implementing power-on passwords, encrypting the data, and storing the data on removable hard disks or flash memory and then storing the mobile device and the removable storage mediums separately.
The idea is that if someone was to steal the laptop or PDA, you'd still have all the data because you stored it on a removable storage device and you were smart enough not to keep the removable storage device in the same bag as your laptop.
More on mobile data security
There are many different techniques that you can use to defend your mobile data; more than can be covered in one Daily Feature. Some good starting points are Microsoft’s Security & Privacy Web site and Mobile Devices Web site.
Defending local data
I’ve spent the bulk of my space discussing mobile users because mobile data is far more vulnerable than local data. However, you must still take steps to defend the data at home. There are several different things that you can do to minimize the chances that your primary data will be lost, stolen, or corrupted.
First, evaluate everyone’s data access needs, and make sure that no one has rights that they don’t need or shouldn't have. The less data that users have access to, the less chance that they could accidentally erase or disclose something.
Next, make sure that your physical security is up to par. Earlier I mentioned techniques that can copy data off a stolen device without ever having to log in. Most of these techniques also work for desktop machines and servers. You can greatly reduce the chances of such a security breach by limiting who has physical access to your file servers.
You should also consider encrypting the data on your servers. This will make it much more difficult for someone to copy the data directly from a server should they gain physical access to the server room.
Another step you should take is to ensure that you have adequate antivirus protection. I recommend using two different antivirus platforms—one platform on all of the desktop machines and a different one on the servers. The idea is that if a virus slips past one antivirus program, the other one will usually catch it. I personally recommend using Norton Antivirus from Symantec on the workstations and Panda Antivirus on the servers. If you have Exchange Servers in your organization, you’ll need to make sure that your antivirus software includes native Exchange Server support. Otherwise, viruses arriving through e-mail may not be caught until a user opens them.
Finally, take all of the usual data precautions, such as backing the data up on a regular basis and using RAID arrays to protect the data against hard disk failures. In a way, RAID arrays also add a level of security. Many of the utilities that allow someone full access to the data as long as they can get physical access to the machine won't recognize partitions that exist on RAID arrays. This is because Windows 2000 loads a driver that allows it to recognize the disk array. If the utility doesn’t also have such a driver, it won’t be able to access the array because the utility functions outside of the operating system.