By Ruby Bayan

One of the most debilitating IT headaches strikes when
confidential data leaks out of the company’s network and trickles into the
hands of malicious users. No matter how robust your technology is, or how
intuitive your detection systems are, restricted data somehow manages to seep
through the least guarded nooks and crannies of the enterprise.

Our experts said that the usual and most overlooked sources
of data leakage are slapdash database privileges, plain ol’ e-mail, and slipshod
security policies. Here are some recommended strategies and brand-name

Stop “broad-brush” database privileges

According to Chris Johnson, senior manager of product
management at BMC Software, Inc., misuse by
“authorized but unethical” employees can lead to data leakage in the
database environment.

Johnson provided three scenarios and recommendations for
keeping data protected:

  1. Scenario: An end user who has more
    database privileges than is really needed, because it can be difficult and/or
    time consuming to give each person the exact permissions needed. This is
    typically not done for average users, but non-IT “super users.” Senior
    personnel may be able to demand this kind of privilege.
    Recommendation: “For end
    users, there really is no excuse for using broad-brush privileges. If I
    were an IT director today (I have been one before), I would insist on a
    frequent review of who has what privileges and why. Companies need to
    decide if they are more interested in security or convenience…Security
    should win this race in nine out of 10 enterprises.”
  2. Scenario: DBAs and network admins who
    need very powerful privileges to do their job. Although you may be able to
    limit this privilege to a very small number of people, there is always a
    DBA who could potentially look at all of your data, and a storage
    administrator who has copies of your database backups and so on. If an
    individual isn’t trustworthy, there is no limit to potential leakage.
    Recommendation: “For
    privileged users like DBAs and sys admins, you can use the above approach
    to a point—there is no reason to give DBAs access to every database in
    your enterprise, just the ones they personally work on. When I was an IT
    director, my policy was to have the ‘primary’ DBA for each
    system define and keep the user IDs and passwords private to themselves,
    but provide copies to me and the data center manager to keep in a
    ‘lock box’ in case the primary DBA isn’t available. This is a
    low-tech way to prevent over-distribution of very powerful user IDs and
  3. Scenario: IT users who don’t
    personally need powerful privileges, but by the nature of their job have
    the potential to use someone else’s privileges. A typical case would be a
    lower-level data center operations employee who manages the production
    scheduling environment. Many scheduled jobs will include DBA or sys admin
    user IDs and passwords. This is a significant threat because a less
    experienced, possibly less trusted person has the potential to use all the
    privileges of a more experienced, more trusted person.
    Recommendation: “For both
    end users and privileged users, put controls in place that help honest
    people to stay honest. If you implement products that monitor who does what,
    and make sure everyone knows they are in use, you will discourage a lot of

Johnson added that identity and access management products such
as BMC’s
make it much easier to administer and manage user access across
the enterprise. BMC’s Database Security Management by IPLocks helps companies keep complete
records of who has what privileges and who has changed or queried what data.
“[They’re] great if you ever need to investigate the cause of a data theft
or data integrity problem. And if you let people know this control is in place,
it will discourage misbehavior,” Johnson said.
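The privilege review Johnson calls for ("who has what privileges and why") can be run as a reconciliation of the grants actually present against an approved-access register. The script below is an added example, not code from the article or from BMC; the SHOW GRANTS-style input, the account names, and the register are all constructed for illustration.

```python
import re

# Constructed sample input in the style of MySQL "SHOW GRANTS" output (format assumed,
# not taken from the article); one line per grant.
SAMPLE_GRANTS = """
GRANT SELECT, INSERT ON payroll.* TO 'hr_app'@'10.0.0.%'
GRANT ALL PRIVILEGES ON *.* TO 'jsmith'@'%'
GRANT SELECT ON sales.* TO 'jsmith'@'%'
GRANT ALL PRIVILEGES ON payroll.* TO 'dba_pat'@'localhost'
GRANT ALL PRIVILEGES ON sales.* TO 'dba_pat'@'localhost'
GRANT SELECT ON sales.* TO 'analyst_kim'@'%'
"""

# Constructed access register: the "who has what privileges and why" record the
# text recommends keeping. Key is the account, value is the set of databases it
# is approved to touch.
APPROVED_ACCESS = {
    "hr_app": {"payroll"},
    "dba_pat": {"payroll"},       # DBA for payroll only, not for sales
    "analyst_kim": {"sales"},
}

GRANT_RE = re.compile(r"GRANT (.+?) ON (\S+)\.\* TO '([^']+)'@'([^']+)'")

def parse_grants(text):
    """Turn SHOW GRANTS-style lines into dicts; lines that do not match are skipped."""
    grants = []
    for line in text.strip().splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            privs, db, user, host = m.groups()
            grants.append({"user": user, "host": host, "db": db, "privs": privs.upper()})
    return grants

def review(grants, approved):
    """Return (account, database, reason) findings for grants that should not exist."""
    findings = []
    for g in grants:
        account = f"{g['user']}@{g['host']}"
        if g["db"] == "*":
            # Global grant: the "broad-brush" privilege the article says has no excuse.
            findings.append((account, "*", "global grant on every database"))
            continue
        if g["db"] not in approved.get(g["user"], set()):
            # Grant exists but nobody recorded why: a DBA or end user reaching past
            # the systems they personally work on.
            findings.append((account, g["db"], "not in access register"))
    return findings

if __name__ == "__main__":
    for account, db, reason in review(parse_grants(SAMPLE_GRANTS), APPROVED_ACCESS):
        print(f"{account:<22} {db:<10} {reason}")
```

Run against the sample, it flags the global grant and the two database grants nobody approved, while the register entries that match real grants stay silent.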

Stop mass-mailing your confidential info

“The number-one channel for both malicious and
inadvertent leaks of valuable, confidential information is plain old e-mail,”
said Gary Steele, CEO of Proofpoint, Inc.

A recent survey that Proofpoint conducted with Forrester found that IT
directors and managers are most concerned about outbound e-mail threats,
especially leakage of confidential memos, valuable intellectual property, and
trade secrets.

Steele said that leaks are not always malicious. “Recently,
in California, employees of Contra Costa County were inadvertently sending all
sorts of confidential information to an e-mail address in Sweden,” he said. “Similarly,
a court reporter transcribing hearings in the Kobe Bryant rape case
accidentally leaked confidential court transcripts when they were e-mailed to
the wrong distribution list.”

Steele added that certainly there are also malicious leaks.
“A quick scan of sites such as will show
dozens of sensitive internal memos from Fortune 500 companies—typically sent by
insiders to the site’s publisher. There are also cases such as the recent AOL
insider theft of screen names / e-mail addresses.”

For companies looking for technology solutions to this problem, Steele
recommended the Proofpoint Protection software and Proofpoint P-Series
Appliance, which provide a complete message-protection platform that guards
against inbound e-mail threats (such as spam and viruses) and helps ensure that
outbound messages comply with company policies and external

Stop careless security practices

Jeff Bowling, founder and CEO of TELXAR, stressed that the best way to plug
data leakage is to implement a good security plan, which should not only
include the dos and don’ts for the internal network, but also serve as a
guidebook for the network administrators. The plan should include the following
basic, often overlooked, policies:

  1. Indicate access hours.
  2. Specify login credentials and rights.
  3. Disable outside software.
  4. Consider internal auditing / intrusion monitoring applications.
  5. Lock down internal hardware components.
  6. Perform regular audits on security and resource.
  7. Disable USB or Firewire ports.
  8. Restrict mail size and / or block all attachments.
  9. Disallow use of camera devices within restricted / sensitive areas.
  10. Define a tight policy on acceptable devices and their usage.
  11. Define a Point of Contact policy for questions about the network and its
  12. Execute nondisclosure and confidentiality agreements.
  13. Define chain of command and escalation procedures.
  14. Ensure that managers as well as users understand the security plans and policies.

Consider a nontechnical approach

Johnson proposed another tactic. “I’m surprised more
companies don’t use nontechnical approaches to security.” He said that
it’s possible to perform real background investigations on employees in
sensitive positions to see if they have any red flags indicating poor
trustworthiness. “I used to work in the defense industry, and this was an
absolute rule,” he said.

“We also had a rule that secure systems could never be
used by a single person in isolation—there were machine rooms where you had to
go in with a ‘buddy,’ sign in and sign out, and keep an eye on each

Johnson added that there is probably a business opportunity
for someone to apply the defense-type approach to the commercial environment.
“Imagine if a specific outsource provider ran civilian systems with the
same security standards used by defense. Expensive, and not desirable for every
system, but could be very attractive for the most important / regulated