Security managers, working closely with other members of IT management teams, have become pretty good at protecting information assets from external threats. Even in this era of deperimeterization, IT teams are beginning to effectively tighten security around systems in addition to the enterprise overall. But what about the movement of data initiated by employees?
Numerous articles and papers have appeared over the last two or three years addressing the need to control the use of USB storage devices, email, instant messaging, CD-RW, etc. But applying controls to prohibit or severely curtail their use often means negatively affecting operational efficiency.
Preventing the use of thumb drives, for example, hinders the transfer of information for authorized business purposes. Many laptop users rely on writable CD technology to back up critical information, especially when they only occasionally connect to the company network. Prohibiting these and other common uses of mobile storage might significantly affect the necessary flow and safety of information. So how can a security manager continue to allow the convenience of mobile storage while addressing compliance constraints?
In a recent article (“Content Monitoring Tags Questionable Email Activity”, SearchCIO.com, 12/13/2006) Shamus McGillicuddy describes the value of content monitoring technology in managing the movement of information. Instead of applying overly restrictive controls, organizations can implement business rules to monitor for keywords or other patterns indicative of sensitive business information. Monitoring can cover the movement of all information within your environment, including email, data written to mobile storage devices, and sensitive data moved to less-than-secure locations.
Alerts sent to Security or other relevant teams can help target abusive activities. In most cases, abuse is the unintentional result of low employee awareness of company policies about handling sensitive or critical information. Once management is aware of a problem area, focused training helps lower instances of abuse. In those cases in which abuse is intentional, steps can be taken to immediately deal with the issue.
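The rule-based monitoring and alerting described above, sketched as an added example (it is not from the original article or from any product it mentions): hypothetical business rules scan constructed data-movement events and produce alerts for the Security team. The rule names, patterns, event fields and sample data are all assumptions.

```python
import re
from dataclasses import dataclass

def luhn_ok(text: str) -> bool:
    """Checksum test so arbitrary 16-digit order numbers do not raise card alerts."""
    digits = [int(c) for c in text if c.isdigit()][::-1]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return len(digits) >= 13 and (sum(digits[0::2]) + sum(doubled)) % 10 == 0

# Hypothetical business rules: (name, pattern, optional validator for each match).
RULES = [
    ("payment-card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok),
    ("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("classification-keyword", re.compile(r"\bcompany confidential\b", re.I), None),
]
# Channels the article lists: email, mobile storage writes, copies to other locations.
MONITORED_CHANNELS = {"email", "usb_write", "file_copy"}

@dataclass(frozen=True)
class Alert:
    user: str
    channel: str
    destination: str
    rule: str  # rule name only: the matched text is never copied into the alert

def scan_event(event: dict) -> list:
    """Return one Alert per rule that fires on a data-movement event."""
    if event["channel"] not in MONITORED_CHANNELS:
        return []
    alerts = []
    for name, pattern, validator in RULES:
        hits = (m.group() for m in pattern.finditer(event["content"]))
        if any(validator is None or validator(h) for h in hits):
            alerts.append(Alert(event["user"], event["channel"], event["destination"], name))
    return alerts

# Constructed sample events (users, destinations and contents are made up).
SAMPLE_EVENTS = [
    {"user": "asmith", "channel": "email", "destination": "personal@example.com",
     "content": "Customer card 4111 1111 1111 1111 for the refund."},
    {"user": "bjones", "channel": "usb_write", "destination": "E:\\q3-plan.docx",
     "content": "COMPANY CONFIDENTIAL. Order ref 1234 5678 9012 3456."},
    {"user": "cwu", "channel": "email", "destination": "team@example.com", "content": "Lunch at noon?"},
]

if __name__ == "__main__":
    print([a for ev in SAMPLE_EVENTS for a in scan_event(ev)])
```

The second event shows why a validator matters: the 16-digit order reference fails the Luhn check, so only the classification keyword raises an alert.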
Content monitoring does not replace well-designed access controls and acceptable use policies; rather, it supplements them. The complete elimination of risk is not a realistic goal. The balance between operational efficiency and information assurance is the objective of a good security program. Content monitoring is an effective tool to assist managers in reaching that balance.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.