Restrict Access to Information and Administrative Control

By Gregory Shapiro  |  Posted 2009-06-02

Step No. 4: Restrict access to information and administrative control

Restrict access to information and administrative control as much as possible, but not to the point of impacting employees' ability to get their job done. While it may be convenient for employees to be able to log in to servers, it may not be necessary.

For example, a software engineering group doesn't need shell access to the source code control repository server; rather, they can simply use tools to check out code and check in changes (thereby maintaining an audit log). In the event that access to the backend files is needed (such as for searches over the entire repository), consider using other means such as a read-only file system export. Restricting access limits the amount of disclosure and damage that can be done by a disgruntled or exiting employee.
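As an added illustration (not code from the article or from Sendmail), the following sketch audits a repository server for the two controls described in Step No. 4: which non-administrator accounts still have an interactive shell, and whether any file system export of the repository is writable. It assumes Linux passwd(5) and exports(5) syntax; the account names, the `/srv/repos` path and all sample data are constructed.

```python
# Added example; all sample data is constructed, ADMINS and REPO_PATH are assumptions.
NON_INTERACTIVE = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false",
                   "/usr/bin/git-shell"}  # git-shell allows only Git transfer commands
ADMINS = {"root", "scmadmin"}             # hypothetical accounts allowed a login shell
REPO_PATH = "/srv/repos"                  # hypothetical repository location

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
scmadmin:x:1000:1000::/home/scmadmin:/bin/bash
alice:x:1001:1001::/home/alice:/usr/bin/git-shell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_EXPORTS = """\
# search hosts only need to read the repository files
/srv/repos          search01(ro,root_squash) 10.0.0.0/24(rw,sync)
/srv/repos/archive  search02
/home               *(rw)
"""

def interactive_accounts(passwd_text, admins=ADMINS):
    """Non-admin accounts whose passwd shell field permits an interactive login."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0].startswith("#"):
            continue                      # skip blanks, comments, malformed rows
        name, shell = fields[0], fields[6]
        # An empty shell field falls back to /bin/sh, so it counts as interactive.
        if name not in admins and shell not in NON_INTERACTIVE:
            flagged.append(name)
    return flagged

def writable_exports(exports_text, repo_path=REPO_PATH):
    """(path, client) pairs that export the repository tree with the rw option."""
    flagged = []
    for line in exports_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts or not (parts[0] == repo_path or parts[0].startswith(repo_path + "/")):
            continue
        for spec in parts[1:]:
            client, _, opts = spec.partition("(")
            # exports(5): a client without an explicit rw option is read-only.
            if "rw" in opts.rstrip(")").split(","):
                flagged.append((parts[0], client))
    return flagged

if __name__ == "__main__":
    print("interactive shells:", interactive_accounts(SAMPLE_PASSWD))
    print("read-write exports:", writable_exports(SAMPLE_EXPORTS))
```

Run against the real `/etc/passwd` and `/etc/exports` contents of the repository server, the two lists give a starting point for the access review; accounts managed through a directory service would need a separate check.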

Step No. 5: Employ some form of endpoint protection

If necessary, employ some form of endpoint protection for employee computers and mobile devices. There are varying levels of endpoint protection available, from the ability to turn a fully functional laptop into little more than a dumb terminal, to the ability to perform a remote data erase if a device is lost. This is another area where a balance must be struck between security and convenience. These technologies can help assure your ability to collect and audit the locations where data has been stored and copied.

Step No. 6: Identify and protect important electronic documents

Identify and protect important electronic documents for tracking, data integrity and disclosure. Depending on the sensitivity of the documents, the technologies that come into play include watermarking, digital rights management (DRM), document fingerprinting, digital signatures and encryption. These can help track the source of leaked information, prevent accidental leakage of (or intentional damage to) data, and protect the contents of a document if storage media or a portable device is lost or stolen. Depending on the sophistication of the technology used, it may also be helpful to render any data held by a departing employee useless.

Gregory Shapiro is Vice President and Chief Technology Officer at Sendmail. In his tenure at Sendmail, Gregory has held prominent roles in the engineering, IT and business development departments. After four years of leading Sendmail's products in production, Gregory returned to improving those solutions, first in the business development group researching and evaluating partner products and most recently as the engineering group's chief architect. Prior to Sendmail, Gregory began his professional career as a systems administrator for Worcester Polytechnic Institute (WPI) after graduating from WPI with a degree in Computer Science in 1992. Gregory is a FreeBSD committer, has served as program committee member for BSDCon 2002 and program chairman for BSDCon 2003. In addition, he has contributed to the past three editions of the O'Reilly Sendmail book. He can be reached at
