How to Keep Corporate Secrets a Secret
There is nothing like a data breach to bring a CIO unwanted publicity. We read all the time about these costly spills of precious corporate data, from the British government exposing the records of 25 million citizens, to the TJX Companies' loss of 45.6 million credit card and debit card records. The PRC (Privacy Rights Clearinghouse) documented roughly 234 million data records were involved in security breaches since 2005.
The cases involve everything-from the University of Iowa putting a few hundred students' data on the Internet-to the supermarket chain Hannaford Bros.' breach, in which 4.2 million credit card numbers were compromised and more than 1,800 cases of identity theft resulted. Tapes lost, laptops stolen, Wi-Fi and network snooping, malware and virus intrusions, and plain old theft are just a few of the threats that keep CIOs up at night.
The problem of data leaks goes far beyond the breaches that make the news. Potentially more catastrophic than the exposure of personal data is the risk to corporations when trade secrets, customer lists, pricing data and other critical assets leak out the door. Keeping corporate secrets a secret requires careful thought, effective processes and sophisticated technology.
Most of the efforts at data leak prevention focus on making systems and networks secure. These steps are essential. However, as the volume of digital data grows, protecting systems may not be enough. Intelligence services have always known to protect the message, not just the medium. A courier can be kidnapped even if he is surrounded by spear carriers, but his message will be safe if the enemy can't read it.
Fire walls, anti-virus software and password-controlled access are all forms of "perimeter protection." With so many places for data to be stored and so many ways for it to move off the premises (for example, laptops with 200GB disk drives, iPods and cell phones capable of carrying tens of gigabytes of data-not to mention the Internet), perimeter protection may not suffice to meet every threat.
Companies maintain rigorous perimeter protection in a number of ways: by disabling USB ports to prevent the use of memory sticks, by blocking access to Web-based e-mail, and even by monitoring data flows. But, no matter how diligently applied, these approaches leave the data itself unprotected. Once secret data slips out the door, all the fire walls in the world can't get it back-protecting the data is key.
A complete solution combines process and people with advanced technologies. Here are five steps to consider:
Step No. 1: Identify the data that needs protecting.
If you try to protect everything, life will be too difficult. Users will be annoyed and they will undermine the process. Be reasonable and employees will participate. The classification process needs to be thorough, comprehensive and participatory. Segregating valuable data is an important first step and there are tools that can help.
Step No. 2: Secure the message as well as the medium.
Even with SSL (Secure Sockets Layer) and VPN, strong passwords, fire walls and a flood of security patches, the medium (the network and the attached servers) should be considered inherently insecure. The greatest security comes from protecting the data itself. Even a gargantuan data breach will be of no real consequence if the data is undecipherable.
Sensitive data should be encrypted, and a business process surrounding key management should be in place to restrict access in a manner consistent with corporate data access policies.
Encryption has been around ever since Julius Caesar coded his messages by shifting the alphabet. Data encryption tools are now integrated well with standard office software. Yet, many organizations don't bother with even the most basic data protection practices, such as applying passwords to Word and Excel files, or using the native Windows hard disk encryption capabilities for laptops that leave the office.
The widespread use of encryption and digital rights management has greatly complicated corporate key management practices. If you are not familiar with the Enterprise Key Management Infrastructure initiative, now would be a good time to check it out at www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi.
Step No. 3: Address issues for all three data states, and implement processes and technologies for each: data at rest, data in motion and data in use.
It's easy to focus too much attention in one or two areas. For example, to manage data at rest, find all the critical data sources, identify how they are stored and protected and consider encrypted databases and files. To manage data in motion, use signed and encrypted e-mail, SSL connections, VPN and other forms of network protection. Remember, the bulk of data breaches are unintentional. They have become more common because increasing numbers of workers carry more and more data with them.
Step No. 4: Consider signing documents and files.
Digital signatures not only make it possible to protect data through strong encryption, but they also provide a means to validate the source, and ensure that nothing has been changed. Like key management, digital signatures require that certificates be issued and identities verified. Microsoft Outlook, for example, supports signing and encrypting with digital certificates. It even provides links to certificate authorities (the folks who issue digital certificates) that will sell you personal and corporate certificates.
Step No. 5: Investigate the latest generation of data leak prevention (DLP) tools.
There are many companies that provide DLP tools to discover, classify and protect your data. Among them are companies such as Iron Mountain, Websense, Reconnex, RSA Security, Trend Micro and Essential Security Software.
The rate of data breaches is unlikely to slow, and its seriousness will not diminish. This is the case for the simple reason that the data driving modern enterprises is becoming increasingly accessible and transportable. However, the right tools and technologies do exist to help keep corporate secrets secret-and CIOs out of the headlines.
Harry Lewis (on the left) is professor of computer science at Harvard and fellow of the Berkman Center for Internet & Society. He can be reached at firstname.lastname@example.org . Ken Ledeen (in the middle) is chairman and CEO of Nevo Technologies. He can be reached at email@example.com. Hal Abelson (on the right) is professor of computer science and engineering at MIT. He can be reached at firstname.lastname@example.org.