Keep Data on Tight Leash

Tech Analysis: New tools help prevent loss of data, but we're only human.

The first "Star Wars" movie started with a chase scene in which Darth Vader was out to recover some stolen Death Star plans. Think of it as an effort to recover intellectual property. Today, a fleet of vendors offers data protection products to help IT departments prevent the loss of electronically stored trade secrets, confidential customer data and sensitive employee information.

So why do we keep hearing stories like the one that broke in late May, when it was reported that the personal information of 26.5 million (and counting) U.S. veterans was exposed when a laptop containing the information on a CD was stolen?

Well, for one thing, many of the data breaches we've seen in the last couple of years have been physical in nature. Many of the problems occurred because data on a disk or laptop or piece of paper was lost or stolen, not as a result of an electronic system being hacked. Also, we're dealing with people—people who make mistakes, who aren't always properly trained and who sometimes act maliciously.

People (thankfully) cannot be taken out of the equation, but new products are coming to market that will prevent people from doing things—whether knowingly or not—that will put sensitive data at risk.

Traditional data protection products monitor data while it is in motion, such as being transmitted in an e-mail or transferred via FTP. When an unauthorized transmission is attempted, data protection tools log the event and even stop the message or file transfer. But data protection tools are also evolving to more effectively protect data "at rest," such as data stored on disks or in file shares.

Using search tools, data protection systems can scour data sources, looking for protected data that is stored where it shouldn't be. When protected data—a collection of which is sometimes called a corpus—is located in a vulnerable repository, an alert is issued, and action can be taken based on policies set up by the IT manager.

Regardless of whether the data is in motion or at rest, organizations can use data protection tools to enforce regulatory requirements for data control.

For example, if Social Security numbers are collected from insurance beneficiaries but company policy requires that an SSN never be used in e-mailed correspondence, data protection tools can help ensure that e-mail messages containing SSNs aren't transmitted.

This is a simple example, but eWeek Labs' tests of Vontu's Vontu 6.0 suite show that much more complex policies can be created and enforced (see review, Page 42). Other companies that make data protection tools along these lines include Vericept and Tablus.

Goal of Data Protection

Authorization is the name of the game when it comes to data protection. Data protection tools are told what constitutes the corpus of protected data, where the corpus is stored, where it can be transmitted, who can access it and at what times, and even how much of the corpus can be moved.

There are various methods of providing these guidelines to data protection tools. But, much like intrusion detection and prevention systems or anti-spam tools, data protection products must keep the number of false-positive blocks low, positive identification of protected data very high and administration as convenient as possible—a tall order, indeed.

Common to nearly all data protection tools is the ability to describe data and look for similar information to protect. For example, in the rule "Look for nine-digit numbers in the form of xxx-xx-xxxx," you can easily see how removing the dashes defeats the rule. It is in discovering protected data outside the bounds of simple description that data protection tools start to differentiate themselves.

More sophisticated methods to positively identify protected data use copies of data against which all outgoing data transmissions are compared. Still others use a hashed value of the protected data for a similar result. These products also use rules such as the time of day, day of week, and user name and other directory information to determine if messages containing protected data should be blocked or allowed.
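
The difference between the descriptive rule and the hashed-value comparison described above, as an added Python example (not taken from the article or from any vendor's product). The sample numbers, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Descriptive rule quoted in the article: nine digits written as xxx-xx-xxxx.
DASHED_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Any nine-digit run with optional separators; used only to pick candidates.
CANDIDATE = re.compile(r"(?<!\d)\d{3}[-. ]?\d{2}[-. ]?\d{4}(?!\d)")

# Assumption: a secret held by the protection system. A keyed hash is used
# because an unkeyed hash of a nine-digit value can be brute-forced.
INDEX_KEY = b"constructed-demo-key"

def fingerprint(value: str) -> str:
    """Normalize to digits only, then return a keyed SHA-256 digest."""
    digits = re.sub(r"\D", "", value)
    return hmac.new(INDEX_KEY, digits.encode(), hashlib.sha256).hexdigest()

def build_index(corpus):
    """Store only digests of the protected values, never the values."""
    return {fingerprint(v) for v in corpus}

def pattern_match(message: str) -> bool:
    """The simple descriptive rule: fires on format alone."""
    return bool(DASHED_SSN.search(message))

def fingerprint_match(message: str, index) -> list:
    """Return candidates whose digest is in the protected index."""
    return [m.group() for m in CANDIDATE.finditer(message)
            if fingerprint(m.group()) in index]

# Constructed corpus and messages (area number 000 is never issued).
CORPUS = ["000-12-3456", "000-98-7654"]
MESSAGES = [
    "Beneficiary SSN is 000-12-3456, please confirm.",  # dashed, protected
    "Beneficiary SSN is 000123456, please confirm.",    # dashes removed
    "Claim ref 000 98 7654 attached.",                  # spaces instead
    "Part number 555-01-2345 ships Monday.",            # looks alike, not protected
]

def compare(messages=MESSAGES, corpus=CORPUS):
    """Return (pattern_hit, fingerprint_hits) for each message."""
    index = build_index(corpus)
    return [(pattern_match(m), fingerprint_match(m, index)) for m in messages]

if __name__ == "__main__":
    for msg, (by_pattern, by_hash) in zip(MESSAGES, compare()):
        print(f"pattern={by_pattern!s:5} fingerprint={by_hash} :: {msg}")
```

The format-only rule misses the two reformatted values and fires on the unrelated part number, while the fingerprint comparison catches all three protected values and ignores the part number. The trade-off is that fingerprint matching only finds values already registered in the corpus.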

After defining the corpus of protected data and establishing blocking rules, there remains the challenge for many IT managers of defining acceptable use of the protected data. Here, other business managers must be brought into the process.

It is also at this stage that data protection tools can be distinguished from one another. How helpful was the tool at facilitating the creation of acceptable use policies? Does the data protection product interact with established user provisioning systems so that the authorization and de-authorization of users can be streamlined? How open is the data protection product to being understood by nonsecurity professionals so they can assist in the creation of effective policy?

It's worth noting that data protection tools currently focus on what users cannot do, as opposed to what they are allowed to do. Therefore, data protection tools are configured to block protected data under one or more circumstances. For example, a configuration statement might look like, "Block data if x and y and z are true, else allow transmission."

The "else" part of this statement could be regarded as too generous for regulatory purposes. However, because data protection tools are still very much in the "prove it" stage of market acceptance, it's not too surprising that they are focused on narrow blocking rules that reduce the chance of false positives. The thinking is likely that even a small number of false-positive blocks would create a high barrier to acceptance of the product in the workplace.