The first “Star Wars” movie started with a chase scene in which Darth Vader was out to recover some stolen Death Star plans. Think of it as an effort to recover intellectual property. Today, a fleet of vendors offers data protection products to help IT departments prevent the loss of electronically stored trade secrets, confidential customer data and sensitive employee information.
So why do we keep hearing stories like the one that broke in late May, when it was reported that the personal information of 26.5 million (and counting) U.S. veterans was exposed when a laptop containing the information on a CD was stolen?
Well, for one thing, many of the data breaches we've seen in the last couple of years have been physical in nature. Many of the problems occurred because data on a disk, a laptop or a piece of paper was lost or stolen, not because an electronic system was hacked. And in every case we're dealing with people: people who make mistakes, who aren't always properly trained and who sometimes act maliciously.
People (thankfully) cannot be taken out of the equation, but new products are coming to market that will prevent people from doing things—whether knowingly or not—that will put sensitive data at risk.
Traditional data protection products monitor data while it is in motion, such as being transmitted in an e-mail or transferred via FTP. When an unauthorized transmission is attempted, data protection tools log the event and even stop the message or file transfer. But data protection tools are also evolving to more effectively protect data “at rest,” such as data stored on disks or in file shares.
Using search tools, data protection systems can scour data sources, looking for protected data that is stored where it shouldn't be. When protected data—a collection of which is sometimes called a corpus—is located in a vulnerable repository, an alert is issued, and action can be taken based on policies set up by the IT manager.
Regardless of whether the data is in motion or at rest, organizations can use data protection tools to enforce regulatory requirements for data control.
For example, if Social Security numbers are collected from insurance beneficiaries but company policy requires that an SSN never be used in e-mailed correspondence, data protection tools can help ensure that e-mail messages containing SSNs aren't transmitted.
This is a simple example, but eWeek Labs' tests of Vontu's Vontu 6.0 suite show that much more complex policies can be created and enforced (see review, Page 42). Other companies that make data protection tools along these lines include Vericept and Tablus.
Goal of Data Protection
Authorization is the name of the game when it comes to data protection. Data protection tools are told what constitutes the corpus of protected data, where the corpus is stored, where it can be transmitted, who can access it and at what times, and even how much of the corpus can be moved.
There are various methods of providing these guidelines to data protection tools. But, much like intrusion detection and prevention systems or anti-spam tools, data protection products must keep the number of false-positive blocks low, positive identification of protected data very high and administration as convenient as possible—a tall order, indeed.
Common to nearly all data protection tools is the ability to describe data and look for similar information to protect. For example, a rule such as "Look for nine-digit numbers in the form xxx-xx-xxxx" is defeated simply by removing the dashes before sending the number. It is in discovering protected data outside the bounds of such simple descriptions that data protection tools start to differentiate themselves.
More sophisticated methods to positively identify protected data use copies of data against which all outgoing data transmissions are compared. Still others use a hashed value of the protected data for a similar result. These products also use rules such as the time of day, day of week, and user name and other directory information to determine if messages containing protected data should be blocked or allowed.
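As an added illustration of the last two paragraphs (this is example code, not part of the original article or any vendor's product), the Python below contrasts the three identification methods: the simple "xxx-xx-xxxx" description rule that a stripped dash defeats, a normalised rule with structural checks that also rejects numbers no Social Security Administration scheme would ever issue, and an exact-data match against a hashed copy of the protected corpus. The salt value, the two SSNs in the corpus and the sample messages are all constructed for the example.

```python
import hashlib
import re

# Rule as quoted on the page: nine digits in the form xxx-xx-xxxx.
DASHED_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Normalised form: the same three groups with optional dash, dot or space
# separators, so stripping the dashes no longer hides the number.
LOOSE_SSN = re.compile(r"\b(\d{3})[-. ]?(\d{2})[-. ]?(\d{4})\b")

# Assumption: a per-deployment secret salt, so the fingerprint store cannot be
# reversed by hashing all 10^9 candidate SSNs offline.
SALT = b"example-deployment-salt"


def naive_find(text):
    """The description-based rule as written. Misses '123456789', flags '000-12-3456'."""
    return DASHED_SSN.findall(text)


def is_plausible_ssn(area, group, serial):
    """Structural checks: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def robust_find(text):
    """Description-based matching with separator normalisation and structure checks.
    Returns the bare nine-digit form of each plausible SSN found."""
    return [
        area + group + serial
        for area, group, serial in LOOSE_SSN.findall(text)
        if is_plausible_ssn(area, group, serial)
    ]


def fingerprint(ssn_digits):
    """Keyed hash of a normalised SSN; only fingerprints need to leave the corpus owner."""
    return hashlib.sha256(SALT + ssn_digits.encode("ascii")).hexdigest()


# Constructed sample corpus of two protected SSNs (fictional values).
PROTECTED_CORPUS = {fingerprint(s) for s in ("123456789", "219098765")}


def classify(text):
    """Pair each plausible SSN with whether it is in the protected corpus
    (exact-data match) or merely looks like an SSN (pattern-only)."""
    return [
        (digits, "corpus" if fingerprint(digits) in PROTECTED_CORPUS else "pattern-only")
        for digits in robust_find(text)
    ]


if __name__ == "__main__":
    # Constructed outgoing messages.
    samples = [
        "SSN 123-45-6789 for claim 7",   # dashed: both rules catch it
        "SSN 123456789 for claim 7",     # dashes removed: naive rule misses it
        "ref 000-12-3456",               # looks right, structurally impossible
        "call 555-123-4567",             # phone number, not an SSN
        "ID 219 09 8765",                # space-separated, in the corpus
        "SSN 321-54-9876",               # plausible but not a protected record
    ]
    for msg in samples:
        print(f"{msg!r:34} naive={naive_find(msg)} robust={classify(msg)}")
```

The structural check keeps the false-positive rate down (the article's first requirement), the normalised pattern raises positive identification, and the hashed corpus is what lets a tool distinguish a beneficiary's actual SSN from any nine-digit number that happens to pass the pattern.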
After defining the corpus of protected data and establishing blocking rules, there remains the challenge for many IT managers of defining acceptable use of the protected data. Here, other business managers must be brought into the process.
It is also at this stage that data protection tools can be distinguished from one another. How helpful was the tool at facilitating the creation of acceptable use policies? Does the data protection product interact with established user provisioning systems so that the authorization and de-authorization of users can be streamlined? How open is the data protection product to being understood by nonsecurity professionals so they can assist in the creation of effective policy?
It's worth noting that data protection tools currently focus on what users cannot do, as opposed to what they are allowed to do. Therefore, data protection tools are configured to block protected data under one or more circumstances. For example, a configuration statement might look like, "Block data if x and y and z are true, else allow transmission."
The "else" part of this statement could be regarded as too generous for regulatory purposes: any transmission that fails to meet all of the blocking conditions goes through by default. However, because data protection tools are still very much in the "prove it" stage of market acceptance, it's not too surprising that they are focused on narrow blocking rules that reduce the chance of false positives. The thinking is likely that even a small number of false-positive blocks would create a high barrier to acceptance of the product in the workplace.
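To make the "too generous else" concrete, here is an added example (not from the article or any product) that evaluates the same constructed transfer events under the default-allow shape the article describes and under a default-deny policy that enumerates acceptable uses instead. The internal domain, the authorised role, the business-hours window and the five-record cap are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Transfer:
    """One attempted transmission as a data protection tool would see it."""
    user: str
    channel: str            # "smtp", "ftp", "http"
    destination: str        # recipient or destination domain
    match_count: int        # protected records detected in the content
    when: datetime


# Assumptions for the illustration: one internal domain and one role that is
# permitted to e-mail a handful of SSNs to partners.
INTERNAL_DOMAINS = {"example.com"}
AUTHORIZED_USERS = {"claims-processor"}


def default_allow(t):
    """'Block data if x and y and z are true, else allow transmission.'"""
    x = t.match_count > 0                        # protected data present
    y = t.destination not in INTERNAL_DOMAINS    # leaving the organisation
    z = t.user not in AUTHORIZED_USERS           # sender not on the allow list
    return "block" if (x and y and z) else "allow"


def default_deny(t):
    """Enumerate the acceptable uses; anything else carrying protected data is blocked."""
    if t.match_count == 0:
        return "allow"
    business_hours = 7 <= t.when.hour < 19
    if t.channel == "smtp" and t.destination in INTERNAL_DOMAINS and business_hours:
        return "allow"
    if t.channel == "smtp" and t.user in AUTHORIZED_USERS and t.match_count <= 5:
        return "allow"
    return "block"


def compare(t):
    """(default-allow decision, default-deny decision) for one transfer."""
    return (default_allow(t), default_deny(t))


# Constructed events.
CASES = [
    Transfer("jdoe", "smtp", "example.com", 2, datetime(2006, 6, 1, 10, 0)),
    Transfer("jdoe", "smtp", "mail.example.net", 1, datetime(2006, 6, 1, 10, 0)),
    Transfer("claims-processor", "ftp", "partner.example.net", 5000, datetime(2006, 6, 1, 3, 0)),
    Transfer("jdoe", "smtp", "example.com", 400, datetime(2006, 6, 1, 23, 30)),
]


def evaluate_all():
    """Decisions for CASES in order; the third and fourth are where the policies diverge."""
    return [compare(c) for c in CASES]


if __name__ == "__main__":
    for c, result in zip(CASES, evaluate_all()):
        print(f"{c.user:17} {c.channel:4} {c.destination:20} {c.match_count:5} -> {result}")
```

The third case is the one the article's caveat is about: an authorised sender is exempt from the block rule, so the default-allow policy lets 5,000 records out by FTP at 3 a.m., whereas the default-deny policy blocks it because that use was never described as acceptable. The fourth case shows the same gap for an after-hours bulk transfer that stays inside the company.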
How Many Touch Points?
Some of the many touch points on the pathways through which protected data must sometimes travel include Message Transfer Agents (or MTAs, such as Sendmail or Microsoft Exchange); Web proxies; FTP servers; file shares; and data repositories on data center servers and laptops, memory keys, and other media.
Some of these pathways, including the movement of data onto physical media, cannot be covered by network inspection alone and require policy—often in the form of group policy or physical controls—to block data from being placed on unauthorized storage locations. IT managers must consider all possible touch points when evaluating a data security tool to see how well it can interpret and block commonly used network protocols to protect data.
Cost of Protection
Figuring the cost of security is almost always a speculative act of balancing the cost of the barricades against the potential destruction that could be averted by them. In the still highly competitive emerging market for data protection tools, we advise IT managers to bargain with vendors for price breaks, extra training and extensive proof-of-concept installations.
However, there are other ways to derive value from a data protection system.
Data protection tools can be used as a competitive differentiator. If the organization depends on customer trust, one way to stand out from a crowd is to do a better job of protecting private data than the competitors.
Data protection tools also may reduce what we call “audit friction.” The effort to comply with an audit can be reduced by automating controls and reports that show the organization is meeting its obligations under the law. IT administrators who effectively assist business-line managers in surviving an audit are indirectly contributing to the bottom line.
Data protection tools also can help IT and business-line managers more easily make what are traditionally thought of as tough choices about IT infrastructure. For example, data protection tools usually need an authoritative source of data. To be authoritative, a data source should be unassailable in the face of questions regarding the freshness, correctness and completeness of the collected data. This usually means consolidating databases, directories and file shares.
Also keep in mind that these tools should be integrated with help desk or other workflows to ensure that any corrective action that requires human intervention is carried out. For example, a data protection tool can block sensitive information from being sent through company e-mail.
A data protection tool can even display a warning message, log a note that an inappropriate use of data was blocked and display a report that documents all these actions. However, at the end of the day, a person is going to be involved in making sure that the end user who initiated the problematic transmission is corrected.
This is likely one of the reasons that the data protection arena will remain a quickly changing and ever-challenging field: At the heart of nearly every anomalous data use—whether for good or bad—is a human being.
Technical Director Cameron Sturdevant can be reached at [email protected].