How to enforce an enterprise data leak prevention policy


Michael Cobb, Contributor

The ways in which modern businesses exchange and communicate information have evolved very fast in the last few years. We used to be limited to phone, fax, or hard copy, but now there's instant messaging, Skype, blogs, Twitter, smartphones and, of course, email.

Stopping sensitive information from leaving an organisation has always been a problem, but the proliferation of these new mobile and other communication channels means it's easier than ever for data loss to occur, either accidentally or maliciously.

As part of any data leak prevention plan, employees need to be informed of the risks of using various communication channels and how to guard against the psychological triggers used in social engineering-based attacks. This should be part of their information handling training. Every employee should know how to identify confidential information and appreciate his or her own role in keeping it secure.

Before you launch a round of security awareness training, though, check that your security policies are indeed up to date, particularly the sections covering acceptable use of blogs, Skype and smartphones. Do you really want to allow phones with cameras in restricted or sensitive areas? You may need to disable USB and FireWire ports, or restrict the times at which certain data can be accessed. You certainly need to state the only methods by which sensitive information may be transmitted.

Also be aware of possible side effects when making changes to IT policies. For example, if you limit the size of email attachments to reduce bandwidth usage, everyone's likely to look for alternative ways of sending large files. These will typically be non-compliant and insecure workarounds.

Nor should your security policies prevent employees from doing their jobs. If certain staff regularly need to work at home at weekends, give them a secure VPN connection to the files at work so they aren't tempted to email them to a personal address. Make it easy for people to follow good security practice.

Data loss prevention (DLP) technology
But policies and staff training alone will not solve the data leakage problem; you need technology to help you manage and protect intellectual property throughout its lifecycle, and to find out where it is and where it's going. This is where data loss prevention (DLP) technology comes in. Unfortunately, there's a lot of confusion in the marketplace about what constitutes a DLP product: the term has been applied to everything from full suites down to basic encryption and USB port-blocking tools.

Before you start looking at what's on offer, you need to classify your organisation's data to understand what data needs protecting and what the level of risk is. (Read my previous article: How to create a data classification policy.) This will help you decide on the appropriate level of protection you need.

Data classification exercises have led some organisations to start with content discovery tools rather than network monitoring tools. Content discovery products scan data at rest, looking for sensitive or classified information that is unprotected or stored on machines where it shouldn't be. It's vital to know where your data is before trying to protect it.

Network data loss prevention devices such as Symantec Corp.'s Data Loss Prevention and McAfee Inc.'s Network DLP Prevent monitor when and where data is moving. Using a profile of the organisation's intellectual property, built from its data classification scheme, these tools inspect outgoing traffic, ideally on all ports and protocols rather than just email and web, and respond in different ways depending on which part of the profile is matched. Rules can require that certain classifications of information be encrypted, so that they never leave the perimeter in an unauthorised state, which is a great help in meeting compliance requirements. Bear in mind that a network device can only inspect what it can read: traffic the client encrypts end to end, such as an HTTPS or Skype session, is opaque to it unless it is terminated and inspected at a proxy.
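As an added illustration of what a profile-based inspection engine does (example code written for this page, not Symantec's or McAfee's), the Python below builds a hypothetical DLP profile from a classification scheme and applies it in both modes discussed above: scanning stored content for discovery and deciding the egress action for an outbound message. The organisation, its policy table, the registered memo and the sample messages are all invented; the card number is the well-known 4111... test number, and the National Insurance pattern is simplified.

```python
"""Added example, not vendor code: a hypothetical DLP profile built from a data
classification scheme, applied to data at rest (discovery) and outbound content."""
import hashlib
import re
from dataclasses import dataclass

# Egress actions in increasing severity; the most severe action triggered wins.
ALLOW, LOG, ENCRYPT, BLOCK = "allow", "log", "encrypt", "block"
SEVERITY = {ALLOW: 0, LOG: 1, ENCRYPT: 2, BLOCK: 3}
# Hypothetical policy: classification -> action when that data would leave in the clear.
POLICY = {"restricted": BLOCK, "confidential": ENCRYPT, "internal": LOG}

# 13-19 digits with optional single space/hyphen separators, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# UK National Insurance number, simplified (the real prefix rules exclude some letters).
NI_RE = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")

@dataclass(frozen=True)
class Finding:
    classification: str
    detector: str
    evidence: str  # redacted sample of the match, for the audit trail

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def shingles(text: str, k: int = 8) -> set:
    """Hashes of overlapping k-word windows: an excerpt of a registered document
    still shares many of them, unrelated text shares none."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

class Inspector:
    def __init__(self, registered: dict, match_threshold: int = 3):
        # Registered documents are kept as fingerprints, not as plaintext copies.
        self.fingerprints = {n: shingles(t) for n, t in registered.items()}
        self.threshold = match_threshold

    def findings(self, content: str) -> list:
        found = []
        for m in CARD_RE.finditer(content):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.append(Finding("restricted", "card_number", "*" * (len(digits) - 4) + digits[-4:]))
        for m in NI_RE.finditer(content):
            found.append(Finding("confidential", "ni_number", m.group()[:2] + "******" + m.group()[-1]))
        mine = shingles(content)
        for name, fp in self.fingerprints.items():
            shared = len(mine & fp)
            if shared >= self.threshold:
                found.append(Finding("confidential", "registered_document", f"{name}: {shared} shared shingles"))
        return found

    def decide(self, content: str) -> tuple:
        """Network DLP use: the action for one outbound message or file."""
        found = self.findings(content)
        action = ALLOW
        for f in found:
            candidate = POLICY.get(f.classification, LOG)
            if SEVERITY[candidate] > SEVERITY[action]:
                action = candidate
        return action, found

    def discover(self, store: dict) -> dict:
        """Content-discovery use: scan data at rest ({path: text}) and report the
        highest classification present at each location."""
        report = {}
        for path, content in store.items():
            found = self.findings(content)
            if found:
                report[path] = max((f.classification for f in found),
                                   key=lambda c: SEVERITY[POLICY.get(c, LOG)])
        return report

# Constructed sample data: one registered confidential memo and some outbound messages.
REGISTERED = {"board-memo-q3": (
    "Board memo: the acquisition of the Leeds site will be announced on the fourteenth "
    "and staff must not discuss valuation figures with the press or with suppliers "
    "before that date under any circumstances")}
MESSAGES = {
    "card": "Hi, please charge 4111 1111 1111 1111 for the invoice, thanks",
    "not_a_card": "Order ref 1234 5678 9012 3456 is ready for collection",
    "excerpt": "FYI: staff must not discuss valuation figures with the press or with suppliers before that date",
    "ni": "New starter NI number is QQ 12 34 56 C, please set up payroll",
}

if __name__ == "__main__":
    inspector = Inspector(REGISTERED)
    for name, text in MESSAGES.items():
        print(name, inspector.decide(text))
    print(inspector.discover({"/finance/inv.txt": MESSAGES["card"], "/home/bob/memo.txt": MESSAGES["excerpt"]}))
```

Two design points are worth noting. The card detector validates the Luhn checksum, so "not_a_card" (a digit run that looks like a PAN but fails the check) is allowed rather than blocked; without that check a DLP rule drowns in false positives from order numbers and phone numbers. Registered documents are held as hashed word shingles, so the engine can recognise a pasted paragraph of the memo without itself storing, or leaking, the memo's text.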

Web security gateways are a possible alternative to dedicated DLP devices here. Not only do they protect users from malicious sites and malware, they also monitor the types of file passing through the network perimeter and scan documents for phrases and terms that could indicate a leak. Coordinating content policy across all communication channels is a lot more efficient when they all pass through one box, and the gateway can then produce a consolidated evidence chain to help challenge risky user behaviour.

Network monitoring can certainly catch many types of leak, but it won't stop a determined thief, or an authorised user, from copying files from a workstation to a USB drive. This is why disk encryption and thumb-drive controls are currently the most common data protection measures: there's always the possibility of a dishonest employee. Products such as McAfee's Host Data Loss Prevention and Utimaco Inc.'s SafeGuard PortProtector monitor endpoints and the devices attached to them, and block or log files written to or read from removable media.

For employees in sensitive positions, HR should carry out thorough background checks, and job descriptions should include nondisclosure and confidentiality agreements. There should also be a defined chain of command for escalating suspicions about a colleague's behaviour. One way to help people stay honest is to make sure everyone knows what security controls are in use: someone is far less likely to try to copy 1,000 customer records if they know it will set alarm bells ringing. Access to sensitive data should, of course, be controlled with strong authentication and least privilege.
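To show what those "alarm bells" can look like in practice, here is an added detection example (not part of the original article) that runs over a constructed database audit log: it sums each user's reads of a sensitive table inside a sliding window and raises an alert the first time a user exceeds a threshold, so a clerk doing lookups all day is not flagged while someone pulling over 1,000 records in a few minutes is. The log format, user names, window and threshold are all assumptions.

```python
"""Added example, not from the article: a sliding-window threshold detection over a
constructed database audit log, alerting when one user reads more rows from a
sensitive table in a short period than any legitimate task needs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit-log format, one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$")

def parse(line: str):
    """Parse one line; lines that don't fit the format are skipped (None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "action": m["action"], "table": m["table"], "rows": int(m["rows"])}

def detect_bulk_reads(lines, table="customers", window_minutes=10, threshold=1000):
    """Return [(user, iso_time, rows_in_window)] for the first event at which each
    user's reads of `table` within the trailing window exceed `threshold`."""
    events = [e for e in map(parse, lines) if e and e["table"] == table and e["action"] == "read"]
    events.sort(key=lambda e: e["ts"])            # logs are not always delivered in order
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)                   # user -> (ts, rows) events inside the window
    in_window = defaultdict(int)                  # user -> rows summed over `recent`
    alerts, alerted = [], set()
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["rows"]))
        in_window[e["user"]] += e["rows"]
        while e["ts"] - q[0][0] > window:         # evict events that fell out of the window
            _, old_rows = q.popleft()
            in_window[e["user"]] -= old_rows
        if in_window[e["user"]] > threshold and e["user"] not in alerted:
            alerts.append((e["user"], e["ts"].isoformat(), in_window[e["user"]]))
            alerted.add(e["user"])
    return alerts

# Constructed sample log: alice does normal customer-service lookups, carol runs two
# large reports half an hour apart, bob pulls 1,250 customer records in five minutes.
SAMPLE_LOG = """\
2010-03-02T09:00:00 user=carol action=read table=customers rows=600
2010-03-02T09:05:00 user=alice action=read table=customers rows=1
2010-03-02T09:12:00 user=alice action=read table=customers rows=1
2010-03-02T09:30:00 user=carol action=read table=customers rows=600
2010-03-02T09:41:00 user=alice action=read table=orders rows=40
2010-03-02T09:55:00 user=alice action=read table=customers rows=2
this line is not in the expected format and is skipped
2010-03-02T10:03:00 user=bob action=read table=customers rows=250
2010-03-02T10:00:00 user=bob action=read table=customers rows=250
2010-03-02T10:01:00 user=bob action=read table=customers rows=250
2010-03-02T10:02:00 user=bob action=read table=customers rows=250
2010-03-02T10:04:00 user=bob action=read table=customers rows=250
""".splitlines()

if __name__ == "__main__":
    for user, when, rows in detect_bulk_reads(SAMPLE_LOG):
        print(f"ALERT {when} {user} read {rows} customer rows within 10 minutes")
```

With the defaults only bob is flagged: carol's two 600-row reports are 30 minutes apart, so the first has left the window before the second arrives. Widening the window to an hour flags carol as well, which is the trade-off to tune against the reporting jobs your business genuinely runs; the threshold and window should come from the data classification and the roles that legitimately touch the table, not from a guess.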

This is something I want to discuss in my next article as data leakage often occurs because of poor business processes or system design. I'll also be looking at ensuring that database design and data inference don't put a hole in your data loss prevention strategy.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Copyright 2008 - 2010, TechTarget