Data leakage is a big problem for enterprises
but there are no clear-cut solutions, McAfee's chief security
architect admitted at the Burton Group Catalyst
Conference.
Sensitive customer information and confidential corporate data
can slip out of an organisation via email, lost laptops, USB drives
and a host of other ways, said John Viega, who is also vice
president of engineering at McAfee. Under pressure from breach
disclosure laws and regulations like Sarbanes-Oxley, enterprises
are exploring a range of solutions: policies, data leakage
gateways, endpoint device protection, and disk encryption.
But there are drawbacks to all of the options and no one
technology fully addresses the problem, Viega said.
He said it's tough getting employees to follow data handling
policies and training doesn't stick. Data leakage gateways can help
enforce policies on the network but can't stop an employee from
copying confidential data onto a USB storage device or from taking
a laptop home and sending confidential data via Web mail.
Classifying sensitive documents on the network can require
investment in professional services, Viega said.
Endpoint device protection technologies that track operating
system and application operations to enforce policies at the
desktop can block someone from copying data to a USB drive, but they
won't be on all devices in an organisation and it can become too
costly to block people from doing what they want to do, he said.
Companies tend to deploy such technologies in "advise" mode rather
than "block" mode so that IT isn't inundated by requests for policy
exceptions.
Hard-disk encryption is "by far the most commonly" deployed
technology for data leak prevention, Viega said. The price tag is
lower than other options but it doesn't address some leakage
scenarios and can be a hassle when passwords are lost, he
added.
Digital rights management can extend data handling policies to
hosts without monitoring protection but there's no clear technology
leader in the space, Viega said.
After the session, an architect at a manufacturing company who
declined to give his name said Viega "basically stated the obvious
-- there's no silver bullet." With any of the technologies "you
still can't guarantee there won't be any leaks," he said.
Another attendee -- a security engineer at a pharmaceutical
company who also declined to give his name -- said the session
presented more problems than solutions. He would have liked to hear
more about enterprise rights management.
"Going after the USB fobs, the iPods -- whatever you can connect
to a computer -- is just a losing game … You need to protect [data]
at the source," he said.