Data leakage is a big problem for enterprises but there are no clear-cut solutions, McAfee's chief security architect admitted at the Burton Group Catalyst Conference.
Sensitive customer information and confidential corporate data can slip out of an organisation via email, lost laptops, USB drives and a host of other ways, said John Viega, who also is vice president of engineering at McAfee. Under pressure from breach disclosure laws and regulations like Sarbanes-Oxley, enterprises are exploring a range of solutions: policies, data leakage gateways, endpoint device protection, and disk encryption.
But there are drawbacks to all of the options and no one technology fully addresses the problem, Viega said.
He said it's tough getting employees to follow data handling policies and training doesn't stick. Data leakage gateways can help enforce policies on the network but can't stop an employee from copying confidential data onto a USB storage device or from taking a laptop home and sending confidential data via Web mail. Classifying sensitive documents on the network can require investment in professional services, Viega said.
Endpoint device protection technologies that track operating system and application operations to enforce policies at the desktop can block someone from copying data to a USB drive, but it won't be on all devices in an organisation and it can become too costly to block people from doing what they want to do, he said. Companies tend to deploy such technologies in "advise" mode rather than "block" mode so that IT isn't inundated by requests for policy exceptions.
Hard-disk encryption is "by far the most commonly" deployed technology for data leak prevention, Viega said. The price tag is lower than other options but it doesn't address some leakage scenarios and can be a hassle when passwords are lost, he added.
Digital rights management can extend data handling policies to hosts without monitoring protection but there's no clear technology leader in the space, Viega said.
After the session, an architect at a manufacturing company who declined to give his name said Viega "basically stated the obvious -- there's no silver bullet." With any of the technologies "you still can't guarantee there won't be any leaks," he said.
Another attendee -- a security engineer at a pharmaceutical company who also declined to give his name -- said the session presented more problems than solutions. He would have liked to hear more about enterprise rights management.
"Going after the USB fobs, the iPods -- whatever you can connect to a computer -- is just a losing game … You need to protect [data] at the source," he said.