How to enforce an enterprise data leak prevention policy

These days, there are more ways than ever for confidential data and intellectual property to leak out of an enterprise: Skype, Twitter and smartphones, just to name a few. Michael Cobb explains how to protect enterprise data in an environment where communication is becoming easier than ever.

The ways in which modern businesses exchange and communicate information have evolved very fast in the last few years. We used to be limited to phone, fax, or hard copy, but now there's instant messaging, Skype, blogs, Twitter, smartphones and, of course, email.

Stopping sensitive information from escaping from an organisation has always been a problem, but the proliferation of these new mobile and other communication channels means it's easier than ever for data loss to occur, either accidentally or maliciously.

As part of any data leak prevention plan, employees need to be informed of the risks of using various communication channels and how to guard against the psychological triggers used in social engineering-based attacks. This should be part of their information handling training. Every employee should know how to identify confidential information and appreciate his or her own role in keeping it secure.

Before you launch a round of security awareness training, though, check that your security policies are indeed up-to-date, particularly sections covering the acceptable use of blogs, Skype and smartphones; do you really want to allow phones with cameras in restricted or sensitive areas? Maybe you need to disable USB and FireWire ports or set strict access times for certain data. You certainly need to state the only methods by which sensitive information can be transmitted.

Also be aware of possible side effects when making changes to IT policies. For example, if you limit the size of email attachments to reduce bandwidth usage, everyone's likely to look for alternative ways of sending large files. These will typically be non-compliant and insecure workarounds.

Neither should your security policies prevent employees from doing their jobs. If certain staff regularly need to work weekends at home, give them a secure VPN connection to access files at work so they're not tempted to email them to their home email address. Make it easy for them to follow data leak prevention best security practices.

Data loss prevention technology

But policies and staff training alone will not solve the data leakage problem; you need technology to help you manage and protect intellectual property throughout its lifecycle, and to find out where it is and where it's going. This is where data loss prevention (DLP) technology comes in. Unfortunately, there's a lot of confusion in the marketplace about what constitutes a data loss prevention product. The term has been applied to everything from full suites to basic encryption and USB port-blocking technologies.

Before you start looking at what's on offer, you need to classify your organisation's data to understand what data needs protecting and what the level of risk is. (Read my previous article: How to create a data classification policy.) This will help you decide on the appropriate level of data loss prevention you need.

Data classification undertakings have led some organisations to opt for content discovery tools instead of network monitoring tools. Content discovery products scan stored data looking for sensitive and classified information that is not protected or is located on inappropriate machines. It's vital to know where your data is before trying to protect it!

Network data loss prevention devices such as Symantec Corp.'s Data Loss Prevention and McAfee Inc.'s Network DLP Prevent monitor when and where data is moving. Using a profile of an organisation's intellectual property, based on its data classification scheme, the tools analyse each outgoing packet, preferably on all ports and protocols, responding in various ways depending on the profile matched. Rules can be implemented to ensure certain classifications of information are encrypted to prevent them from exiting the perimeter in an unauthorized state – great for meeting compliance requirements.
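
As an added illustration of both the content discovery scan and the network rule matching described above (example code written for this topic, not taken from any of the products named), the following Python sketches a toy classification profile: a Luhn-checked card-number detector plus constructed classification markers, a rule that forces encryption of confidential data leaving the perimeter, and a discovery pass that flags classified files sitting on hosts not approved to hold them. The profile, markers, host names and sample files are all constructed assumptions.

```python
import re

# Constructed, hypothetical classification profile. The article says the profile is built
# from the organisation's own data classification scheme; these markers stand in for it.
LEVELS = ["public", "internal", "confidential"]
MARKERS = {
    "confidential": [re.compile(r"\bCONFIDENTIAL\b")],
    "internal": [re.compile(r"\bINTERNAL USE ONLY\b")],
}
# Candidate payment card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so random digit runs (phone numbers, IDs) are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Return the highest classification level the profile matches in the text."""
    level = "public"
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        level = "confidential"
    for lvl, patterns in MARKERS.items():
        if LEVELS.index(lvl) > LEVELS.index(level) and any(p.search(text) for p in patterns):
            level = lvl
    return level

def policy_action(level: str, leaves_perimeter: bool, encrypted: bool) -> str:
    """Rule set: confidential data may leave only encrypted; internal data never leaves."""
    if level == "confidential" and leaves_perimeter:
        return "allow" if encrypted else "encrypt"
    if level == "internal" and leaves_perimeter:
        return "block"
    return "allow"

def discover(files, approved_hosts):
    """Content discovery: files is an iterable of (host, path, text); approved_hosts maps a
    level to the hosts allowed to store it. Returns (host, path, level) for misplaced data."""
    findings = []
    for host, path, text in files:
        level = classify(text)
        if level != "public" and host not in approved_hosts.get(level, set()):
            findings.append((host, path, level))
    return findings
```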

Web security gateways could be a possible alternative to DLP devices here. Not only do they protect your users from malicious sites and malware, they also monitor the types of files going through the network perimeter and scan documents for phrases and terms that could potentially cause data leakage. Coordination of content policy across all communication channels can be a lot more efficient when they are all passing through one box. This also means that they can produce an evidence chain of consolidated data to help challenge risky user behaviour.

Network monitoring can certainly catch many types of leaks, but it won't stop a determined thief or an authorized user from copying files from a workstation to a USB drive. This is why disk encryption and thumb drive controls are currently the most common data protection devices, as there's always the possibility of a dishonest employee. Products such as McAfee's Host Data Loss Prevention and Utimaco Inc.'s SafeGuard PortProtector monitor endpoints and devices and block or log files that are written to or read from devices connected to the network.

For any employees in sensitive positions, HR should carry out thorough background checks, and job descriptions should include nondisclosure and confidentiality agreements. There should also be a defined chain of command for escalation procedures should someone become suspicious of a colleague's behaviour. One way to help people stay honest is to make sure that everyone knows what security controls are in use; someone's far less likely to try to copy 1,000 customer records if they know it will set alarm bells ringing. Access to sensitive data should, of course, be controlled with strong authentication and minimum privileges.

This is something I want to discuss in my next article as data leakage often occurs because of poor business processes or system design. I'll also be looking at ensuring that database design and data inference don't put a hole in your data loss prevention strategy.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.