Staying Afloat by Plugging up Data Leakage

Companies spend big money keeping intruders out of their networks. But what are you doing to keep your vital corporate information from leaking out?
Posted January 25, 2005

Lynn Haber

Miss the boat on the next wave in information security and you're likely to sink the corporate ship.

Reducing the business risk that results when data leaves the enterprise network should be on the radar screen of every administrator, according to industry watchers.

''Information security, or the lack thereof, affects the reputation, reliability and trustworthiness of every company. And, once you lose it, you lose it forever,'' says Larry Ponemon, founder of the Ponemon Institute, a think tank that studies privacy data protection and information security policy.

Industry participants predict that increasing numbers of companies will be poised to address data leakage in 2005, followed by product implementations through 2007. Why? Because the problem is growing exponentially and no one wants to be tomorrow's headline news because of it.

The time is now

To grasp the scope of a problem, a recent study by the Ponemon Institute looked at 163 Fortune 1,000 companies. The study revealed that 75 percent of them reported a security breach in the prior 12 months. The leaks may have involved personal information about customers, personal information about employees, involved confidential business information, and intellectual property, including software source code.

''What we're seeing is that many companies have poor access controls over who gets data and no way of controlling the outflow of data,'' says Ponemon.

According to Gartner Inc., more than 80 percent of high-cost security incidents occur when data from inside the organization gets out. Most data leakage occurs by accident or because of poor business processes, says Rich Mogull, a research director at Gartner. Whether accidental or malicious, security breaches from inside the company aren't addressed by the bulk of security dollars spent on technology that addresses the perimeter of the network.

While the problem of information exiting the company has always been around, the depth and breadth of the problem has changed dramatically in the past few years.

First off, information is more valuable and there's more of it in electronic form. For instance, there is more electronic communication, such as email, and instant messaging. More people work remotely. Hackers are evolving into professional criminals, and outsourcing is reaching a fevered pitch.

Up until recently, most corporate security policy focused on keeping the bad guys out. But now, says Jim Nisbet, chief technology officer at Tablus Inc., ''The danger in what leaves the organization exceeds the damage of what comes in.''

It's the law

What's really turned up the heat on stopping data leakage is a relatively new patchwork of laws that make businesses liable for privacy and data protection, and governance: California SB 1386 and A.D.1950, Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act (HIPAA), The Patriot Act, and Sarbanes Oxley Act (SOX), to name several.

The DeKalb Medical Center is a Decatur, Ga.-based hospital with multiple facilities and a variety of network traffic that includes standard business data, and local and Internet communications, as well as private patient health information. Up until January 2004, it had no network monitoring tools to prevent data leakage.

''Being a hospital, HIPAA put the issue on the forefront,'' says Sharon Finney, information security administrator at DeKalb, adding that with regulation in place, noncompliance becomes actionable and public. The deadline for HIPAA compliance is April, 2005. The hospital began addressing HIPAA requirements three years ago.

With a clear-cut path for what it needed to do, the hospital conducted a risk analysis, identified problem areas, established policies and searched for a technology solution. ''We knew from the start, that we needed a tool that could identify protected health care information out of the box,'' says Finney.

With only three monitoring products available, at the time, only Vericept Corp. was able to meet the medical center's turnkey requirements. DeKalb uses the vendor's Healthcare Compliance Solution, and Filter for HIPAA.

Not only are business being forced to comply with compliance regulations or risk paying fines, they're also aware of the cost of damage to the company's reputation. ''For DeKalb, or any organization that handles confidential information, the damage to our reputation could be staggering,'' says Finney.

In addition to implementing a security solution to prevent data from leaving the organization and establishing policy, education was key to a successful outcome. DeKalb's user population includes employees, vendors, contractors, temporary workers, and off-site physicians and their staff. ''We had to bring users to a level where everyone was reading off of the same page when it came to security policy and procedures,'' she says.

DeKalb is currently upping the ante on data security, and is looking at implementing a second layer of protection via an email encryption tool.

Sorting through solutions

While some tools, such as encryption or PKI, have been available for a number of years, they tended to be difficult to manage.

''Most companies opted to focus on higher priority projects and wrote off the cost of data loss as part of doing business,'' says Paul Proctor, vice president of security and risk strategies at Meta Group.

Currently, there are more than a dozen vendors offering solutions that address data leakage. A fractured market, products use a variety of techniques to identify whether data should be stopped or let through the network. Some content monitoring and filtering solutions are application specific, or, for example, watch email traffic, IM, or FTP. Other products are more general and work below the application layer and look at multiple channels.

An early Reconnex Inc,.customer, Extreme Networks, a worldwide vendor of network infrastructure solutions, is concerned about insider threats or the loss of high-value intellectual property.

''Depending on the size of the company and the data lost, the ramifications can be crippling,'' says Paul Hooper, CIO at Extreme. For the high-tech company, the Reconnex inSight platform for data protection security is viewed as an insurance policy.

In addition to help meeting regulatory compliance requirements, security solutions that help companies protect data from leaving the corporate network, also can help protect brand loss and a company's competitive stance in the market.

Like most security solutions, this next layer of security protection is not going to help companies make money. ''What we're selling is risk reduction,'' says Joseph Ansanelli, CEO and cofounder of Vontu Inc. He says it's also about saving money by preventing future events.

According to Gartner's Mogull, limited product deployments begin at between $20,000-$50,000 and can immediately cut down on data leakage.

''Limited product deployments may not protect everything, but if a company has data stores that are more important than others, begin there,'' he says. Mogull suggests that companies start with small implementations and grow from there, prioritizing where it's important to spend money.

Industry participants are quick to point out that preventing data leakage is not about technology alone -- it's about people, processes and technology. ''Companies must have a written policy and there must be consequences for not adhering to that policy,'' says Ponemon.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.