Saturday, September 18, 2021

Staying Afloat by Plugging up Data Leakage

Miss the boat on the next wave in information security and you’re likely

to sink the corporate ship.

Reducing the business risk that results when data leaves the enterprise

network should be on the radar screen of every administrator, according

to industry watchers.

”Information security, or the lack thereof, affects the reputation,

reliability and trustworthiness of every company. And, once you lose it,

you lose it forever,” says Larry Ponemon, founder of the Ponemon

Institute, a think tank that studies privacy data protection and

information security policy.

Industry participants predict that increasing numbers of companies will

be poised to address data leakage in 2005, followed by product

implementations through 2007. Why? Because the problem is growing

exponentially and no one wants to be tomorrow’s headline news because of

it.

The time is now

To grasp the scope of a problem, a recent study by the Ponemon Institute

looked at 163 Fortune 1,000 companies. The study revealed that 75 percent

of them reported a security breach in the prior 12 months. The leaks may

have involved personal information about customers, personal information

about employees, involved confidential business information, and

intellectual property, including software source code.

”What we’re seeing is that many companies have poor access controls over

who gets data and no way of controlling the outflow of data,” says

Ponemon.

According to Gartner Inc., more than 80 percent of high-cost security

incidents occur when data from inside the organization gets out. Most

data leakage occurs by accident or because of poor business processes,

says Rich Mogull, a research director at Gartner. Whether accidental or

malicious, security breaches from inside the company aren’t addressed by

the bulk of security dollars spent on technology that addresses the

perimeter of the network.

While the problem of information exiting the company has always been

around, the depth and breadth of the problem has changed dramatically in

the past few years.

First off, information is more valuable and there’s more of it in

electronic form. For instance, there is more electronic communication,

such as email, and instant messaging. More people work remotely. Hackers

are evolving into professional criminals, and outsourcing is reaching a

fevered pitch.

Up until recently, most corporate security policy focused on keeping the

bad guys out. But now, says Jim Nisbet, chief technology officer at

Tablus Inc., ”The danger in what leaves the organization exceeds the

damage of what comes in.”

It’s the law

What’s really turned up the heat on stopping data leakage is a relatively

new patchwork of laws that make businesses liable for privacy and data

protection, and governance: California SB 1386 and A.D.1950,

Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act

(HIPAA), The Patriot Act, and Sarbanes Oxley Act (SOX), to name several.

The DeKalb Medical Center is a Decatur, Ga.-based hospital with multiple

facilities and a variety of network traffic that includes standard

business data, and local and Internet communications, as well as private

patient health information. Up until January 2004, it had no network

monitoring tools to prevent data leakage.

”Being a hospital, HIPAA put the issue on the forefront,” says Sharon

Finney, information security administrator at DeKalb, adding that with

regulation in place, noncompliance becomes actionable and public. The

deadline for HIPAA compliance is April, 2005. The hospital began

addressing HIPAA requirements three years ago.

With a clear-cut path for what it needed to do, the hospital conducted a

risk analysis, identified problem areas, established policies and

searched for a technology solution. ”We knew from the start, that we

needed a tool that could identify protected health care information out

of the box,” says Finney.

With only three monitoring products available, at the time, only Vericept

Corp. was able to meet the medical center’s turnkey requirements. DeKalb

uses the vendor’s Healthcare Compliance Solution, and Filter for HIPAA.

Not only are business being forced to comply with compliance regulations

or risk paying fines, they’re also aware of the cost of damage to the

company’s reputation. ”For DeKalb, or any organization that handles

confidential information, the damage to our reputation could be

staggering,” says Finney.

In addition to implementing a security solution to prevent data from

leaving the organization and establishing policy, education was key to a

successful outcome. DeKalb’s user population includes employees, vendors,

contractors, temporary workers, and off-site physicians and their staff.

”We had to bring users to a level where everyone was reading off of the

same page when it came to security policy and procedures,” she says.

DeKalb is currently upping the ante on data security, and is looking at

implementing a second layer of protection via an email encryption tool.

Sorting through solutions

While some tools, such as encryption or PKI, have been available for a

number of years, they tended to be difficult to manage.

”Most companies opted to focus on higher priority projects and wrote off

the cost of data loss as part of doing business,” says Paul Proctor,

vice president of security and risk strategies at Meta Group.

Currently, there are more than a dozen vendors offering solutions that

address data leakage. A fractured market, products use a variety of

techniques to identify whether data should be stopped or let through the

network. Some content monitoring and filtering solutions are application

specific, or, for example, watch email traffic, IM, or FTP. Other

products are more general and work below the application layer and look

at multiple channels.

An early Reconnex Inc,.customer, Extreme Networks, a worldwide vendor of

network infrastructure solutions, is concerned about insider threats or

the loss of high-value intellectual property.

”Depending on the size of the company and the data lost, the

ramifications can be crippling,” says Paul Hooper, CIO at Extreme. For

the high-tech company, the Reconnex inSight platform for data protection

security is viewed as an insurance policy.

In addition to help meeting regulatory compliance requirements, security

solutions that help companies protect data from leaving the corporate

network, also can help protect brand loss and a company’s competitive

stance in the market.

Like most security solutions, this next layer of security protection is

not going to help companies make money. ”What we’re selling is risk

reduction,” says Joseph Ansanelli, CEO and cofounder of Vontu Inc. He

says it’s also about saving money by preventing future events.

According to Gartner’s Mogull, limited product deployments begin at

between $20,000-$50,000 and can immediately cut down on data leakage.

”Limited product deployments may not protect everything, but if a

company has data stores that are more important than others, begin

there,” he says. Mogull suggests that companies start with small

implementations and grow from there, prioritizing where it’s important to

spend money.

Industry participants are quick to point out that preventing data leakage

is not about technology alone — it’s about people, processes and

technology. ”Companies must have a written policy and there must be

consequences for not adhering to that policy,” says Ponemon.

Similar articles

Latest Articles