Data in Motion: Protecting Data From Running Away

Corporate Data Protection Policy

Those charged with protecting corporate data assets frequently lament the days when a corporate network was an interconnected system that had definitive boundaries, was not connected to the internet and only had to contend with a print copy or floppy disk containing sensitive data escaping the corporate boundaries.
There is frequently a trade-off for every advance in technology systems. The internet is a tremendous resource for research, email allows efficient communication, USB memory drives provide vast storage, and laptops/PDAs provide portability for the mobile workforce. The trade-off for these technologies is that the convenience they provide makes protecting corporate data assets very difficult, as corporate data can now reside in many different places. Security professionals commonly refer to this as protecting Data at Rest and Data in Motion. How do you protect Data at Rest when there are now so many places data can reside?

This article will provide you with guidance on areas to consider when defining a security strategy for protecting corporate data, as well as some examples of ways to mitigate the risk presented by these technologies.

Technologies to consider for a Corporate Data Protection Policy:

1. PDA

Risk - This is one of the most contentious issues in corporate data security today. The majority of these devices have the ability to send and receive email as well as store documents. Combine this capability with the small device size and the potential for data loss grows rapidly.

Mitigation -
  - Enforce strong password protection on the device, as this will force the user (or attacker) to successfully enter their password to use the device.
  - Require device level encryption. While most devices do not offer device level encryption out of the box, there are a number of vendors that do, and some offer the ability to centrally control and configure these settings.
  - Use email encryption software for sending and receiving email to these devices.
  - Use anti-virus and a personal firewall.

2. Email

Risk - Employees will (purposely or inadvertently) mail sensitive documents to unauthorized external addresses, or sensitive emails will be read by unauthorized persons.

Mitigation - While these two mitigation strategies may seem to be diametrically opposed at first, they can actually be configured to work in concert.
  - Use email content inspection and policy engines to ensure that all email sent to and from your organization meets corporate data protection standards.
  - Encrypt any sensitive email sent to and from your organization, and require vendors and partners to do the same when communicating with you when sensitive information is transmitted.

3. Portable Hard Drives

Risk - Large hard drive size can allow a large amount of corporate data to be lost.

Mitigation - In most corporations, there will be no need to use this type of device. In the instances where these devices are required and permitted, use disk encryption to prevent accidental data loss. To prevent intentional data loss, audit these devices either manually or via software to ensure that corporate secrets remain secret.

4. Laptops

Risk - Imagine that you have now taken your file server, database server, and any other corporate server and placed them in a public location connected to the internet without any protection. This is the risk of loss for a laptop. Typically laptops have VPN access to corporate resources, email cached for offline use, documents stored locally for working offline and a whole cadre of other corporate information stored on them.

Mitigation - This is almost an entire security plan in itself, but here are the broad areas of focus: full disk encryption, VPN quarantine, multi-factor authentication, anti-virus, anti-spam, personal firewall, wireless connectivity, and software installation policies.

5. USB Memory Sticks

Risk - USB memory sticks have all but made the floppy extinct. These memory sticks are portable, fast, and have large storage capacities, which translates to a quick and easy way to remove company confidential data (coke).

Mitigation - A usage policy might be in order prohibiting their use, or one company I did work for actually filled the USB ports with epoxy. It is also possible to prevent users from writing to the USB drive via group policy, a registry setting or similar items in non-Windows operating systems. If USB memory sticks have become common and useful to your organization, a software solution such as Vontu or DRM that tracks sensitive data and its use can help prevent data leakage.

6. CD/DVD Burners

Risk - If a corporate machine is equipped with a CD or DVD burner, corporate data can be burned to disk and removed.

Mitigation - Do not order new machines with CD or DVD burners. If CD or DVD burning is necessary, it can be done from a centrally stationed, audited, and controlled machine.

7. Home Computers

Risk - Allowing home computers to access the corporate network via VPN.

Mitigation - Incorporate a policy that does not allow non-corporate controlled and configured machines to access corporate resources. Enforce this policy with network quarantine and regular audits. Telecommuters present a unique issue in that it can be very beneficial to both the employee and the company to let employees telecommute; however, it also can present a higher risk if left unattended.

Conclusion

A quick glance at the items to consider for your data protection policy clearly indicates that the world has changed and, as IT professionals charged with data security, we face new and unique challenges every day.
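The email mitigation in item 2, where content inspection and encryption work in concert, can be expressed as a single gateway decision: inspect first, then allow, encrypt or block depending on where the message is going. This is an added example, not code from the article; the domains, label phrases and the card-number check are assumptions chosen for illustration.

```python
import re
from email.message import EmailMessage

# Assumed policy values for this example; none of them come from the article.
INTERNAL_DOMAIN = "corp.example"
ENCRYPTED_PARTNERS = {"partner.example"}  # domains with mail encryption agreed
LABEL = re.compile(r"\b(company confidential|internal only)\b", re.I)
DIGIT_RUN = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers

def luhn_ok(digits):
    """Luhn checksum: filters out long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_sensitive(msg):
    """Inspect subject, text parts and attachment names of one message."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
        elif part.get_filename():
            chunks.append(part.get_filename())
    text = "\n".join(chunks)
    if LABEL.search(text):
        return True
    return any(luhn_ok(re.sub(r"\D", "", m.group()))
               for m in DIGIT_RUN.finditer(text))

def decide(msg, envelope_rcpts):
    """Gateway verdict for an outbound message: allow, encrypt or block."""
    domains = {r.rsplit("@", 1)[-1].lower() for r in envelope_rcpts}
    external = domains - {INTERNAL_DOMAIN}
    if not external or not is_sensitive(msg):
        return "allow"
    if external <= ENCRYPTED_PARTNERS:
        return "encrypt"      # sensitive, but every outside domain is covered
    return "block"            # sensitive and headed somewhere unapproved

def sample(body, subject="Q3 numbers"):
    """Build a constructed test message (not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

The verdict is computed from the SMTP envelope recipients rather than the To/Cc headers, so Bcc recipients are covered by the same check.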
©2008 About, Inc., A part of The New York Times Company. All rights reserved.


