It's All About the Data

By Ken Biery, Jr., CPP, CISSP, and Mike Hager, CISSP

Data Security

The most dynamic aspect of information security lies in protecting the data itself. Data security is one of the most effective layers for reducing the exposure of sensitive information to both internal and external threats. The focus of this layer is to put the protection around the data itself and keep it in place regardless of where the data travels. This approach is key, as data mobility increases every day.

Solutions for providing this final layer of protection are somewhat imperfect because they are early in their product lifecycles. However, they are quickly getting better, and the growing threats necessitate giving them serious consideration. They include such technologies as data-specific encryption and digital rights management.

Security professionals can no longer afford to wait and see what happens in the industry. The time for action is here.

Encryption. Sensitive data can be encrypted while it sits in databases, travels across the network or Internet, or is stored in other file types. It is best to have encryption that travels with the sensitive information when it leaves the organization’s environment, so that a copy on a lost laptop, a USB stick, or a partner’s mail server is as useless to a thief as it would be on the file server. This usually also means leveraging other infrastructure, such as a public key infrastructure (PKI) to distribute keys and rights management to control what recipients may do with the data after it is decrypted. The protection is only as strong as the handling of the keys: anyone who can obtain the key can read the data wherever it travels.

If protecting the organization’s sensitive information is not enough motivation, there are numerous regulations and standards to force the issue. Many specify using encryption to protect information as it travels as well as making sure it is encrypted while at rest. The requirements apply equally to backup systems and data.

Mobile devices. Mobile devices are the most recent players in the data exposure game. The connectivity and the increasing capabilities of mobile devices have enhanced productivity, but they have also led to more sensitive information being scattered to more places. The vulnerability is exacerbated because workers think of phones and PDAs more as their own personal property than as a “pocketful of organizational assets.” A company must use both policies and technology to reduce this threat.

Laptops should, at least, have an encrypted directory or volume that stays protected even after the system has fully booted. Whole-disk encryption protects everything only while the machine is powered off or the volume is locked; once the user has unlocked it, the operating system and any malware running on it see plaintext, so an inactivity lock and a separately locked volume for the most sensitive material still matter. PGP Corporation and other commercial vendors offer whole-disk encryption for the entire hard drive. TrueCrypt offers a free encryption product, but it does not offer a centrally managed solution. For Windows Vista and Server 2008, Microsoft has added drive and volume encryption called BitLocker Drive Encryption, which can seal its key in a Trusted Platform Module (TPM) so that the disk is unlocked only if the early boot components have not been tampered with.

More security is being built into the latest mobile operating systems for phones and PDAs. Microsoft’s mobile phone platform allows some group policies to be extended to the handset, and it has some basic data encryption capabilities. Credant, Utimaco, and Trust Digital offer products that encrypt data on mobile phones and devices. In addition, these devices typically now have power-on PINs or passwords along with inactivity-locking options.

Some mobile phones allow system administrators to remotely wipe data, which is useful if the device is reported lost or stolen. Additionally, most carriers can reset the phone and potentially wipe sensitive information. A remote wipe only works if the device is still powered on and reachable on the network, so it is a backstop for the PIN and on-device encryption rather than a substitute for them.

Rights management. One way to control and protect sensitive information is to limit who can access it, what they can do with it, where the information can be sent, and the environment it can be used in. Digital rights management solutions do this by electronically setting and controlling user access rights. They can also determine whether data can be modified, copied, printed, e-mailed, or put on portable storage devices. The software can also provide an audit log of information activities.

There are a number of approaches to rights management. Some require a public key infrastructure (PKI) while others do not. PKI provides certificate-based authentication of users (two-factor only when the private key is held on a smart card or token that a PIN unlocks) and enables the encryption of messages sent across public networks.

Microsoft Windows Rights Management Services (RMS) relies on digital certificates and licenses that the RMS server itself issues, rather than on a general-purpose X.509 PKI. RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use. It applies to both online and offline environments as well as inside and outside of the firewall.

RMS helps protect information through what are called persistent-usage policies: the rights travel with the information no matter where it goes, because the content is encrypted and only an RMS-enabled application that has obtained a use license from the server can open it and enforce the rights it grants. Organizations can use RMS to help prevent sensitive information (financial reports, product specifications, customer data, confidential e-mail messages) from intentional or accidental exposure to unauthorized users.
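The two ideas above, encryption that travels with the data (from the Encryption paragraph) and a usage policy that stays attached to it (the persistent-usage policies just described), can be seen together in the following added example. It is illustrative Go code written for this page, not RMS or any vendor’s product, and it assumes a 256-bit AES key that both sides already hold (in a real deployment that key is what the rights server or PKI hands out). The envelope format and the Policy fields are invented for the example. The policy is bound to the ciphertext as AES-GCM associated data, so it stays readable for a gateway that only needs the label, but changing or removing it makes the data unopenable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
)

// Policy travels with the data as AES-GCM associated data: readable without the key, but
// covered by the tag, so it cannot be altered or stripped without making the data unopenable.
type Policy struct {
	Classification string   `json:"classification"`
	Principals     []string `json:"principals"` // who may open the data
	Actions        []string `json:"actions"`    // view, print, copy, forward, ...
}

// Envelope layout, defined for this example only (not a standard format):
// 4-byte big-endian policy length | policy JSON | 12-byte nonce | ciphertext + 16-byte tag
const nonceLen, tagLen = 12, 16

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and binds pol to the ciphertext.
func Seal(key []byte, pol Policy, plaintext []byte) ([]byte, error) {
	polJSON, _ := json.Marshal(pol) // cannot fail for a struct of strings
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // fresh per call; a nonce must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := make([]byte, 4, 4+len(polJSON)+nonceLen+len(plaintext)+tagLen)
	binary.BigEndian.PutUint32(env, uint32(len(polJSON)))
	env = append(append(env, polJSON...), nonce...)
	return gcm.Seal(env, nonce, plaintext, polJSON), nil // polJSON is the associated data
}

// split parses the envelope header; it verifies nothing.
func split(env []byte) (polJSON, nonce, ct []byte, err error) {
	if len(env) < 4 {
		return nil, nil, nil, fmt.Errorf("envelope too short")
	}
	n := int(binary.BigEndian.Uint32(env))
	if n < 0 || len(env) < 4+n+nonceLen+tagLen {
		return nil, nil, nil, fmt.Errorf("envelope truncated")
	}
	return env[4 : 4+n], env[4+n : 4+n+nonceLen], env[4+n+nonceLen:], nil
}

// Open checks the tag over policy and ciphertext together, then decrypts; tampering or a wrong key fails here.
func Open(key, env []byte) (pol Policy, pt []byte, err error) {
	polJSON, nonce, ct, err := split(env)
	if err != nil {
		return pol, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return pol, nil, err
	}
	if pt, err = gcm.Open(nil, nonce, ct, polJSON); err != nil {
		return pol, nil, fmt.Errorf("authentication failed: %w", err)
	}
	err = json.Unmarshal(polJSON, &pol)
	return pol, pt, err
}

// Allowed is the check an RMS-style application makes before honouring an action.
func Allowed(pol Policy, principal, action string) bool {
	has := func(list []string, s string) bool {
		for _, x := range list {
			if x == s {
				return true
			}
		}
		return false
	}
	return has(pol.Principals, principal) && has(pol.Actions, action)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // 32-byte demo key; real keys come from the key server or PKI
	pol := Policy{"confidential", []string{"alice"}, []string{"view"}}
	env, _ := Seal(key, pol, []byte("constructed sample: Q3 revenue forecast"))
	env[4+10] ^= 0x20 // an attacker edits one byte of the policy in transit
	_, _, err := Open(key, env)
	fmt.Println("tampered envelope rejected:", err != nil, "| alice may print:", Allowed(pol, "alice", "print"))
}
```

Run it with `go run`: the tampered envelope is rejected and Allowed reports that alice may view but not print. The binding guarantees that policy and data cannot be separated; it does not by itself stop printing or copying. Enforcement still depends on the receiving application holding the key and honouring the policy, which is why RMS ties key release to RMS-enabled applications, and why a user who obtains the raw key can do anything with the plaintext.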

RMS is appealing because it is integrated with the latest versions of Windows server, SharePoint server, and Office applications. However, it does require integration with other Microsoft components such as Active Directory® directory service, Microsoft SQL Server™, and Rights Management Add-on for Internet Explorer (RMA).

RMS licensing for the server component and 1,000 clients (at $37 per client) will cost around $55,000. It will also typically take a minimum of a month to integrate a solution of this size. The degree of difficulty really depends on an organization’s in-house Microsoft products expertise.

Several other companies, such as Encryptx and Liquid Machines, have offerings that do not rely on a Microsoft PKI, but can leverage some of the Microsoft components. Encryptx uses a “wrapper” around information to control access and track actions. Liquid Machines uses what they call a “droplet” to accomplish many of the same functions. Both approaches provide an audit log of activity involving the information. They also provide protections on a number of file formats other than Microsoft’s.

Rights management capabilities are becoming more mature and scalable. They will not be trivial to integrate into an organization’s environment, but when in place, they tend to be relatively simple for end-users to use. They rarely slow down the pace of business.

Leak prevention. Information leak prevention (ILP), also called data leak (or data loss) prevention (DLP), is also a relatively new area of information protection. It is related to rights management but generally involves a broader organizational attempt to protect data. While rights management tends to be about wrapping certain documents and file types in protection, ILP focuses more on protecting and monitoring an organization’s gateways.

ILP solutions are focused on preventing sensitive information from leaking out via e-mail, file transfers, instant messaging, Web postings, and portable storage devices or media. This approach requires integration with the network infrastructure such as mail servers and Web servers. ILP sensors are placed at the points where data can leave the network so that they can alarm on and/or block sensitive information on its way out. A sensor can only inspect what it can read: traffic encrypted end to end (SSL-protected webmail, for instance) passes it opaque unless the sensor is paired with a proxy that terminates the encryption, and the same applies to files that users have encrypted themselves.

Most ILP solutions ship with default templates that recognize common types of sensitive information such as Social Security and credit card numbers. Custom templates can be developed to meet an organization’s specific needs. Templates that match only on digit patterns produce false alarms on order numbers and similar strings, so good ones validate each match (for example, by checking a candidate card number’s Luhn checksum) before raising an alert.
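The following added example shows what a template with validation looks like in practice: a small gateway-style scanner in Go, written for this page (not any vendor’s product), run over a constructed outbound message. It looks for Social Security and credit card numbers as the default templates do, plus the “confidential”/“secret” labels that the discovery scanners described later search for, and it validates each hit (Luhn checksum for cards, structural rules for SSNs) so that an order number or a placeholder does not trigger an alarm.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one hit an ILP sensor would alarm on or block.
type Finding struct {
	Line  int    // 1-based line in the scanned content
	Kind  string // "SSN", "CARD" or "LABEL"
	Value string // redacted form, safe to write to the alert log
}

var (
	ssnRe   = regexp.MustCompile(`\b([0-9]{3})-([0-9]{2})-([0-9]{4})\b`)
	cardRe  = regexp.MustCompile(`\b(?:[0-9][ -]?){12,18}[0-9]\b`) // 13-19 digits, optional separators
	labelRe = regexp.MustCompile(`(?i)\b(confidential|secret)\b`)
)

// validSSN rejects structurally impossible numbers (area 000, 666 or 9xx,
// group 00, serial 0000) so ticket numbers of the same shape stay quiet.
func validSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area)
	return a != 0 && a != 666 && a < 900 && group != "00" && serial != "0000"
}

// luhn is the checksum every major card brand uses; a 16-digit order number
// that fails it is not a card.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// redact keeps only the last four digits so the alert itself does not leak the number.
func redact(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan applies the three templates to each line and returns only validated hits.
func Scan(content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if validSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{i + 1, "SSN", "***-**-" + m[3]})
			}
		}
		for _, m := range cardRe.FindAllString(line, -1) {
			if d := onlyDigits(m); luhn(d) {
				out = append(out, Finding{i + 1, "CARD", redact(d)})
			}
		}
		if m := labelRe.FindString(line); m != "" {
			out = append(out, Finding{i + 1, "LABEL", strings.ToLower(m)})
		}
	}
	return out
}

// Constructed sample: an outbound message as a mail-gateway sensor would see it.
const sample = `Subject: Q3 customer list (CONFIDENTIAL)
Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111 exp 03/10
Order 1234567890123456 shipped; call 555-123-4567
Test card 4111-1111-1111-1112 declined at checkout
Employee 000-12-3456 (placeholder number)`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.Value)
	}
}
```

Only three of the five candidate strings in the sample survive validation: the 16-digit order number and the Luhn-invalid test card are dropped, as is the 000-prefixed placeholder. Real products go further (lexicons, document fingerprints, keywords near a number), but match-then-validate is the core of a usable template, and the redacted Value is what should reach the alert log, not the number itself.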

The company must first have an information classification program. Classification typically begins by conducting an assessment of the business value of certain kinds of information and of the exposures. Authorization is also an important component. Organizations need to identify which employees should have access to which data, and they should have clear policies and protocols in place for data handling and access.

The price of most ILP/DLP protection solutions starts at around $25,000, and organizations can expect to pay from $30 to $60 per client agent. Tablus, Vontu, and Reconnex are several ILP providers that have received favorable reviews. Data identification scanners that search across an enterprise and inventory information may cost an additional $20,000. These products seek out data, such as Social Security or credit card numbers, or anything labeled secret or confidential.

Setting up such a system is time consuming and can be technically challenging. The company may, therefore, want to budget for some professional services to help with the project. Services should include assessment, design, implementation, and tuning the solution for the production environment.

Solutions such as ILP are designed to be just one component of a successful information security strategy. The others include, as discussed, protecting both the data and the applications, systems, and networks they pass through or reside on. Companies that adopt this defense-in-depth approach will be less likely to have proprietary information fall into the wrong hands.

Ken Biery, Jr., CPP, CISSP, is a senior security architect for Unisys Corporation’s Security Advisory Services practice in Kent, Washington. Biery has co-authored 10 books and numerous articles about information, operations, and physical security. He also holds CISM, G7799, and CWSP certifications. He is a member of ASIS International.

Mike Hager, CISSP, CISM, is a senior security architect for Unisys Corporation’s Security Advisory Services, and he resides in Denver. Like Biery, he has many years of experience in designing and managing business risk management programs. He holds numerous security certifications in addition to those listed and a number of U.S. government certifications.

See all the latest links and resources that supplement the current issue of Security Management magazine.