Businesses need defense-in-depth strategies for protecting their sensitive data. They should start at the network perimeter and go from there to the operating system and applications and finally to the data itself.
Companies face a dilemma. To maximize information’s value, they must make it available to employees, business partners, and customers. That availability makes it difficult for a company to control access and limit how many times information is copied. As a result, proprietary data gets scattered throughout the organization and other entities, increasing the chance that it will fall into the wrong hands. To avoid that problem, businesses need defense-in-depth strategies for protecting their sensitive data. They should start at the network perimeter and go from there to the operating system and applications. The final layer concerns the data itself.
The network is the first layer of protection for information. Although protection options have been around for a long time, this layer often remains porous because of misconfiguration and inadequate coverage of external connectivity.
Basic protection typically consists of an outer firewall; additional ones are added for more granular protection. Certain databases, for example, will likely need to be protected from all but a few applications. Having these layers can be expensive, however. Enterprise firewalls can range in price from a few thousand dollars to more than $100,000.
Installation is only the first step. The firewall is useful only if it is configured to deny anything that is not specifically allowed. Although configuring the network this way can be challenging, default-deny is considered an industry best practice, and most companies follow it.
The person configuring the system must determine what legitimate network traffic consists of and shape the filtering parameters to match. The biggest challenge for system administrators typically lies in researching and identifying what type of Internet traffic the business allows and requires.
Once legitimate traffic is understood, anything that is not expected should trigger an alarm, be blocked, or both. There should also be content filtering to keep unwanted programs, malware, and content from entering the network, usually via Web browsing.
To ensure that the firewall is providing its intended protection, the perimeter should be constantly monitored for attacks and routinely tested for vulnerabilities.
In addition to blocking traffic not specifically expected, the company may establish a quarantined network segment to limit connectivity to unauthenticated and guest users.
Hybrid protection solutions, such as network access control (NAC), add another protective layer. They can ensure that systems wanting to get on the network meet a certain level of security criteria. This usually includes checking for updated antivirus software, current patches, restricted browser settings, and functioning personal firewalls. Cisco (Network Admission Control), Microsoft (Network Access Protection), and other single-solution providers check systems for these requirements before granting them network access.
The implementation difficulty and cost for NAC can vary considerably depending on the network environment in which it is deployed. Older network infrastructures may have to be upgraded to accommodate NAC’s ability to inspect, quarantine, or deny a system access. Most NAC solutions depend on using network routing and services along with authentication resources.
The entry point cost of a basic NAC solution is around $20,000. However, it can range into the hundreds of thousands of dollars or more based on the size of the network environment. Most organizations require a minimum of three months to do the implementation and solution “tuning” required.
There is another cost beyond additional hardware and software. It is the time and effort required to define the policies that a system must meet to allow network access. While NAC is designed to protect the organization, it must not inhibit normal operations. The impact of NAC can be minimized and its protection maximized by well-researched and validated policies. NACs are used in conjunction with firewalls. While firewalls are used mainly for filtering traffic, they don’t assess how systems sending that traffic are configured.
It’s best to use hardened operating systems as an organization’s standard configuration. Hardening is done by disabling unnecessary features and changing default configurations. Hardened systems are easier to support and troubleshoot, and they shrink the organization’s attack surface.
Locking systems down before they are deployed in the production environment leaves less opportunity for exploits. The Center for Internet Security offers a free or low-cost toolset that provides benchmarks for securing the major operating systems.
Even with protection in place at the network perimeter, a company cannot be certain of stopping every attack there short of blocking all traffic. Since that’s not generally an option, each system should have its own firewall and IPS agents, as well as antivirus software.
Applications, which are the focus of many attacks, represent the third layer for protecting information. There are two ways to increase application security: source code scans and application vulnerability scans.
Source code scans occur during application development. They examine vulnerability-prone areas of the code, such as buffer handling, for flaws. There are several commercial products from Ounce Labs, Fortify Software, and others for this task.
If the organization is not developing the software itself, it should ask the software vendor to validate that a scan has been performed. The Open Web Application Security Project (OWASP) and the SANS (SysAdmin, Audit, Network, Security) Institute have Web sites that are good application security resources.
The second approach is application scanning, which looks at how applications and their services are configured. It should be conducted during the testing phases and again after production deployment. While network vulnerability scanners can detect some application vulnerabilities, it is best to use an application security scanner like WebInspect from SPI Dynamics or WatchFire from IBM. The security of an application, like that of an operating system, directly affects the protection of the information flowing through it.
Application and database firewall solutions are starting to emerge as additional protection against application-focused attacks. The Payment Card Industry (PCI) security standard has strongly recommended that these firewalls be used by businesses doing credit card transactions. In fact, application firewalls will be one way to meet PCI’s application protection requirement in mid-2008. Many businesses not subject to PCI also stand to benefit from this protection, especially for their Web applications.
The most dynamic aspect of information security lies in protecting the data itself. Data security is one of the most effective layers for reducing the exposure of sensitive information to both internal and external sources. The focus of this layer is to put the protection around the data itself and keep it in place regardless of where the data travels. This approach is key, as data mobility increases every day.
Solutions for providing this final layer of protection are somewhat imperfect, because it is early in their product lifecycles. However, they are quickly getting better, and the growing threats necessitate giving them serious consideration. They include such technologies as data-specific encryption and digital rights management.
Security professionals can no longer afford to wait and see what happens in the industry. The time for action is here.
Encryption. Sensitive data can be encrypted while it is in databases, traveling across the network or Internet, or stored in other file types. It is best to have encryption that can travel with the sensitive information when it leaves the organization’s environment. This usually also involves leveraging other cryptographic approaches such as a public key infrastructure (PKI) and rights management.
If protecting the organization’s sensitive information is not enough motivation, there are numerous regulations and standards to force the issue. Many specify using encryption to protect information as it travels as well as making sure it is encrypted while at rest. The requirements apply equally to backup systems and data.
Mobile devices. Mobile devices are the most recent players in the data exposure game. The connectivity and the increasing capabilities of mobile devices have enhanced productivity, but they have also led to more sensitive information being scattered to more places. The vulnerability is exacerbated because workers think of phones and PDAs more as their own personal property than as a “pocketful of organizational assets.” A company must use both policies and technology to reduce this threat.
Laptops should, at least, have an encrypted directory or drive that is protected even after the system has fully booted up. Pretty Good Privacy (PGP) and other commercial vendors offer whole-disk encryption for the entire hard drive. TrueCrypt offers a free encryption product, but it does not offer a centrally managed solution. For Windows Vista and Server 2008, Microsoft has added drive and volume encryption capability called BitLocker Drive Encryption.
More security is being put into the latest mobile operating systems of phones and PDAs. Microsoft’s mobile phone platform allows some group policies to be extended to the handset, and it has some basic data encryption capabilities. Credant, Utimaco, and Trust Digital offer products that will encrypt data on mobile phones and devices. In addition, these devices typically now have power-on PINs or passwords along with inactivity-locking options.
Some mobile phones allow system administrators to remotely wipe data; that can be useful if the device is reported lost or stolen. Additionally, most carriers can reset the phone and potentially wipe out sensitive information.
Rights management. One way to control and protect sensitive information is to limit who can access it, what they can do with it, where the information can be sent, and the environment it can be used in. Digital rights management solutions do this by electronically setting and controlling user access rights. They can also determine whether data can be modified, copied, printed, e-mailed, or put on portable storage devices. The software can also provide an audit log of information activities.
There are a number of approaches to rights management. Some require public key infrastructure (PKI) while others do not. PKI provides users with two-factor authentication and enables the encryption of messages sent across public networks.
Microsoft Windows Rights Management Services (RMS) requires the use of digital certificates as its form of PKI. RMS is information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use. It applies to both online and offline environments as well as inside and outside of the firewall.
RMS can help protect information through what are called persistent-usage policies; that means that they remain with the information no matter where it goes. Organizations can use RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentional or accidental exposure to unauthorized users.
RMS is appealing because it is integrated with the latest versions of Windows server, SharePoint server, and Office applications. However, it does require integration with other Microsoft components such as Active Directory® directory service, Microsoft SQL Server™, and Rights Management Add-on for Internet Explorer (RMA).
RMS licensing for the server component and 1,000 clients (at $37 per client) will cost around $55,000. It will also typically take a minimum of a month to integrate a solution of this size. The degree of difficulty really depends on an organization’s in-house Microsoft products expertise.
Several other companies, such as Encryptx and Liquid Machines, have offerings that do not rely on a Microsoft PKI, but can leverage some of the Microsoft components. Encryptx uses a “wrapper” around information to control access and track actions. Liquid Machines uses what they call a “droplet” to accomplish many of the same functions. Both approaches provide an audit log of activity involving the information. They also provide protections on a number of file formats other than Microsoft’s.
Rights management capabilities are becoming more mature and scalable. They will not be trivial to integrate into an organization’s environment, but when in place, they tend to be relatively simple for end-users to use. They rarely slow down the pace of business.
Leak prevention. Information leak prevention (ILP), also called data leak prevention (DLP), is another relatively new area of information protection. It is a variation of rights management but generally involves a broader organizational attempt to protect data. While rights management tends to be about wrapping certain documents and file types in protection, ILP focuses more on protecting and monitoring an organization’s gateways.
ILP solutions are focused on preventing sensitive information from leaking out via e-mail, file transfers, instant messaging, Web postings, and portable storage devices or media. This approach requires integration with the network infrastructure such as mail servers and Web servers. ILP sensors are placed at the points where data can leave the network so that they can alarm and/or block sensitive information from leaving the network.
Most ILP solutions have some default templates to recognize common types of sensitive information such as Social Security and credit card numbers. Custom templates can be developed to meet an organization’s specific needs.
Before deploying ILP, the company must have an information classification program. Classification typically begins with an assessment of the business value of certain kinds of information and of the exposures they face. Authorization is also an important component. Organizations need to identify which employees should have access to which data, and they should have clear policies and protocols in place for data handling and access.
The price of most ILP/DLP protection solutions starts at around $25,000, and organizations can expect to pay from $30 to $60 per client agent. Tablus, Vontu, and Reconnex are among the ILP providers that have received favorable reviews. Data identification scanners that search across an enterprise and inventory information may cost an additional $20,000. These products seek out data, such as Social Security or credit card numbers, or anything labeled secret or confidential.
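As an added illustration (not code from the article or from any vendor it names), the following Python scanner shows what the default templates described above, and the data identification scanners mentioned in this paragraph, actually do: recognize credit card numbers, Social Security numbers, and classification labels in text. The sample messages and template names are constructed for the example; the Luhn checksum and the SSN range checks are the kind of tuning that keeps a template from firing on ordinary runs of digits.

```python
import re

# Constructed sample messages (no real data) to run the scanner over.
SAMPLE_MESSAGES = {
    "msg1": "Quarterly numbers attached. Card on file: 4111 1111 1111 1111, exp 12/29.",
    "msg2": "Applicant SSN 123-45-6789, please process by Friday.",
    "msg3": "Draft marked CONFIDENTIAL - do not forward outside the company.",
    "msg4": "Order #4111111111111112 shipped; tracking 000-00-0000.",
    "msg5": "Lunch at noon?",
}

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
LABEL_RE = re.compile(r"\b(confidential|secret|restricted)\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")

def scan_text(text: str) -> list[str]:
    """Return the template names that fire on this text, as an ILP sensor would."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("credit_card")
            break
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append("ssn")
            break
    if LABEL_RE.search(text):
        hits.append("classification_label")
    return hits

def scan_messages(messages: dict[str, str]) -> dict[str, list[str]]:
    """Map each message id to its findings; an empty list means nothing to alarm on."""
    return {mid: scan_text(text) for mid, text in messages.items()}
```

Note that msg4 produces no findings: its card-like number fails the Luhn check and 000-00-0000 is not an issuable SSN, which is exactly the false-positive tuning a production deployment spends its time on.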
Setting up such a system is time consuming and can be technically challenging. The company may, therefore, want to budget for some professional services to help with the project. Services should include assessment, design, implementation, and tuning the solution for the production environment.
Solutions such as ILP are designed to be just one component of a successful information security strategy. The others include, as discussed, protecting both the data and the applications, systems, and networks they pass through or reside on. Companies that adopt this defense-in-depth approach will be less likely to have proprietary information fall into the wrong hands.
Ken Biery, Jr., CPP, CISSP, is a senior security architect for Unisys Corporation’s Security Advisory Services practice in Kent, Washington. Biery has co-authored 10 books and numerous articles about information, operations, and physical security. He also holds CISM, G7799, and CWSP certifications. He is a member of ASIS International.
Mike Hager, CISSP, CISM, is a senior security architect for Unisys Corporation’s Security Advisory Services, and he resides in Denver. Like Biery, he has many years of experience in designing and managing business risk management programs. He holds numerous security certifications in addition to those listed and a number of U.S. government certifications.