Improve Your Data Safeguards: 3 Steps
Protecting data in dynamic and diverse environments is a formidable challenge. You need to focus on categorized data inventory, sharing mechanisms, and leak detection. Here's how.
DID YOU KNOW that almost one-quarter of the data breaches reported in the US in 2008 occurred at educational institutions? (Data courtesy of Open Security Foundation's ongoing DataLossDB project) Lost data included Social Security numbers, financial and medical records, as well as date of birth and other personal details. On campuses especially, where standardization across organizations and departments is still a dream, most security and IT pros grapple daily with this dilemma: How do we balance the need to protect sensitive data with the requirement that it be accessible to the people and systems that use it?
The challenges of securing data in academic organizations are vast. Sure, we employ centralized data warehouses and student information systems such as Banner, Blackboard, and PeopleSoft. Yet, each department may have separate record stores and applications that need to integrate with each other. What's more, staff, faculty, and student assistants often export or collect sensitive data in spreadsheets, documents, and databases scattered throughout the IT infrastructure. Protective measures cannot be too limiting, as these groups need to share the data to conduct research, educate, learn, and perform administrative tasks.
What's the solution? To protect data more effectively, you'll need to put into place a three-step plan that stipulates the following: 1) Identify and categorize data to define protective measures; 2) develop and document practical mechanisms for sharing data; and 3) implement processes and technologies for detecting data leaks.
First: Find and Understand Data
To determine how to secure your data, first identify which records warrant protection, and where they reside. Finding the data typically involves interviews and the review of existing documentation. Expand your findings by scanning file servers within your organization for potentially sensitive records. Budget-strapped? Free data discovery tools that can assist with this task include:
Be aware that you may find that free discovery tools are prone to producing false positives. If so, consider commercial products such as Identity Finder and Proventsure. And keep in mind that staff and faculty may also employ external third-party systems such as Pearson Education's CourseCompass for holding sensitive information. Understand which data are located in such environments, and what security precautions you should take to protect them.
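As an added illustration (not code from the article or from any of the tools it names), here is a minimal discovery scanner in Python that trims the false positives the free tools produce by checking Social Security number structure and a Luhn checksum on card-like digit runs; the scanned file contents are constructed samples.

```python
import re

# Constructed sample "files" standing in for records found on a file share.
SAMPLE_FILES = {
    "registrar/export.csv": "name,ssn\nJane Roe,219-09-9999\nJohn Doe,078-05-1120\n",
    "bursar/cards.txt": "card on file 4111 1111 1111 1111; order 1234-5678-9012-3456\n",
    "it/versions.txt": "build 000-12-3456 and ticket 666-01-0001 are not SSNs\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def valid_ssn(area, group, serial):
    """Structural SSA rules: area 000, 666 and 900-999 are never issued; group and serial are nonzero."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def luhn_ok(digits):
    """Luhn checksum; rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return (kind, match) pairs for records that pass the validity checks."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits

def scan_files(files):
    """Map each path to its hits, keeping only files that contain at least one."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report
```

To run it against a real share, feed `scan_files` a dict built from `Path(root).rglob("*")` reads of text-like files; the `it/versions.txt` sample shows the structural check discarding two SSN-shaped strings a plain regex would flag.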
Since attempting to apply the same rigor to protecting all data within the organization is overly expensive, classify the data according to sensitivity using nomenclature that makes sense within your environment, such as "public," "protected," and "proprietary." Then, decide the extent to which the data will need to be protected for each category.
Consider defining templates that explain what security mechanisms you will employ, depending on data sensitivity. For instance, "proprietary" may require multiple firewalls, hardened operating system, detailed logging, encrypted transfers, and regular vulnerability scanning. You would apply fewer controls to "protected" data, making it easier for people to share the data, and lowering security costs. And yes: A more formal risk management approach would define security requirements more accurately. Yet, such an approach is often impractical for organizations without strong process and risk discipline. Don't wait and hope for that kind of discipline to set in!
Whenever possible, minimize the number of locations where sensitive data are stored. At the same time, realize that the users of data need to have a convenient way of accessing the data to get work done. This may mean acknowledging that people will export and store sensitive records locally, and providing a secure and practical way of doing that.
Second: Help Users Share and Store Data
How will people exchange and store data securely? Don't expend your efforts on security controls without defining how people will share the sensitive data to get work done. According to recent Open Security Foundation figures, 14 percent of data breaches in the last year were the result of the accidental actions of an individual within a given organization. This suggests that data users do not know how to properly share sensitive data.
Too often, IT departments define well-meaning security requirements, such as "encrypt sensitive attachments when e-mailing them," without explaining how to do that, or confirming that the users know how to use the corresponding security tools. Don't assume that the users know how and when to use the tools! Offer training, make the policies and procedures easily accessible, and validate that the right people understand the instructions.
Then too, consider how faculty and staff will exchange data not only among themselves, but also with parties outside of your organization. Protecting data's confidentiality may involve encrypting the messages or traffic flows via VPN links, encrypted file transfer (SFTP, or FTP over SSL/TLS), or e-mail encryption. Encrypting e-mailed data may involve tools such as GnuPG, or enterprise-class products such as PGP, IronPort, and Tumbleweed.
Don't forget to protect data "at rest": data that are being stored, not in the process of being transferred. In recent years, full-disk encryption software has gained popularity for laptops and, in some cases, for desktops. Product choices include the freely available TrueCrypt, and commercial tools such as PGP WholeDisk, Utimaco SafeGuard Easy, and many others. Vendors of such solutions usually offer products for encrypting mobile USB drives, as well. They also may allow you to create virtual encrypted volumes that, residing on your servers, could house sensitive data in a highly controlled manner.
Further, make sure staff, students, and faculty understand which data locations can be considered private, and which are publicly accessible. Too many people underestimate the power of modern search engines to find and index information in locations that many assume to be unknown or inaccessible outside the organization.
Third: Detect the Data Leaks, to React Quickly
Despite your best efforts, sensitive data may get exposed, often because of an oversight in storing, sharing, or securing them. Consider how you will detect the leak quickly to minimize the incident's scope and severity.
The data discovery process, as well as a security assessment (see "Where the Risks Are," CT October 2008), can help discover data where they don't belong. In addition, make use of web search engines to identify potentially sensitive records accessible to the public over the internet. For example, use "site:website.sample.edu" to limit a Google query to pages on a particular site. To look for Adobe Acrobat and Microsoft Excel documents, add "filetype:xls OR filetype:pdf" to the query. Google lets you set up e-mail or RSS alerts, so you will be notified whenever the search produces a new result.
You also can use the data discovery tools mentioned earlier to identify unexpected data stores. In addition, one specialized tool for finding sensitive data among public data sets is Paterva's Maltego.
Another class of tools you may find useful is data leakage prevention (DLP) tools. These products are designed to monitor data leaving your environment via the network and USB keys, in order to detect and, sometimes, block the transfer of sensitive records. When implemented properly, they can offer excellent visibility into the way data are being shared within your organization and with external entities. DLP tools' detective capabilities are particularly useful in environments where it's difficult to implement preventive security controls that restrict the flow of data. Products in the DLP space vary in price and capabilities, and are sold by companies such as Symantec (offering products formerly by Vontu), Code Green Networks, and McAfee (offering products formerly by Onigma and Reconnex).
One More Thing…
Keep an eye on public data breaches. Knowing what data breaches have occurred can help you understand the leading causes of the incidents, so you can adjust your security controls appropriately. Further, referring to specific, real-world events during management discussions can help you justify the budget you require to safeguard data at your organization. Several projects track this information, including:
In the end, if you understand the threats, keep tabs on your data, and define realistic and secure ways of using the data, you'll stand a chance of preventing your organization from appearing on the breach lists.