How data leaks occur
Now that we have identified the "what," we can move on to the "how." This "how" will be divided into two parts. The first "how" will focus on how information and data leak from an organization. The second "how" will be concerned with how an organization can guard against this leakage and reduce the risks associated with it.
There are many egress vectors for information and data leakage. While certainly not a complete list, some examples of these egress vectors include personal e-mail, P2P, unauthorized encrypted transmissions, malware infections in endpoint devices, unauthorized PDAs, smart phones and MP3 players, social engineering (both electronic and non-electronic), faxing to personal e-mail, unauthorized media (CD/DVD, USB drive, memory stick, etc.), and traditional postal and overnight services.
In any given organization there are no doubt additional egress vectors for information and data leakage that may be specific to the type of business being conducted. The important thing is to understand what these outward vectors are, so that appropriate controls can be defined and instituted to provide the required level of security to the majority of the information in the environment. The previous statement was crafted using the word "majority" for a good reason: as with any other set of security controls, nothing should be considered fool-proof. While it is essential that an organization takes every reasonable precaution to protect its restricted data, it is impossible to ensure that all data is secure all of the time, especially if you are in a business that by its very nature is a target for information leakage.
How to protect against data leaks
Now that we have briefly visited the "How" that describes some of the more common information and data leakage sources, we move to the second part of "How." This second part of "How" will be an attempt to describe how to institute a set of controls that will provide the optimal level of protection for an organization.
The best chance of accomplishing this will be to remember that it is vital not to depend on any one type of solution or process. There is a variety of tools and techniques, both technical and non-technical, to help the security professional achieve the appropriate and reasonable level of security for the various types of information and data that typically exist in an enterprise.
The defense-in-depth concept is alive and well when it comes to protecting against information and data leakage. The only difference here is that when applied to infrastructure we tend to start at the outside and work our way to the inside. Assuming that we have done a reasonably good job of securing that infrastructure, for the purposes of data leakage we need to shift our thinking a bit and look to work from the inside to the outside.
For those of you with technical backgrounds, think of applying an access list on a network device or deploying an intrusion sensor. Ideally you want to deploy either one as close as possible to the source of what you are trying to monitor and protect. The data is on the inside; therefore we should start at the inside and work our way outward. This concept is extremely important as we start to consider technology solutions to help us better manage the information and data leakage issue.
From an organizational perspective, there is one weapon that every security practitioner has at their disposal that in many instances is not optimally leveraged. This weapon is ultimately the first and last line of defense in the protection of corporate information and data, as well as being the most variable in its ability to perform. The weapon that I refer to is the people in an organization. The people in an organization are closest to the critical data, so when it comes to data leakage they can be security's best friend or its worst enemy.