It's the Information, Stupid
- 04 June, 2009 03:23
Over the past several years there have been changes in the business environment, causing fundamental alterations in how security organizations operate to protect the enterprises for which they have responsibility.
An evolution in the nature, methods, and motivation behind the perpetration of security breaches [Timeline: 4 Years of Data Breaches] has had a profound impact on the importance of protecting data and information. This is a shift from the traditional approach of protecting the infrastructure on which the data resides.
The focus of this article is to identify ways that information in the enterprise can be inappropriately removed and a framework for how to mitigate these risks and protect your organization from the potential litigation, fines, and sheer embarrassment that can follow from such an event.
The unprecedented transformation in the nature and consequences of security breaches is causing a shift in the way security practitioners specifically and business leaders in general must think about the security of information within the enterprise.
The job of a security professional over the past few years has undergone a metamorphosis in response. This metamorphosis has taken the security practitioner from a completely interrupt-driven existence of a firefighter constantly on the alert for an attack, to more of a detective engaged in constant investigation to understand whether or not there has been significant data loss from a silent assailant, one whose biggest goal next to gaining that information is keeping anonymity intact.
Hackers in the early part of the decade were eager to show their skills by perpetrating blatant attacks such as the defacement of a website home page or by bringing a mail server to its knees through a constant bombardment of useless traffic, thereby preventing legitimate users from gaining access. Today hacking is governed by a whole new paradigm, that of profit. It's all about making money the old fashioned way -- by stealing it. Today hacking is a multi-billion dollar enterprise whose sole goal is to acquire any type of information that is believed to be of value to anyone who is willing to pay for it. Hackers today go out of their way to keep their existence a secret from their victims for as long as possible in order to farm the maximum amount of information before having to go to the expense of searching for and infiltrating another victim.
Given the reality of our changed world, we as security practitioners must change along with it. We must extend our focus from the security of the infrastructure that houses the information to the security of the information itself. The primary mission of the security practitioner must be reconsidered to be successful.
The need to protect data and information
As an industry we have done a very good job of defining a secure infrastructure. While there are challenges in each enterprise when it comes to implementing and maintaining it, there is an excellent framework that every organization can work toward.
Even though the game is changing, many in the industry have continued to embrace the concept of a secure infrastructure and have tried to evolve it to fit the new security paradigm facing the industry. This evolution has consisted of trying to emulate the secure perimeter in a world where that perimeter is increasingly fluid and can change very quickly. The introduction of numerous portable devices and access methods create what might be described as a variable perimeter. This variable perimeter has been extremely difficult to define and even more so to implement, maintain and adapt with constant change that is more the norm than the exception in today's business climate. Add to this the ever-changing mix of customers, business partners and suppliers and the fact that at any given time an organization can have all of these relationships with another organization, leaves us with the inescapable conclusion that it is the information that needs protection, not just the infrastructure that houses and transports the information throughout its lifecycle.
When those of us who have been in the industry for many years came to this realization, some earlier than others, it was an epiphany to be sure. Once over the initial shock, a natural question for a security practitioner might be to ask "How in the world do I do that?"
Before we can develop an intelligent answer to the "how," we need to have a better definition of the "what" and the "where" in this new reality. Information leakage has been happening for years and is not a new issue. What is different now is that there are a lot more people seeking to acquire information through illegitimate means. There are a lot more methods by which this can be accomplished and there are more regulations requiring organizations take the proper steps to keep this information leakage under control. Lastly, there are an ever increasing array of penalties and consequences for those organizations unable to or unwilling to comply. These trends will continue, so it is in everyone's best interest, except of course "the bad guys", for the industry to evolve with the times and get in front of this issue sooner than later.
Before an appropriate set of controls can be defined and deployed, we need to understand the value of what needs to be protected and, to the extent that we are able, where it is located. This is similar in nature to how we go about protecting the infrastructure. The information needs to be characterized in terms of its value to the organization and the impact of its disclosure to the public. This disclosure component is of critical importance to achieving compliance with many of the data protection and privacy regulations that currently exist, as well as those yet to come.
This characterization is typically expressed as a data classification policy. A typical data classification policy defines four levels of data within the enterprise: Public, Internal, Confidential, and Restricted. The headings may differ from one organization to another, but for our purposes these headings will suffice:
- Public data is typically defined as data that anyone can access and it may be disclosed to the general public without impact to the organization. Examples of this type of data may include product marketing materials, sales collaterals and for publically held companies the annual report.
- Internal data is typically defined as internal business correspondence, records and data that are created during the normal course of business which is not identified as confidential or restricted. Examples of data classified as Internal include business emails, correspondence with clients.
- Confidential data typically includes any and all of business, financial and technical information including, customer, product, pricing and product development plans, network and system diagrams or other non-Restricted data created in the normal course of business which if made public would cause harm the organization.
- Restricted data includes all information subject to restriction in access, storage or processing by law, or regulation, or by customer contract and any other information owned or under the stewardship of an organization that could cause significant harm if inappropriately disclosed, accessed or modified.
Another important aspect that is relevant to data leakage is to define a data lifecycle to determine when and how to appropriately retire and dispose of data that is no longer needed by the business. This should be addressed in an organization data retention policy. In many cases such a policy does not exist. The data leakage issue may be the key to convince an organization to develop a comprehensive and enforceable data retention policy.
How data leaks occur
Now that we have identified the "what" we can move on the "how." This "how" will be divided into two parts. The first "how" will focus on how information and data leaks from an organization. The second "how" will be concerned with how an organization can guard against this leakage and reduce the risks associated with that leakage.
There are many egress vectors for information and data leakage. While certainly not a complete list some examples of these egress vectors include personal e-mail, P2P, unauthorized encrypted transmissions, malware infections in endpoint devices, unauthorized PDAs, smart phones and MP3 players, social engineering both electronic and non-electronic, faxing to personal e-mail, unauthorized media (CD/DVD, USB Drive, Memory Stick, etc., and traditional postal and overnight services.
In any given organization there are no doubt additional egress vectors for information and data leakage that may be specific to the type of business being conducted. The important thing is to understand what these outward vectors are such that appropriate controls can be defined and instituted to provide the required level of security to the majority of the information in the environment. The previous statement was crafted using the word "majority" for a good reason. That reason is that like any other set of security controls nothing should be considered fool-proof. While it is essential that an organization takes every reasonable precaution to protect its restricted data, it is impossible to ensure that all data is secure all of the time, especially if you are in a business that by its very nature is a target for information leakage.
How to protect against data leaks
Now that we have briefly visited the "How" that describes some of the more common information and data leakage sources, we move to the second part of "How." This second part of "How" will be an attempt to describe how to institute a set of controls that will provide the optimal level of protection for an organization.
The best chance of accomplishing this will be to remember that it is vital to not depend on any one type of solution or process. There are a variety of tools and techniques, both technical and non-technical to assist the security professional achieve the appropriate and reasonable level of security for the various types of information and data that typically exist in an enterprise.
The defense-in-depth concept is alive and well when it comes to protecting against information and data leakage. The only difference here is that when applied to infrastructure we tend to start at the outside and work our way to the inside. Assuming that we have done a reasonably good job of securing that infrastructure, for the purposes of data leakage we need to shift our thinking a bit and look to work from the inside to the outside.
For those of you with technical backgrounds think of applying an access list on a device in a network or deploying an intrusion sensor. Ideally you want to deploy either as close to the source of what you are trying to monitor and protect as possible. The data is on the inside, therefore we should start at the inside and work our way outward. This concept is extremely important as we start to consider technology solutions to help us better manage the information and data leakage issue.
From an organizational perspective, there is one weapon that every security practitioner has at their disposal that in many instances is not optimally leveraged. This weapon is ultimately the first and last line of defense in the protection of corporate information and data, as well as being the most variable in its ability to perform. The weapon that I refer to is the people in an organization. The people in an organization are closest to the critical data, so when it comes to data leakage they can be security's best friend or its worst enemy.
It is vitally important that information and data leakage and its potential impact to both the individual and the organization are covered fully in any new hire orientation session. It is also important to mention the protection of corporate information in any type of annual policy review acknowledgement that may exist. If neither of these vital parts of any training and awareness program currently exists, the data leakage issue may serve as a good leverage point to have them instituted in an organization.
The second important facet of people's involvement in combating information and data leakage in an organization is to have a mature and effective incident response capability. This is a very important aspect of any security program and equally important to any information and data leakage program. Incident response capability is the absolute last line of defense in this effort to protect information and data. Security practitioners should not operate under any illusions and should set expectations with senior management that no matter how well thought out a security program is, eventually there will be an incident of some type. The maturity of the incident response capability within a security program will make the difference between a complete disaster and a bad situation that can be overcome over the long haul.
If employees and associates can be trained and incented to understand the importance of this issue and how it can affect them, it will go a long way toward reducing the overall risk of leaking information and data from the enterprise.
Technology controls to protect informationWhile the organizational and people oriented elements just described are critical to the success of any program to protect data and information from abuse and improper disclosure, those elements alone are not sufficient to provide the fullest possible level of protection.
To this point we have discussed the need for a data classification policy in an organization and the need to have the proper structure, incentives and capabilities around user awareness, training and incident response to educate the community with regard to that policy on an ongoing basis.
To properly monitor and enforce those policies, there needs to be a sound implementation of appropriate technology solutions to provide the "teeth" for the policies and processes established around the protection of data and information in the enterprise.
There are several technical elements that make a good information and data protection framework. These elements include:
- Mature Identity Infrastructure
- Digital or Enterprise Rights Management
- Data Leakage Prevention
Identity infrastructure is the base on which the majority of the other tools and solution types are dependent to properly operate. Without proper identity there can be no consistent assignment of rights and privileges to information resources across the enterprise. Most organizations have many moving parts in their identity infrastructures. Invariably some parts are either missing or not working up to their full potential. Without a viable identity infrastructure, many of the tools specifically designed for monitoring and protecting information and data will have only limited success at best; at worst they could possibly be seen as a failure. Once there is a solid identity infrastructure in place with a granular set of user attributes, additional solutions can be deployed for the protection of data and information.
Digital Rights Management (DRM) solutions encrypt content at a document level making use of access and authorization criteria from identity infrastructure to prevent the misuse, modification, loss or theft of intellectual property and sensitive information.
In contrast Data Leakage Prevention (DLP) solutions monitor for content on networks and endpoints based on defined criteria such as tags in documents, key word searches and so forth. As content is scanned and the criteria of the search parameters are met, rules are triggered. In less sophisticated solutions, these triggered rules result in some type of alert, typically an email to an administrator who makes decisions and inquiries based on established response procedures. In more sophisticated solutions, content can actually be interdicted or quarantined by the solution based on a rule set.
At first blush, DRM and DLP appear to be competing and mutually exclusive solutions that take different approaches to solving the same issue. There have been equal amounts of controversy and confusion in the market place regarding these types of solutions, which in many ways has slowed the maturity of the solution sets and their mainstream acceptance in the market place.
Both of these solution sets have their pros and cons and some vendors attempt to convince potential customers that their solutions will solve all of their problems in the area of information and data leakage. The fact of the matter is that the majority of these solutions, when deployed as a single solution, provide only partial protection against loss or disclosure of data or information. Other vendors make the caveat that their solutions only provide protection against the inadvertent or accidental loss or disclosure of data or information. These solutions make no specific claim to guard against deliberate loss or disclosure of data and information.
It is important that security practitioners not be lulled into a false sense of security if one of these solutions is deployed and advertised within an organization as the "Silver Bullet" of information and data protection.
These two seemingly competing technologies have some striking similarities to another set of technologies that came to the forefront of the security industry a few years ago. In the early part of the decade, Intrusion Detection Systems (IDS) started to mature and move towards mainstream acceptance and adoption by the security community at large. Not long after that Intrusion Prevention Systems (IPS) were introduced and presented by many as the logical evolution of IDS. Not long after the introduction of IPS, there were proclamations by many information security pundits that IDS was dead, long live IPS! The evolution of the technology has for the most part played out and in the final analysis there is a place in the enterprise for both technologies.
Recently, although on a somewhat smaller scale, a similar proclamation was made regarding DLP technology solutions. Once DLP and DRM technologies are examined, it becomes apparent that there is a place in any enterprise that requires comprehensive monitoring and enforcement of its data classification policies to protect its data and information from improper use.
Going back to the analogy that was drawn between these technologies and the IDS/IPS technologies, it became apparent that you use IPS technologies where you new what you wanted to block and were very certain that only specific inappropriate traffic was going to be affected. In areas where that certainty was not there, it became apparent that you use IDS technologies to monitor, alert, respond and institute change in the environment to eliminate unwanted traffic as it was identified.
Similarly the same approach can be used with regard to DRM and DLP technologies being deployed in the enterprise. A DRM solution can be deployed for information that has been properly classified and is resident in known information stores. Once subject to an enterprise policy of a DRM solution, that information is protected during its lifecycle and can be retired at the proper time based on an organizations retention policy, or when there is suspicion of inappropriate use of that information.
For information that has not been classified and/or is not residing in known information stores, a DLP solution can be employed. As critical content is detected by the DLP solution it can then be properly classified, moved to the appropriate information store and become subject to enterprise DRM policy and governance.
The last element of any information and data protection program is to employ encryption on any and all high risk devices in the enterprise. This typically means laptops and mobile devices. It is important to identify all types of information that exists in the enterprise that may not be subject to the DRM solution or by its nature not be detectable by the DLP solution at some point in its life cycle.
Those are the areas that require traditional encryption solutions. Examples of this type of information might be data that is received in batch transmissions from customers for processing or analysis that enters the environment in an unencrypted format due to customer preference. Once that data is on your organization's systems, your organization may be responsible for it unless specific language in a legal agreement states the opposite. As this data is passed through an organization, the source data is often unclassified and only the output of the processing or analysis is classified. This again is an obvious requirement to have encryption for all places that this data might end up. A combination of both full disk and volume encryption on laptops, files servers and mobile devices will provide maximum protection of this type of information.
By using these solutions in combination with good user awareness and training, appropriate policy and process, an extremely well thought out solution to reduce the risk of information and data leakage can be accomplished, resulting in a set of reasonable controls against these risk areas.
In summary there are several things that drive the need for protecting information and data in addition to infrastructure:
- The change in mentality and motives of hackers and cyber criminals.
- The realization that it is the information and not just the infrastructure that needs to be protected.
- The increase in a technologically savvy workforce that use every conceivable tool and utility to bolster their productivity and connectivity to others at work, at home or on the road.
- The intentional break down of enterprise perimeters and the increased collaboration between partners, customers and suppliers.
- The ever increasing regulatory pressure to manage the information and data that exists with an organization.
To achieve a reasonable level of information and data protection requires that the following are in place within an organization:
- A work force that understands the importance of the various types of information and data in the enterprise;
- Consequences for the individual and the organization for the misuse of this information;
- Understanding all of the information egress vectors that exist in a given enterprise;
- Developing the proper controls to address the information egress vectors that have been identified; and
- Implementing the proper technology solutions to monitor and enforce those controls over time.
The basic elements of a data leakage prevention program consist of:
- A data classification policy
- A user training and awareness program
- Inclusion of security in general and data leakage/protection of critical information in employee policy acknowledgements and as individual performance objectives
- A mature identity infrastructure
- A Digital Rights Management (DRM) Solution
- A Data Leakage Prevention (DLP) Solution
- Encryption on targeted devices based on risk
- A mature incident response capability
Many organizations have at least some of these elements in place and at some level of functionality already. Based on an organization's risk tolerance, consideration should be given to adding those elements not already in place to any long term security strategy.
Jason Stradley is a senior security consultant for BT, providing executive-level strategic security and business consulting to Fortune 500 clients. He can be reached at firstname.lastname@example.org or by phone at (630) 525-1834.