Closing the gaps in enterprise data security: A model for 360˚ protection
This paper examines the primary data threats that currently concern chief security officers (CSOs) and IT security management within enterprises, and recommends best-practice techniques to minimize and overcome risks to data security. These best practices have been successfully implemented and deployed in organizations worldwide as components of a holistic data security strategy.
Businesses adapt to increased mobility and expanded connectivity: Evolving data threats
Mobile computing and global networking cast a new light on data security issues as, in response, organizations reassess the technologies in use within their IT infrastructures and reconsider the ways in which staff members, customers and partners communicate. Solutions that do not provide the appropriate balance between protection and usability must be discarded in favor of solutions that effectively minimize risks of data theft or loss, achieve compliance with existing regulations and equip personnel with tools that help them work productively and securely. The crux of the matter is simple: Business processes today rely on vastly different methods of data storage and data exchange than even a few years ago. These changes in the computing landscape make it essential that companies adopt a very different approach to security.
According to the Forrester Research report, “The State Of Enterprise IT Security: 2008 To 2009,” 90% of organizations say that data security is “important” or “very important” and would get high priority in 2009.
The following sections detail three possible scenarios illustrating how these individual threats can affect the business operations, data integrity and overall security of organizations:
Scenario one: Theft of a mobile computing device
Scenario two: Losing removable media containing confidential data
Scenario three: The insider threat
Each section also provides recommendations as to how each individual threat can be minimized by using technology that is available today. The objective is to provide full 360-degree security that protects against the widest range of attack vectors.
Scenario one: Theft of mobile computing device
California-based Company A, a channel partner of a global chip manufacturer, has designed a promising media player. Product manager Sally Ortez worked closely with the chip maker to negotiate the specifics of the processor purchases, product rollout plans, marketing strategy, projected sales in various channel outlets and product road map details. Ortez routinely kept all documents relevant to the collaboration on her notebook computer, including proprietary information under a non-disclosure agreement with the manufacturer. At a large trade show in Hong Kong, Ortez was navigating the packed aisles of vendors and technology companies with her computer bag secured by its strap over her shoulder. After she was bumped from behind, someone quickly cut the strap of the bag and grabbed it. Police efforts to locate the thief failed. Five days later, the full specifications of the unreleased processor showed up on the Internet, along with the marketing plan for the media player and product road map. A day after that, the chip manufacturer cancelled the channel co-marketing plans with Company A and threatened legal action because of the disclosure. Ortez never recovered the lost notebook.
The mobile workforce depends on smaller, lighter and more portable computing devices to get their work done in the field. Their reliance on these computing devices heightens the importance of protecting the information on them from loss, theft or viewing by unauthorized individuals. The 2008 CSI Computer Crime and Security Survey reports that laptop theft/fraud ranks among the top three threats, with 42% of security professionals who responded citing it. As reported by a number of different sources, theft of mobile computing equipment is all too common and—without protection—the information stored on systems is easily accessible to thieves. Even a power-on password and other forms of single-factor authentication are of little use in guarding against theft or loss.
However, encrypting the data on mobile computing devices makes it inaccessible to thieves and outsiders, and provides a level of data protection that is both prudent and responsible.
Solution: SafeGuard Enterprise
With SafeGuard Enterprise, the ending to the previous scenario could have been much different. Consider this alternative ending. Following the advice of a leading data security publication, the director of IT operations at Company A implemented a policy to perform full hard disk encryption on all company notebook computers using SafeGuard Enterprise. The software deployment took place overnight. Following the initial usage, which requires a simple log-in process, employees using single sign-on (SSO) need only enter their password once to access the computer, just as they had done previously. Employees didn’t notice any difference in the behavior of their laptops. During the Hong Kong trade show, Sally Ortez lost her notebook computer when her computer bag was snatched in a crowd. Because of the strong encryption protection on these devices, there was no potential for the disclosure of any sensitive data, and the business partnership with the chip maker continued to flourish. Company A also avoided having to notify companies and individuals about the stolen data, as is required by California SB 1386 for any losses of unencrypted data. Encryption preserved both the data privacy and a valuable business relationship to the benefit of everyone involved in this scenario.
Industry-leading encryption solutions from Sophos deliver enterprise-caliber data security, giving mobile workers the confidence and protection to travel freely without being concerned about revealing information that could damage both their company and their career. SafeGuard Enterprise effectively protects data on mobile computing devices—including laptops and netbooks.
Scenario two: Losing removable media containing confidential data
Fabian Bredcowski worked as a technical support specialist for Company B, a thriving New England-based computer retailer, and was privy to files and information stored on the Company B servers—all of which were strongly protected by a corporate firewall and rigorous authentication and access protections. Bredcowski took security seriously, but he was also tenacious about pursuing solutions to problems—even when away from the workplace. After dealing with one particularly vexing support question that he could not resolve over the phone, Bredcowski couldn’t get the problem out of his mind and decided to work on it at home with his home computer. At the end of the day, he hastily copied the tech support customer files to a 1GB memory stick and slipped it into a pocket in his wallet. The files included contact information and personal data about several hundred Company B customers. On the way home, Bredcowski stopped at a local restaurant for a take-out dinner. His wallet slipped out of his pocket and fell to the ground when he got out of the car. The driver of the next car that pulled into the lot noticed the wallet, picked it up and found the memory stick inside. He pocketed both and quickly drove off. When Bredcowski reached for his wallet to pay for his dinner, he was shocked to find it was missing. At the same instant, he realized the memory stick with private customer data was inside. Conscientiously, he reported the loss to his supervisor, who was furious that, as a matter of policy, Company B would have to notify each customer of the personal data loss—a grave reflection on the company’s handling of personal information. For this breach, Bredcowski was docked the cost of mailing the data loss announcements and demoted to a position in the shipping department.
For several months after the event, the customer support personnel at Company B had to respond to a steady stream of phone and mail complaints from customers disturbed that their personal information had been treated so casually.
The increased storage capacities and evolving form factors of removable media create a new vector of possible data loss. Securing removable hard disk drives, flash memory devices, optical discs, magnetic media, memory sticks and similar media should be a top priority for security strategists within an organization. The compact size and lightweight form factors of removable media devices make them especially prone to loss or theft. Such potential security breaches can damage customer relationships and result in financial losses for the businesses involved.
Protect sensitive data and intellectual property residing on endpoint devices: Encryption prevents unauthorized access to hard drives, flash memory cards, optical discs, memory sticks and similar media.
Solution: SafeGuard Data Exchange
The use of SafeGuard Data Exchange could have resulted in a very different ending to this story. Consider this alternative scenario. After dealing with the difficult support question that he could not resolve over the phone, Bredcowski copied the relevant files to a 1GB memory stick protected by the SafeGuard Data Exchange solution. All data being stored on the memory stick was automatically encrypted, protected by a secure password that Bredcowski previously assigned. The loss of his wallet in the restaurant parking lot turned out to be a personal tragedy; but the driver who stole both the wallet and the memory stick had no way to access any of the data files because they were encrypted. Although Bredcowski reported the loss to his supervisor, no action was taken because the data on the memory stick was securely protected. For several months afterward, Bredcowski had to deal with fraudulent charges on his credit cards; but the good customers at Company B were protected from the potential revelation of their personal information and the company maintained its strong reputation.
SafeGuard Data Exchange provides security-to-go for all forms of removable media. As a reasonable precaution against loss or theft, this solution ensures consistent, effective protection of commonly used media storage devices in your company. To ensure that confidential information remains confidential, you can configure SafeGuard Data Exchange to prevent any sensitive data from leaving the company on a removable medium without first being encrypted. As an additional measure of protection, access to any unencrypted data stored on removable media can simply be denied.
Scenario three: The insider threat
Wendy Profolo had been working as a contract software developer since her mid-twenties, and her proficiency and integrity gained her a good deal of trust. In her new assignment for Company C, she was quickly provided network access and her manager was pleased to see her making steady progress on the coding project she had been given. What her manager did not know was that Profolo had a serious gambling problem and had become proficient at finding ways to exploit information extracted from a company server to cope with her rising gambling debts. Within two weeks, Profolo managed to modify her access privileges, scour the network file structures to retrieve a dozen corporate credit card numbers, gather personal information about the executive board that might later prove useful, accumulate financial records that she thought might be sold to a Taiwanese competitor of Company C and steal the source code for a revolutionary new product that the company was developing. Profolo was caught one evening as she was trolling through the human resources files by one of the janitors, who was startled to see his name up on her screen and immediately reported her to her supervisor. Profolo is serving time at a minimum-security prison and, as a result of this experience, Company C currently relies on encryption to protect sensitive resources stored on corporate servers.
Threats from insiders—whether contractors working on software code, disaffected administrators acting maliciously or rogue personnel with unknown agendas—are among the most insidious data threat scenarios. The 2008 CSI Computer Crime and Security Survey reports that insider abuse ranks among the top two concerns, with 44% of the security professionals who responded citing the threat. A comprehensive data protection strategy should address this potential risk and find techniques to mitigate it. First, consider the range of assets that insiders theoretically can view or access, and then employ decisive measures to secure these assets against unauthorized viewing. This may include file access on internal LANs, server content that is accessible to insiders and information stored casually on workstations or notebooks physically accessible on desks and tables within a facility.
Solution: SafeGuard LAN Crypt
Before Company C hired Wendy Profolo, a savvy manager in the software engineering group procured a trial copy of SafeGuard LAN Crypt. Impressed by the capabilities of the software application, the manager purchased and installed a licensed version of the product. Following Profolo’s hiring, despite a progression of attempts to penetrate the encrypted server contents, she eventually realized that there was no possible way to access protected files and folders on the LAN. Given this situation, Profolo was forced to confront her problem and her supervisor helped her gain admission to a 12-step gambling addiction program, which successfully brought her problem under control. Profolo has bounced back and focused her skills on application design, recently becoming a valued, full-time employee of the company.
SafeGuard LAN Crypt prevents confidential information stored on company servers from being viewed by anyone without the appropriate authorization. In any organization where insiders have potential access to the contents of servers, encryption provides an effective means of guarding sensitive information from prying eyes.
Embracing a 360° approach to data protection
As discussed throughout this paper, maintaining data privacy and confidentiality is an essential component of any data security strategy designed to contend with today’s data threats. With a suite of data security solutions based on advanced encryption technology, Sophos products directly address the three stages in the data life cycle: at the endpoint or the back end (data at rest), during transmission (data in motion) and during processing (data in use). The prevailing model of the open enterprise—where mobile workers, removable media and increased networking generate new threats—requires a strategy that aligns business practices with full, comprehensive data protection. Central management and oversight of data protection measures give organizations a means to ensure that the security policies in force are enacted consistently throughout the organization. SafeGuard solutions combine central management with the key security components to provide a unified approach to data protection—an important factor in countering data threats.
This article was provided by Sophos and is published here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware protection.