Wednesday, January 7, 2009

Confidential Data: Gone Surfing!?!

Data's new motion is through the web. Unidentified data surfing out through Web 2.0 technologies has become the most significant risk. With this in mind, it is important to understand what kind of data is unidentified as well as the channels it can escape through.
For data that was identified while it was at rest, the web channel poses very little risk. Most solutions today are able to catch tagged items leaving through the web. But what about the data that is too new or was not caught in the identification process? This data can be the most damaging. As with anything that is not defined, a set of parameters needs to be established in order to catch what you are looking for while reducing false positives. Look for solutions that have real-time checksums on credit card numbers, dictionary thresholds, and AI engines for records and source code to help catch this newer and unmarked data. Many corporate email filters offer these same techniques, but almost no one offers them for the web channel because of the latency this type of inspection can induce.
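The two detection techniques named above for unmarked data, a real-time checksum on credit card numbers and a dictionary threshold, look like this in a small inspection routine. This is an added example, not code from the original post; the sample webmail body, the keyword dictionary and the threshold of 3 are constructed assumptions.

```python
import re

# Constructed sample of an outbound webmail body (not from the original post).
SAMPLE_POST = """Hi, here is the customer export you asked for.
Card: 4111 1111 1111 1111, exp 12/27
Card: 1234-5678-9012-3456 (test record)
Internal: confidential, do not distribute, proprietary source code attached.
"""

# Candidate 13-19 digit runs, allowing spaces or dashes between groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Assumed dictionary and threshold: enough of these terms in one message flags it.
CONFIDENTIAL_TERMS = {"confidential", "proprietary", "do not distribute",
                      "source code", "customer export"}
DICTIONARY_THRESHOLD = 3


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum: weeds out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings that match the card pattern AND pass the checksum."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def dictionary_hits(text: str) -> int:
    """Count occurrences of dictionary terms, case-insensitively."""
    lower = text.lower()
    return sum(lower.count(term) for term in CONFIDENTIAL_TERMS)


def inspect_outbound(text: str) -> dict:
    """Decide whether an outbound web post should be held for review."""
    cards = find_card_numbers(text)
    hits = dictionary_hits(text)
    return {"cards": cards, "dictionary_hits": hits,
            "block": bool(cards) or hits >= DICTIONARY_THRESHOLD}
```

Note that the second, non-Luhn number in the sample is ignored, which is exactly the false positive the checksum is there to remove.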
There are three main ways data can exit via the web. The first is through web-based email. It has always posed a security risk as well as a convenient way to circumvent corporate email filtering. While the inclusion of AV scanning by most free services has dramatically reduced the security issues, the issue of data leakage has only grown worse. The adoption of DLP for corporate email has proven that email is the number one way data used to leak. However, as corporate email systems have been enhanced, webmail has become the next easiest way to bypass scanning. Any DLP solution being considered will need to be able to open up SSL webmail and inspect it with the dynamic engines and techniques mentioned above. Be wary of latency with any solution claiming this capability, as decrypting SSL is not trivial and can induce a great deal of latency.
The second method of data leakage is through instant messaging. IM has also added AV to most file transfers, but like webmail, it too is an easy way to leak information. The issue with IM has always been keeping up with the clients' protocols. They constantly morph to avoid aggregator products as well as security filters. It is now possible, though, to block all but the approved client types and versions you wish to have running on your network. By minimizing the variations of clients, recording transmissions, and keyword filtering messages, this medium can be controlled very productively. Many solutions offer this capability, but few are deployed due to the complex nature of the clients and their morphing abilities, as well as the need for hardware at all internet egress points. This is one area where cloud-based offerings really make sense by reducing the need for gateway infrastructure. Just make sure the cloud offering you consider really doesn't need any additional hardware or software at the gateway, as many of the so-called SaaS vendors do.
The third way is through blogging. User-generated content is the fastest growing risk. It is the most recent way that content can remain in motion unfiltered. This includes all of the social networking sites like Facebook, Web 2.0 sites like Wikipedia, and blogging sites like Blogger. Anywhere a user is able to upload content through the web, it will need to be inspected. There are several classic examples of corporate employees using corporate assets to undermine the company by posting material through this medium, either confidential or damaging, that could have been stopped through the use of some type of Web 2.0 controls.
By knowing the information leak channels, seeing what can be monitored, and finally understanding the technology architecture needed to keep up, you will be able to create policies for how data is really leaving your corporate assets. Surfing has its place in the web world, but not with your confidential data!