by Ian Kilpatrick
Computer networks today have become increasingly open, with more and more staff accessing a greater number of applications and databases. Remote access has also grown hugely. The opportunities for unauthorised viewing of data, data theft and data leakage have increased tremendously, and organisations now need to look urgently at managing this problem.
Internally, there are risks from employees and skilled IT staff. Employees can also inadvertently expose confidential data to the outside world through the use of unprotected wireless, unprotected remote access or careless laptop use.
Another high-risk area is the use of USB sticks and mobile devices such as PDAs and BlackBerrys for the storage of confidential information. Externally, companies are at risk from hackers or criminals wanting to use information (particularly financial) to carry out crimes.
Data leakage is a very important issue and companies have a legal requirement, under The Data Protection Act, to secure information on their employees and on their customers. The impact of negligent data loss on their reputation is also now moving organisations to focus on dealing with the data leakage threat.
There have been many cases of data leakage including the recent loss of a laptop containing salary details, addresses, dates of birth, national insurance and phone numbers of some 26,000 employees from a printing firm, which was writing to M&S workers about pension changes. Identity theft is the possible result of such losses.
Firewalls and access control are commonly used. However, computers being used by staff at home to communicate with the office and access information may not have firewall protection, or the firewall may not have been enabled or updated. And, of course, if access control is inadequate, firewalls will not stop data being read.
According to the DTI Information Security Survey 2006, the vast majority of companies still rely on weak, static passwords. These, however, are generally recognised as being inadequate. Companies may also use more sophisticated means, such as strong two-factor authentication, with hard tokens, biometrics, smart cards or virtual tokens.
Traditionally, larger companies have relied on the security of mainframe systems to protect key data. However, with company-confidential data now routinely accessible from, and downloadable onto, the network, this protection has significantly diminished.
Regularly reviewing access control lists is another key component in data security, as is managing emails and instant messaging, because unencrypted emails are vulnerable to interception.
However, the computing landscape has now changed so much that these methods, on their own, are unable to cope with the current threats.
One strong area of risk is allowing unauthorised or departed members of staff to have unmanaged access rights to data, for which they have no valid need. This is a major cause of data leakage.
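The access-list review and the leaver problem above can be turned into a routine check. The script below is an added example, not code from the article or from any vendor mentioned in it: it reconciles an access-control export against the HR roster and reports three kinds of stale rights (accounts no longer in HR, staff who have left, and staff whose department has no valid need for the share). The roster, the ACL export and the share-ownership policy are constructed sample data; in practice they would come from the HR system, the file server or directory, and the organisation's own access policy.

```python
"""Find stale or unjustified access rights by reconciling an ACL export
against the HR roster.

Added example, not from the article. The roster, the ACL export and the
share-ownership policy below are constructed sample data.
"""
import csv
import io

# Constructed HR roster: one row per account, with the leaving date for leavers.
HR_ROSTER_CSV = """username,department,status,leave_date
alice,finance,active,
bob,hr,active,
carol,finance,left,2008-03-31
dave,it,active,
"""

# Constructed ACL export: which account holds which rights on which share.
ACL_EXPORT_CSV = r"""share,username,rights,granted_by
\\fileserver\payroll,alice,read,bob
\\fileserver\payroll,carol,read,bob
\\fileserver\payroll,dave,full,dave
\\fileserver\payroll,eve,read,dave
\\fileserver\hr,bob,full,bob
"""

# Assumed policy: the departments with a valid business need for each share.
SHARE_OWNERS = {
    r"\\fileserver\payroll": {"finance"},
    r"\\fileserver\hr": {"hr"},
}


def load_roster(csv_text):
    """Index the HR roster by username."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def review_access(roster, acl_text, share_owners):
    """Return (category, share, username, detail) for every ACL entry that
    should not exist: orphaned accounts, leavers, and staff whose department
    has no valid need for the share."""
    findings = []
    for entry in csv.DictReader(io.StringIO(acl_text)):
        share, user = entry["share"], entry["username"]
        person = roster.get(user)
        if person is None:
            findings.append(("orphaned", share, user,
                             "account is not in the HR roster"))
        elif person["status"] == "left":
            findings.append(("leaver", share, user,
                             f"left on {person['leave_date']} but still holds "
                             f"{entry['rights']} rights"))
        elif person["department"] not in share_owners.get(share, set()):
            findings.append(("no-valid-need", share, user,
                             f"{person['department']} staff holds "
                             f"{entry['rights']} rights (granted by {entry['granted_by']})"))
    return findings


def stale_access_report():
    """Run the review over the constructed sample data."""
    return review_access(load_roster(HR_ROSTER_CSV), ACL_EXPORT_CSV, SHARE_OWNERS)


if __name__ == "__main__":
    for category, share, user, detail in stale_access_report():
        print(f"{category:14} {share:24} {user:8} {detail}")
```

Run on a schedule, the three categories map directly onto the actions a reviewer would take: disable the orphaned account, remove the leaver's rights, and ask the share owner to confirm or revoke the out-of-department grant.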
One solution to this, offered by encryption specialist Utimaco, is to send emails as encrypted PDFs, readable by the recipient using a password. Other systems operate around PKI and the use of public and private keys.
If you don't want to encrypt all emails, you can just make sure you encrypt confidential emails. Encryption is also a good idea for confidential internal emails. If you're emailing remotely, then VPN encryption will protect the confidentiality of your emails.
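Encrypting only confidential emails needs a rule for deciding which emails are confidential before they are sent. The following is an added example, not code from the article or from any vendor it names: a small outgoing-mail check that flags a message for encryption when the sender has classified it, when the body carries national insurance numbers, or when it mentions sensitive terms, and that also lists which recipients are outside the organisation. The organisation domain, the term list, the NI-number pattern and the two sample messages are all constructed assumptions.

```python
"""Decide whether an outgoing email must be encrypted before it leaves.

Added example, not from the article and not any vendor's product. The
organisation domain, the sensitive-term list, the NI-number pattern and the
sample messages are constructed assumptions for this example.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

OUR_DOMAIN = "example.co.uk"  # assumed organisation domain

# Rough shape of a UK national insurance number: two letters, six digits, one
# letter A-D, with optional spaces. Constructed for this example, not an
# authoritative validator.
NI_NUMBER = re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")

# Terms whose presence marks a message as confidential under the assumed policy.
SENSITIVE_TERMS = ("salary", "payroll", "date of birth", "national insurance", "pension")


def build_message(to, subject, body, classification=None):
    """Construct a plain-text message the way a mail client would."""
    msg = EmailMessage()
    msg["From"] = "payroll@" + OUR_DOMAIN
    msg["To"] = to
    msg["Subject"] = subject
    if classification:
        msg["X-Classification"] = classification  # assumed sender-set header
    msg.set_content(body)
    return msg


def assess_message(msg):
    """Return whether the message must be encrypted, why, and which recipients
    are outside the organisation."""
    text = (msg["Subject"] or "") + "\n" + msg.get_content()
    reasons = []
    if (msg.get("X-Classification") or "").strip().lower() == "confidential":
        reasons.append("sender classified it Confidential")
    ni_hits = NI_NUMBER.findall(text)
    if ni_hits:
        reasons.append(f"{len(ni_hits)} national insurance number(s) in body")
    terms = [t for t in SENSITIVE_TERMS if t in text.lower()]
    if terms:
        reasons.append("sensitive terms: " + ", ".join(terms))
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    external = [a for a in recipients if not a.lower().endswith("@" + OUR_DOMAIN)]
    return {"must_encrypt": bool(reasons), "reasons": reasons,
            "external_recipients": external}


# Constructed sample traffic: a pension mailing to an outside printer, and a
# harmless internal note.
SAMPLE_MESSAGES = [
    build_message(
        "Print Desk <printer@mail-house.example>",
        "Pension changes mailing",
        "Please print and post the enclosed letter.\n"
        "Employee: J. Smith, date of birth 03/05/1971\n"
        "NI number QQ 12 34 56 C, current salary band 4.\n",
    ),
    build_message(
        f"bob@{OUR_DOMAIN}",
        "Lunch",
        "Canteen at one?\n",
    ),
]


def demo():
    """Assess the constructed sample messages."""
    return [assess_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, demo()):
        verdict = "ENCRYPT" if result["must_encrypt"] else "send as-is"
        print(f"{msg['Subject']!r}: {verdict}; {'; '.join(result['reasons'])}")
```

The verdict is deliberately independent of whether the recipient is internal or external, matching the point above that confidential internal mail should be encrypted too; the external-recipient list is reported separately so a gateway can choose the mechanism (for example a password-protected attachment for an outside recipient who has no key).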
Laptops are a problem area, often disappearing from employees' homes, cars, hotels, etc. However, if the data on these laptops is encrypted, thieves will be unable to decipher the information on them.
Similarly, if your organisation is using unencrypted wireless in the office, all the information held on your network can be at risk. This is one reason it is wise to encrypt all relevant confidential files, data, internal emails and network attached storage (NAS).
While encryption is an obvious solution, it has historically only been implemented by a minority, largely due to the high cost and the difficulty of using older-style encryption solutions. Also, it has been difficult to centrally manage encryption across all elements of an enterprise.
Major improvements in technology and price reductions have now radically changed that.
Encryption can now be easily managed across all data risk areas using a comprehensive approach known as 'unified encryption management' (UEM) and this is revolutionising encryption.
Improved centralised management capabilities, which support UEM, are part of solutions from companies such as Utimaco and Pointsec. Utimaco, for example, offers a management centre which manages and co-ordinates encryption across the whole network, whether for laptops, mobile devices, wireless devices, the LAN, USB sticks or network attached storage.
However, encryption is only one component in an access control programme, which should also include authentication and, in turn, be part of wider company wide security policies.
About the author:
Ian Kilpatrick is chairman of Wick Hill Group. The company is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security. Find out more and register online at www.infosec.co.uk.