The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.
Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business.
One of the lessons of Health Net is that corporate use of mobility products, including laptops, phones, and removable media, requires special attention, because these devices carry sensitive data beyond the reach of the security team's network controls. The market data shows how much data is already moving that way: mobility products (which include notebook computers and mobile workstations) represent 32% of Dell's net revenue, the largest segment in Dell's reported product mix. The use of devices by mobile and remote users is a trend that is likely to increase, and it requires protection beyond what is planned for desktops and virtual desktops.
Spot check mobile and remote users. IT needs to understand which applications are commonly used and how those applications handle sensitive data. In particular, audit for temporary files that are created in application or system folders and not erased when the session ends. Tools such as those offered by Liquidware Labs Inc. can automate application profiling to help in the investigation. The goal is to render regulated data on mobile devices unreadable, either by deletion or encryption, as soon as the business session expires.
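One way to run that spot check is a small scanner that walks an application's cache or temp folders, flags files whose contents look like regulated identifiers, and overwrites and deletes what it finds. The script below is an added example written for this article, not code from Health Net, Liquidware Labs or the author. The SSN and card patterns, the folder layout and the sample rows are constructed for the demonstration; the `.tmp`/`.bak`/`.csv`/`.txt` extension list is an assumption about what a leaky application leaves behind.

```python
import os
import re
import tempfile
from pathlib import Path

# Illustrative detectors for two kinds of regulated identifiers (constructed
# heuristics, not a full DLP rule set). The SSN pattern rejects area numbers
# 000, 666 and 9xx, which the SSA does not issue.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on arbitrary 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_regulated_data(text: str) -> dict:
    """Count SSN-shaped values and Luhn-valid card-shaped values in text."""
    ssns = SSN_RE.findall(text)
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(ssns), "card": len(cards)}


def audit_directory(root: Path, exts=(".tmp", ".bak", ".csv", ".txt")) -> list:
    """Walk root and report files whose contents look like regulated data."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # locked or unreadable; report separately in practice
        hits = find_regulated_data(text)
        if any(hits.values()):
            findings.append((path, hits))
    return findings


def scrub_file(path: Path) -> None:
    """Overwrite the file with random bytes, then unlink it.

    Overwriting is best-effort on SSDs and journaled file systems, which is
    why full-disk encryption remains the control of record for lost devices.
    """
    size = path.stat().st_size
    with open(path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    path.unlink()


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data: one leaked export file and one benign file."""
    cache = base / "AppData" / "claims-tool" / "cache"
    cache.mkdir(parents=True)
    (cache / "export.tmp").write_text(
        "member,ssn,card\n"
        "J. Doe,123-45-6789,4111 1111 1111 1111\n"
        "A. Roe,234-56-7890,5500 0000 0000 0004\n"
    )
    (cache / "settings.txt").write_text("theme=dark\nlast_run=2009-11-18\n")
    return base


def demo() -> dict:
    """Audit a constructed tree in a temp dir, scrub hits, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        before = audit_directory(base)
        for path, _ in before:
            scrub_file(path)
        after = audit_directory(base)
        return {
            "flagged": [p.name for p, _ in before],
            "hits": [h for _, h in before],
            "remaining": len(after),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real profile by pointing `audit_directory` at the user's application data folder instead of the constructed tree; the Luhn check is what keeps timestamps and order numbers from showing up as card hits.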
Evaluate data masking software for applications that require large amounts of data to be processed remotely. For instance, Camouflage Software Inc. allows organizations to mask sensitive identity data when extracting information from the data center. Data masking can minimize the risk of data loss by reducing the number of copies of production data that must be secured. Development organizations can write applications on masked production data and remote users can conduct database research without exposing regulated data to loss.
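The masking idea in the paragraph above, as an added example written for this article (not Camouflage Software's product or code): identifiers are replaced with keyed tokens before the extract leaves the data center, so the same real SSN always maps to the same fake SSN and tables still join, while names are swapped for generated surnames and dates of birth are generalized to a year. The key, the column policy, the surname list and the sample rows are all constructed for the demonstration; the tokens fall in the 9xx area-number range, which the SSA does not issue, so a masked value can never collide with a real one.

```python
import hashlib
import hmac
import re

# Masking key stays in the data center and never ships with the extract.
# Constructed demo key; a real deployment pulls it from a key store.
MASK_KEY = b"demo-only-masking-key"

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
MASKED_SSN_RE = re.compile(r"^9\d\d-\d\d-\d{4}$")
FAKE_SURNAMES = ["Alder", "Birch", "Cedar", "Dunn", "Elm", "Fir", "Grove", "Holt"]


def _prf(key: bytes, label: str, value: str) -> int:
    """Keyed PRF: same (label, value) always yields the same token."""
    mac = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Format-preserving SSN token in the never-issued 900-999 area range."""
    if not SSN_RE.match(ssn):
        raise ValueError("not an SSN-shaped value")
    n = _prf(key, "ssn", ssn)
    area = 900 + n % 100
    group = 1 + (n // 100) % 99
    serial = 1 + (n // 10_000) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def is_masked_ssn(value: str) -> bool:
    return MASKED_SSN_RE.match(value) is not None


def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    """Stable fake surname plus a 4-digit suffix; case/whitespace-insensitive."""
    n = _prf(key, "name", name.strip().lower())
    return f"{FAKE_SURNAMES[n % len(FAKE_SURNAMES)]}-{n % 10_000:04d}"


def generalize_dob(dob: str) -> str:
    """Keep only the year from an ISO date (YYYY-MM-DD)."""
    return dob[:4]


# Column policy for the extract: which columns are regulated and how to mask.
POLICY = {"ssn": mask_ssn, "name": mask_name, "dob": generalize_dob}


def mask_record(row: dict) -> dict:
    return {col: (POLICY[col](val) if col in POLICY else val) for col, val in row.items()}


def mask_extract(rows: list) -> list:
    return [mask_record(r) for r in rows]


# Constructed sample rows, not real members or claims.
SAMPLE_MEMBERS = [
    {"member_id": 1001, "name": "J. Doe", "ssn": "123-45-6789", "dob": "1971-04-09", "plan": "HMO"},
    {"member_id": 1002, "name": "A. Roe", "ssn": "234-56-7890", "dob": "1985-12-30", "plan": "PPO"},
]
SAMPLE_CLAIMS = [
    {"claim_id": 77, "ssn": "123-45-6789", "amount": 120.50},
]


def joined_claim_members(members: list, claims: list) -> list:
    """Join claims to members on ssn; works on raw or masked extracts."""
    by_ssn = {m["ssn"]: m for m in members}
    return [(c["claim_id"], by_ssn[c["ssn"]]["member_id"]) for c in claims if c["ssn"] in by_ssn]


if __name__ == "__main__":
    masked_members = mask_extract(SAMPLE_MEMBERS)
    masked_claims = mask_extract(SAMPLE_CLAIMS)
    for row in masked_members:
        print(row)
    print(joined_claim_members(masked_members, masked_claims))
```

The point to check in any masking tool is the one the join demonstrates: developers and researchers need referential integrity across tables, not just scrambled columns, and the token must not be reversible without the key held in the data center.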
Transparent full disk encryption of the endpoint takes regulated data off the table when a device is lost or stolen, provided the device was powered off or locked and the encryption requires authentication before boot; it does nothing for data copied off an unlocked machine. It is always better to understand the application profiles and the use of sensitive data, but IT resource constraints may force a more comprehensive encryption program instead. Automatically encrypting all business data on mobile devices and removable drives avoids exposure when the device is lost, and most breach-notification rules treat properly encrypted data as not having been breached, which can save the considerable expense of meeting disclosure requirements. Companies such as Check Point Software, Lumension and SafeNet can help enforce transparent full disk endpoint encryption policies.
Security teams should extend data protection policies to mobile phones with the same considerations as laptops, because their storage capacity is now large enough to hold a meaningful extract. For instance, a standard Samsung Galaxy Android-based phone includes 8 GB of storage. Applications accessed via browsers on handhelds can leave sensitive data in caches, temporary buffers and files, which IT needs to proactively remove or encrypt.
These breaches are bound to happen again, unless IT security professionals deploy the right technologies to protect company data.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.