Despite all the attention paid by enterprises and vendors alike to data leaks that occur over email or the Web, the truth is that sensitive corporate data is far more likely to end up in someone else's hands through a lost laptop, CD, or USB drive. Here are just a few real-world examples:
1. In May 2006, the
2. In October 2007, Her Majesty's Revenue & Customs service lost two CDs containing the financial records of 25 million UK citizens.
3. In February 2006, a Deloitte & Touche employee left a CD containing the personal records of 9,290 McAfee Inc. employees in an airline seatback pocket.
4. In 2007, reports surfaced that USB flash drives containing sensitive military information were being sold in street markets in Afghanistan.
Although there are still a few organizations sending techs out armed with hot glue guns to gum up the USB ports and read-only CD drives on their client machines, most enterprises rely on a slew of software options to manage these potential leak points. Let's review a few of them below:
1. On Windows XP and Vista, group policy objects can be used to restrict device installation. Vista offers more granular policies than XP, but devices already installed by the user may still be accessible depending on how the GPO is configured. This option is free, but it is not as flexible as alternatives, and it may not offer as much security.
2. A variety of third-party software tools can restrict access to portable storage, including CD-ROM and USB devices -- Policies can be extremely granular, allowing access only to corporate-approved devices, or allowing read-only connections to digital cameras and music players while still preventing outbound data transfers. Most tools support role- and system-based policies, allowing different restrictions for different user and computer groups (e.g. completely disabling write access on desktops while allowing it on executive laptops).
3. Third-party software to block or audit access to portable storage -- Policies can allow access while keeping a secure copy of the files, which are then sent to the management server the next time the laptop connects to the corporate network. An administrator can then review the activity, including the contents of the file, to see if it complies with policy.
4. Encryption software for optional or mandatory encryption of data on portable storage -- Users can choose (depending on policy) between corporate and group keys, or self-decrypting archives with password protection for transfer to partners not using the same encryption software. Some tools can apply policies based on user, group, system or even storage device.
5. Dedicated USB devices tied to central policies -- Probably the most expensive option, and they don't offer any material security benefit over the software solutions above.
6. Data loss prevention products with endpoint protection -- These tools can apply dynamic policies based on detected content. For example, a file with credit card numbers can be restricted, while a PowerPoint presentation with no sensitive content can be transferred. The best tools use deep content analysis to protect not only easily recognizable data like credit card and account numbers, but also less structured data like portions of protected documents. Some tools include, or partner for, encryption. DLP is the most flexible option, and all tools will eventually have to include content-based capabilities. They are more complex to define policies for, however, and maturity levels vary greatly.
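To make the content-based policy in option 6 concrete, here is an added example of the two detection techniques the paragraph describes: a structured check for credit card numbers (a pattern match followed by a Luhn checksum, which is what keeps an order number or timestamp from being flagged) and a shingle fingerprint for portions of a protected document. This is illustrative code written for this page, not the product of any DLP vendor. The sample texts, the "protected" pricing memo, the policy names allow/encrypt/block, the shingle size of five words and the three-shingle threshold are all constructed assumptions.

```python
import hashlib
import re

# Hypothetical policy outcomes (assumption for this example).
ALLOW, ENCRYPT, BLOCK = "allow", "encrypt", "block"

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return candidate card numbers that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def shingles(text: str, k: int = 5) -> set[str]:
    """Hashed k-word shingles; the fingerprint never stores the text itself."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def classify(text: str, protected_fp: set[str], min_shared: int = 3) -> list[str]:
    """List the reasons a file counts as sensitive (empty list = clean)."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} credit card number(s)")
    shared = len(shingles(text) & protected_fp)
    if shared >= min_shared:
        reasons.append(f"{shared} shingles match a protected document")
    return reasons


def decide_transfer(text: str, protected_fp: set[str], device_encrypted: bool = False) -> str:
    """Policy: clean files always go; sensitive files go only to an
    encrypted corporate device (assumed policy for this example)."""
    if not classify(text, protected_fp):
        return ALLOW
    return ENCRYPT if device_encrypted else BLOCK


# Constructed sample data (not real records).
PROTECTED_MEMO = ("Project Falcon pricing: our floor price for the enterprise tier is "
                  "twelve dollars per seat per month and the partner margin is thirty "
                  "percent. Do not share outside the pricing committee.")
PROTECTED_FP = shingles(PROTECTED_MEMO)

BENIGN_SLIDE = ("Q3 roadmap: launch the new dashboard, hire two engineers, and expand "
                "the partner program in Europe.")
CARD_FILE = ("Refund request from customer, card 4111 1111 1111 1111, expires 12/10, "
             "amount 45.00.")
ORDER_FILE = "Shipment confirmation for order 1234567890123456 left the warehouse on Monday."
PRICING_EXCERPT = ("Some notes for the reseller call: our floor price for the enterprise "
                   "tier is twelve dollars per seat per month.")

if __name__ == "__main__":
    for name, text in [("slide", BENIGN_SLIDE), ("refund", CARD_FILE),
                       ("order", ORDER_FILE), ("excerpt", PRICING_EXCERPT)]:
        print(name, decide_transfer(text, PROTECTED_FP),
              classify(text, PROTECTED_FP))
```

Running the script shows the behaviour the paragraph describes: the slide and the order confirmation are allowed (the order number is 16 digits but fails Luhn), while the refund note and the copied pricing sentence are blocked, or encrypted when the target device is an encrypted corporate one. Real products add many more detectors and tune the shingle threshold per document class, but the shape of the decision is the same.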
Enterprises have a wide variety of options, from simply blocking devices to real-time content-based policies tied to dynamic encryption. The best option for your organization will depend on your specific needs, user tolerance, budget, and existing infrastructure.
About the author
Rich Mogull is the founder of Securosis LLC, an independent security consulting practice. Prior to founding Securosis, he spent seven years as an analyst at Gartner Inc. He blogs regularly on security issues at http://securosis.com.
This was first published in February 2008