Despite all the attention paid by enterprises and vendors alike to data leaks that occur over email or the Web, the truth is that sensitive corporate data is far more likely to end up in someone else's hands through a lost laptop, CD, or USB drive. Here are just a few real-world examples:
1. In May 2006, the U.S. Department of Veterans Affairs revealed that the personal information -- including Social Security numbers -- of more than 26 million veterans was lost on a stolen laptop. The records were actually on a portable hard drive, later recovered.
2. In October 2007, Her Majesty's Revenue & Customs service lost two CDs containing the financial records of 25 million UK citizens.
3. In February 2006, a Deloitte & Touche employee left a CD with personal records of 9,290 McAfee Inc. employees in an airline seatback.
4. In 2007, reports surfaced that USB flash drives with sensitive military information were being sold in street markets in Afghanistan.
While it's fairly straightforward to protect a laptop using full-disk encryption, portable media presents more challenges. Mobile employees often have a legitimate need to use such devices to transfer data, even sensitive data, while on the road. At one time specialized hardware was considered for this task, but prices have dropped so much that even gigabyte thumb drives are routinely handed out for free on conference floors, and it's hard to find a laptop without a CD or DVD burner included as standard.
Although there are still a few organizations sending techs out armed with hot glue guns to gum up the USB ports and read-only CD drives on their client machines, most enterprises rely on a slew of software options to manage these potential leak points. Let's review a few of them below:
1. On Windows XP and Vista, group policy objects can be used to restrict device installation. Vista offers more granular policies than XP, but devices already installed by the user may still be accessible depending on how the GPO is configured. This option is free, but it is not as flexible as alternatives, and it may not offer as much security.
2. A variety of third-party software tools can restrict access to portable storage, including CD-ROM and USB devices -- Policies can be extremely granular, allowing access to only corporate-approved devices, or allowing read-only connections to digital cameras and music players while still preventing outbound data transfers. Most tools support role- and system-based policies, allowing restrictions for different user and computer groups (e.g. completely disabling write access for desktops, while allowing it for executive laptops).
3. Third-party software to block or audit access to portable storage -- Policies can allow access while keeping a secure copy of the files, which are then sent to the management server the next time the laptop connects to the corporate network. An administrator can then review the activity, including the contents of the file, to see if it complies with policy.
4. Encryption software for optional or mandatory encryption of data on portable storage -- Users can choose (depending on policy) between corporate and group keys, or self-decrypting archives with password protection for transfer to partners not using the same encryption software. Some tools can apply policies based on user, group, system or even storage device.
5. Dedicated USB devices tied to central policies -- Probably the most expensive option, and one that doesn't offer any material security benefits over software solutions.
6. Data loss prevention products with endpoint protection -- These tools can apply dynamic policies based on detected content. For example, a file with credit card numbers can be restricted, while a PowerPoint presentation with no sensitive content can be transferred. The best tools use deep content analysis to protect not only easily recognizable data like credit card and account numbers, but also less structured data like portions of protected documents. Some tools include, or partner for, encryption. DLP is the most flexible option, and all tools will eventually have to include content-based capabilities. They are more complex to define policies for, however, and maturity levels vary greatly.
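The content-based decision described in option 6, as an added example (not code from the article or from any DLP vendor): a minimal endpoint rule that scans a file's text for payment card numbers before allowing a copy to removable media. The Luhn check is what keeps a random 16-digit string or a phone number from triggering a block; the file names and contents are constructed sample data.

```python
import re
from typing import List

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card-number candidates found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def transfer_decision(filename: str, content: str) -> str:
    """Endpoint DLP rule: block the copy to removable media if card numbers are present."""
    pans = find_pans(content)
    if pans:
        return f"BLOCK {filename}: {len(pans)} card number(s) detected"
    return f"ALLOW {filename}"

# Constructed sample files (not real data): a customer export and a slide deck's text.
CUSTOMER_EXPORT = (
    "name,card,phone\n"
    "A. Example,4111 1111 1111 1111,555-0100\n"
    "B. Example,5500-0000-0000-0004,555-0101\n"
    "C. Example,1234567890123456,555-0102\n"   # 16 digits but fails Luhn: not a card
)
# The project code below is 16 digits yet fails Luhn, so the deck is allowed through.
SLIDE_DECK = "Q3 roadmap. Project code 4111-1111-1111-1112. Call 555-0100 ext 1234."

if __name__ == "__main__":
    for name, body in (("customers.csv", CUSTOMER_EXPORT), ("roadmap.pptx", SLIDE_DECK)):
        print(transfer_decision(name, body))
```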
Enterprises have a wide variety of options, from simply blocking devices to real-time content-based policies tied to dynamic encryption. The best option for your organization will depend on your specific needs, user tolerance, budget, and existing infrastructure.
About the author
Rich Mogull is the founder of Securosis LLC, an independent security consulting practice. Prior to founding Securosis, he spent seven years as an analyst at Gartner Inc. He blogs regularly on security issues at http://securosis.com.