
Data loss prevention from the inside out

Corporate information loss can often be credited to a company's internal organization, or lack thereof. In other words, in order to prevent data leakage, corporations must not only eliminate external threats, but also internal processes that could enable data leakage. In this tip, contributor Noah Schiffman highlights these internal risks as well as some storage-specific DLP issues.

The traditional business-centric view of computer security has focused on the external threat landscape, often overlooking internal vulnerabilities. Recent studies from Ponemon, Orthus and Vontu have indeed revealed that a majority of corporate data loss, often termed data leakage, is caused unintentionally by an organization's own actions.


The potential legal liability and brand-reputation damage from corporate data loss has spurred growing demand for data leakage prevention (DLP) technologies. These technologies have largely focused on the need for automated data management. This "inside-out" security paradigm has resulted in corporations striving to achieve rapid data governance via products that emphasize outbound content compliance (OCC) policies, insider threat management, and extrusion prevention systems (EPS).

However, before considering a comprehensive enterprise data management product or platform, information security departments must understand their organizations' business workflow and how it relates to the protection of existing IT assets. This process should include investigating and targeting key aspects of the network infrastructure that may be a source of data loss. Here are some important issues to consider when identifying potential areas of data leakage:


  • As the complexity of an IT infrastructure increases, so does the difficulty of knowing where all the data resides, how it's accessed and by whom.
  • As the roles of data managers and storage managers blur, assigning the responsibility for creating a data ranking system becomes harder to define.
  • The business must strive to assess the criticality of its corporate data. Once content discovery of all data is completed, a classification scheme must be implemented to categorize data sensitivity.
  • Those with access to the data are the ones usually responsible for its loss. Identify users with overly permissive access controls, including senior managers, who often request high privilege levels without possessing the proper training in data security.
  • While inbound email is analyzed to protect against Internet threats, outbound email is often overlooked as a major source of data loss. The accidental loss of confidential and proprietary information via insider email is one of the largest areas of data loss. The risks associated with activities such as personal web-based account use and inappropriate message auto-forwarding can have serious legal, financial and regulatory consequences.
  • Unauthorized use of Internet protocols and services -- such as IM, peer-to-peer file sharing, blogging, social networking sites and unauthorized uploading (FTP) of data to Web sites -- is a major contributor to data security incidents and should be controlled via a detailed policy.
  • The use of contractors and outside consultants usually requires the creation of new user credentials. Knowledge of and accountability for these user accounts is essential, as track of them is frequently lost.
  • Removable storage media, such as flash drives, optical media, external hard drives and personal media devices, create a portable medium for the loss of data.
  • Mobile computing platforms (i.e. laptops, PDAs) allow data to be physically removed from the corporate environment where all monitoring and control is lost.

Strategic planning for prevention

Enterprise storage has evolved far beyond direct-attached storage (DAS), basic networked file shares and simple database storage. Today's architecture employs storage area networks (SANs) using iSCSI and Fibre Channel, tiered and hierarchical storage models, virtual storage systems, high-end storage arrays and clustered storage. Due to the wide variety of hardware and software and their numerous configurations, the remediation strategies for data leakage are ultimately company specific.

Nevertheless, all DLP planning should involve consideration of the following:


  • Implementing basic company-wide standards and procedures for all employee data usage and information ownership;
  • Assessing and ranking corporate data based on the business risks associated with its loss or exposure;
  • Ensuring detection and classification software uses effective identification algorithms with lexical examination of data content;
  • Performing frequent inventory reviews of business critical data, ensuring proper safeguards are in place and making sure security protocols are up to date;
  • Using an effective data security model that simplifies role-based access control (RBAC) and granular control of individual users;
  • Enforcing employee training of corporate email acceptable use policies. Consider messaging protection platforms for automated corporate compliance and policy management of outbound email;
  • Ensuring that employees are aware of computer usage monitoring as a deterrent to attempts at policy circumvention;
  • Administering frequent reviews of user-privilege levels to assess and confirm that the appropriate settings are configured for each user;
  • Embedding access controls directly into sensitive data through use of digital rights management (DRM) technologies;
  • Maintaining data security when dealing with business partners through the use of federated identity management; and
  • Generating routine audit and data-flow assessment reports to monitor data leakage threats and track data locations with respect to time and user request.
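As an added illustration of the "lexical examination of data content" and outbound-email points above (example code written for this page, not from the original article or any DLP product): a minimal content classifier that scans constructed sample messages for hypothetical label markers and for card numbers validated with the Luhn checksum, so that order numbers that merely look like cards do not raise the sensitivity tier.

```python
import re

# Constructed sample outbound messages (not from the original article).
SAMPLE_MESSAGES = {
    "msg-1": "Hi Bob, attached is the Q3 roadmap. INTERNAL USE ONLY - do not forward.",
    "msg-2": "Customer card on file: 4111 1111 1111 1111, exp 09/11. Please refund.",
    "msg-3": "Order #1234567812345678 shipped today. Thanks for your business!",
    "msg-4": "Lunch at noon?",
}

# Hypothetical label markers a classification scheme stamps on content,
# mapped to the sensitivity tier each implies.
LABEL_MARKERS = {"CONFIDENTIAL": "confidential", "INTERNAL USE ONLY": "internal"}
TIER_ORDER = ["public", "internal", "confidential"]

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_valid(number: str) -> bool:
    """Luhn checksum: drops order numbers and other digit runs that only look like cards."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right, then sum its digits
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> tuple[str, list[str]]:
    """Return (sensitivity tier, reasons) for one outbound message body."""
    tier, reasons = "public", []
    for marker, marker_tier in LABEL_MARKERS.items():
        if marker in text:
            reasons.append(f"label marker '{marker}'")
            if TIER_ORDER.index(marker_tier) > TIER_ORDER.index(tier):
                tier = marker_tier
    for candidate in CARD_CANDIDATE_RE.findall(text):
        if luhn_valid(candidate):
            reasons.append("Luhn-valid card number")
            tier = "confidential"
    return tier, reasons

def scan_outbound(messages: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Classify every message; a mail gateway would quarantine anything above 'public'."""
    return {msg_id: classify(body) for msg_id, body in messages.items()}

if __name__ == "__main__":
    for msg_id, (tier, reasons) in scan_outbound(SAMPLE_MESSAGES).items():
        print(f"{msg_id}: {tier:12s} {'; '.join(reasons) or 'no findings'}")
```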

Data loss prevention has become a relevant compliance issue and is critical in protecting confidential company data and preserving customer data privacy. Data growth rates today are such that it is a challenge to efficiently manage new and existing data. Corporate security policies that address data proliferation issues must also sustain data availability, business productivity, operational continuity and data restoration. Most importantly, to avoid the end-user misperception that your DLP strategy is a set of IT laws, thorough communication and education are essential in facilitating acceptance of the organization's DLP program as an important parallel business strategy.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

This was last published in February 2008
