Stopping employees from leaking sensitive data

The Wall Street Journal asked me recently to write to them regarding methods companies use to keep their private data from escaping their network. Because I never know how much a magazine or news reporter will use of what I send them, I thought I would post my entire response here so at least you would know my thoughts on the subject. This is a very big issue right now and growing all of the time. DLP (data leakage prevention) is definitely one of the big pushes looking through the rest of 2009 and beyond.

——————–

In looking at these methods, an organization needs to have a firm understanding of what it wants out of the solution. When using technology to keep sensitive data from leaving the organization, a company must decide whether it is doing this in an attempt to stop malicious employees, or just careless and untrained employees (employee mistakes). In my opinion, there are many methods and technologies available to help organizations limit employee mistakes. Stopping malicious employees is a whole other matter and is very difficult. Here are some of the methods that companies currently use to keep sensitive data from leaving their networks.

- Email content filtering is popular for blocking certain types of data from leaving the network over email.
- DLP (Data Leakage Prevention) is also used because it usually covers a broader array of ports and services. In other words, it should block sensitive data leaving the network over more than just email.
- Whitelists and blacklists are sometimes used to block access to personal email accounts such as Gmail, Hotmail, and many others.
- Web content filtering solutions are also used to block access to websites. These are often used to block access to social networking sites and to sites where users could download software that could bypass traditional security controls.
- Some organizations attempt to use intrusion detection system software, writing specific signatures for content leaving the network, but this doesn't work very well: a signature written for a particular string misses the same data once it is compressed, encoded, or encrypted.
- Some load software directly on end users' computers to manage content. Some of these solutions scan the drives and will encrypt or block access to sensitive data. Other packages will block a user's attempt to send sensitive data from their computer.
- Some have developed methods that do not block the sending of sensitive data, but rather, if sensitive data is found, force it to be sent securely (for example, encrypted). Of course this assumes that the person on the other end should see this information; otherwise the sensitive data was sent to an unauthorized user in a very secure way.
- Some firewalls and other gateway or network devices have methods of blocking certain types of attachments so they cannot leave the organization.
- Of course, software that attempts to detect P2P activity on systems or networks can help keep sensitive data local.
- Walking out with sensitive data on a USB thumb drive, CD, DVD or other removable media is also a problem. There are many solutions available to limit this type of activity.
- There are software programs that will simply monitor the end user's every move, including taking screenshots of what they are doing, capturing keystrokes, etc. These "recordings" can be audited if malicious or mistaken behavior is suspected.

As with anything, each of these methods can be subverted if the employee is even the slightest bit technical. Most solutions out there are designed to "keep the honest people honest," or in other words to keep good employees from making mistakes.
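To make the content-filtering bullets and the "slightest bit technical" caveat concrete, here is a toy outbound content scanner of the kind an email filter or DLP gateway runs. It is an added example written for this page, not code from the original post or from any product. It matches card numbers (validated with the Luhn checksum so that random digit runs are not flagged) and US SSN-shaped values, then shows the simplest evasion: the same message base64-encoded slips past a plain pattern match, and only a filter that also inspects decoded layers catches it. The sample messages and the SSN value are constructed for the example; the card number is the standard test PAN.

```python
"""Toy DLP content scanner (added example, not from the original post)."""
import base64
import re

# --- detectors ---------------------------------------------------------------

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# NNN-NN-NNNN; invalid area/group/serial values are filtered out below
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# base64-looking runs of at least 20 characters, with optional padding
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")

def find_pans(text: str) -> list:
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def find_ssns(text: str) -> list:
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = (int(g) for g in m.groups())
        if area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0:
            continue          # never-issued ranges; cuts down on false positives
        found.append(m.group(0))
    return found

def decoded_layers(text: str) -> list:
    """Return printable decodings of base64-looking blobs so they can be scanned too."""
    layers = []
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue          # not really base64, or binary content: skip
        if decoded.isprintable():
            layers.append(decoded)
    return layers

# --- policy ------------------------------------------------------------------

def scan(text: str, decode_encodings: bool = True) -> dict:
    """Scan the raw text and, optionally, one layer of base64 decoding."""
    views = [text] + (decoded_layers(text) if decode_encodings else [])
    findings = {"pan": [], "ssn": []}
    for view in views:
        findings["pan"] += find_pans(view)
        findings["ssn"] += find_ssns(view)
    return findings

def verdict(text: str, decode_encodings: bool = True) -> str:
    f = scan(text, decode_encodings)
    return "block" if (f["pan"] or f["ssn"]) else "allow"

# --- constructed sample messages (not real customer data) --------------------

PLAIN = "Hi, please charge card 4111 1111 1111 1111 and note SSN 123-45-6789."
# Luhn-invalid order number and a never-issued SSN shape: should be allowed
BENIGN = "Order 4111111111111112 shipped; tracking 000-00-0000 is not a real SSN."
# The same sensitive text, base64-encoded by a slightly technical user
ENCODED = "Attached as requested: " + base64.b64encode(PLAIN.encode()).decode()

if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("benign", BENIGN), ("encoded", ENCODED)):
        print(label, "naive:", verdict(msg, decode_encodings=False),
              "decoding:", verdict(msg))
```

The decoding layer only buys one step: a password-protected archive, a custom encoding, or a TLS session to personal webmail leaves the filter nothing to match on, which is exactly why these controls are said to keep honest people honest rather than stop a determined insider.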

