Solution provider takeaway: Solution providers can help customers embark on data theft prevention projects, cutting down on malicious access, with the help of data theft prevention tools.
Have you ever been in a meeting with a customer discussing subjects you feel comfortable with, like virtualization or backup, when the customer asks you a question out of left field and you have no idea how to answer it? It's awkward to say the least, especially when the subject is one that you feel you should know something about.
Data theft prevention projects, in my experience, almost always grow out of one of those "by the way" questions. Here are some tips for dealing with questions about data theft protection.
First, as always, make sure you understand the question. It can really be about one of two things: data encryption -- protecting data that travels across a WAN link or is shuttled around on a tape -- or preventing users from accessing data on disk in a malicious fashion. While encryption is certainly a worthy topic, here we'll concentrate on the malicious access problem.
There are many motivating factors driving malicious access to data. It could be purely theft, for instance, copying a customer list to a USB drive. It could also be inappropriate modification; a user may want to give himself a pay raise, for example. (Beyond those two scenarios, users might also store inappropriate or copyrighted material on file servers, which could lead to legal troubles for your customers.)
Unlike encryption or other forms of loss prevention, where you have to keep the thief out, the challenge with data theft as described above is that the user more than likely has the credentials to access the data; they have been authenticated and are logged into the system. The culprit you're helping the customer guard against is likely either a disgruntled employee or a careless one who leaves their desktop logged in to network resources. The careless employee doesn't recognize that they're doing anything wrong, and the disgruntled employee oftentimes thinks they're committing a victimless crime.
The solution to this vulnerability isn't as simple as removing or restricting network access across the board; that will only make users less productive and the IT staff less popular. A more viable approach is to use data theft prevention tools to assess the current state of affairs and then recommend a plan of action.
Data theft prevention tools
Companies like CoSoSys SRL, Trend Micro (with its LeakProof) and Cofio (with its AimStor) are in the data theft prevention space. Cofio goes beyond the others by integrating its AimStor line into what I call a data supervision tool, essentially a total data control solution. The goal of all of these solutions is to monitor access to verify data use, allowing appropriate use to continue without interruption and loss of productivity yet preventing and reporting inappropriate use of data.
The architecture of these products includes agents that reside on file servers and in some cases user desktops. The agents collect a detailed metadata map of the servers. From there users can set up detailed policies based on user type and/or data type. For example, everyone in sales and marketing could be allowed to access and update the customer database but restricted from copying that data to an external hard drive or emailing that data to an external email account.
These solutions typically can also build an audit log of what data has been modified and by whom. This would allow for all edits to the payroll spreadsheet, for example, to be emailed to several users for checks-and-balances protection.
Before any policy changes happen, though, it's critical to conduct an assessment of network activity.
Because an assessment of network activity could unearth information that could threaten job security for some staff members, data theft prevention projects have to be approached carefully and have executive sponsorship. In almost every case, the initial assessment finds evidence of inappropriate use or storage. It's critical for you and your customer to outline a reaction plan before the assessment takes place. Unlike assessments that simply find wasted disk space or underallocated servers, a data theft prevention assessment will likely find employees performing actions that are either harmful to the company or outright illegal. To make matters worse, companies oftentimes don't have a written policy on data theft and treatment! It seems logical to everyone involved that users should not be copying the customer database, but there is seldom anything written that specifically says, "Don't do that."
It's also important to determine prior to the assessment whether employees should be notified of the pending assessment. Obviously, their knowledge of the assessment will affect test results, but some companies are uncomfortable with the idea of not disclosing the assessment.
We recommend that customers run the audit without notifying users, to get a sense of how widespread the problem really is. However, we also recommend that no punitive actions be taken against violating employees, except in extreme cases.
To conduct the assessment, you should run the auditing solution in an audit-only mode for 30 to 90 days. At the end of that time period, you should review and summarize the audit for the customer. Look for files being copied to external drives, files being emailed to non-organizational email accounts (Hotmail, Yahoo, Gmail) and modifications to important common-use documents like spreadsheets.
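The review described above can be run as a small script over the audit export. This is an added example, not code or output from any of the products named; the CSV columns, `ORG_DOMAINS` and `WATCHED_PATHS` are assumptions, and the log lines are constructed. It counts, per user, copies to removable media, mail to outside domains and edits to watched documents.

```python
import csv
import io
from collections import Counter, defaultdict

# Assumptions for this example: the organization's own mail domains and the
# shared documents whose edits should be reviewed.
ORG_DOMAINS = {"example.com"}
WATCHED_PATHS = {"/finance/payroll.xls"}

# Constructed sample export from an audit-only run (hypothetical columns).
SAMPLE_LOG = """timestamp,user,action,path,target
2008-11-03T09:14:00,asmith,copy,/sales/customers.xls,removable
2008-11-03T09:20:00,asmith,email,/sales/customers.xls,asmith@gmail.com
2008-11-04T10:02:00,bjones,email,/sales/q4-plan.doc,cwu@example.com
2008-11-04T16:45:00,bjones,modify,/finance/payroll.xls,
2008-11-05T08:30:00,cwu,copy,/sales/customers.xls,fileserver
2008-11-05T11:10:00,cwu,modify,/sales/q4-plan.doc,
2008-11-06T13:00:00,asmith,copy,/sales/pricing.xls,removable
"""

def classify(event):
    """Return the review category for one audit event, or None if benign."""
    action, target = event["action"], event["target"].strip().lower()
    if action == "copy" and target == "removable":
        return "external_copy"
    if action == "email":
        # Anything not provably internal is flagged, including malformed
        # addresses with no "@" at all.
        domain = target.rsplit("@", 1)[-1]
        return None if domain in ORG_DOMAINS else "external_email"
    if action == "modify" and event["path"].lower() in WATCHED_PATHS:
        return "watched_modify"
    return None

def summarize(log_text):
    """Count flagged events per category and user."""
    summary = defaultdict(Counter)
    for event in csv.DictReader(io.StringIO(log_text)):
        category = classify(event)
        if category:
            summary[category][event["user"]] += 1
    return {cat: dict(users) for cat, users in summary.items()}

if __name__ == "__main__":
    for category, users in sorted(summarize(SAMPLE_LOG).items()):
        for user, count in sorted(users.items()):
            print(f"{category:15} {user:8} {count}")
```

Per-user counts over the full 30 to 90 days separate a one-off from a pattern, which is what the reaction plan agreed with the customer needs as input.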
In addition to summarizing the audit, you should make specific recommendations on what policies should be implemented and how. You should also make recommendations on what a formal "data usage" policy will be.
In tough economic times there will be disgruntled employees; most of those employees will do nothing illegal, but a very few may. A data theft prevention solution will prevent that from happening, protecting not only the organization but also the employee (sometimes you have to prevent people from harming themselves). These solutions aren't the classic ROI sale that you look for in tough economic times, but they will prevent the loss of assets, and that may be worth more than any good-ROI system in the long run.
About the author
George Crump is president and founder of Storage Switzerland, an IT analyst firm focused on the storage and virtualization segments. With 25 years of experience designing storage solutions for data centers across the United States, he has seen the birth of such technologies as RAID, NAS and SAN. Prior to founding Storage Switzerland, George was chief technology officer at one of the nation's largest storage integrators, where he was in charge of technology testing, integration and product selection.
This was first published in December 2008