By Yuval Shavit, Features Writer
Data leak prevention (DLP) technology can monitor, and sometimes block, your clients' employees as they try to send potentially sensitive data to outside parties. But DLP is a relatively new and immature technology, and it's fairly expensive to install and maintain. In this installment of our Hot Spot Tutorial on data leak prevention, we'll look at some alternatives to data leak prevention technology that your client may consider. These range from relatively simple and cheap technologies to cutting-edge software, with DLP sitting midway on the spectrum in terms of maturity and price.
One of the problems with DLP is that it can monitor users as they send data to unauthorized parties, but it isn't as good at stopping them. While it's possible to configure DLP products to block transmissions that trigger a filter, that will only catch about 80% of the data you should be stopping, said Mark Finegan, president of SIM2K, an Indianapolis consultancy. At best, this can breed complacency when a significant part of data is still leaking; at worst, it gives malicious employees real-time feedback about exactly what the filter does and doesn't catch, so they can adjust their methods.
DLP scans data each time the user performs an action that could leak sensitive data, such as attaching a file to an email, or sending an email with sensitive data in the body. But hiding the data is easy -- even a simple zip file encrypted with the password "1" is virtually uncrackable, said Nick Selby, research director of enterprise security at The 451 Group in Boston.
Clients can set the DLP filters to raise a red flag if a user sends too much encrypted data, but only a more in-depth investigation, conducted by humans, can determine if the encrypted content is inappropriate, Finegan said.
Digital rights management (DRM)
The most advanced alternative to data leak prevention software is digital rights management (DRM). Also known as enterprise rights management (ERM), DRM is client-side software that tracks pieces of potentially sensitive files as they are copied and pasted. If a file is categorized as sensitive -- either manually or by an automated filter -- the DRM software recognizes when a portion of that file is copied, encrypted or otherwise embedded into another file. The original file's categorization, or fingerprint, then transfers over to the new file, allowing the software to monitor or block its transmission without having to actually scan it as it's sent. Data protected by DRM is encrypted, so hackers can't bypass the DRM application and access the data directly.
DRM software works very well but is a much more expensive alternative to data leak prevention, said Rob Eggebrecht, senior partner and CEO of BEW Global, a Castle Rock, Colo.-based security consultancy. Whereas DLP technologies can be applied company-wide, DRM is better kept as a tactical tool deployed only in a few key departments, he said. Depending on your client's company, you may want to recommend complementing a company-wide DLP deployment with DRM in the most at-risk departments, or it may be enough to protect just those departments.
Encryption for data in motion
A cheap alternative to data leak prevention is encryption, which can help protect data even if sensitive files are sent. If your client isn't already encrypting data in motion -- that is, data passed over Internet and intranet connections -- this is a good place to start. Transport layer security (TLS) lets applications set up a secure tunnel over an unencrypted network, like the Internet.
TLS lets users access company resources like email or file servers securely over the Internet. TLS is cheap to set up and a good place to start securing your client's data, said Bill O'Brien, president of Commercium Technology Inc., an IT consultancy in Rumson, N.J.
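As an added illustration of the point above (this is example code written for this tutorial, not anything from the consultancies quoted), the following Python shows what "set up TLS properly" means for a client application in practice: a hardened context that verifies the server certificate and hostname and refuses anything older than TLS 1.2, next to the weak configuration that disables verification, plus a small audit function that tells the two apart. The hostname in `connect_example` is a placeholder; the audit rules are this example's own checks, not a standard.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that actually gives you a secure tunnel.

    create_default_context() loads the system CA store and turns on
    certificate and hostname verification; we additionally pin the
    floor at TLS 1.2 so legacy protocol versions are never negotiated.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common 'it works now' misconfiguration: encryption without
    authentication.  Traffic is encrypted, but to whoever answers, so an
    on-path attacker can present any certificate and read everything."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of weaknesses found in a client context (empty = OK).
    The three checks are this example's own minimum bar (assumption)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


def connect_example(host: str = "mail.example.invalid", port: int = 443) -> str:
    """How the hardened context is used; the host is a placeholder and this
    is not called by the checks below because it needs the network."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

The audit function is the piece worth keeping: run it over every `SSLContext` your client's in-house tools build, because "we use TLS" with verification switched off buys encryption against a passive observer only.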
Encryption for data at rest
Your client should also consider encrypting data at rest -- that is, when it's just sitting on the hard drive. Windows' password protection doesn't actually prevent unauthorized users from accessing files, so if a drive goes missing, whoever finds it can easily get access to the data. This can happen if a backup tape or production drive goes missing or, more commonly, if a user's laptop is lost or stolen. DLP helps protect against employees sending data out, but encryption is important to protect against data being stolen without employees sending it.
Encrypting the drive ensures that hackers won't be able to access the data even if they have the physical drive. This can be done with software installed on the machine, or the drive itself may contain an encryption layer. You should make sure that the drive is secured using a robust algorithm and not a trivial algorithm, like XOR encryption, which is easy to break.
Other data leak security options
If your client isn't ready to invest in DLP-specific technology, you may be able to find less robust alternatives to data leak prevention by reusing some existing tools. For instance, you can set up email filters on users' machines that provide some basic DLP monitoring functionality. This approach is limited because employees have control over the system; not only can users circumvent the filters easily, but maintaining the rules can be very difficult unless the company is small.
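To make concrete both what a basic home-grown filter of the kind described above can catch and the earlier point that encrypted attachments can only be flagged, not inspected, here is an added Python example (written for this tutorial, not code from any product or consultancy named). It scans a constructed batch of outbound messages for a social security number pattern and Luhn-valid card numbers, marks attachments it cannot read (a password-protected zip, detected from the zip header's encryption flag, or a high-entropy blob), and puts senders whose unreadable volume exceeds a threshold on a human-review list. The message format, the patterns, the entropy cutoff and the per-sender threshold are all assumptions for the example.

```python
import io
import math
import re
import zipfile
from collections import defaultdict

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13 to 16 digits, optional separators
ENTROPY_CUTOFF = 7.5            # bits/byte; random or encrypted data sits near 8.0 (assumption)
OPAQUE_BYTES_PER_SENDER = 1024  # review a sender past this much unreadable data (constructed)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def attachment_is_opaque(data: bytes):
    """(True, reason) when the filter cannot look inside the attachment."""
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # bit 0 of the general-purpose flag marks an encrypted entry
                if any(zi.flag_bits & 0x1 for zi in zf.infolist()):
                    return True, "encrypted zip"
                return False, ""   # a real DLP engine would recurse into the entries
        except zipfile.BadZipFile:
            return True, "malformed zip"
    if shannon_entropy(data) > ENTROPY_CUTOFF:
        return True, "high-entropy"
    return False, ""


def scan_message(msg: dict):
    """Return (findings, bytes_of_opaque_attachments) for one outbound message."""
    findings = []
    if SSN_RE.search(msg["body"]):
        findings.append("ssn-pattern")
    for m in CARD_RE.finditer(msg["body"]):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("card-number")
            break
    opaque_bytes = 0
    for name, data in msg.get("attachments", []):
        opaque, why = attachment_is_opaque(data)
        if opaque:
            findings.append(f"opaque-attachment:{name}:{why}")
            opaque_bytes += len(data)
    return findings, opaque_bytes


def scan_outbound(messages):
    """Per-message alerts plus the senders whose unreadable volume needs a human look."""
    alerts, opaque_by_sender = [], defaultdict(int)
    for msg in messages:
        findings, opaque = scan_message(msg)
        opaque_by_sender[msg["from"]] += opaque
        if findings:
            alerts.append((msg["id"], findings))
    review = [s for s, b in opaque_by_sender.items() if b > OPAQUE_BYTES_PER_SENDER]
    return alerts, review


def _constructed_encrypted_zip(name="secret.txt", payload=b"internal only") -> bytes:
    """Build a plain zip, then set the encryption flag in both headers so the
    sample looks like a password-protected archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 1   # local file header flags
    data[data.find(b"PK\x01\x02") + 8] |= 1   # central directory flags
    return bytes(data)


# Constructed sample traffic: one clean message, one leaking in the body,
# two from the same sender carrying attachments the filter cannot read.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice", "body": "Quarterly numbers attached.",
     "attachments": [("q3.csv", b"region,revenue\nwest,100\neast,120\n")]},
    {"id": "m2", "from": "bob",
     "body": "Customer record: SSN 123-45-6789, card 4111 1111 1111 1111"},
    {"id": "m3", "from": "carol", "body": "see archive",
     "attachments": [("archive.zip", _constructed_encrypted_zip())]},
    {"id": "m4", "from": "carol", "body": "and this one",
     "attachments": [("blob.bin", bytes(range(256)) * 8)]},
]

if __name__ == "__main__":
    alerts, review = scan_outbound(SAMPLE_MESSAGES)
    for msg_id, findings in alerts:
        print(msg_id, findings)
    print("senders for human review:", review)
```

Note what the two attachment findings do and do not tell you: the filter knows it was handed something it cannot read, and nothing more, which is exactly why the follow-up has to be a person looking at the sender and the context rather than a rule that blocks on sight.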
You should also make sure your client is protected from malicious outside hackers by installing antivirus, antispyware and IPS gateways, O'Brien said. Since one way that data leaks is through Trojans or other malware, preventing those programs from infecting users' systems is a good first step to securing your client's data. Employees should also turn on their personal firewalls, either those built into Windows or provided by a third party.
But the most effective way to prevent data from leaking from a computer is to make sure it's not there in the first place. This is especially true if your client isn't ready to invest in robust, DLP-specific technologies. Employees should also exercise common sense by keeping as much sensitive data off their personal computers as possible and being careful about which outside Web servers they post data to, O'Brien said.