May 2007

New Approach to Protecting Customer Data and Intellectual Property Assets


The lifeblood of every business and institution is its core information assets, such as financial documents, customer data, source code, intellectual property and more. These pieces of data are potentially just a few mouse-clicks away from being distributed to inappropriate recipients and exposing the organisation to the risk of data loss. In order to minimise the risk of data loss, organisations must gain full control and retain absolute visibility of the data leaving the employees’ end-stations, including emails, instant messaging, printed documents, USB drives, floppy disks, etc.

All IT security ultimately revolves around protecting one critical asset: data. Regardless of whether data loss happens accidentally or as a result of malicious activity, the effect on the organisation can be severe: loss of trade secrets, loss of customer goodwill, and regulatory penalties. To stem the damage to balance sheets, brands, and competitive advantage, organisations must adopt a new approach to protecting customer data and intellectual property assets. Current protections are insufficient because they offer no data loss coverage. Driven by industry regulations and internal governance policies, most security programs still concentrate on limiting unauthorised access. They fend off external attacks with traditional data security measures including firewalls, intrusion prevention, and anti-spyware. They rely heavily on identity and access controls and, in some cases, data encryption to limit exposure of sensitive information. But these approaches leave coverage gaps that enable an insider threat: inadvertent and deliberate loss by authorised users. The focus is on “intrusion” (external threats), while far less attention is paid to “extrusion” (internal threats).

The Insider Data Loss Problem

In a typical month, data loss incidents make mainstream news more often than violations of the Sarbanes-Oxley Act (SOX). While hacking gets justified attention, a great number of losses are due to authorised users inside organisations. According to the 2006 CSI/FBI Computer Crime and Security Survey, a remarkable 68 percent of survey respondents had experienced tangible losses attributed to insiders. These losses tarnish reputations and brands, jeopardise competitive advantage, and require costly remediation. Consider 2006.

  • One of the most high-profile of the incidents made public was in July last year, when an employee of HSBC Electronic Data Processing Pvt. Ltd—a Bangalore-based captive back office outfit of HSBC Bank Plc—was arrested after he allegedly siphoned off nearly INR 20 million from the accounts of 20 bank customers in the United Kingdom (UK).
  • Earlier, in 2005, workers at the BPO services division of Mphasis BFL Ltd, which counted Citibank as one of its key clients, defrauded some of the US bank’s customers of nearly half a million dollars.
  • In June of the same year, an undercover reporter from the UK’s The Sun tabloid bought the details of 1,000 UK bank accounts from an Infinity e-Search employee in Gurgaon, India.

Some other examples around the world are:

  • Industrial espionage charges were filed against a Chinese-Canadian engineer for theft of military training software
  • The Republican National Committee inadvertently emailed a list of donors’ names, Social Security numbers (SSNs), and races to a New York Sun reporter

What do these losses have in common? Authorised users. Users already inside the organisation had a business need to view and handle sensitive information. Through uninformed misuse, errors in judgment, or malicious intent, their legitimate access to information led to losses that caused financial and legal liability, and public relations headaches. Are these losses new? In some cases, yes, as more business and government practices go online to support distributed, just-in-time operations. In other cases, they are simply visible now.

In response, the trade body National Association of Software and Service Companies (NASSCOM) proposed in September 2006 a Self Regulation Organisation (SRO) for India, designed to identify and enforce a set of security and privacy standards that member companies will be expected to adhere to.


So Far, Not So Good

The traditional approach to data security emphasises “keeping the bad guys out” using firewalls, intrusion prevention, anti-spyware, and data encryption products. To control unauthorised information usage by insiders, many companies deploy identity management systems and use access control lists. These traditional security and access controls are helpful, but they do not fully protect companies from data loss. In February 2006, Gartner Content Monitoring and Filtering Research indicated that the market would likely evolve to the “successful blocking of all channels on the network and hosts from which data can be stolen. This would include host-based agents that can stop someone from downloading sensitive data—for example, through a Universal Serial Bus (USB) drive—and printing it and walking out the door.” (Paul E. Proctor and Rich Mogull, 23 February 2006)

What are some examples of data loss?

  • Emailing of a confidential document to a competitor (or other unauthorised recipient)
  • Printing of financial documents (and leaving in the printer tray)
  • Copying customer record files to a USB drive (easily taken offsite)
  • Sending an internal document via Hotmail

These simple everyday tasks have propelled data loss into the limelight, with tremendous impact and damage to organisations and consumers alike.

So how does data loss occur and why is this becoming a mission critical issue for organisations?


In order to minimise the risk of data loss, organisations must gain full control and retain absolute visibility of the data leaving the employees’ end-stations, including emails, instant messaging, printed documents, USB drives, floppy disks, etc. In addition to accidental or malicious IT security policy breaches caused by end-user actions, organisations need to protect their systems from targeted Trojans, file-sharing applications and worms that use employee credentials to access sensitive information and send it externally without the end user or organisation even being aware that it is happening. In today’s world, protecting the organisation against these risks is an absolute necessity, and in many cases a properly installed security measure is mandated by regulations. There are many data loss channels. To simplify, let’s group them into three categories:

  • Physical – copying files from the desktop or laptop onto a storage device (USB, iPod, CD, DVD, and other removable storage, printer, fax)
  • Network – sending sensitive data from the endpoint (LAN, WiFi, FTP, HTTP, HTTPS)
  • Applications – email, webmail, Instant Messenger, screen-scraping, P2P, Skype or malware (Trojan horses, spyware, worms, etc.)

A Data Loss Prevention solution must cover all of the above data loss channels. Anything less puts organisations at risk. It is clear that organisations need to protect their confidential data.

What has been their approach?

Traditional security technologies have meant using access control – i.e. ensuring that information access is enabled for authorised persons within the organisation and restricted to the types of information and resources that each person requires to do their job. However, that is not enough. Organisations need to think differently…

So, Why Is a Paradigm Shift Needed?

Legitimate access to information does not grant the user the right to remove it from the enterprise (organisation). Data loss usually happens unintentionally, and usually through people authorised to access the data.

  • Employees are authorised to access the data to complete their work assignments.
  • However, that does not mean they are authorised to transfer the data as they please.
  • Access control does not provide visibility or control over where or to whom the information can go next.


As you can see, access controls are not enough. Access controls cannot solve this problem. Organisations need Data Loss Prevention.

Universal protection prevents data loss for the user at work, at home, and on the road:

  • Network – LAN, WiFi, SMTP, FTP, HTTP, HTTPS
  • Physical devices – USB, iPod, CD, DVD, etc.
  • Applications – email, webmail, instant messaging, P2P

Content-aware protection prevents data loss even when data is modified, copied, pasted, compressed, or encrypted, with support for over 390 file types:

  • Modified, copied, pasted, compressed, zipped, or encrypted (for the use case in which the file is encrypted on the host)
  • Allows organisations to focus on monitoring only the scenarios in which a user attempts to send out sensitive data

Advanced forensics gather evidence on instantly blocked and monitored data loss events:

  • Sender, recipient, timestamp, and sensitive data evidence
  • Details enable proper and prompt response
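The following is an added example, written for this page and not taken from the article or from any McAfee product, of the two ideas in the bullets above and in the paradigm-shift section: that a user's legitimate read access to a file says nothing about where the data may go next, and that a content-aware check must still recognise sensitive data after it has been excerpted, pasted into an email, or zipped. It fingerprints a document by hashing overlapping five-word shingles, scores any outbound payload by the fraction of its shingles that match, and records each decision with sender, recipient, channel and timestamp. The shingle size, the 0.3 threshold, the `example.com` internal domain and the customer records are all constructed assumptions of this example.

```python
# Added example (not from the article, not McAfee code): a toy content-aware
# egress check. The protected document is fingerprinted by hashing overlapping
# word shingles; outbound payloads are shingled the same way and scored by the
# fraction of their shingles found in the fingerprint. Every decision is
# logged with sender, recipient, channel and timestamp for forensics.
from __future__ import annotations

import hashlib
import io
import re
import zipfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

SHINGLE_WORDS = 5                # words per overlapping shingle (assumption)
MATCH_THRESHOLD = 0.3            # payload shingle fraction that counts as sensitive
INTERNAL_DOMAIN = "example.com"  # recipients in this domain are treated as internal


def normalise(text: str) -> list[str]:
    # Lower-case alphanumeric tokens only, so case, punctuation and
    # whitespace edits do not defeat matching.
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str) -> set[str]:
    # Hash every run of SHINGLE_WORDS consecutive words.
    words = normalise(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


def extract_texts(payload: bytes) -> list[str]:
    # Text views of a payload: each member of a zip archive, or the payload
    # itself. A real product would unpack many more formats.
    if payload[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return [zf.read(n).decode("utf-8", "replace") for n in zf.namelist()]
    return [payload.decode("utf-8", "replace")]


def match_fraction(fp: set[str], payload: bytes) -> float:
    # Highest fraction of any view's shingles that appear in the fingerprint.
    best = 0.0
    for text in extract_texts(payload):
        s = shingles(text)
        if s:
            best = max(best, len(s & fp) / len(s))
    return best


@dataclass
class EgressEvent:
    # Forensic record of one decision: who, to whom, via what, when, and why.
    sender: str
    recipient: str
    channel: str
    score: float
    action: str
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def check_egress(fp: set[str], sender: str, recipient: str, channel: str,
                 payload: bytes) -> EgressEvent:
    # Policy: sensitive content to an external recipient is blocked, sensitive
    # content staying internal is monitored, anything else is allowed. The
    # user's read access to the source file plays no part in the decision.
    score = match_fraction(fp, payload)
    internal = recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    action = "allow" if score < MATCH_THRESHOLD else ("monitor" if internal else "block")
    return EgressEvent(sender, recipient, channel, round(score, 3), action)


def zip_bytes(name: str, text: str) -> bytes:
    # Build an in-memory zip archive holding one text member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample data: fictitious accounts, names and addresses.
CUSTOMER_RECORDS = (
    "Customer record export. "
    "Account 1234567890 holder Jane Doe address 12 High Street London. "
    "Account 2345678901 holder John Smith address 7 Park Lane Leeds. "
    "Account 3456789012 holder Priya Patel address 9 Mall Road Pune."
)
CUSTOMER_FP = shingles(CUSTOMER_RECORDS)
PASTED_EXCERPT = "fyi - Account 2345678901 holder John Smith address 7 Park Lane Leeds"
HARMLESS_NOTE = "Hi John, are we still on for lunch at the Park Lane cafe on Friday?"


def demo() -> list[EgressEvent]:
    # The same excerpt leaving by email (external, then internal), by USB
    # inside a zip, and an unrelated note by email.
    return [
        check_egress(CUSTOMER_FP, "alice@example.com", "rival@competitor.test",
                     "email", PASTED_EXCERPT.encode()),
        check_egress(CUSTOMER_FP, "alice@example.com", "bob@example.com",
                     "email", PASTED_EXCERPT.encode()),
        check_egress(CUSTOMER_FP, "alice@example.com", "usb://removable",
                     "usb", zip_bytes("export.txt", PASTED_EXCERPT)),
        check_egress(CUSTOMER_FP, "alice@example.com", "rival@competitor.test",
                     "email", HARMLESS_NOTE.encode()),
    ]
```

Running `demo()` yields the actions block, monitor, block, allow: the pasted excerpt scores six of its seven shingles against the fingerprint whether it travels as plain email text or inside a zip on a USB drive, the internal copy is only monitored, and the unrelated note about Park Lane scores zero because no five-word run of it appears in the protected document. Shingle matching is what lets the check survive copying and pasting; the zip branch stands in for the format unpacking a real content-aware product performs, and the `EgressEvent` record is the sender/recipient/timestamp evidence the forensics bullets describe.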


Summary

With data being the key asset at government agencies, legitimate access and control will play an important role, especially in the highly sensitive spaces of:

  • Internal security
  • Law and Judiciary
  • Military and Paramilitary
  • Homeland Security
  • Internal Revenue
  • Development (Scientific and ancillary)

There are McAfee solutions available for safeguarding data, termed DLP (Data Loss Prevention). As the discussion above shows, neither traditional solutions nor access control is sufficient as a methodology for data protection. A new data loss prevention solution from McAfee® closes this gap. It combines host and network protections throughout the data usage lifecycle, from creation and manipulation to transfer and transmission. Organisations gain consistent, reliable data loss prevention across applications, network channels, and even physical devices.

The McAfee Data Loss Prevention (DLP) solution makes it possible for organisations to enforce policies and monitor and report on improper usage—even when laptops are physically disconnected from the network. It helps inform users of proper policies while preventing losses. It also offers new visibility into actual data handling to help security managers appropriately direct investments in safeguards, training, and process improvement. Because this protection comes from McAfee, it complements and reinforces other network and host-based defenses. The McAfee DLP solution closes the authorised-user coverage gap and provides an easily managed element of any security risk management programme.
