Plugging Leaks

An employee sends an unencrypted e-mail that contains sensitive information. Another downloads private data onto a USB storage device that he later loses. Yet another has a notebook stolen from his home. These are but three examples of a growing problem that data-leak prevention (DLP) technology seeks to address.

Although DLP technology is still emerging, large security manufacturers that recognize its promise have made a spate of acquisitions. WebSense and McAfee kicked off the buying spree in late 2006, acquiring PortAuthority and Onigma, respectively. Last year RSA, the security division of EMC, landed Tablus; Trend Micro grabbed up Provilla; and Symantec acquired Vontu.

These DLP products have been integrated to varying degrees with the manufacturers' larger security suites. While the technical approach of DLP products varies from manufacturer to manufacturer, the technology is evolving into a network appliance that monitors all outbound communications (SMTP, web mail, IM, FTP), inspects it for sensitive data and enforces data policies.

Meanwhile, client-side technology is applying policies to removable storage devices and media. The most advanced DLP suites from companies such as Symantec and WebSense have the ability to discover, analyze and classify such data, using techniques such as data fingerprinting, lexical analysis, partial document matching and statistical analysis.

Once set, policies can be applied to data as it flows through and out of the organization (data in motion) and also as it is stored (data at rest) and manipulated in-house (data in use).

At least that's the promise of DLP technology. Today, the reality is more modest: Organizations have specific risks they must address before fully engaging in discovery and the creation of multiple policies.

USB Approval

The city of Lake Forest, Ill., is a case in point. "We had unauthorized USB devices all over the place," says Joe Gabanski, network administrator for the city. With 350 end users and approx­imately 500 end-points to consider, it was impossible for Gabanski and his small IT staff to keep track of what devices were coming into the network and what information was leaving on them each night.

"We didn't want to prohibit USB storage devices altogether. The good thing about them is that they're cheap, they hold lots of data, and they're convenient for end users," Gabanski says. "From a security standpoint, the trouble is that they're cheap, they hold lots of data, and they're convenient for end users."

Lake Forest compromised by deploying Lumension Security's Sanctuary Device Control on PCs and notebooks. This software automates the oversight of USB databases by monitoring and controlling the peripheral devices that can connect to each end-point, while enforcing data-use policies that are managed by a central server. In order to connect to a workstation, USB devices must now be approved by IT. In other words, removable storage is welcomed, while portable music players are not.

Next, Sanctuary applies policies when users add or remove devices. Data must be encrypted and access is password-protected. "Once a device is approved, that doesn't mean it escapes our notice. Sanctuary's logging features show us exactly what data is transferred to and from the device," Gabanski says. "This ensures that removable storage media is limited to appropriate city business only."

While Lake Forest intends to adopt other DLP features in the future, such as e-mail encryption, IT started small and addressed its most immediate concern. Sanctuary Device Control is priced at $25 per user, with volume discounts available.

The California Department of Managed Health Care followed a similar adoption path. "More than half of the e-mail we received was spam," says Barbara Garrett, CIO of the Department of Managed Health Care in Sacramento. "I was getting daily e-mails and calls from every level of the organization. People just couldn't believe what was getting past our filters."

When the regulatory and licensing agency upgraded to Cisco's IronPort e-mail security appliance, the data loss features were an added benefit. "We communicate constantly with the health-care organizations we oversee," Garrett says. "The security of confidential and sensitive information is a challenge and concern for any governmental agency, especially a regulatory agency."

Garrett and her IT staff configured IronPort to monitor outbound e-mail and encrypt anything sensitive. Although only in the initial phase of adoption, Garrett believes that DLP strategies are a must. They have already deployed a separate solution that encrypts all notebooks, and they intend to roll out removable storage protection soon.

"The step-by-step approach makes sense," says Jon Oltsik, senior analyst for information security for the Enterprise Strategy Group in Milford, Mass. "If I'm a state licensing agency, the first thing I want to do is make sure that no one is sending out clear-text e-mails containing Social Security numbers. Today's DLP solutions do this well."

What they do less well is analyze volumes of data stored in disparate applications. "When it comes to determining exactly what data is floating around the enterprise, classifying it, and then figuring out who is using it and for what purposes, the technology has a long way to go," he says.

Future Developments

Many organizations feel they are better off waiting for the technology to mature. In the meantime, they are addressing data-leak risks through training and education. Spencer Wood, deputy director of the Ohio Department of Transportation, is following this path.

"Ohio has very aggressive public-information laws. People request all sorts of information," Wood says. The trick is balancing the public's right to know with the citizen's right to privacy. Wood isn't convinced that technology can do that.

"We're busy training people on what exactly constitutes restricted information," Wood says. Some things are obvious, like driver's license numbers, but the department has plenty of information that straddles the public/private line. For instance, the DOT compiles information on highway accidents. Newspapers and insurance agencies have a right to some of that information, but accident reports often contain private information on the individuals involved.

It's this kind of data that DLP isn't quite ready for yet. "Classifying data and putting policy around it is hard," Oltsik says. "The more rules you put in place, the more processing power you need." Some sort of standardized tagging could help with this in the future.

Security wares are currently in a transition period, and DLP is no exception. Most analysts expect to see an integration of firewall, intrusion detection capabilities, unified threat management and DLP features in the future.