* Ryan Naraine is on vacation.
Guest Editorial by Paul F. Roberts
What do 225,000 Ohio taxpayers, 64,000 state employees and 600 lucky holders of winning lottery tickets have in common? They were all unlucky enough to have some of their personal information -- names, Social Security numbers and bank account numbers -- stored on a "data backup device" sitting in the back seat of 22-year-old Jared Ilovar's Chevy Cobalt on the evening of June 10th. An unidentified passerby noticed the tape (and Mr. Ilovar's radar detector) and decided to help himself or herself to both.
The news from Ohio was depressingly similar to prior data leak mishaps. The misplaced storage device -- magnetic tape, CD, DVD or laptop -- is a stock character. Then there are the confused murmurings from the aggrieved organization about what data is and isn't on the device, and whether the thieves will be able to read it. (Ohio's take on this was novel: the data's probably safe because it was contained on a "specialized medium" that couldn't be accessed without "knowledge" and "special equipment." Translation: 'The data's in the clear.' An unfamiliar tape format is an inconvenience to a thief, not a control; a compatible drive and the backup software are all it takes to read unencrypted data.) Then there's the rube -- in this case, poor Mr. Ilovar, a 22-year-old intern stuck with the job of lugging home a sensitive backup of information on hundreds of thousands of state residents. Such is the sorry state of data security in 2007.
One detail worth noting is the "rolling" nature of the bad news. After initially disclosing on June 15 that the backup device contained personal data on more than 64,000 state employees, Governor Ted Strickland was forced to correct himself not once, not twice, but three times -- on June 16th, 17th and 20th -- telling reporters that the device in fact held information that hadn't been properly accounted for previously, and that an additional 346,000 sensitive records were exposed. All this after Strickland said the state had reviewed 338,634 files to figure out what was on the tape. I guess those were the wrong 338,000 files?
So what's going on? One conclusion is that the State of Ohio, like many organizations, doesn't have a clue what kinds of sensitive data are on its network, nor where that sensitive data resides. That puts the state in good company with leading departments of the federal government and a Who's Who of U.S. corporations (WalMart, Boeing, Ford Motor Company), all of which have contributed to the approximately 155 million records lost or stolen in data breaches in the last two years, according to the Privacy Rights Clearinghouse's Chronology of Data Breaches.
As with previous security threats -- computer viruses, denial of service attacks, spam -- security lemons have become lemonade for a cadre of new technology firms, in this case "anti data leakage" companies. To date there are 42 of them, by our count, with names like Fidelis, Provilla, Code Green Networks, Vontu, Verdasys, Safend and Check Point -- which bought Pointsec, which had bought Reflex Magnetics. Each, in its own way, promises to keep track of sensitive data, block it from leaving a company's network, or at least tell organizations when their sensitive data has gone AWOL.
What these companies don't want you to know is that there's very little consensus about where and how to actually stop data leaks. As an example, on a recent panel discussion I moderated, executives from no fewer than five "enterprise data protection" companies talked about their solutions to data leaks. Each had a different take on the problem. There was the enterprise storage encryption guy, the network access control guy, the desktop security guy, the traffic monitoring guy and the data encryption guy. There was no easy way to join these products together, and only a couple had partnered with each other, meaning that companies that wanted to use these products would have to layer them on top of the point security products they already had.
Beyond that complexity, leak prevention companies often require their customers to indicate which data they're trying to protect. Firms like Code Green Networks and Vontu, for example, offer a kind of "content fingerprinting" technology: the customer points the product at the documents and records it considers sensitive, the product derives fingerprints from that content, and it then promises to lock the data down or spot it leaking, both over the network and on local hosts. The limitation, of course, is that sensitive information must first be identified and fingerprinted; a record that was never registered is invisible to the product. That might work in some scenarios, but it's hard to see how an organization like the State of Ohio could feel confident that it had fingerprinted all the information it needed to protect, when it took five days to figure out what information was on a backup.
None of this will prevent any of these companies from going out and trying to sell their products anyway. In fact, the next twelve months will bring a flurry of mergers and acquisitions in the leak prevention space, as larger companies like Symantec, IBM, EMC and others scoop up promising leak prevention technologies to add to their suites. With federal data privacy regulations and leak disclosure laws already on the books in many states, and a federal version pending, they'll have a ready audience.
But, as with any hot new market, it's "buyer beware." Data leaks aren't an isolated problem within organizations, nor is leak prevention technology an end in itself. If it's done right, leak prevention is a bridge between two areas of enterprise security that have been languishing on their own: endpoint data protection and network access control, or NAC.
The idea is this: companies need to know not only when sensitive information is leaving their network perimeter via e-mail, FTP or Web traffic. They also need to know where it resides within their LAN -- on local hard drives and in file shares and databases -- and be able to monitor its movements there. That means good leak prevention technology shouldn't have to be told what information is sensitive and where it resides, given that companies aren't sure of that themselves; it has to be able to recognize sensitive data by what it looks like, not only by whether someone registered it. It also needs to follow sensitive information wherever it flows, behind or beyond the firewall. That intelligence can then be tied to access control agents on the desktop or at the perimeter that enforce security policies and keep sensitive information from walking. The truth is that very few so-called leak prevention companies offer all that -- at least so far.
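To make the distinction between the two preceding paragraphs concrete, here is a small added example (written for this editorial; it is not code from the column or from any of the vendors named above). It contrasts fingerprint matching, which only recognizes content that was registered beforehand, with pattern-based discovery, which recognizes Social-Security-number-shaped data wherever it appears. The fingerprinting is an assumed, simplified scheme (hashed four-word shingles; real products use their own algorithms), the SSN rule is an approximation of the public structural rules, and the payroll file and outbound messages are constructed sample data, not real records.

```python
"""Fingerprint matching vs. pattern discovery for data leak detection (toy example)."""
import hashlib
import re

# Constructed sample data (not real people or accounts). The payroll file is the
# one document the hypothetical DLP product has been told to protect.
REGISTERED_PAYROLL = """\
Employee: Jane Doe   SSN: 219-09-9999   Account: 000123456789
Employee: John Roe   SSN: 078-05-1120   Account: 000987654321
"""

# Two outbound messages observed later at the perimeter (also constructed).
OUTBOUND_COPY_OF_REGISTERED = (
    "fwd: payroll extract -- Employee: Jane Doe   SSN: 219-09-9999   Account: 000123456789"
)
OUTBOUND_UNREGISTERED_RECORD = (
    "lottery winner payout -- Winner: Mary Major   SSN: 123-45-6789   Account: 000555444333"
)

SHINGLE_WORDS = 4  # assumed window size for word shingles, not a vendor setting


def _normalize(text):
    """Lower-case and collapse whitespace so trivial reformatting does not defeat a match."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def shingle_hashes(text, k=SHINGLE_WORDS):
    """Fingerprint a text as the set of SHA-256 hashes of its overlapping k-word windows."""
    words = _normalize(text).split(" ")
    windows = [words] if len(words) <= k else [words[i:i + k] for i in range(len(words) - k + 1)]
    return {hashlib.sha256(" ".join(w).encode("utf-8")).hexdigest() for w in windows}


def register(registry, name, text):
    """Record the fingerprint of a document the organization has identified as sensitive."""
    registry[name] = shingle_hashes(text)


def fingerprint_matches(registry, observed, threshold=0.3):
    """Return (document, fraction of observed shingles found) for each registered doc over threshold."""
    obs = shingle_hashes(observed)
    hits = []
    for name, fingerprint in registry.items():
        overlap = len(obs & fingerprint) / len(obs)
        if overlap >= threshold:
            hits.append((name, round(overlap, 2)))
    return hits


# Approximate SSN structure: area not 000/666/900-999, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def discover_ssn_like(text):
    """Pattern-based discovery: find SSN-shaped tokens without any prior registration."""
    return SSN_RE.findall(text)


def scan(registry, observed):
    """Run both detectors over one observed message and report what each would have flagged."""
    return {
        "fingerprint_hits": fingerprint_matches(registry, observed),
        "ssn_like": discover_ssn_like(observed),
    }


if __name__ == "__main__":
    registry = {}
    register(registry, "payroll_2007.txt", REGISTERED_PAYROLL)
    for label, message in [
        ("copy of registered file", OUTBOUND_COPY_OF_REGISTERED),
        ("never-fingerprinted record", OUTBOUND_UNREGISTERED_RECORD),
    ]:
        print(f"{label}: {scan(registry, message)}")
```

Run as is, the forwarded payroll extract is caught both ways, but the lottery payout is caught only by the pattern rule: its record was never in the registered file, so no shingle of it exists to match. That is the gap the column is pointing at, and it is also why pattern rules alone are not enough (a bank account number has no distinctive shape to key on), which is what pushes the problem back to knowing where the data lives in the first place.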
The even bigger, uglier truth is that responsibility for data leaks transcends IT. It resides just as much in the human resources office as in the data center. What does it say, after all, that IT staff for the State of Ohio felt that sending a backup home with a 22-year-old intern was enough to satisfy the policy requirement that a copy of critical data be stored off site? And what happened to the internal security culture at the State that so degraded the perceived importance of that task? Those are questions that can only be answered by humans, and only solved with policies and training that foster a culture of security. Despite that, user awareness and security training are often downplayed by the IT security industry, which tends to treat user education as a "nice to have" after the six-figure software license deal is signed.
For proof of that, look no further than BigFix CTO Amrit Williams' recent blog entry "No wars are won through awareness," in which he declares "unrealistic" the idea that "focusing efforts on user awareness training will fend off Mongol hordes riding against our golden palaces."
Williams' solution? A laundry list of more than 40 security point products at the desktop, network and application layers, plus "a healthy dose of process coordination, a loving spoonful of work flow integration to enable auditing and transparency of change management." Get those in place, Williams says, and maybe a little user training will help.
Data leak prevention, it should be noted, is just one of those 40 products. There's got to be a better way.
* Paul F. Roberts has reported on security for The IDG News Service, eWeek and InfoWorld. He is currently a senior security analyst for enterprise security at The 451 Group.