How to keep your data secure

How do you define Data Leakage Protection? Safend's Edy Almer answers questions about planning and executing a data leakage prevention strategy.
Written by Edy Almer, Safend, Contributor
Data Leakage Prevention (DLP) encompasses the tools that prevent accidental data leakage, including device and port control, encryption (both hard-drive and removable media encryption) and content inspection.

What risks to an organization do portable devices pose and how are these different from traditional security risks from desktop systems?
With the proliferation of portable storage devices, it is difficult for IT to be aware of every single device employees bring in that has connected or is connecting to the corporate network and even more importantly, what data they might be downloading once connected. This is due to the fact that a large majority of companies have strict policies for managing desktops and laptops, but do not have endpoint security solutions in place that log removable device connections to the network. The risk from an enterprise standpoint is that confidential corporate data is easily downloaded to and stored on the device, leaving sensitive data at risk if the device is lost or stolen when taken outside of the office.

What data security policies should organizations put in place to ensure the integrity of all sensitive corporate data?
To mitigate the risks portable devices pose to the enterprise without infringing on employee productivity, IT administrators should incorporate endpoint security software into their DLP strategy. The more granular the access control provided, combined with stringent encryption policies and built-in compliance policies, the easier it is to combat security threats.

Granular access refers to the settings determined by the IT administrator. For example, an IT administrator may get as specific as they like, specifying what devices may be connected to which computer, specific file types that can or cannot be accessed by specific employees, and so forth. It can even get as granular as deciding accessibility by device model or serial number. There is no such thing as becoming too granular when referring to DLP. Once the IT administrator sets the policies, they can be easily managed and enforced, ensuring the utmost security of corporate data.

By implementing encryption in the enterprise, administrators are able to take steps to neutralize the threat. Every hard drive and portable storage device represents a risk if it contains data that could be used to harm, distress or embarrass a corporation, government or an individual. That is where encryption products come in. They ensure the data stored on computers and storage devices is safe, even if the device is lost or stolen, by providing the protection and security today's organizations are seeking.

What are the most important things that you would suggest a company do to prepare for movement to a network-wide DLP strategy?
1. Define written data protection policies: Establish clear policies on what data is and isn’t permissible to be accessed and stored on portable devices and moved outside of the organization.

2. Start small, grow bigger: As the implementation of a robust DLP solution that includes device control, encryption and content inspection takes time to complete, develop a short-term strategy to enforce policies at a minimum. Thereafter, the deployment of device and port control technologies is a good first step for policy enforcement.

3. Monitor everything: Start by implementing a “no-blocking” policy, and monitor activity to learn how employees are using the data that they are downloading to devices (approved or not) and be sure to log all actions to improve processes.

4. Evaluate and adjust as needed: In order for any short or long-term DLP strategy to be successful, it needs to be constantly evaluated to see where adjustments might need to be made. Review previously established policies and refine based on actual employee usage trends and risks identified during the monitoring period.
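The four steps above, and the granular access settings described earlier (rules by device type, model, serial number and file type), can be illustrated with a small policy engine. The following Python is an added example written for this page; it is not Safend's code or product, and every rule, user, device and file name in it is constructed sample data. Rules are written down as data (step 1), device and port control is the only enforcement mechanism (step 2), the engine starts in a "no-blocking" mode that logs what it would have blocked without blocking anything (step 3), and `summarize()` reads that log back to show which verdicts and devices need review before enforcement is switched on (step 4).

```python
"""Granular removable-device policy engine with a monitor-only ("no-blocking") phase.
Added illustration, not Safend's code or product; all rules, users, devices and
file names are constructed sample data."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_type: str   # e.g. "usb_storage", "cd_dvd"
    model: str
    serial: str


@dataclass(frozen=True)
class Rule:
    """One administrator rule; a None field means 'any'. List most-specific first."""
    action: str                               # "allow", "block" or "read_only"
    device_type: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None
    role: Optional[str] = None
    blocked_extensions: Tuple[str, ...] = ()  # file types this rule refuses to write

    def matches(self, device: Device, role: str) -> bool:
        pairs = ((self.device_type, device.device_type), (self.model, device.model),
                 (self.serial, device.serial), (self.role, role))
        return all(want is None or want == have for want, have in pairs)


DEFAULT_ACTION = "block"   # default deny: a device no rule mentions is blocked


def decide(rules: List[Rule], device: Device, role: str, operation: str, filename: str) -> str:
    """First matching rule wins; returns 'allow' or 'block' for one read/write attempt."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for rule in rules:
        if not rule.matches(device, role):
            continue
        if rule.action == "block":
            return "block"
        if rule.action == "read_only" and operation == "write":
            return "block"
        if operation == "write" and ext in rule.blocked_extensions:
            return "block"
        return "allow"
    return DEFAULT_ACTION


@dataclass
class Engine:
    rules: List[Rule]
    enforce: bool = False                  # False = monitoring phase: log, never block
    log: List[Dict] = field(default_factory=list)

    def request(self, user: str, role: str, device: Device, operation: str, filename: str) -> bool:
        """Evaluate one attempt, log the verdict, and say whether it may proceed."""
        action = decide(self.rules, device, role, operation, filename)
        outcome = action if self.enforce else ("would_block" if action == "block" else "allow")
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                         "role": role, "device_type": device.device_type, "model": device.model,
                         "serial": device.serial, "op": operation, "file": filename,
                         "outcome": outcome})
        return outcome != "block"


def summarize(log: List[Dict]) -> Dict:
    """Step-4 review: how often each verdict occurred and which devices were flagged."""
    by_outcome = dict(Counter(e["outcome"] for e in log))
    flagged = sorted({e["serial"] for e in log if e["outcome"] in ("block", "would_block")})
    return {"by_outcome": by_outcome, "flagged_serials": flagged}


SAMPLE_RULES = [                                                   # constructed policy
    Rule("allow", serial="SN-FIN-0042", role="finance"),           # one approved encrypted drive
    Rule("read_only", device_type="usb_storage", role="contractor"),
    Rule("allow", device_type="usb_storage", role="employee",
         blocked_extensions=("xlsx", "csv")),                      # no spreadsheet exports
]


def run_sample(enforce: bool) -> Tuple[Engine, List[bool]]:
    """Replay a constructed day of device activity and return the engine plus verdicts."""
    eng = Engine(SAMPLE_RULES, enforce=enforce)
    stick = Device("usb_storage", "GenericStick", "SN-0001")
    stick2 = Device("usb_storage", "GenericStick", "SN-0002")
    attempts = [
        ("alice", "finance", Device("usb_storage", "SecureDrive", "SN-FIN-0042"), "write", "q3.xlsx"),
        ("bob", "contractor", stick, "read", "readme.txt"),
        ("bob", "contractor", stick, "write", "notes.txt"),
        ("carol", "employee", stick2, "write", "customers.csv"),
        ("carol", "employee", stick2, "write", "slides.pptx"),
        ("dave", "employee", Device("cd_dvd", "Burner", "SN-0003"), "write", "dump.zip"),
    ]
    return eng, [eng.request(*a) for a in attempts]
```

Calling `run_sample(enforce=False)` lets every attempt through but records three `would_block` verdicts (the contractor's write, the spreadsheet export, and the unlisted CD burner); `summarize()` over that log gives the administrator the list of serial numbers and verdict counts to review before running the same rules with `enforce=True`, where exactly those three attempts are refused. Rules are ordered most-specific first and anything unmatched falls to a default deny, which is what keeps the policy granular without becoming an allow-all.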

Why is a transparent solution to track and monitor the access, transfer and use of corporate data recommended?
End-user transparency is an important attribute. Full transparency allows an organization to deploy a solution that will require little-to-no end user training, have a minimum impact on the organization's helpdesk and no effect on end-user productivity.

In order to ensure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible and transparent enough that they don't hinder productivity, but strong enough to prevent data leakage threats. This is accomplished through granular, transparent policies that allow administrators to block, allow or restrict access to data by file type, by device type and even by a specific device serial number.

When securing the enterprise, companies often choose a binary approach where they either allow all or block all access to removable devices. When blocking all access is used to ensure data security, employees are clearly inhibited from being productive outside of the office environment. A granular solution allows administrators to grant access to specific data for specific users, enabling productivity to remain intact while adhering to data protection policies. A centrally managed solution also enables administrators to establish such policies based on existing role-based settings and efficiently deploy the policies via Active Directory or Novell eDirectory.

What changes have stood out over the last five to ten years with data protection?
Along with the increasingly mobile workforce has come the expanding, or oftentimes disappearing, network perimeter. This has meant that the traditional network security of the past no longer addresses the data security challenges caused by the growing use of laptop computers, Wi-Fi and removable storage devices.

The most striking difference is the move from protecting physical hardware to protecting the data itself. Before, the thought was “how do you protect the endpoint?” Today, there is an increased focus on protecting the data that resides on the endpoint. Additionally, data is more portable than ever – creating an even greater risk and need to protect corporate data.

Where do you see the future of data protection heading?
With increased awareness around protecting sensitive data, organizations are demanding more stringent and comprehensive solutions for data leakage prevention. In the future, to meet these demands, vendors will be challenged to develop a complete DLP solution—including content inspection, encryption and device and port control—that can be centrally-managed via one console and one client. By integrating all of these technologies into one management console, organizations will be able to more easily harness the power of DLP to keep their data safe.

Additionally, from a data leakage prevention standpoint, it is no longer enough to manage what devices and ports are being used to access corporate information stored on PCs and laptops. It is now essential to also monitor and manage information stored on virtual machines. Regardless of whether the data is stored on-site or virtually, it is still at risk of being compromised without a strong DLP strategy in place.

Edy Almer is Safend's associate vice president of product management.
