Data leak prevention starts with trusting your users

By Michael Morisy, News Writer
23 Oct 2008 | SearchNetworking.com


When Christopher Burgess, a senior security adviser to Cisco, surveys the state of data leakage prevention, he doesn't like what he sees.

"I literally have seen advertisements that say the insider is the enemy," he said.

That approach, which pits IT against end users, is exactly the wrong way to develop and execute security policies, Burgess said. Trust is a much more powerful motivator than mistrust. It encourages communication between IT and end users, and once communication channels are open, the benefits continue to flow.

A collaborative security approach also helps prevent IT organizations from imposing policies that are ignored or haphazardly followed because they get in the way of employees doing their jobs.

"Don't create security policy in a vacuum," Burgess warned. "Don't force workers to choose between doing their job and following policy." For instance, IT shouldn't make the mistake of locking down access to video-streaming sites like YouTube even as the company's corporate communications department embraces those same sites to push out information.

Rather than issue blanket decrees, IT should set rules against the bad behavior, Burgess said. Don't use YouTube excessively, and don't use peer-to-peer file sharing to violate intellectual property rights.

When it comes to developing data leakage prevention practices, Burgess has three golden rules to create a solid policy:

1) Do no harm: If you're not sure what you're going to do, you want to take the route that will be the least invasive. Don't just press forward with a project or implementation without fully understanding all the consequences.

2) Know what you're dealing with: "Know the value of the data you're handling," Burgess said. "If it's customer data, handle it correctly. If it's R&D, handle it correctly." Before data leakage prevention policies can be enforced, a reliable system to classify such data in an easy, intuitive manner must be developed, and this data should ultimately have one person or department responsible for it.

3) Ignorance isn't an excuse: "This is pretty straightforward," Burgess said. "If you don't know the answer, stop and get it." Ask around and feel free to cross departmental lines as you determine who is in charge of what data, what laws and regulations apply to it, and how it needs to be used.

So how does IT turn those three maxims into practice?

The first step, Burgess said, is to find an opportunity to develop a security policy, such as laptop deployments. Then IT can make a policy recommendation, such as locking down all laptops to prevent third-party -- and potentially malicious -- software from running on it.

"The recommendation creates discussion," he said. "That leads to a position paper. That goes out to the client base that is affected by it, which says: 'If you do that, I can't do this.' "

Once IT and end users have both contributed to the discussion, a security policy that balances the organization's security requirements with the needs of workers is created. And that policy is easier to enforce because end users now understand the reasoning behind it and will be more likely to adhere to it.

"Once they see this is a positive engagement rather than a negative engagement, they're showing up at your door regularly," Burgess said.

While applauding the idea of bringing users into the security conversation early, Carol Baroudi, research director for Aberdeen Group, said network security professionals could not afford to rely on the goodness of users as a defense.

"I don't know anybody who's saying trust anybody," Baroudi said. "Only trust them in the sense of making them part of the discussion, making them understand what's at risk."

Many users have no understanding of the basic compliance rules and other regulations that apply to them, she said, nor how basic concepts like encryption can reduce risk. Because of this knowledge gap, education is one of the most important tactics an IT organization can adopt.

According to Baroudi, however, few companies are up to speed on data loss prevention in general, whether it comes to user education or almost any other aspect -- scanning email attachments or flash drives, for example. The real concern, she said, is that if any of these areas is left undefended, serious security holes are wide open.

"DPI [deep packet inspection] is going to do nothing if you have a thumbdrive and pull it off and walk out the door with it," she said. "You can just leave yourself open in a wide area of arenas."

The truly effective approach to data leak prevention, Baroudi said, is a combination of comprehensive protection with a dose of education – and flexibility – built in, such as an email program notifying a user when he tries to send a protected file, and giving him information on how to get the proper clearance to send the file.
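The closing paragraph describes a control that blocks a protected file at send time and tells the user how to get clearance, and rule 2 above asks for a classification scheme with one accountable owner per data class. The following is an added example, not code from the article or from any product it mentions, showing how those two ideas fit together in an outbound-mail gate: every name, address, classification label and policy value in it is constructed for illustration.

```python
"""Added example (not from the article): a minimal outbound-mail gate that
enforces a data-classification policy and, when it holds a message, tells the
sender which data owner grants clearance instead of silently dropping it."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed classification registry. Following rule 2 in the article, each
# class names exactly one accountable owner; 'external_ok' says whether the
# class may leave the company without explicit clearance. All values are
# hypothetical.
CLASSIFICATIONS = {
    "public": {"owner": None, "external_ok": True},
    "internal": {"owner": "it-security@example.com", "external_ok": False},
    "customer-data": {"owner": "privacy-office@example.com", "external_ok": False},
    "r-and-d": {"owner": "research-lead@example.com", "external_ok": False},
}

# Hypothetical company domain; anything else counts as an external recipient.
INTERNAL_DOMAINS = {"example.com"}
CLASSIFICATION_HELPDESK = "it-security@example.com"  # constructed contact


@dataclass
class Attachment:
    name: str
    classification: str | None  # label applied when the file was created


@dataclass
class Message:
    sender: str
    recipients: list[str]
    attachments: list[Attachment] = field(default_factory=list)
    # Attachment names for which the data owner has already granted clearance
    # (the 'flexibility' the article asks for).
    clearances: set[str] = field(default_factory=set)


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str]  # user-facing guidance, one entry per held attachment


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(msg: Message) -> Verdict:
    """Decide whether the message may be sent, explaining every hold."""
    external = [r for r in msg.recipients if is_external(r)]
    reasons: list[str] = []
    for att in msg.attachments:
        policy = CLASSIFICATIONS.get(att.classification or "")
        if policy is None:
            # Rule 3: an unlabelled file is not a reason to guess. Hold it and
            # say who can classify it.
            reasons.append(
                f"{att.name}: no classification label; ask {CLASSIFICATION_HELPDESK} "
                "to classify it before sending"
            )
            continue
        if external and not policy["external_ok"] and att.name not in msg.clearances:
            reasons.append(
                f"{att.name}: classified '{att.classification}' and cannot be sent to "
                f"{', '.join(external)} without clearance; request it from {policy['owner']}"
            )
    return Verdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: an engineer mails a design document to a partner.
    outgoing = Message(
        sender="alice@example.com",
        recipients=["bob@partner.test"],
        attachments=[Attachment("design.pdf", "r-and-d")],
    )
    verdict = evaluate(outgoing)
    print("allowed" if verdict.allowed else "held")
    for line in verdict.reasons:
        print(" -", line)
```

The point of returning a `Verdict` with reasons rather than a bare boolean is the education the article calls for: the user learns which class the file belongs to, why it was stopped and whom to ask, and a later send with the owner's clearance recorded in `clearances` passes the same check without a policy exception being bolted on.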