Data leak prevention starts with trusting your users

By Michael Morisy, News Writer
23 Oct 2008 | SearchNetworking.com


When Christopher Burgess, a senior security adviser to Cisco, surveys the state of data leakage prevention, he doesn't like what he sees.

"I literally have seen advertisements that say the insider is the enemy," he said.

That approach, which pits IT against end users, is exactly the wrong way to develop and execute security policies, Burgess said. Trust is a much more powerful motivator than mistrust. It encourages communication between IT and end users, and once communication channels are open, the benefits continue to flow.

A collaborative security approach also helps prevent IT organizations from imposing policies that are ignored or haphazardly followed because they get in the way of employees doing their jobs.

"Don't create security policy in a vacuum," Burgess warned. "Don't force workers to choose between doing their job and following policy." For instance, IT shouldn't make the mistake of locking down access to video-streaming sites like YouTube even as the company's corporate communications department embraces those same sites to push out information.

Rather than issue blanket decrees, IT should set rules against the bad behavior, Burgess said. Don't use YouTube excessively, and don't use peer-to-peer file sharing to violate intellectual property rights.

When it comes to developing data leakage prevention practices, Burgess has three golden rules to create a solid policy:

1) Do no harm: If you're not sure what you're going to do, you want to take the route that will be the least invasive. Don't just press forward with a project or implementation without fully understanding all the consequences.

2) Know what you're dealing with: "Know the value of the data you're handling," Burgess said. "If it's customer data, handle it correctly. If it's R&D, handle it correctly." Before data leakage prevention policies can be enforced, a reliable system to classify such data in an easy, intuitive manner must be developed, and this data should ultimately have one person or department responsible for it.

3) Ignorance isn't an excuse: "This is pretty straightforward," Burgess said. "If you don't know the answer, stop and get it." Ask around and feel free to cross departmental lines as you determine who is in charge of what data, what laws and regulations apply to it, and how it needs to be used.

So how does IT turn those three maxims into practice?

The first step, Burgess said, is to find an opportunity to develop a security policy, such as a laptop deployment. Then IT can make a policy recommendation, such as locking down all laptops to prevent third-party -- and potentially malicious -- software from running on them.

"The recommendation creates discussion," he said. "That leads to a position paper. That goes out to the client base that is affected by it, which says: 'If you do that, I can't do this.' "

Once IT and end users have both contributed to the discussion, a security policy that balances the organization's security requirements with the needs of workers is created. And that policy is easier to enforce because end users now understand the reasoning behind it and will be more likely to adhere to it.

"Once they see this is a positive engagement rather than a negative engagement, they're showing up at your door regularly," Burgess said.

While applauding the idea of bringing users into the security conversation early, Carol Baroudi, research director for Aberdeen Group, said network security professionals could not afford to rely on the goodness of users as a defense.

"I don't know anybody who's saying trust anybody," Baroudi said. "Only trust them in the sense of making them part of the discussion, making them understand what's at risk."

Many users have no understanding of the basic compliance rules and other regulations that apply to them, she said, nor how basic concepts like encryption can reduce risk. Because of this knowledge gap, education is one of the most important tactics an IT organization can adopt.

According to Baroudi, however, few companies are up to speed on data loss prevention in general, whether it comes to user education or almost any other aspect -- scanning email attachments or flash drives, for example. The real concern, she said, is that if any of these areas is left undefended, serious security holes are wide open.

"DPI [deep packet inspection] is going to do nothing if you have a thumbdrive and pull it off and walk out the door with it," she said. "You can just leave yourself open in a wide area of arenas."

The truly effective approach to data leak prevention, Baroudi said, is a combination of comprehensive protection with a dose of education – and flexibility – built in, such as an email program notifying a user when he tries to send a protected file, and giving him information on how to get the proper clearance to send the file.
