How to Secure Sensitive Data
Various laws and regulations, plus good business practice, make it imperative for businesses to protect sensitive data, such as a customer’s Social Security number. But achieving that objective can be difficult.
One challenge has been that many organizations don’t know where their most sensitive data resides within the network. Another is that once an employee accesses data, there are relatively few existing solutions to prevent that employee from sending it through unsecured e-mail or downloading it onto an unprotected USB stick, making it easy to steal or lose.
But one solution, called data loss prevention (DLP), is gaining acceptance. DLP’s precise definition can vary slightly. In the past, some saw it mainly as technology that scanned for sensitive data across an organization, including in servers, file sharing programs, desktops, and laptops. Others saw it primarily as a solution that could block or automatically encrypt information. Increasingly, though, it’s seen as a combination of the above—and then some.
In the past few years, the products have gotten better at detecting content. Most solutions have traditionally scanned for personally identifiable information (PII), which refers to data such as Social Security numbers, credit card numbers, driver’s license numbers, and birth dates. Newer algorithms are generating fewer false positives and enabling companies to search for ever-expanding types of data. They can spot language referring to subjects such as intellectual property, racism, or sexual harassment, for example.
Customers can set DLP products to search for data based on regulations or laws. At least one vendor, RSA, the security unit of Hopkinton, Massachusetts-based EMC Corp., lets customers scan for California driver’s license information.
DLP can be seen as a more sophisticated, next-generation version of Enterprise Digital Rights Management (EDRM). The latter typically involves a common file server. Individual employees can “lock” documents or applications, usually with a user name and password. But the reliance on employees to take that extra step has been one of EDRM’s chief weaknesses, says Scott Crawford, a research director at the IT consulting firm Enterprise Management Associates (EMA) of Boulder, Colorado. Some vendors are considering coupling the two solutions, providing EDRM with automation and a more centralized administration.
Vendors are also increasingly bundling endpoint protection into their broader DLP suite solutions. Such technology can keep employees from copying sensitive data onto removable media.
Aside from DLP, another relatively common business use for scanning technology is for purposes of e-discovery, related to legal matters. Another use is for life-cycle management, which frequently involves shifting data among locations, often into storage.
Most DLP customers have been mid- and large-sized companies. But small organizations are starting to look at the technology, says Crawford.
Among the sectors taking this approach are healthcare and financial services. The solutions are also becoming more popular in educational institutions, which typically hold large amounts of sensitive student data.
Following is a look at how two companies phased in different DLP solutions. Their experiences illustrate what is entailed in adopting this approach.
Meridian Health has a slew of regulations to follow when it comes to protecting data. There’s the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley, which applies to public companies, healthcare-related or not. Then there’s the Payment Card Industry (PCI) Security Standard, which governs companies taking payment by credit card.
They’ve all added pressure, says Catherine Gorman-Klug, corporate director of privacy and data security at the Neptune, New Jersey-based company. Meridian first implemented DLP solutions a few years ago when New Jersey passed a strict new data protection law.
Gorman-Klug says she looked at several products that could help Meridian meet all of its data management and protection responsibilities. She selected two products from security vendor Tablus, which has since been purchased by RSA. The two solutions—DLP Network and DLP Datacenter—are two main components in RSA’s DLP Security Suite.
DLP Network scans e-mails, sending an alert to the data center when messages contain sensitive material. When combined with third-party encryption products, DLP Network can be set to automate message encryption. DLP Datacenter, on the other hand, can scan an organization’s entire network for sensitive data—including servers, file shares, and computers.
Gorman-Klug says she liked that both products had a rich healthcare industry lexicon. Another attraction of DLP Network was that it could scan not just corporate e-mail but also personal messages from accounts such as Yahoo! or America Online. Few existing products can do that, she says. The ability to check personal accounts was important because Meridian, which has four hospitals, a trauma center, and other facilities, has a flexible e-mail policy for its 10,000 employees, many of whom are part-time or work off-site.
Implementation. Installing software to implement both products took under a day, but getting secure e-mail running smoothly took about seven weeks. Once the software was installed, the next major step was to figure out who in the company was e-mailing sensitive data. To do that, the company had to tell the system what it wanted labeled sensitive.
Users interface with both DLP Network and DLP Datacenter through a dashboard of information called a console. This console, called DLP Enterprise Manager, is typically viewed on a monitor at the company deploying RSA DLP products. The console displays incident alerts and lets managers produce reports for auditors. It is also where managers define policies for these programs, among which are the search criteria. RSA has a team trained in linguistics and regulations that hones and expands search criteria options, says Katie Curtin-Mestre, an RSA product marketing director.
Gorman-Klug says she initially checked numerous boxes telling the system what items should trigger an alert. “When you first get a toy, you want to check out all the features.”
For the first few weeks, she opted against turning on a feature that would block flagged e-mail. She was mainly interested in observing. When messages were sent with sensitive data, she would receive an alert, which would appear on the product’s dashboard as well as in any IT manager’s e-mail inbox.
In the first few weeks, it became clear that the product was set to scan for too much data. Gorman-Klug then scaled back on the criteria, setting the solution to seek out PII, she says. This was more manageable. RSA says it’s available to consult with customers about setting scanning parameters.
Once the system’s scan parameters were more suitably set, Gorman-Klug says she or another IT manager would investigate whether alerts were legitimate. If so, employees would be sent an e-mail stating the firm’s policy that they should encrypt messages with sensitive data. The message also included instructions on encrypting messages.
In cases where employees planned regular communication with customers, the employees could enable automatic encryption. This involved clicking on a link that was embedded in an e-mail from IT. They were led to a secure page where they were asked to create a user name and password; they could then designate certain e-mail addresses for future encryption.
Employees were also told about another method for less frequent messages. It involved placing a phrase, of Meridian’s choosing, in the messages’ subject line. Secured messages are routed through a server from Cisco Systems.
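The pieces described above, as an added example rather than RSA’s or Meridian’s code: validated detectors for the basic PII the article names (Social Security and card numbers, with structural and Luhn checks so that random digit runs do not fire), a monitor mode that raises an alert without blocking, and a subject-line trigger phrase that routes a message to encryption. The trigger phrase, the over-broad keyword list, the addresses and the sample messages are all constructed for the example; Meridian’s actual phrase and lexicon are not public.

```python
"""Toy outbound-mail DLP check (added example, not vendor or Meridian code).

Demonstrates three points from the article: validated PII detectors, a
monitor mode that alerts without blocking, and a subject-line trigger
phrase that sends mail to the encryption route. Everything below
(addresses, phrase, keyword list, messages) is constructed.
"""
import re
from dataclasses import dataclass

# SSN structure: area never 000, 666 or 900-999; group never 00; serial never 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed keyword list standing in for an over-wide scanning lexicon.
BROAD_TERMS = ("patient", "confidential", "diagnosis")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str, detectors) -> list:
    """Return (kind, matched_text) pairs for the enabled detectors."""
    hits = []
    if "ssn" in detectors:
        hits += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    if "card" in detectors:
        for m in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append(("card", m.group()))
    if "keyword" in detectors:          # the "too broad" setting from the article
        low = text.lower()
        hits += [("keyword", t) for t in BROAD_TERMS if t in low]
    return hits


@dataclass
class Policy:
    mode: str = "monitor"                  # monitor | encrypt | block
    detectors: tuple = ("ssn", "card")     # narrowed to basic PII by default
    trigger_phrase: str = "[send secure]"  # constructed; stands in for the real phrase


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def evaluate(msg: Message, policy: Policy) -> tuple:
    """Decide what the gateway does with one outbound message.

    Returns (action, findings); action is deliver | alert | encrypt | block.
    'alert' means the message goes out unchanged and an incident is raised
    for the console, which is the monitor-first posture the article describes.
    """
    if policy.trigger_phrase.lower() in msg.subject.lower():
        return "encrypt", []               # sender asked for secure routing
    findings = find_pii(msg.body, policy.detectors)
    if not findings:
        return "deliver", findings
    if policy.mode == "monitor":
        return "alert", findings
    if policy.mode == "encrypt":
        return "encrypt", findings
    return "block", findings


# Constructed sample traffic: a false-positive trap, a real leak, a user-triggered
# secure message, and an innocuous note that only a broad lexicon would flag.
SAMPLE_MAIL = [
    Message("billing@example.org", "Invoice 4471",
            "Order ref 1234 5678 9012 3456 shipped. Call 555-0100 with questions."),
    Message("clerk@example.org", "Re: account",
            "Patient SSN 123-45-6789, card 4111 1111 1111 1111 on file."),
    Message("nurse@example.org", "[send secure] lab results",
            "Results attached."),
    Message("admin@example.org", "Lunch",
            "The confidential menu is out; patient of the month is ..."),
]


def alert_count(policy: Policy) -> int:
    """Number of sample messages that would raise an incident under this policy."""
    return sum(1 for m in SAMPLE_MAIL if evaluate(m, policy)[1])


if __name__ == "__main__":
    for pol in (Policy(detectors=("ssn", "card", "keyword")), Policy()):
        print(pol.detectors, "->", alert_count(pol), "incidents")
    for m in SAMPLE_MAIL:
        print(m.subject, "->", evaluate(m, Policy(mode="block")))
```

Running the two policies over the same four messages shows the tuning effect the article reports: the broad keyword lexicon flags the lunch note as well as the real leak, while the narrowed PII-only policy flags only the leak, and the 16-digit order reference never fires because it fails the Luhn check.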
Recipients of Meridian’s secure messages receive an e-mail with an embedded link that takes them to a secure page. They’re asked to create a user name and password, which they’ll need to open future messages.
Gorman-Klug says that in nearly all cases, recipients have been able to set up the accounts themselves. In a few cases, recipients’ company gateways didn’t let the message through, possibly because it was labeled as spam. In some of these instances, recipients were able to fix the problem by contacting their company’s IT staff. In very few cases, Meridian found it necessary to take an alternative approach, sending information via a secure file transfer protocol (secure FTP), a common way of transferring files over the Internet.
Gorman-Klug says the solution now works “seamlessly.” The key is creating a balance between the need to encrypt and ensuring that business flows smoothly, she says.
Enterprise scanning. After that, Gorman-Klug says the company also began a few other projects, both involving DLP Datacenter. The first involved scanning all the company’s laptops for PII. It was spurred mainly by the state’s data breach law, she says.
Laptops could be scanned whenever employees logged into the network for any reason. Employees who didn’t log in were contacted by IT. In cases where significant PII was found, IT would speak to the employee about why that information was on the laptop. If the data was deemed necessary, laptop owners would be asked to install an encryption product.
Meridian is also about halfway through a much larger project: scanning the entire enterprise for Social Security numbers. Much of the project involves scanning the organization’s Active Directory, which lists employees and the resources they are authorized to access. Gorman-Klug says that she’s not aware of a law requiring the undertaking but that her firm wants to be proactive.
As a part of the project, Gorman-Klug has been speaking with department heads and top executives about the nature of data they work with, including where it resides, how it might be transmitted, and what the impact of any leak involving that data might be on the company. The meetings also involved discussing whether certain employees needed access to sensitive data. In cases where access was considered necessary, the IT department increased access controls.
The project—which had already taken several months and would take many additional months—involved collaboration among HR, legal, privacy, compliance, and IT staff. The task is arduous, but once it is accomplished, it will be a major step towards complying with an assortment of data-breach and compliance laws, says Gorman-Klug.
Even just the process of implementing these solutions has heightened employees’ awareness of the types of sensitive information they handle. Healthcare workers are already relatively sensitive to data privacy, she says, but DLP is helping increase awareness that sensitive data extends far beyond specific health-related information.
The cost of the two RSA solutions was about $50,000, which Gorman-Klug calls “well worth it.”
Increasing regulatory pressure also led First Advantage Corp. of San Diego, a business risk consulting firm, to research DLP solutions. Another reason was the growing business the firm had been doing online in recent years, says Isabelle Theisen, the firm’s chief security officer. It wasn’t difficult to get the company’s top executives to back a DLP product, according to Theisen, who says they supported the idea after she gave a short presentation to the board’s risk management council in addition to the CEO and CIO.
The next step was to select a specific approach to DLP. The company tested several products and chose Vontu Data Loss Prevention, from Cupertino, California-based Symantec, because it was found to be more accurate, says Theisen. She was also impressed with Vontu’s full range of features.
Another benefit was that the product was highly scalable, letting the company roll it out over time. Other reasons for the choice included Vontu’s intuitive interface, or dashboard, and the quality of the compliance reports, says Theisen.
The company deployed the DLP solutions in stages. The first goal was to set the system to locate and encrypt sensitive e-mails. This involved using Vontu’s Network Prevent product.
As in Meridian’s case, it took several weeks to get everything in place. Theisen had to speak with department heads, educate employees, and adjust the system’s parameters. She also experimented with some of the more complex screening features but settled on just scanning for basic PII. The latter approach can protect data without hindering workflow, she says.
The biggest challenge, she says, was creating policies on how to handle the rare cases when employees continue to send out sensitive information unencrypted. For now, employees are sent additional e-mails. But Theisen also spoke with HR and the legal department about creating possible repercussions if problems persist. They also discussed how the repeat infractions would be reported for future auditing.
After Theisen gains a thorough understanding of each employee’s access to data, she plans to implement endpoint protection with another Vontu product, Endpoint Prevent. The solution could be a good way to prevent fraud, she says, “such as if someone tries to copy 500 sensitive files to a USB.” Any attempts to do so would also produce an alert.
She says she thinks the endpoint process will be more labor intensive and expensive than the e-mail project. It will involve deploying individual software agents and purchasing multiple user licenses. It might also require comparatively more employee training.
Theisen hopes to begin deploying endpoint protection soon. The firm’s experience with DLP has already been worthwhile, she says. “We’ve avoided many mistakes.”
Some employees have been grateful to get help in adhering to policy, she says, adding, “Some may feel watched, but if you’re not doing something wrong, you shouldn’t worry.”
John Wagley is an associate editor at Security Management.