By David Howorth
SMT Online Web Exclusive
Data control in the Extended Enterprise
06 Jan 09
Do the traditional and recognised boundaries of the enterprise actually exist any more and, if not, how might firms effectively protect their assets and prevent data loss? David Howorth offers a distilled solution.
In today’s successful businesses, information is everywhere. Business is global. Why? The biggest opportunities are found in global markets. Therefore, business cannot be confined. It takes place on desktops, within devices, along networks and around the world. Data and information must span systems, countries, languages and borders. Supply chains need to be connected and optimised across the globe to meet customer and market demands.
This is the ‘Extended Enterprise’ – and organisations are working to harness the potential of global time zones and new service models to improve customer service and relationships, increase business resilience and enhance overall productivity.
In this extended enterprise environment, data protection is more important than ever. No-one has to be convinced that we need to protect data against data loss, theft or leakage. However, in the extended enterprise environment, IT as a function becomes increasingly complex. Understandably, this can have a profound effect upon security.
One has to ask with increasingly complex networks whether it is possible – or, more to the point, feasible – in a business sense to protect all files. Is it actually necessary to secure all files, or just the most business-critical data? How do you know which data is business-critical? Most fundamentally, do the traditional recognised boundaries of the enterprise actually exist any more and, if not, how can firms effectively protect their assets and prevent data loss?
Is complexity jeopardising your security?
Ultimately, there are a number of different ways in which businesses can improve their security environment to effectively reduce the risk of data loss or leakage. All information security professionals strive to accurately assess the value of the information assets they own. This value can, and of course does, rapidly change – but unexpected information disclosure is guaranteed to lead to a downturn.
However, keeping data safely throughout the extended enterprise isn’t a trivial task. Not only is there an increasing risk to the business from malware and other forms of electronic attack, but the intrinsically complex nature of the extended enterprise can also bring about security concerns.
In terms of general attacks, there are several threat vectors that could allow information to be inadvertently disclosed – and not all of them involve malicious behaviour. A simple configuration error could cause data to be exchanged through an unencrypted channel, or potentially even sent to the wrong recipient. In the recent Verizon Business 2008 Data Breach Investigations Report, 62% of all breaches were found to result from significant errors (among them poor decisions, misconfigurations, omissions or process breakdowns).
As such, protecting against data loss is more than just protecting against data theft. It requires comprehensive monitoring capabilities able to provide situational awareness on where data is located (be it at rest, in transit or even in use).
Concentration on data being moved out
A few years ago, a fringe market appeared related to the awareness of the limitations of defensive capability. This didn’t concentrate so much on attacks moving into the corporate network, but rather on data being moved out. Intrusion Detection System (IDS) technology, which had introduced pattern matching to the masses, was already well known and quickly became a logical first step in detecting data theft. Data-in-transit (or in-transit) detection of intellectual property had become a fact.
However, the limitations of pattern matching quite quickly became clear. Detecting the code name of a highly protected project in outbound mail is easy. Detecting documents based on, but not copied from, intellectual property was quite another challenge. Several other techniques (such as cyclical hashing and statistical analyses) were thus developed and quickly implemented.
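An added example (not from the original article) of the gap described above: a codename match misses a reworded excerpt, while rolling-hash fingerprints over word windows still catch it. It assumes "cyclical hashing" refers to rolling-hash fingerprinting; the codename, sample texts and function names are constructed for illustration.

```python
import re
import zlib

BASE, MOD = 257, (1 << 61) - 1  # parameters of the rolling polynomial hash

# Constructed sample texts (not real data).
PROTECTED = ("Project BlueHeron pricing: the new valve assembly ships in March "
             "at a unit cost of 41 pounds, undercutting the current supplier "
             "by twelve percent across all European plants.")
DERIVED = ("FYI the new valve assembly ships in March at a unit cost of 41 "
           "pounds, undercutting the current supplier by twelve percent. "
           "Keep it quiet.")
UNRELATED = ("Lunch is moved to one o'clock on Friday because the meeting "
             "room is booked.")

def tokens(text):
    # Lower-case word tokens, so case and punctuation edits do not matter.
    return re.findall(r"[a-z0-9]+", text.lower())

def keyword_hit(text, codenames):
    # Classic pattern match: does any protected codename appear as a word?
    words = set(tokens(text))
    return any(name.lower() in words for name in codenames)

def fingerprints(text, k=4):
    # Rolling (Rabin-Karp style) hash of every k-word window in the text.
    ids = [zlib.crc32(t.encode()) for t in tokens(text)]
    if len(ids) < k:
        return set()
    top = pow(BASE, k - 1, MOD)  # weight of the word leaving the window
    h = 0
    for x in ids[:k]:
        h = (h * BASE + x) % MOD
    out = {h}
    for i in range(k, len(ids)):
        h = ((h - ids[i - k] * top) * BASE + ids[i]) % MOD
        out.add(h)
    return out

def containment(outbound, protected_index, k=4):
    # Share of the outbound message's windows that also occur in protected data.
    fp = fingerprints(outbound, k)
    return len(fp & protected_index) / len(fp) if fp else 0.0

if __name__ == "__main__":
    index = fingerprints(PROTECTED)
    for name, msg in [("derived", DERIVED), ("unrelated", UNRELATED)]:
        print(name, keyword_hit(msg, ["BlueHeron"]),
              round(containment(msg, index), 2))
```

A production index would cover many documents and keep only a sample of the hashes; the threshold at which a containment score raises an alert is a policy decision.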
One solution was to focus on identifying concentrations of data in places where it didn’t belong, or even monitoring users’ actions when data was visible. This approach required detection of data both at rest and in use, and demanded much more complex techniques to assess data presence such as end user agents or even rights management applications employing unique, hardened clients.
However, firms have to face up to a fundamental problem: the traditional and recognised boundaries of the enterprise don’t actually exist any more. The successful extended enterprise will inevitably be based upon a large-scale unbounded network that acts as part of an orchestration of networked communities, where the traditional restraints and boundaries don’t apply. In this ‘cloud-based’ approach, users will act as network nodes. Necessarily, traditional views about security must change.
Protecting assets, preventing losses
Given the new way of working, how can firms effectively protect their assets and prevent data loss? Managing risk at an increasingly complex and porous network level now implies almost impossible cost and danger. The journey from simple hardware-based security towards a multi-layered approach that can potentially lead to an unsustainable solution set is a fraught one indeed. That solution set might comprise hardware and domain-based technologies, firewall ports relying on known IP addresses, increasingly complex rules through defined ports, signature-based detection of malware and the use of encryption for some categories of data (at best to protect data at rest).
Other methodologies ratchet up the complexity. For example, there’s the overlay of heuristics for pattern matching to provide additional intelligence in fending off zero day attacks. Then there’s the overlay of traffic assessment, log management and assorted decode-based analyses that probe deeper into packets and move from hosts to end points.
That said, because the new extended enterprise is multi-layered and has added complexity, such overlaid solutions introduce latency as well as being more difficult to manage effectively. There has to be a better way of working.
Effective and manageable data loss prevention
If the traditional borders and boundaries approach to security is no longer sustainable, what models should firms adopt? Even though the transition to user-based security is underway, it should never be forgotten that the primary task is to focus on the most important thing that needs protection: the data itself.
The industry has created a buzz phrase – Data Loss Prevention (DLP), but what exactly is that all about? How did it evolve, and how might it be implemented within the extended enterprise?
DLP encompasses data leak prevention, data monitoring and information content protection. Driven by compliance and breach notification regulations, organisations started deploying major pilot projects to see how data loss could be minimised. Not surprisingly, the services industries, healthcare and insurance were among the first to deploy, closely followed by virtually all industries that are heavily dependent on their established intellectual property base. For these organisations in particular, any theft or even inadvertent disclosure of data would significantly impact their bottom line.
Today, the DLP market consists of two main industries: the first deals with database audit and protection, the other focusing on data monitoring. The former was conceived on the principle that data should be protected at its origin. By checking access and identifying requests that are ‘out of place’, a compromise can easily be detected.
These types of tools are deployed to monitor access in front, or even inside, the database application. They look, for example, at when data was changed and how the actual content changed. By taking all of these factors into account, a picture of normal behaviour can be obtained, and anything unusual flagged up. Some practitioners see it as an advanced form of database auditing.
Tagging and data streams
Data monitoring can be categorised as having two different approaches: one aims to prevent the loss of data by tagging it – essentially adding a signature that remains with the documents, wherever they go, and using custom clients to prevent unauthorised reading or tampering. However, this approach encompasses an inherent weakness in that it relies on employees to assign appropriate rights and privileges on documents when they’re created.
The other approach focuses on the principle of monitoring the data streams. Modern DLP solutions allow an organisation to index data, scan endpoints and servers for its presence and then apply deep inspection rules to gain a comprehensive view of its location within the enterprise. These tools have adjusted to meet detection needs on many channels (including e-mail, Blackberry devices and more recent business applications such as enterprise instant messaging).
Establish a policy, categorise, classify, act
Given DLP’s relative immaturity, many organisations are not quite sure how to proceed with its implementation. Before data can be protected it has to be categorised and classified. There are a number of challenges, not least of which is the fact that most of the data firms have is in an unstructured format, not to mention the sheer scale of the data that they have to manage and, ultimately, protect.
Not only do firms have to contend with information they generate and store themselves, they must also take into account what comes in from the vast, thriving and self-replicating reservoir of information contained in cloud-based Internet communities.
It follows that, before protection begins, firms need to consider what type of data they need to run their business, how to make it easily understandable to both users and tools and how to identify different data elements, no matter where in the organisation they might be stored. The latter could incorporate a manual discovery process, using interviews and workshops with employee representatives or, where possible, an automated process that involves scanning file servers and desktops to see where data is located.
The truth is that it’s a hard task to successfully implement a DLP strategy, but it’s not an impossible one. The most important consideration is to reflect upon the current situation of the organisation before rushing into a project, and to have a clear objective in sight. Without a clear goal, or even a coherent data protection policy, projects can become costly failures, lacking direction and providing little impact on the overall level of data protection.
Establishing the DLP policy
There are basic places to start. First of all, companies need to establish a DLP policy and then implement data encryption at the host. Next, there’s the management of encryption keys and managing access at the network level, with encryption at the end points covering disks, devices and USBs through to document and mail encryption.
Organisations also need to design their data protection policy. Once the various data classification levels are known and understood, policy has to be developed to mark how that data should be handled. This policy, which defines expected user behaviour, can then be used to delineate a technical enforcement and detection architecture.
Developing this type of policy – and, perhaps even more importantly, making sure users understand it – is one of the most difficult issues to resolve. The problem is not one of information security per se, but rather one of understanding business needs.
Business owners need to be involved in data classification, and executive management also has to clearly articulate an organisation’s appetite for risk. What’s more, this needs to be an ongoing effort. Most important of all, DLP and data protection must be carefully integrated into any incident response process. If it isn’t, it will be a swift return to the early days of IDS deployments: policy violations will be carefully logged, but no-one will be listening.
Data security requires an holistic approach
The end goal for any organisation is, of course, data protection. This requires an effective and swift response to any incident. Depending on the individual business’ requirements, it may also require 24/7 follow-up of alerts generated by the solution, and fine tuning to incorporate changing business requirements. This is especially important in the new extended enterprise where new business relations are often born in the field, and not always directed from the top of the organisation.
Transactions will be flagged as exceptions by any DLP tool that enforces the data protection policy, and will need to be validated by the business.
Safeguarding critical business data requires an holistic approach encompassing consultancy, technology and monitoring services. Choosing the right partner can be project critical. Organisations should look for a partner that is vendor-neutral and able to provide a total solution, complementing DLP technology with expertise and processes in information security.
At the end of the day, information security is about reducing risk and protecting a business’ most critical assets. Implementing DLP technology alone will not address the full spectrum of risks created by the extended enterprise. However, it certainly helps to reduce both a company’s and its customers’ overall risk exposure by enabling the accurate positioning of overall security posture.
DLP has a crucial role to play in protecting and controlling data flow – itself an absolutely critical part of security risk management.
David Howorth is regional vice-president at Verizon Business Security Solutions