Enterprise data loss prevention

Staff Writer on Sep 4, 2008 12:50PM
The truth of enterprise data loss is that it will happen. Whether by malicious intent or accidental breach, no company can lock up all its data, nor should it try.

Based on more than 25 years of experience in the security industry, RSA has developed a framework for managing information risk – the key to unlocking the value of business information.

In order to help companies take manageable risks and leverage their information, RSA has identified the best practices that can help companies identify information at risk in order to prevent enterprise data loss.

By following the below best practices, companies can not only improve their ability to secure sensitive customer data, but also better protect revenue, ensure customer loyalty, and meet government regulations.

Let’s look at each of these best practices in more detail.

Best Practice #1: Understand what data is most sensitive to the business.

Not all data is of equal importance from a security perspective. The first step in preventing enterprise data loss is to determine which data is most sensitive, or at highest risk, to your business.

Then, you can prioritise your efforts and define appropriate policies. But how do you know which data is most sensitive to your business?

To answer the question, you need to understand your business structure, examine the various departments and lines of business across your organisation, and identify both the regulatory and non-regulatory security drivers for each department.

Once this is understood, you can then prioritise your data by grouping information into various ‘classes’. For example, you might create three classes of information from the most restricted and sensitive (e.g. data relating to the company’s unannounced financial results) to the least sensitive (e.g. data pertaining to vendor shipping rates).

The next step is to determine the data categories, elements, and owners for each class of information. Then, you should determine which elements of the information are most critical and which department or business unit within the company owns this data.

Finally, after you have classified your data, you must then define the policies – the rules for ‘appropriate handling’ of the data, including which employees and applications are authorised to access this data and how, when, and from where they are allowed to access it.

Best Practice #2: Know exactly where the most sensitive data resides.

At first glance, the answer to the question, “Where does my company’s most sensitive data reside?” seems to be obvious. You would probably answer, “In databases, of course!” But databases are really just the tip of the iceberg, especially with today’s mobile, highly collaborative environments.

If data is stored in a database, then it is also stored on a disk, which is likely backed up to other disks or tape media. Additionally, your data is probably accessed through a variety of applications and from a wide array of devices, transformed on desktops, laptops, and wireless handhelds, emailed to other users, and then stored on yet other file servers or collaboration portals.

The truth is that the answer to the question is not so obvious, yet it is critical to preventing enterprise data loss. Most companies, however, do not take the time to conduct thorough data discovery, leaving them with three choices, none of which are viable:

• One, they secure all their data, which is only possible with an unlimited budget.
• Two, they secure none of their data, which is only acceptable if the company is willing to accept all the risk that accompanies this strategy.
• Or three, and most commonly, they secure some of their data in a haphazard manner, lulling themselves into a false sense that data is secure and ignoring significant risks, which is simply dangerous.

Best Practice #3: Understand the origin and nature of your risks.

In addition to knowing where your important data resides and how it is being used, you need to understand your risks. How could your data be compromised or stolen? By whom? And how much risk would your company assume with exposure of this data?

Some of the more common risks have had their share of headlines over the past 24 months, including:
• Lost or stolen media
• Privileged user breach
• Unintentional distribution: sensitive data is sent out via public email, exposed on public portals, or otherwise distributed to unauthorised users.

To prevent enterprise data loss and strike a balance between cost and risk, you must go beyond simply determining which databases house your critical data.

Rather, you should undertake a complete data discovery process, which requires you to answer some basic questions about your infrastructure, including:

• Do you have sensitive data in databases? If so, in which database tables? In which columns or fields?
• Do you have sensitive data in file shares? If so, in which folders? In which files?
• Do you have high-risk data on laptops? If so, on whose laptops?

Next, you will also need to answer data type and usage questions, such as:

• Is your intellectual property unwittingly exposed through custom-built applications?
• Are your unannounced company financial reports illicitly finding their way onto laptops, PDAs, and USB drives?

Through the data discovery process – which should be continuous – your company can create a map of its critical and sensitive data, which serves as a foundation for your security policy and control strategy.
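As an added example (not code from the article or from RSA's products), here is a minimal file-share discovery scanner in Python that answers the "which folders, which files" questions above and produces the data map the article describes. The data elements (payment card numbers, Australian Tax File Numbers), their detectors and the sample share are assumptions; each detector carries a validator because unvalidated pattern matches are exactly what produce a misleading map.

```python
import os
import re
import tempfile

def luhn_ok(digits):
    # Mod-10 check so that not every 16-digit string is reported as a card number.
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0

def tfn_ok(digits):
    # Australian Tax File Number: weighted digit sum must be divisible by 11.
    return sum(int(d) * w for d, w in zip(digits, (1, 4, 3, 7, 5, 8, 6, 9, 10))) % 11 == 0

# Data element -> (pattern, validator); extend with the elements your own classes define.
DETECTORS = {
    "payment_card": (re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
    "tax_file_number": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_ok),
}

def scan_file(path):
    # Returns {element: validated match count} for one file; empty dict if clean.
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:  # a real scan should log unreadable files, not skip them silently
        return {}
    counts = {name: sum(1 for m in pat.finditer(text) if ok(re.sub(r"[ -]", "", m.group())))
              for name, (pat, ok) in DETECTORS.items()}
    return {name: n for name, n in counts.items() if n}

def build_data_map(root):
    # Walks a share and maps relative path -> elements found: which folder, which file.
    data_map = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            if hits := scan_file(path):
                data_map[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return data_map

def demo():
    # Constructed sample share: a valid card, a mistyped card, a valid test TFN, a plain order number.
    samples = {"finance/cards.csv": "acct,card\nA,4111 1111 1111 1111\nB,4111111111111112\n",
               "hr/payroll.txt": "Employee TFN 123 456 782\n",
               "ops/shipping.txt": "Vendor rate table, order 123456789 ships Monday\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        return build_data_map(root)
```

Run against a real share root instead of the temporary one, and feed the resulting map into the classification and policy steps of Best Practice #1; the mistyped card and the plain order number are deliberately left out of the map by the validators.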

Creating a risk model that takes into account all the potential ways your data might be compromised or stolen provides the context you need to implement an appropriate control strategy that outlines both the types of control mechanisms (i.e. how to secure the data) as well as the points of control (i.e., where to secure the data).

Best Practice #4: Select the appropriate controls based on policy, risk, and where sensitive data resides.

Once you understand your policies, where your sensitive data resides, and the risks at those locations, you can develop an appropriate control strategy. That strategy will likely include both processes and technology.

The physical control strategy comprises two components: the control mechanisms (i.e. the types of controls) and the control points (i.e. where in the infrastructure they are placed: at the storage, database, file server, application, network, or end point).

A comprehensive control strategy will include a combination of controls from all three categories described below, implemented at various layers in the IT stack:

• Access Controls control both authentication (i.e. is the user who he or she claims to be?) and authorisation (i.e. what can the user do once he or she gains access?). A wide range of products are covered in this category, including web access management, two-factor authentication, and knowledge-based authentication.
• Data Controls control the data itself. Data controls include products and technologies such as encryption, data loss prevention (DLP) and information rights management (IRM).
• Audit Controls provide the feedback mechanisms to ensure the policies and controls are in fact working as they should. Often called security information and event management (SIEM), audit control products provide the means to prove compliance as well as refine policies and controls.

Over the past few years, more companies are focusing on implementing data controls, especially encryption solutions and Data Loss Prevention (DLP) systems, due to the increasing number of data breaches and growing regulatory scrutiny of data privacy and integrity issues.

It is also increasingly important because both encryption and DLP systems are highly effective in collaborative environments where data is mobile, shared, and transformed. These two types of data controls exemplify the notion of ‘self-defending data’. That is, they enable your data to defend itself.

Best Practice #5: Manage security centrally.

The management of control mechanisms has a significant impact on both the effectiveness of controls and their total cost of ownership. Organisations often make the mistake of managing each control mechanism separately, which results in policy misalignment, high management costs, and a lack of business process continuity.

To avoid these problems, companies must manage their security control mechanisms, including both policies and keys, centrally. Centralising the administration of security policies ensures that control points consistently enforce security rules and makes proactive monitoring of activity that could result in a security violation easier to automate.

In addition, centralisation helps ensure that users consistently follow appropriate usage rules for sensitive data to avoid unintentional leakage.

The second piece of centralised security management involves encryption keys. With centralised key management, encryption controls can be effectively and consistently implemented across all control mechanisms, protecting the organisation from data breaches due to human error, lost keys, or incompatible and conflicting encryption policies.

Without centralised management of both security policies and encryption keys, processes can be irrevocably broken, leading to business disruption.

Best Practice #6: Audit security to constantly improve.

As with any corporate process, a security program should have a feedback mechanism that enables the organisation to assess its compliance with policy, and provide feedback on the effectiveness of data controls.

Business is not static – neither are the security mechanisms that protect it. You need real-time tracking and correlation of security events in order to respond quickly to change.

Audit control systems such as Security Information and Event Management (SIEM) systems enable you to analyse and report on security logs and real-time events throughout your enterprise.

To enable proper auditing of your data security infrastructure, you need a SIEM system that automatically collects, manages and analyses the event logs produced by each of the security systems, networking devices, operating systems, applications, and storage platforms deployed throughout your enterprise.

These logs monitor your systems and keep a record of security events, information access, and user activities both in real time and for forensic analysis.

By correlating events in your data control systems in real time, you can quickly respond to incidents as they occur, remediating any potential losses. Such proactive log management is the foundation for a comprehensive auditing strategy.

A SIEM system enables you to regularly review your security infrastructure for:
• Incident investigation and forensics
• Incident response and remediation
• Compliance with regulations and standards
• Evidence for legal cases
• Auditing and enforcing data security policy.

By establishing auditing best practices and implementing an effective SIEM system, you can reduce the cost and increase the efficiency of compliance, risk management, and forensics. Equally important, auditing provides an opportunity for continuous improvement. Security should always be viewed as a process rather than an event.

More about Pullen

Mark Pullen is A/NZ country manager at RSA, the security division of EMC, responsible for directing RSA’s ANZ sales and field operations and developing the long-term sales strategy for the region.

This includes delivering a broad portfolio of products and services designed to meet the diverse business needs of compliance, security, and IT and network operations personnel.

Mark is an advocate for an information-centric approach to security, recognising the market’s need for intuitive, cost-effective solutions that act as accelerators of business innovation and growth.

Mark has more than 18 years of local experience in the IT software arena, including eight years at RSA and 12 in the security industry. Prior to joining RSA, Mark was sales director for eSign – the local affiliate of VeriSign – where he was instrumental in the company attaining Australian government GateKeeper PKI certification. Mark also spent two years with Network Associates focusing on anti-virus, firewall and intrusion detection software.

His specialist background, combined with his experience in RSA enabling solutions – security information and event management, two-factor authentication, developer solutions/encryption and web access management – has provided him with a well-rounded knowledge of security technologies.