November 8, 2010

Data Loss Prevention: Best practices for protecting your most valuable asset

For years IT organizations have focused on securing the computer network. Technologies such as firewalls and network access control (NAC) are designed to keep malware and unauthorized traffic from coming in. That makes sense from an operational integrity standpoint. Viruses, worms, spam, phishing attacks, etc. can bring a network to a standstill. But, while the focus has been on keeping bad traffic out, data packets have moved freely – for the most part – through and beyond the private network. After all, that’s what the network is for. It plays a supporting role to the star of the show: your data. Without data, there’s little need for a network. But therein lies the rub! Even as organizations block traffic and prevent infected or noncompliant endpoints from connecting to the network, they allow confidential, sensitive and proprietary information to flow between departments, between LAN segments, between private networks and across the Internet.

Increasingly, companies are recognizing the vulnerability this creates and the need to secure not just the network but also the data that is stored on it and transmitted across it. That is where data loss prevention comes in. Data loss prevention (DLP) refers to a category of information security products that aim to prevent the unauthorized distribution or loss of sensitive information. It is a set of technologies designed to identify confidential information, monitor where that information is stored and where it is being sent, and enforce policies accordingly. DLP solutions typically have three components: an endpoint agent that monitors and controls user activity on workstations and laptops, a network component that inspects data streams in transit (email, web uploads and other outbound traffic), and a storage component that discovers and protects data at rest on file servers, databases and other repositories.

The Need for Data Loss Prevention

It used to be there was only one way to steal a company’s valuable assets – through the door. Not so today. Many businesses live and die based on the information they possess, be it customer data, trade secrets or other intellectual property. And that information can leave an organization any number of ways. Perhaps the most high-profile means of data loss of late is through the theft or loss of mobile data-bearing devices, such as laptops, thumb drives and smartphones. The storage capacity of these devices continues to grow, and companies are eager to let their users work anytime, anywhere. This means an increasing dependence on mobile devices. Sales teams have access to Web-based CRM applications. Executives email sensitive documents while on the road. While this functionality enables a more productive workforce, it also increases the exposure of the company’s data. Smartphones and laptops are left in taxis, at airport checkpoints, at conferences and in hotel rooms – where they can easily be picked up by the next passerby. In fact, according to the Ponemon Institute’s Business Risk of a Lost Laptop study, the most vulnerable time for a laptop is during travel. But these devices are vulnerable wherever they are used. Laptops have been stolen from office buildings, and even from end users’ homes and vehicles. For example, in January 2008 a laptop was taken from a Horizon Blue Cross Blue Shield employee in Newark, New Jersey. The laptop, which was being taken to the employee’s home, held more than 300,000 member names, Social Security numbers and other personal information.

Mobile data-bearing devices are a weak point in your company’s data security, but an even larger source of data loss is email. In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email is the number one source of data loss risk in large enterprises. According to the study, 35% of respondents had investigated a leak of confidential or proprietary information via email in the previous 12 months. Consider how many of your end users use email and have access to sensitive information. Even authorized users sending sensitive information to legitimate recipients put your data at risk if that data is transmitted in clear text. Then there is the possibility that data is sent to the wrong recipient, or that the sender or recipient shouldn’t have access to the data at all. On Sept. 2, 2010 medical technology provider Kinetic Concepts Inc. announced that an attachment containing sensitive employee information had accidentally been emailed to company employees. With a simple click of a mouse, unauthorized recipients had access to their colleagues’ Social Security numbers, addresses, dates of birth and salary information. Imagine the mess that created for HR!
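The network component described above (identify confidential data in a stream, then enforce a policy) is easiest to understand on exactly the email case just described: a payroll attachment about to leave the company. The following is an added example, not code from the original article or from any vendor’s product. It scans a constructed outbound message for Social Security numbers and payment card numbers (the card check is Luhn-validated so a random 16-digit string is not flagged), then applies a simple policy: block if any recipient is outside the assumed internal domain example.com, require encryption if everyone is internal, otherwise allow. The message, the domain and the policy outcomes are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample message for the example (not a real incident): an HR
# payroll export with SSNs in the attachment and a card number in the body.
SAMPLE_EMAIL: Dict = {
    "from": "hr@example.com",
    "to": ["alice@example.com", "bob@partner-company.net"],
    "subject": "Payroll export",
    "body": (
        "Attached is the payroll export. Corporate card on file: "
        "4111 1111 1111 1111. Ignore the old reference 1234 5678 9012 3456."
    ),
    "attachments": {
        "payroll.csv": (
            "name,ssn,dob,salary\n"
            "J. Doe,123-45-6789,1980-01-02,85000\n"
            "A. Roe,234-56-7890,1975-06-30,92000\n"
        )
    },
}

# SSN: AAA-GG-SSSS, excluding area numbers 000, 666 and 9xx and zero groups,
# which the SSA never issues; this cuts obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str       # "ssn" or "pan"
    location: str   # which part of the message it was found in
    count: int


def find_sensitive(text: str, location: str) -> List[Finding]:
    """Content inspection for one text fragment."""
    findings: List[Finding] = []
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(Finding("ssn", location, len(ssns)))
    # Only keep card candidates that pass Luhn; random digit runs are dropped.
    pans = [m.group(0) for m in PAN_RE.finditer(text)]
    pans = [p for p in pans if luhn_ok(re.sub(r"[ -]", "", p))]
    if pans:
        findings.append(Finding("pan", location, len(pans)))
    return findings


def scan_message(msg: Dict) -> List[Finding]:
    """Inspect subject, body and every attachment of an outbound message."""
    findings = find_sensitive(msg["subject"], "subject")
    findings += find_sensitive(msg["body"], "body")
    for name, content in msg["attachments"].items():
        findings += find_sensitive(content, f"attachment:{name}")
    return findings


def decide(msg: Dict, findings: List[Finding], internal_domain: str = "example.com") -> str:
    """Policy: sensitive data may not leave the company; inside it must be encrypted."""
    if not findings:
        return "allow"
    external = [r for r in msg["to"] if not r.lower().endswith("@" + internal_domain)]
    if external:
        return "block"      # a real gateway would also alert the sender and security team
    return "encrypt"        # e.g. force TLS or encrypt the attachment before delivery


if __name__ == "__main__":
    found = scan_message(SAMPLE_EMAIL)
    for f in found:
        print(f"{f.kind}: {f.count} in {f.location}")
    print("decision:", decide(SAMPLE_EMAIL, found))
```

Run as-is the script reports one card number in the body, two SSNs in the attachment, and a decision of block because one recipient is at partner-company.net. Drop that recipient and the same findings yield encrypt: the data is going to an authorized colleague, so the policy addresses the clear-text problem rather than the recipient problem.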

And that brings us to another looming threat – the insider. Data can be lost by end users via accidental disclosure. These are folks who have access to sensitive information but don’t know how to use it safely. Again, perhaps they are emailing confidential documents to an appropriate recipient but are not encrypting them. Then there are users who intentionally disclose sensitive and confidential information to “get back” at their employer. In February 2010, ITPro.co.uk reported that a database containing contact information of 170,000 Royal Dutch Shell workers was emailed to organizations campaigning against the oil giant. The database is “thought to have been sent by a disaffected former employee of the company,” according to the report. That’s just the tip of the iceberg. According to the Privacy Rights Clearinghouse, 77 data breach incidents resulting from intentional disclosure by insiders were made public from January through October, 2010. Those 77 breaches exposed 1,268,807 records.

Malware and Web applications also pose a risk to corporate data. Users can download myriad Web apps to their smartphones that use or store data from the phone. For example, software marketed to catch cheating partners can be downloaded onto an unsuspecting user’s phone. The software then records all communications and stores the information on a server where it can be accessed by a third party. Other Web apps aren’t as obviously malicious. They may enable smartphone users to send and receive virtual business cards or record telephone conversations for later playback. But these applications potentially expose sensitive and confidential information to third parties, especially if it is stored on the Web app providers’ (possibly insecure) servers.

Malware writers have also come to realize that there is money to be made in possessing sensitive data. Attackers create viruses, spyware and the like to steal data that can later be used to commit identity theft or blackmail, or be resold. Case in point: the United States’ fourth largest credit card payments processing company fell victim to a malware attack in 2008. Heartland Payment Systems’ network was infected with malware that allowed attackers to capture unencrypted payment card data in transit. This went on undetected for several months.

The full article includes information on the following:

The Cost of a Data Breach
Symantec DLP Solutions
Discover Where Confidential Data is Stored
Monitor How Confidential Data is Being Used
Protect and Prevent Confidential Data Loss
Manage and Enforce Unified Data Security Policies
Data Loss Prevention Best Practices

For the full article, visit Logical Security Resources.
