Data protection strategies: Unraveling the data leakage riddle

By Aishwarya Ramani, Contributor
18 Nov 2009 | SearchSecurity.in


The importance of information security and the urgent need for data privacy solutions cannot be stressed enough. CIOs and CISOs continuously reinvent data protection strategies to outsmart those who exploit technology to leak data. User education takes a company only so far; after that comes implementation of the right controls against data leakage and data loss.

Vishal Salvi, the CISO of HDFC Bank, categorizes data into two broad categories — structured and unstructured data. Unstructured data is typically created by users on a daily basis in the form of spreadsheets, presentations or documents. Such data worries CISOs, because the complexity increases sharply when trying to put data protection controls around it.

Since loss prevention and privacy protection measures like access control are built into applications, the data flow inside them is logically considered secure. However, unstructured data may flow through various channels to external entities. Unless that flow is controlled, the resulting data leakages can mean huge losses to the company. "Anything which can impact an organization or should not be made available has to be included in the scope," says Sunil Dhaka, the CISO of ICICI Bank.

Because users save data in multiple formats and follow no standard method for naming files, the CIO's job only gets harder when looking for data protection solutions. Hence data classification is the primary requirement for a good data protection strategy.

Snoop and scoop

Demarcating data ensures it does not fall into the wrong hands. Vijay S, the director of IT advisory for KPMG, suggests creating an information asset list and deciding data relevance and criticality based on that list. The next step is to decide which data fits the confidential, restricted, public and private buckets. "A collection of vendor invoices in a purchase department file is also sensitive information that needs to be protected, in addition to how this information is stored in a database," says Vijay.

Several Indian CIOs, like Sudhir Reddy of IT solutions player Mindtree Ltd., are in the process of evaluating data protection solutions. Sudhir feels that it is easy to train a certain group of individuals and ensure checkpoints for controls, but implementing the same organization-wide will require more than just user education. As Sunil explains, "The sensitivity and criticality of data is best established by its owner."

Currently, Sudhir is looking for solutions that do not allow users to save documents created by them, unless they enter information to classify that data. The parameters for labeling any created data must be decided by the organization's information security policy. "Such a customization shouldn't be too difficult for vendors like Microsoft to put in," says Sudhir.

Despite the absence of a data protection solution at present, Mindtree has a mechanism where network drives are dedicated to different departments. Access to those drives is controlled, and audit trails are maintained to track who visits each drive. However, without a good data classification mechanism, it is difficult to protect the data within a single drive from loss or leakage.

Sunil warns against improper data classification, since the controls built on it then fail to mitigate the risk of data leakage. Reddy suggests drop-down lists to tag documents while saving them, so that users can choose from a set of predefined data classification schemes.

After classifying data, the necessary document rights management (DRM) mechanisms can be applied to protect it and ensure privacy. DRM solutions allow users to define the data's recipients, thus preventing unauthorized persons from accessing the file. "With DRM solutions, you get to decide document access with time limits, authorized IP addresses, and users with read/write authorization," explains Vishal.
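As an added illustration (not code from the article or from any vendor product it mentions), the policy checks described above, written as a small, fail-closed evaluator: a document must carry one of the article's four classification labels before a policy can be attached to it, and each access request is then checked against the time limit, the authorized IP ranges and the per-user read/write rights. The classification names, sample users, addresses and dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# The four buckets named in the article; a document with any other label is refused.
CLASSIFICATIONS = {"public", "private", "restricted", "confidential"}

# Constructed clock values: the article's date, and a date after the sample policy expires.
AS_OF = datetime(2009, 11, 18, tzinfo=timezone.utc)
PAST_EXPIRY = datetime(2010, 1, 1, tzinfo=timezone.utc)


@dataclass
class DocumentPolicy:
    """Rights attached to one document: who may do what, from where, until when."""
    classification: str
    expires_at: datetime                                   # time limit (timezone-aware)
    allowed_networks: list = field(default_factory=list)   # CIDR strings, e.g. "10.0.0.0/8"
    rights: dict = field(default_factory=dict)             # user -> set of {"read", "write"}

    def __post_init__(self):
        # The "no save without a classification" rule: reject before any policy is attached.
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification: {self.classification!r}")
        if self.expires_at.tzinfo is None:
            raise ValueError("expires_at must be timezone-aware")
        # Parse CIDRs up front so a typo fails at policy creation, not silently at access time.
        self.allowed_networks = [ip_network(n) for n in self.allowed_networks]


def check_access(policy, user, client_ip, action, now=None):
    """Return (allowed, reason). Every branch fails closed; unknown users get no rights."""
    now = now or datetime.now(timezone.utc)
    if action not in ("read", "write"):
        return False, f"unsupported action {action!r}"
    if now >= policy.expires_at:
        return False, "document expired"
    ip = ip_address(client_ip)
    if not any(ip in net for net in policy.allowed_networks):
        return False, f"{client_ip} is not in an authorized range"
    if action not in policy.rights.get(user, set()):
        return False, f"{user} lacks {action} right"
    return True, "ok"


def sample_policy():
    """Constructed example: a confidential document for two users on the corporate LAN."""
    return DocumentPolicy("confidential", datetime(2009, 12, 31, tzinfo=timezone.utc),
                          ["10.0.0.0/8"], {"alice": {"read", "write"}, "bob": {"read"}})


if __name__ == "__main__":
    for user, ip, action in [("alice", "10.1.2.3", "write"), ("bob", "10.1.2.3", "write"),
                             ("bob", "203.0.113.7", "read")]:
        print(user, ip, action, check_access(sample_policy(), user, ip, action, now=AS_OF))
```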

The fight within

What the data protection solution should achieve depends on the organization's needs. It is mandatory to study those needs and find the right data protection solutions. Sunil suggests conducting a gap analysis on the evaluated solution to determine whether it addresses people, process and technology issues.

The needs analysis should be followed by a risk assessment of the current situation. Once the risks are identified, the necessary controls can be laid down, and a solution enforcing those controls can be implemented.

Periodic risk assessment is essential to understand the organization's data protection needs. In an organization, data flows through multiple channels to various recipients. An information security consultant should start by looking at various scenarios to establish what might go wrong in each scenario, and then define a risk control matrix accordingly.

Despite the benefits of data classification and data protection, awareness of the necessity of data protection is poor among Indian companies. Top management should lay down rules for how they want their data to be classified, and these must be communicated to every employee.
