Reducing the business risk that results when data leaves the enterprisenetwork should be on the radar screen of every administrator, accordingto industry watchers.
''Information security, or the lack thereof, affects the reputation,reliability and trustworthiness of every company. And, once you lose it,you lose it forever,'' says Larry Ponemon, founder of the PonemonInstitute, a think tank that studies privacy data protection andinformation security policy.
Industry participants predict that increasing numbers of companies willbe poised to address data leakage in 2005, followed by productimplementations through 2007. Why? Because the problem is growingexponentially and no one wants to be tomorrow's headline news because ofit.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i The time is now
To grasp the scope of a problem, a recent study by the Ponemon Institutelooked at 163 Fortune 1,000 companies. The study revealed that 75 percentof them reported a security breach in the prior 12 months. The leaks mayhave involved personal information about customers, personal informationabout employees, involved confidential business information, andintellectual property, including software source code.
''What we're seeing is that many companies have poor access controls overwho gets data and no way of controlling the outflow of data,'' saysPonemon.
According to Gartner Inc., more than 80 percent of high-cost securityincidents occur when data from inside the organization gets out. Mostdata leakage occurs by accident or because of poor business processes,says Rich Mogull, a research director at Gartner. Whether accidental ormalicious, security breaches from inside the company aren't addressed bythe bulk of security dollars spent on technology that addresses theperimeter of the network.
While the problem of information exiting the company has always beenaround, the depth and breadth of the problem has changed dramatically inthe past few years.
First off, information is more valuable and there's more of it inelectronic form. For instance, there is more electronic communication,such as email, and instant messaging. More people work remotely. Hackersare evolving into professional criminals, and outsourcing is reaching afevered pitch.
Up until recently, most corporate security policy focused on keeping thebad guys out. But now, says Jim Nisbet, chief technology officer atTablus Inc., ''The danger in what leaves the organization exceeds thedamage of what comes in.''
It's the law
What's really turned up the heat on stopping data leakage is a relativelynew patchwork of laws that make businesses liable for privacy and dataprotection, and governance: California SB 1386 and A.D.1950,Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act(HIPAA), The Patriot Act, and Sarbanes Oxley Act (SOX), to name several.
The DeKalb Medical Center is a Decatur, Ga.-based hospital with multiplefacilities and a variety of network traffic that includes standardbusiness data, and local and Internet communications, as well as privatepatient health information. Up until January 2004, it had no networkmonitoring tools to prevent data leakage.
''Being a hospital, HIPAA put the issue on the forefront,'' says SharonFinney, information security administrator at DeKalb, adding that withregulation in place, noncompliance becomes actionable and public. Thedeadline for HIPAA compliance is April, 2005. The hospital beganaddressing HIPAA requirements three years ago.
With a clear-cut path for what it needed to do, the hospital conducted arisk analysis, identified problem areas, established policies andsearched for a technology solution. ''We knew from the start, that weneeded a tool that could identify protected health care information outof the box,'' says Finney.
With only three monitoring products available, at the time, only VericeptCorp. was able to meet the medical center's turnkey requirements. DeKalbuses the vendor's Healthcare Compliance Solution, and Filter for HIPAA.
Not only are business being forced to comply with compliance regulationsor risk paying fines, they're also aware of the cost of damage to thecompany's reputation. ''For DeKalb, or any organization that handlesconfidential information, the damage to our reputation could bestaggering,'' says Finney.
In addition to implementing a security solution to prevent data fromleaving the organization and establishing policy, education was key to asuccessful outcome. DeKalb's user population includes employees, vendors,contractors, temporary workers, and off-site physicians and their staff.''We had to bring users to a level where everyone was reading off of thesame page when it came to security policy and procedures,'' she says.
DeKalb is currently upping the ante on data security, and is looking atimplementing a second layer of protection via an email encryption tool.
Sorting through solutions
While some tools, such as encryption or PKI, have been available for anumber of years, they tended to be difficult to manage.
''Most companies opted to focus on higher priority projects and wrote offthe cost of data loss as part of doing business,'' says Paul Proctor,vice president of security and risk strategies at Meta Group.
Currently, there are more than a dozen vendors offering solutions thataddress data leakage. A fractured market, products use a variety oftechniques to identify whether data should be stopped or let through thenetwork. Some content monitoring and filtering solutions are applicationspecific, or, for example, watch email traffic, IM, or FTP. Otherproducts are more general and work below the application layer and lookat multiple channels.
An early Reconnex Inc,.customer, Extreme Networks, a worldwide vendor ofnetwork infrastructure solutions, is concerned about insider threats orthe loss of high-value intellectual property.
''Depending on the size of the company and the data lost, theramifications can be crippling,'' says Paul Hooper, CIO at Extreme. Forthe high-tech company, the Reconnex inSight platform for data protectionsecurity is viewed as an insurance policy.
In addition to help meeting regulatory compliance requirements, securitysolutions that help companies protect data from leaving the corporatenetwork, also can help protect brand loss and a company's competitivestance in the market.
Like most security solutions, this next layer of security protection isnot going to help companies make money. ''What we're selling is riskreduction,'' says Joseph Ansanelli, CEO and cofounder of Vontu Inc. Hesays it's also about saving money by preventing future events.
According to Gartner's Mogull, limited product deployments begin atbetween $20,000-$50,000 and can immediately cut down on data leakage.
''Limited product deployments may not protect everything, but if acompany has data stores that are more important than others, beginthere,'' he says. Mogull suggests that companies start with smallimplementations and grow from there, prioritizing where it's important tospend money.
Industry participants are quick to point out that preventing data leakageis not about technology alone -- it's about people, processes andtechnology. ''Companies must have a written policy and there must beconsequences for not adhering to that policy,'' says Ponemon.