Agency caulk: How a data leakage focus closes the holes opened by end-users

Prem Iyer

For years, agencies took the same approach to information security as they did for physical security: they focused on locking down the perimeter, using firewalls, routers and VPNs. The objectives centered on external threats.

But technology soon became ubiquitous in our daily lives. Government workers began using technologies in the office that they first adopted at home, like e-mail and IM, and a few years later, file transfer services, flash drives, even live streaming video. All surfaced new security risks coming not from external hackers, but from earnest and, most often, well-meaning internal users.

Soon after, social networks swiftly became a part of both workers’ daily Internet behavior and even some business processes, further opening up organizations to accidental risk or even sabotage. And now, smart phones -- with cameras and live and speedy Internet connections -- are in the hands of more than 65 percent of U.S. workers.

To put it simply, the assumption that an un-breached perimeter means an un-breached network no longer applies. Organizations need to take on a broader and deeper strategy that focuses on assuring there is no source of data leakage in the agency’s boat.

An agency seeking to determine whether it is watertight can do so very quickly by answering these five essential questions:

  1. Does your organization have reliable tools to protect data at rest (datacenter security), in motion (while traversing the network), and in use (at laptops, desktops, mobile devices, etc.)?
  2. Has your organization engaged in a comprehensive data discovery process in the last year?
  3. Has that data been formally classified by sensitivity or compliance requirements?
  4. Is there a standardized process in place to notify the IT team of exceptions, i.e. breaches or non-compliance?
  5. Has your organization formally identified all the compliance information it needs in order to regularly audit and report on security?

 

If you answered no to any of these questions, it would probably be a good idea to reassess your organization’s approach to security in today’s environment. Here are five steps you should take to plug the holes in the agency’s hull right now.

1.  Get in the crow’s nest to understand what makes data critical.

The first step in creating a plan for data loss prevention is to take a top-down look and gather a full understanding and checklist of the kinds of critical data that exist within the agency. This requires an examination of the agency’s structure to identify regulatory and other compliance factors that might impact each workflow. Start with the rules that are most foundational to agency governance and work outward toward those that affect only certain agency functions and roles.

2.  Make all data fall in line according to its “rating.”

With all that data, you need to get a sense of how to rank its importance. One common way to do this is to group data by class, according to the sensitivity of the information it represents. From there, each class of data can be further broken down into categories, elements and organizational owners. Then create rules that govern how the data is handled, including which personnel and which software are authorized to access it, at what times and from what locations.

3.  Scrub your hull to discover your data.

Thanks to virtualization sprawl, shared services and database redundancy, it’s not necessarily a straightforward task to know where all the critical data truly resides. To avoid securing “petty officer” data that doesn’t matter, or leaving “master chief” data vulnerable that very much does matter, an agency should use data discovery tools continually to create and maintain maps of how sensitive data flows through the organization. These maps will serve as the key to policy and control, and should be updated frequently.
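An added example, not from the article or from any product it describes: a minimal Python discovery pass that ties steps 2 and 3 together by finding sensitive elements in stored content, validating them so look-alike numbers are not over-classified, and producing a class-to-location map. The three class names, the element-to-class mapping, the marking string and the sample locations are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed three-level scheme (not from the article); higher rank = more sensitive.
CLASS_RANK = {"public": 0, "internal": 1, "restricted": 2}
ELEMENT_CLASS = {"ssn": "restricted", "payment_card": "restricted", "fouo_marking": "internal"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKING_RE = re.compile(r"\bfor official use only\b", re.IGNORECASE)

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject values never issued as SSNs (area 000/666/9xx, group 00, serial 0000)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def find_elements(text):
    """Return the set of sensitive data elements present in one document."""
    found = set()
    if any(ssn_plausible(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.add("payment_card")
    if MARKING_RE.search(text):
        found.add("fouo_marking")
    return found

def build_data_map(stores):
    """Map each class to the locations holding it; a document takes its highest class."""
    data_map = defaultdict(list)
    for location, text in stores.items():
        elements = find_elements(text)
        label = max((ELEMENT_CLASS[e] for e in elements), key=CLASS_RANK.get, default="public")
        data_map[label].append((location, sorted(elements)))
    return dict(data_map)

# Constructed sample content standing in for file shares, VM clones and wikis.
SAMPLE_STORES = {
    "fileshare/hr/onboarding.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "vm-clone-07/tmp/export.txt": "order 4111 1111 1111 1111 shipped",
    "wiki/helpdesk/template.txt": "Ticket 1234-5678-9012-3456 ref 000-12-3456",
    "intranet/memo.txt": "For Official Use Only: parking changes",
}
```

The help-desk template stays in the lowest class because its 16-digit ticket number fails the Luhn check and its SSN-shaped reference uses an area number that is never issued, which is the "petty officer" over-classification the step warns about.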

4.  Patrol the seams for the most likely leaks.

For years, people thought of security threats as centered on hackers and others with bad intentions. While stolen media and user privilege breaches are still risks that absolutely must be mitigated, perhaps even more common are unintentional breaches. The five most common sources of accidental data leakage are:

a.  Portable media (lost laptops, USB drives, backups, etc.)

b.  E-mail (accidental sends on corporate, Web mail and private)

c.  Instant Messenger (user video)

d.  Blogs and social networks (status information)

e.  FTP servers (large files too big for e-mail)

 

5.  Arm your ship with control and audit.

Given risks from both the ill-willed and the earnest, organizations seeking to reduce the risk from breaches of any sort should gather the tools necessary to implement a physical control strategy. These break down into three directives:

 
