Closing the gaps in enterprise data security: A model for 360 degrees protection

This paper examines the primary data threats that currently concern chief security officers (CSOs) and IT security management within enterprises, and recommends best-practice techniques to minimize and overcome risks to data security. These best practices have been successfully implemented and deployed in organizations worldwide as components of a holistic data security strategy.

A Sophos white paper, June 2009
Businesses adapt to increased mobility and expanded connectivity: Evolving data threats

Mobile computing and global networking cast a new light on data security issues as, in response, organizations reassess the technologies in use within their IT infrastructures and reconsider the ways in which staff members, customers and partners communicate. Solutions that do not provide the appropriate balance between protection and usability must be discarded in favor of solutions that effectively minimize risks of data theft or loss, achieve compliance with existing regulations and equip personnel with tools that help them work productively and securely.

The crux of the matter is simple: Business processes today rely on vastly different methods of data storage and data exchange than even a few years ago. These changes in the computing landscape make it essential that companies adopt a very different approach to security. According to the Forrester Research report, “The State Of Enterprise IT Security: 2008 To 2009,” 90% of organizations say that data security is “important” or “very important” and would get high priority in 2009.

The following sections detail three possible scenarios illustrating how these individual threats can affect the business operations, data integrity and overall security of organizations.

• Scenario one: Theft of a mobile computing device
• Scenario two: Losing removable media containing confidential data
• Scenario three: The insider threat

Each section also provides recommendations as to how each individual threat can be minimized by using technology that is available today. The objective is to provide full 360-degree security that protects against the widest range of attack vectors.

Scenario one: Theft of a mobile computing device

California-based Company A, a channel partner of a global chip manufacturer, has designed a promising media player. Product manager Sally Ortez worked closely with the chip maker to negotiate the specifics of the processor purchases, product rollout plans, marketing strategy, projected sales in various channel outlets and product road map details.

Ortez routinely kept all documents relevant to the collaboration on her notebook computer, including proprietary information under a non-disclosure agreement with the manufacturer. She also carried a PDA that stored additional private information.

At a large trade show in Hong Kong, Ortez was navigating the packed aisles of vendors and technology companies with her computer bag secured by its strap over her shoulder. After she was bumped from behind, someone quickly cut the strap of the bag and grabbed it. Police efforts to locate the thief failed.

Five days later, the full specifications of the unreleased processor showed up on the Internet, along with the marketing plan for the media player and product road map. A day after that, the chip manufacturer cancelled the channel co-marketing plans with Company A and threatened legal action because of the disclosure. Ortez never recovered the lost notebook or PDA.
Risk: mobile computing devices that are lost or stolen

The mobile workforce depends on smaller, lighter and more portable computing devices to get their work done in the field. Their reliance on these computing devices heightens the importance of protecting the information on them from loss, theft or viewing by unauthorized individuals. The 2008 CSI Computer Crime and Security Survey reports that laptop theft/fraud ranks among the top three threats, with 42% of security professionals who responded citing it.

Best practice: encrypt critical data on mobile devices

As reported by a number of different sources, theft of mobile computing equipment is all too common and—without protection—the information stored on systems is easily accessible to thieves. Even a power-on password and other forms of single-factor authentication are of little use in guarding against theft or loss.

However, encrypting the data on mobile computing devices makes it inaccessible to thieves and outsiders, and provides a level of data protection that is both prudent and responsible.

Solution: SafeGuard Easy and SafeGuard PDA or SafeGuard Enterprise

With SafeGuard Easy and SafeGuard PDA, the ending to the previous scenario could have been much different. SafeGuard Enterprise, which is now available, also includes features to address this type of problem. Consider this alternative ending.

Following the advice of a leading data security publication, the director of IT operations at Company A implemented a policy to perform full hard disk encryption on all company notebook computers using SafeGuard Easy. All handheld mobile computing devices also fell under this mandate, in this case using SafeGuard PDA. The software deployment took place overnight. Following the initial usage, which requires a simple log-in process, employees using single sign-on (SSO) need only enter their password once to access the computer, just as they had done previously. Employees didn’t notice any difference in the behavior of their notebooks or PDAs.

During the Hong Kong trade show, Sally Ortez lost both her PDA and her notebook computer when her computer bag was snatched in a crowd. Because of the strong encryption protection on these devices, there was no potential for the disclosure of any sensitive data, and the business partnership with the chip maker continued to flourish.

Company A also avoided having to notify companies and individuals about the stolen data, as is required by California SB 1386 for any losses of unencrypted data. Encryption preserved both the data privacy and a valuable business relationship to the benefit of everyone involved in this scenario.

Industry-leading encryption solutions from Sophos deliver enterprise-caliber data security, giving mobile workers the confidence and protection to travel freely without being concerned about revealing information that could damage both their company and their career.

SafeGuard Enterprise effectively protects data on mobile computing devices—from PDAs to wireless notebook computers.
Scenario two: Losing removable media containing confidential data

Fabian Bredcowski worked as a technical support specialist for Company B, a thriving New England-based computer retailer, and was privy to files and information stored on the Company B servers—all of which were strongly protected by a corporate firewall and rigorous authentication and access protections.

Bredcowski took security seriously, but he was also tenacious about pursuing solutions to problems—even when away from the workplace. After dealing with one particularly vexing support question that he could not resolve over the phone, Bredcowski couldn’t get the problem out of his mind and decided to work on it at home with his home computer. At the end of the day, he hastily copied the tech support customer files to a 1GB memory stick and slipped it into a pocket in his wallet. The files included contact information and personal data about several hundred Company B customers.

On the way home, Bredcowski stopped at a local restaurant for a take-out dinner. His wallet slipped out of his pocket and fell to the ground when he got out of the car. The driver of the next car that pulled into the lot noticed the wallet, picked it up and found the memory stick inside. He pocketed both and quickly drove off.

When Bredcowski reached for his wallet to pay for his dinner, he was shocked to find it was missing. At the same instant, he realized the memory stick with private customer data was inside. Conscientiously, he reported the loss to his supervisor, who was furious that, as a matter of policy, Company B would have to notify each customer of the personal data loss—a grave reflection on the company’s handling of personal information. For this breach, Bredcowski was docked the cost of mailing the data loss announcements and demoted to a position in the shipping department. For several months after the event, the customer support personnel at Company B had to respond to a steady stream of phone and mail complaints from customers disturbed that their personal information had been treated so casually.

Risk: protection of information stored on removable media

The increased storage capacities and evolving form factors of removable media create a new vector of possible data loss. Securing removable hard disk drives, flash memory devices, optical discs, magnetic media, memory sticks and similar media should be a top priority for security strategists within an organization. The compact size and lightweight form factors of removable media devices make them especially prone to loss or theft. Such potential security breaches can damage customer relationships and result in financial losses for the businesses involved.

Best practices

Protect sensitive data and intellectual property residing on endpoint devices: Encryption prevents unauthorized access to hard drives, flash memory cards, optical discs, memory sticks and similar media.
Solution: SafeGuard Data Exchange and SafeGuard RemovableMedia

The use of SafeGuard Data Exchange could have resulted in a very different ending to this story. Consider this alternative scenario. After dealing with the difficult support question that he could not resolve over the phone, Bredcowski copied the relevant files to a 1GB memory stick protected by the SafeGuard Data Exchange solution. All data being stored on the memory stick was automatically encrypted, protected by a secure password that Bredcowski previously assigned.

The loss of his wallet in the restaurant parking lot turned out to be a personal tragedy; but the driver who stole both the wallet and the memory stick had no way to access any of the data files because they were encrypted. Although Bredcowski reported the loss to his supervisor, no action was taken because the data on the memory stick was securely protected. For several months afterward, Bredcowski had to deal with fraudulent charges on his credit cards; but the good customers at Company B were protected from the potential revelation of their personal information and the company maintained its strong reputation.

SafeGuard RemovableMedia provides security-to-go for all forms of removable media. As a reasonable precaution against loss or theft, this solution ensures consistent, effective protection of commonly used media storage devices in your company. To ensure that confidential information remains confidential, you can configure SafeGuard RemovableMedia to prevent any sensitive data from leaving the company on a removable medium without first being encrypted. As an additional measure of protection, access to any unencrypted data stored on removable media can simply be denied.

Scenario three: The insider threat

Wendy Profolo had been working as a contract software developer since her mid-twenties, and her proficiency and integrity gained her a good deal of trust. In her new assignment for Company C, she was quickly provided network access and her manager was pleased to see her making steady progress on the coding project she had been given. What her manager did not know was that Profolo had a serious gambling problem and had become proficient at finding ways to exploit information extracted from a company server to cope with her rising gambling debts.

Within two weeks, Profolo managed to modify her access privileges, scour the network file structures to retrieve a dozen corporate credit card numbers, gather personal information about the executive board that might later prove useful, accumulate financial records that she thought might be sold to a Taiwanese competitor of Company C and steal the source code for a revolutionary new product that the company was developing. Profolo was caught one evening as she was trolling through the human resources files by one of the janitors, who was startled to see his name up on her screen and immediately reported her to her supervisor. Profolo is serving time at a minimum-security prison and, as a result of this experience, Company C currently relies on encryption to protect sensitive resources stored on corporate servers.

Risk: unauthorized internal access to server-based information and workstations

Threats from insiders—whether contractors working on software code, disaffected administrators acting maliciously or rogue personnel with unknown agendas—are among the most insidious data threat scenarios. The 2008 CSI Computer Crime and Security Survey reports that insider abuse ranks among the top two concerns, with 44% of the security professionals who responded citing the threat.
A comprehensive data protection strategy should address this potential risk and find techniques to mitigate it.

Best practices

First, consider the range of assets that insiders theoretically can view or access, and then employ decisive measures to secure these assets against unauthorized viewing. This may include file access on internal LANs, server content that is accessible to insiders and information stored casually on workstations or notebooks physically accessible on desks and tables within a facility.

Solution: SafeGuard LAN Crypt

Before Company C hired Wendy Profolo, a savvy manager in the software engineering group procured a trial copy of SafeGuard LAN Crypt. Impressed by the capabilities of the software application, the manager purchased and installed a licensed version of the product. Following Profolo’s hiring, despite a progression of attempts to penetrate the encrypted server contents, she eventually realized that there was no possible way to access protected files and folders on the LAN.

Given this situation, Profolo was forced to confront her problem and her supervisor helped her gain admission to a 12-step gambling addiction program, which successfully brought her problem under control. Profolo has bounced back and focused her skills on application design, recently becoming a valued, full-time employee of the company.

SafeGuard LAN Crypt prevents confidential information stored on company servers from being viewed by anyone without the appropriate authorization. In any organization where insiders have potential access to the contents of servers, encryption provides an effective means of guarding sensitive information from prying eyes.

Embracing a 360° approach to data protection

As discussed throughout this paper, maintaining data privacy and confidentiality is an essential component of any data security strategy designed to contend with today’s data threats. With a suite of data security solutions based on advanced encryption technology, Sophos products directly address the three stages in the data life cycle: the endpoint or the back end (data at rest), during transmission (data in motion) and during processing (data in use). The prevailing model of the open enterprise—where mobile workers, removable media and increased networking generate new threats—requires a strategy that aligns business practices with full, comprehensive data protection.

Central management and oversight of data protection measures give organizations a means to ensure that the security policies in force are enacted consistently throughout the organization. SafeGuard solutions combine central management with the key security components to provide a unified approach to data protection—an important factor in countering data threats.
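The two controls recommended for removable media in scenario two (encrypt every file before it leaves on a memory stick, and deny access to any unencrypted data found on such media) and the server-side file and folder encryption of scenario three rest on the same mechanism: data is useless to whoever holds the medium or the filesystem permissions unless they also hold the key. The following Python program is an added example written for this page; it is not Sophos or SafeGuard code and does not reflect how those products are implemented. It assumes a stand-in authenticated cipher built only from the standard library (scrypt key derivation, HMAC-SHA256 in counter mode as keystream, and an HMAC-SHA256 tag in encrypt-then-MAC form); a real deployment would use a vetted AEAD such as AES-GCM. The container header `ENC1`, the class names `RemovableMedium` and `EncryptedShare`, the group names and the sample file contents are all constructed for the example.

```python
"""Encrypt-before-export and encrypted-share model (added example, not SafeGuard code).

Stand-in for an authenticated cipher using only the standard library: scrypt
derives a key from a password, HMAC-SHA256 in counter mode produces the
keystream, and an HMAC-SHA256 tag (encrypt-then-MAC) detects a wrong key or
tampered data. A real deployment would use a vetted AEAD such as AES-GCM.
"""
import hashlib
import hmac
import secrets

MAGIC = b"ENC1"              # constructed header marking an encrypted container
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Password to 32-byte key; the salt is stored beside the data and is not secret."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)        # fresh nonce per file
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        raise ValueError("not an encrypted container")
    nonce = blob[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ct, tag = blob[len(MAGIC) + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # verify before decrypting, constant time
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class RemovableMedium:
    """Memory stick under the scenario-two controls: every file is encrypted under
    the owner's password before it lands on the stick, and any plaintext found on
    the stick is refused rather than read."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)       # kept on the stick next to the files
        self._key = derive_key(password, self.salt)
        self.files = {}                           # name -> bytes as stored on the stick

    def export(self, name: str, data: bytes) -> None:
        self.files[name] = encrypt(self._key, data)

    def read(self, name: str, password: str) -> bytes:
        blob = self.files[name]
        if not blob.startswith(MAGIC):
            raise PermissionError(f"{name}: unencrypted data on removable media is denied")
        return decrypt(derive_key(password, self.salt), blob)


class EncryptedShare:
    """Server share in the scenario-three model: each folder is encrypted under a
    group key issued only to authorized users, so filesystem read access obtained
    by an insider yields ciphertext and nothing more."""

    def __init__(self, groups):
        self.group_keys = {g: secrets.token_bytes(32) for g in groups}
        self.files = {}                           # path -> (group, ciphertext)

    def store(self, path: str, group: str, data: bytes) -> None:
        self.files[path] = (group, encrypt(self.group_keys[group], data))

    def keyring_for(self, *groups) -> dict:
        """Keys issued to one user; a contractor might hold only 'engineering'."""
        return {g: self.group_keys[g] for g in groups}

    def open(self, path: str, keyring: dict) -> bytes:
        group, blob = self.files[path]            # the ACL already let the caller read the bytes
        if group not in keyring:
            raise PermissionError(f"{path}: no key for group '{group}'")
        return decrypt(keyring[group], blob)


if __name__ == "__main__":
    stick = RemovableMedium("correct horse battery staple")
    stick.export("customers.csv", b"name,phone\nA. Customer,555-0100\n")   # constructed sample
    print(stick.read("customers.csv", "correct horse battery staple"))
    share = EncryptedShare(["finance", "engineering"])
    share.store("/finance/q2.txt", "finance", b"constructed financial record")
    try:
        share.open("/finance/q2.txt", share.keyring_for("engineering"))
    except PermissionError as err:
        print(err)
```

The design point is where the decision is made: the stick refuses to hand back anything that is not in the encrypted container, so a file copied onto it by some other route is unreadable through the policy, and the share checks for a group key after the operating system has already granted read access, which is exactly the position an insider who has widened her own permissions ends up in. The tag is verified before any decryption so that a wrong password and a modified file fail the same way.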
Boston, USA | Oxford, UK

© Copyright 2009. Sophos Plc. All registered trademarks and copyrights are understood and recognized by Sophos. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means without the prior written permission of the publishers.