Agency caulk: How a data leakage focus closes the holes opened by end-users

Prem Iyer

For years, agencies took the same approach to information security as they did for physical security -- they focused on locking down the perimeter, using firewalls and routers and VPNs. The objectives centered on external threats.

But technology soon became ubiquitous in our daily lives. Government workers began using technologies in the office that they first adopted at home, like e-mail and IM, and a few years later, file transfer services, flash drives, even live streaming video. All surfaced new risks to security coming not from external hackers, but from earnest and, most often, well-meaning internal users.

Soon after, social networks also swiftly became both a part of workers’ daily Internet behavior and even some business processes, further opening up organizations to accidental risk or even sabotage. And now, smart phones -- with cameras and live and speedy Internet connections -- are in the hands of more than 65 percent of U.S. workers.

To put it simply, the assumption that an un-breached perimeter means an un-breached network no longer applies. Organizations need to take on a broader and deeper strategy that focuses on assuring there is no source of data leakage in the agency’s boat.

An agency seeking to determine whether it is watertight can do so very quickly by answering these five essential questions:

  1. Does your organization have reliable tools to protect data at rest (datacenter security), in motion (while traversing the network), and in use (at laptops, desktops, mobile devices, etc.)?
  2. Has your organization engaged in a comprehensive data discovery process in the last year?
  3. Has that data been formally classified by sensitivity or compliance requirements?
  4. Is there a standardized process in place to notify the IT team of exceptions, i.e. breaches or non-compliance?
  5. Has your organization formally identified all the compliance information it needs in order to regularly audit and report on security?

 

If you answered no to any of these questions, it would probably be a good idea to reassess your organization’s approach to security in today’s environment. Here are five steps you should take to plug the holes in the agency’s hull right now.

 1.  Get in the crow’s nest to understand what makes data critical.

The first step in creating a plan for data loss prevention is to take a top-down look and gather a full understanding and checklist of the kinds of critical data that exist within the agency. This requires an examination of the agency’s structure to identify regulatory and other compliance factors that might impact each workflow. Start with the rules that are most foundational to agency governance and work outward toward those that affect only certain agency functions and roles.

2.  Make all data fall in line according to its “rating.”

With all that data, you need to get a sense of how to rank its importance. One common way to do this is to group data by class, according to the sensitivity of the information it represents. From there, it can be further broken down into categories, elements and organizational owners for each class of data. Then create rules that govern how the data is handled, including which personnel and which software are authorized to access it, at what times and from what locations.
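The handling rules described in this step can be written down as a small policy table and checked on every access request. The sketch below is an added example, not part of the original article; the class names, roles, application names and network ranges are hypothetical sample values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class HandlingRule:
    roles: frozenset      # personnel authorized for this class
    apps: frozenset       # software authorized to open it
    start: time           # permitted access window (local time)
    end: time
    networks: tuple       # permitted source locations, as CIDR blocks

# Constructed sample policy: every name and range here is hypothetical.
POLICY = {
    "public": HandlingRule(frozenset({"staff", "contractor"}),
                           frozenset({"browser", "case-mgmt"}),
                           time(0, 0), time(23, 59, 59), ("0.0.0.0/0",)),
    "sensitive": HandlingRule(frozenset({"staff"}), frozenset({"case-mgmt"}),
                              time(6, 0), time(20, 0), ("10.0.0.0/8",)),
    "restricted": HandlingRule(frozenset({"records-officer"}),
                               frozenset({"case-mgmt"}),
                               time(8, 0), time(18, 0), ("10.20.0.0/16",)),
}
MOST_RESTRICTIVE = "restricted"

def in_window(now, start, end):
    # A window whose end is earlier than its start wraps past midnight.
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end

def evaluate(data_class, role, app, now, source_ip):
    """Return (allowed, reasons). Data with no known class gets the strictest rule."""
    rule = POLICY.get(data_class, POLICY[MOST_RESTRICTIVE])
    reasons = []
    if role not in rule.roles:
        reasons.append("role not authorized")
    if app not in rule.apps:
        reasons.append("software not authorized")
    if not in_window(now, rule.start, rule.end):
        reasons.append("outside permitted hours")
    if not any(ip_address(source_ip) in ip_network(n) for n in rule.networks):
        reasons.append("location not permitted")
    return (not reasons, reasons)
```

Returning every failed condition, rather than stopping at the first, gives the audit trail in step 5 a complete record of why a request was refused.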

3.  Scrub your hull to discover your data.

Thanks to virtualization sprawl, shared services and database redundancy, it’s not necessarily a straightforward task to know where all the critical data truly resides. To avoid securing “petty officer” data that doesn’t matter, or leaving “master chief” data vulnerable that very much does matter, an agency should use data discovery tools continually to create and maintain maps of how sensitive data flows through the organization. This will serve as key to policy and control, and should be frequently updated.

4.  Patrol the seams for the most likely leaks.

For years, people thought of security threats as centered on hackers and others with bad intentions. While stolen media and user privilege breaches are still risks that absolutely must be mitigated, perhaps even more common are unintentional breaches. The five most common sources of accidental data leakage:

a.  Portable media (lost laptops, USB drives, backups, etc.)

b.  E-mail (accidental sends on corporate, Web mail and private)

c.  Instant Messenger (user video)

d.  Blogs and social networks (status information)

e.  FTP servers (large files too big for e-mail)

 

5.  Arm your ship with control and audit.

Given risks from both the ill-willed and the earnest, organizations seeking to reduce the risk from breaches of any sort should gather the tools necessary to implement a physical control strategy. These break down into three directives:

  • Control user access – authenticate that users are who they claim to be and authorize what they can access specifically. Two-factor authentication is a key tool in this area.
  • Control data – protect the data itself, using encryption, enterprise rights management and data loss prevention tools.
  • Audit it all – demonstrate that all those policies and controls are actually being executed successfully, using a security information and event management solution.

In all, it is clear that agencies are becoming more and more dependent on their data, and on secure and authorized access to it. Increasingly, it is also becoming clear that a data loss prevention approach to security is an agency’s best bet for 360-degree protection from both security and compliance risks. Success in this arena, as in most operations, depends not only on discipline around planning and execution, but also on a commitment to continual auditing and process improvement. The difference may be that, unlike a naval victory, a security victory is always as silent as the deep.

 
