
Managing the risks of information leakage

By Bernardo Patrão.

Information leakage is a real and growing problem. Every month, news about another organization leaking confidential information becomes public. These are the known cases that have a visible impact. Many similar incidents occur daily, and the vast majority of information leaks are accidental: they are not solely the result of intentional, harmful actions. Unintentional data loss is perhaps more dangerous because those affected are not necessarily aware of, or able to act on, the problem.

Aside from any other impact, information loss may represent a very high cost for organizations. Information loss has both direct and indirect costs. The direct costs are the intellectual property or industrial information itself, together with the cost of handling the consequences of its loss. Indirect costs include loss of credibility, erosion of competitive advantage and regulatory transgressions.

Problem definition
Nowadays little or no paperwork is involved in core business processes. Critical business information is increasingly held digitally. A recent IDC study shows that the growth of information held in digital format is exponential and may reach 35 zettabytes by 2020.

The growing awareness of the risks of information leakage was sparked by a series of corporate scandals in which confidential information was disclosed. As the majority of those cases demonstrate, such breaches are often not the result of malicious wrongdoing, but rather of employees who unknowingly put their companies at risk. This may occur when employees send out email messages containing files or content that they do not realise is confidential. Another example is employees sending confidential files to their web-based mailboxes, or copying files to mobile devices, and thus exposing them to untrusted environments.

Information security involves the protection of information from external attacks on organizations’ infrastructure and processes. Security standards and best practices (e.g. ISO/IEC 27002:2005) are mainly focused on the protection of information systems from external sources and events, involving processes and infrastructure security. Information leakage can, therefore, slip under the radar of information security processes and teams.

Protecting systems, infrastructures and processes from penetration is no longer enough. Organizations must protect the information that they hold (often on behalf of others) from accidental disclosure.

A high-level solution
In order to help prevent information leakage, the information itself should be safeguarded from undue access. The only way to ensure this is to use a solution that applies to the information some form of persistent protection that travels with it, ensuring that data is protected regardless of its state or location. Such solutions are known as data-centric security solutions.

By analysing the taxonomy of the most relevant information security techniques (presented in the following diagram) it is easily seen that most technologies focus on the protection of data in a specific state: ‘at rest’ – while it is stored on a computer or network hard drive; ‘in motion’ – while travelling through the network between two users or machines; and ‘in usage’ – while being accessed (read, edited, printed, etc.) by the users.

[Figure: Security technologies taxonomy]

Two types of security solutions move information security on from its state-specific focus: ERM and DLP.

Enterprise rights management
Enterprise rights management – ERM – is a security technology that applies persistent encryption to data, ensuring that information is protected regardless of whether it is at rest, in motion or in usage. Even while being used, the information is only decrypted to the computer’s memory and made available to the application using it. While ERM-protected information is in usage, ERM also applies detailed rights over that usage (e.g. to block certain actions such as print, copy to clipboard, export data to another format or forward by e-mail).

Data loss prevention
Data loss prevention – DLP – technologies include a broad range of solutions designed to discover, monitor, and protect confidential data wherever it is stored or used. DLP includes solutions that discover, protect, and control sensitive information found in data at rest, data in motion, and data in use. The systems are designed to detect and prevent the unauthorised use and transmission of confidential information.

Network-based DLP solutions are typically installed at the corporate gateway. These solutions scan network traffic such as email, instant messaging, FTP, web-based tools (HTTP or HTTPS), and peer-to-peer applications for leaks of sensitive information.

Host-based DLP solutions are typically installed on desktops, laptops, mobile devices, USB drives, file/storage servers, and other types of data repositories. Host-based DLP also includes solutions that provide data discovery and classification capabilities.

Discovery DLP solutions are designed to discover sensitive information on desktops, laptops, file servers, databases, document and records management, email repositories, and web content and applications.
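The content inspection that a network-based DLP gateway performs on outbound email, as an added example that is not part of the original article or of any product it describes. The internal domain, the two detectors (a classification marker and Luhn-checked card numbers) and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy for this sketch: one internal domain, two detectors.
INTERNAL_DOMAINS = {"example.com"}
MARKER = re.compile(r"\b(confidential|internal use only)\b", re.I)
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(msg):
    """Return the gateway decision for one outbound message."""
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = sorted(a for a in rcpts
                      if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS)
    findings = []
    for part in msg.walk():            # body and every attachment
        if part.get_content_maintype() != "text":
            continue                   # binary formats need their own extractors
        name, text = part.get_filename() or "body", part.get_content()
        if MARKER.search(text):
            findings.append((name, "classification-marker"))
        for m in CARD.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((name, "card-number"))
    # Sensitive content is only a leak when it leaves the organization.
    action = "block" if findings and external else "allow"
    return {"action": action, "external": external, "findings": findings}

def sample(to, attachment):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", to
    m.set_content("Q3 numbers attached.")
    m.add_attachment(attachment, filename="customers.txt")
    return m

LEAK = "CONFIDENTIAL\ncard 4111 1111 1111 1111\n"

if __name__ == "__main__":
    print(inspect(sample("alice@webmail.example", LEAK)))
    print(inspect(sample("bob@example.com", LEAK)))
```

The first message, addressed to a web-based mailbox, is blocked; the same attachment sent to an internal colleague is allowed but still reported in the findings.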

In the following table, the strengths and weaknesses of each technology are presented. It is easy to see that DLP’s weaknesses correspond to the strengths of ERM and vice versa.

[Table: ERM vs. DLP for data-centric features]

A solution that combines the advantages of both DLP and ERM would obviously be highly advantageous and such solutions are now starting to appear.

Author: Bernardo Patrão, information security expert at Critical Software.

• Date: 23rd November 2011 • Region: World • Type: Article • Topic: ISM
