The Changing Network Perimeter
Until recently, the primary focus of network security was to guard the perimeter and keep the bad stuff out. Businesses used firewalls to segregate the internal network from the external network and prevent unauthorized network traffic or potentially malicious content from penetrating the corporate network.
Antivirus, antispam and other technologies were deployed on e-mail gateways and other perimeter-facing servers to monitor and block potentially malicious content from entering the network. It was assumed, in many cases, that any data on the internal network was safe and that there was no need to monitor or block data on its way out.
But network security continues to evolve in some good and some not so good ways. For starters, technologies such as firewalls and antivirus applications offer an increasingly complex means to protect the perimeter. This is a good thing.
Unfortunately, as mobile computing and portable storage devices have taken off, the perimeter has disappeared and the line between inside and outside the network has been all but erased. The definition of the network is expanding, and the battlefront has also moved accordingly.
There are many ways that confidential or private data can leave a corporate network. Users may copy files to notebook PCs to take work home or copy data to portable storage devices, such as Universal Serial Bus flash drives, cell phones, digital cameras or MP3 players. Data can be intentionally or inadvertently sent out via e-mail, which makes it tough to protect against information leakage.
Ben Rothke, a New York City senior security consultant with International Network Services, calls it the “perfect storm” — curious people, ubiquitous high-speed Internet access and overall poor security on the servers storing that information. “When you put those three factors together, they combine to create the situation where confidential data can be quickly leaked and shared with an enormous amount of information. Once the data is shared in such a manner, it is effectively impossible to get it back in a secure state.”
As you battle information leakage in your organization, keep these five tips in mind:
1 Written policy on corporate data/removable storage. If the guideline defining what is or is not acceptable is not written down, employees cannot be expected to follow it. Your policy should specify what is expected from employees regarding the removal or transportation of internal corporate data, and should also define what is acceptable in terms of USB flash drives, MP3 players or other removable storage devices that users might connect to a computer.
2 Proper file/folder permissions. You should organize data into a meaningful directory structure, and design the file and folder permissions to limit access to sensitive or confidential information to authorized users or groups.
3 Encrypt confidential/sensitive data. Encrypt exceptionally sensitive or important data, preferably protected by two-factor authentication, so that decrypting and viewing it requires more than simply cracking a password.
4 “Google hack” your company’s Web site. Many organizations are surprised to find out just how much confidential and sensitive information from their network is available online. Scan your company’s network or registered domain name and identify any accessible data before someone else does.
5 Consider implementing an information-leakage appliance. After you have developed policies and procedures to protect the data, and you have taken the necessary steps to secure sensitive data against unauthorized access, all that is left is to watch the network to detect and block any attempts — intentional or not — to e-mail or otherwise transmit confidential or sensitive data.
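
The kind of outbound e-mail check that tip 5 describes can be sketched in a few lines of Python. This is an added example, not part of the original article or any vendor's product; the internal domain `corp.example`, the classification labels and the function names are assumptions. It blocks a message only when it both carries a policy label and has a recipient outside the company, and it decodes the body first, because a plain text search of the raw message would miss a base64-encoded body.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumed for this example: internal mail domain and policy-defined labels.
INTERNAL_DOMAINS = {"corp.example"}
MARKERS = re.compile(r"\b(company confidential|internal use only)\b", re.I)

def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not an internal one."""
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    addrs = [addr for _, addr in getaddresses(fields) if addr]
    return [a for a in addrs if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]

def marked_parts(msg):
    """Describe each part whose text or attachment filename carries a marker."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and MARKERS.search(name):
            hits.append(f"attachment name: {name}")
        # get_content() undoes base64/quoted-printable, so an encoded body is
        # inspected as the recipient would read it, not as it looks on the wire.
        if part.get_content_maintype() == "text" and MARKERS.search(part.get_content()):
            hits.append(f"text in {name or 'message body'}")
    return hits

def inspect_outbound(raw):
    """Return (verdict, external recipients, marker hits) for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    outside, hits = external_recipients(msg), marked_parts(msg)
    return ("block" if outside and hits else "allow"), outside, hits

# Constructed sample message (not real traffic); the body is base64-encoded.
SAMPLE = """\
From: alice@corp.example
To: bob@corp.example, Carol <carol@partner.example>
Subject: Q3 numbers
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Q29tcGFueSBDb25maWRlbnRpYWw6IFEzIGZvcmVjYXN0IGF0dGFjaGVkLg==
"""

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE))
```

A check like this depends on tip 1: it can only find labels that the written policy actually requires people to put on sensitive documents.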