<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-30088005</id><updated>2012-02-16T00:00:33.553-08:00</updated><category term='How to find IP'/><category term='smarter information retrieval'/><category term='what does it mean?'/><category term='Gartner predicts a move away from notebooks'/><category term='Eli Lilly legal documents sent to NY Times'/><category term='Symantec study finds more monies goes to compliance'/><category term='000 accounts compromised'/><category term='Congressinal bill introduced to protect PII'/><category term='PCI compliant'/><category term='IPv6 support from DLP vendor Fidelis'/><category term='Speaking at Gartner in DC'/><category term='Obama cyber security plan'/><category term='link to hack-igations'/><category term='Proof of Concept testing'/><category term='Supreme Court Justice Stephen Breyer PII disclosed'/><category term='SB 1386 extended to include PHI'/><category term='Symantec and HP has data loss in laptop thefts'/><category term='Agent or not'/><category term='30% of sensitive information on is laptops encrypted in the US government'/><category term='Surveys show risk of data breaches for 09'/><category term='building a query for a sensitive document'/><category term='University lost 60'/><category term='DLP chalk talk video'/><category term='DLP a commodity?'/><category term='Password data base found by Finjan'/><category term='eDiscovery news'/><category term='New emphasis on compliance signaled by Obama'/><category term='National security trumps privacy'/><category term='smarter dlp data base scanning'/><category term='FCI in W2K8 R2 and Titus Labs'/><category term='Predator Prey analysis 
for identifiying sensitive information'/><category term='DRM protection of sensitive information'/><category term='SSN guessing'/><category term='Millions of Student Loan Records Stolen in Data Breach'/><category term='2007 record loss of PII'/><category term='and Identity Management opportunities'/><category term='deployment methodology'/><category term='Ford engineer allegedly stole 4'/><category term='Pattern Matching'/><category term='MSIT using FCI'/><category term='DLP news'/><category term='RMS RSA DLP MSIT'/><category term='Lexis Nexis data breach'/><category term='Data Loss news'/><category term='better mouse trap'/><category term='Roman aqueducts'/><category term='SharePoint security'/><category term='Swedish military information left on USB stick'/><category term='CMS to review hospitals for compliance to HIPAA'/><category term='Classification of Information'/><category term='New DLP players'/><category term='Patient information security'/><category term='DLP missing for Web 2.0'/><category term='IBM deploys PGP'/><category term='Microsoft and EMC partnership'/><category term='Mafia steals PII through using an insider at LexisNexis'/><category term='Health Care Identity Theft'/><category term='DLP marries DRM'/><category term='selection criteria for a DLP solution'/><category term='Pattern Matching book'/><category term='Lawyers investigating Heartland breach'/><category term='necessary steps'/><category term='000 sensitive files'/><category term='Virtualization and cloud security concerns'/><category term='EU privacy laws and IP addresses'/><category term='HIPAA data on the lose'/><category term='FCI in W2K8 R2'/><category term='Banks no longer best in class for protecting customer data'/><category term='Cloud ontology'/><category term='573'/><category term='Vontu coverage on CNN.com'/><category term='creating groups on the fly for DRM protection uses'/><category term='DLP RMS at TechReady Seattle 09'/><category term='White paper release'/><category 
term='ILP'/><category term='loosing info on 45000 employees'/><category term='USB loss'/><category term='HBI article'/><category term='Missing financial information'/><category term='000 records'/><category term='JCPenney Has Dodged a Huge Bullet... Until Now'/><category term='Protect your database'/><category term='Proposed Virginia legislation'/><category term='T-Mobile staff sold personal data'/><category term='DLP for Database systems'/><category term='PCI and DLP'/><category term='Sears sued over privacy breach'/><category term='RSA improves its DLP suite with more PII detection'/><category term='Can you buy PCI compliance'/><category term='Updated white paper'/><category term='Twitter hacked'/><category term='Data Base security and DLP'/><category term='CompUSA article in 2600'/><category term='PCI-DSS credit card detection on a network'/><category term='users want control'/><category term='6 out of 10 steals data when leaving a company'/><category term='FAA hacked'/><category term='Entitlement management'/><category term='Data Breaches in 2008'/><category term='Classification matters'/><category term='Social Networking'/><category term='DLP selection criteria'/><category term='Un-encrypted laptops stays in the office'/><category term='next steps'/><category term='IT Governance'/><category term='SEC to become more agressive'/><category term='California looks to expand breach notification law'/><category term='CLP'/><category term='DLP'/><category term='NIST guide for protecting PII'/><category term='Omnibank looses customer information'/><category term='Health Care information under attack'/><category term='part of GRC'/><category term='Operational risk management'/><category term='NIST draft PII standard'/><category term='SharePoint growth'/><category term='Royal Navy looses laptop'/><category term='Forrester PCI report'/><category term='Word choices tells the strenght of interpersonal relationships'/><category term='PCI information loss at ski 
resort'/><category term='tens of millions of records'/><category term='DLP and eDiscovery'/><category term='Network Solutions hacked'/><category term='Prosecutor makes public the city&apos;s passwords'/><category term='What is DLP'/><category term='DLP adds encryption'/><category term='Maybe Biggest breach yet'/><category term='First arrests in Heartland breach'/><category term='Symantec releases data base support for their DLP product'/><category term='Communication controls'/><category term='Powerlaw distribution of sensitive information'/><category term='Heartland facing troubles ahead'/><category term='Users have access to too much information'/><category term='Twitter and Facebook'/><category term='DLP and provisioning'/><category term='Mobile phone information security'/><title type='text'>Information Protection</title><subtitle type='html'>How to secure sensitive information, data loss prevention, for sensitive data in corporations and other organizations, (ILP,CLP,DLP). It covers personal identifiable information, personal health information, credit card information, PII, PCI, PHI etc, and how to protect it. All opinions are mine, and not of my employer or any other organization. 
For terms of use, see first posting.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default?start-index=101&amp;max-results=100'/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>138</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-30088005.post-7396792822308812352</id><published>2010-04-01T14:59:00.000-07:00</published><updated>2010-04-01T15:01:19.086-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='JCPenney Has Dodged a Huge Bullet... Until Now'/><title type='text'></title><content type='html'>If you ever wondered who company A was, it was JCPenney. It is now reported in media, that JCPenney was "Company A" in the Albert Gonzalez trial. &lt;a href="http://datalossdb.org/incident_highlights/48"&gt;JCPenney Has Dodged a Huge Bullet... 
Until Now&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7396792822308812352?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7396792822308812352/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7396792822308812352' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7396792822308812352'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7396792822308812352'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2010/04/if-you-ever-wondered-who-company-was-it.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3106067105703608957</id><published>2010-03-29T18:11:00.000-07:00</published><updated>2010-03-29T18:12:26.224-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Millions of Student Loan Records Stolen in Data Breach'/><title type='text'></title><content type='html'>According to an article in eWeek - March 29, 2010&lt;br /&gt;Educational Credit Management reported the theft of portable media with Social Security numbers, names, addresses, and other information belonging to some 3.3 million people.&lt;br /&gt;&lt;a 
href="http://www.eweek.com/c/a/Security/Millions-of-Student-Loan-Records-Stolen-in-Data-Breach-465881/"&gt;Millions of Student Loan Records Stolen in Data Breach&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3106067105703608957?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3106067105703608957/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3106067105703608957' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3106067105703608957'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3106067105703608957'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2010/03/according-to-article-in-eweek-march-29.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3126542764555737071</id><published>2010-01-26T15:32:00.000-08:00</published><updated>2010-01-26T15:39:06.924-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA data on the lose'/><title type='text'></title><content type='html'>Two health care providers this week experienced significant data losses of personal health care information, one is BlueCross, the other is University Medical Center, UMC. 
Insurer BlueCross BlueShield told thousands of members this week that a thief stole 57 computer hard drives from a call center in Chattanooga. See an article in internet news here: &lt;a href="http://www.internetnews.com/welcomead/"&gt;http://www.internetnews.com/welcomead/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;UMC has for more than three months been losing personal information of traffic accident victims, including social security numbers and birth dates. According to UMC, this has been leaked by someone at University Medical Center. See article in the Las Vegas Sun here: &lt;a href="http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/"&gt;http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3126542764555737071?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3126542764555737071/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3126542764555737071' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3126542764555737071'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3126542764555737071'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2010/01/two-health-care-providers-this-week.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24'
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4704846454895276751</id><published>2010-01-25T13:33:00.000-08:00</published><updated>2010-01-25T13:41:22.064-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP chalk talk video'/><title type='text'></title><content type='html'>A video on data loss prevention, rights management usage, RMS, file classification infrastructure in Windows Server 2008 R2, FCI, and RSA Data Loss Prevention, DLP is now available: Video: &lt;a href="http://edge.technet.com/Media/Securing-Sensitive-Information--How-MSIT-uses-ADRMS--RSA-DLP/"&gt;http://edge.technet.com/Media/Securing-Sensitive-Information--How-MSIT-uses-ADRMS--RSA-DLP/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4704846454895276751?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4704846454895276751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4704846454895276751' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4704846454895276751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4704846454895276751'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2010/01/video-on-data-loss-prevention-rights.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-403772518358848144</id><published>2009-12-18T17:38:00.001-08:00</published><updated>2009-12-18T17:40:33.945-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='USB loss'/><title type='text'></title><content type='html'>North Korea may have stolen sensitive information from an unsecured USB, see this article: &lt;a href="http://joongangdaily.joins.com/article/view.asp?aid=2914211"&gt;http://joongangdaily.joins.com/article/view.asp?aid=2914211&lt;/a&gt;. The USB contained information from a secure military network, and got exposed when the USB was accessible via the internet. A good reason why data loss prevention with enterprise rights management is crucial for improved security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-403772518358848144?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/403772518358848144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=403772518358848144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/403772518358848144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/403772518358848144'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/12/north-korea-may-have-stolen-sensitive.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3268864444863090892</id><published>2009-11-24T09:44:00.001-08:00</published><updated>2009-11-24T09:44:59.993-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Updated white paper'/><title type='text'></title><content type='html'>Updated white paper on how Microsoft IT does Data Loss Prevention, DLP using Rights Management Server, RMS, and RSA DLP: &lt;a href="http://technet.microsoft.com/en-us/library/bb897856.aspx"&gt;http://technet.microsoft.com/en-us/library/bb897856.aspx&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3268864444863090892?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3268864444863090892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3268864444863090892' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3268864444863090892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3268864444863090892'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/11/updated-white-paper-on-how-microsoft-it.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1399167503403413660</id><published>2009-11-18T10:12:00.001-08:00</published><updated>2009-11-18T10:12:46.225-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='T-Mobile staff sold personal data'/><title type='text'></title><content type='html'>According to BBC, T-Mobile staff sold personal data: &lt;a href="http://news.bbc.co.uk/2/hi/uk_news/8364421.stm"&gt;http://news.bbc.co.uk/2/hi/uk_news/8364421.stm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1399167503403413660?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1399167503403413660/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1399167503403413660' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1399167503403413660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1399167503403413660'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/11/according-to-bbc-t-mobile-staff-sold.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4505559282249489318</id><published>2009-10-21T09:52:00.000-07:00</published><updated>2009-10-21T09:53:41.323-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RMS RSA DLP MSIT'/><title type='text'></title><content type='html'>A new Showcase Study on Microsoft IT's use of RMS and RSA DLP has been completed and posted at &lt;a href="http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000005319"&gt;http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000005319&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4505559282249489318?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4505559282249489318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4505559282249489318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4505559282249489318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4505559282249489318'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/10/new-showcase-study-on-microsoft-its-use.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-349829707742255603</id><published>2009-10-21T09:49:00.001-07:00</published><updated>2009-10-21T09:50:55.918-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='MSIT using FCI'/><title type='text'></title><content type='html'>A new white paper has been published to show how MSIT uses FCI in this MSIT Showcase Study &lt;a href="http://vepcdn.microsoft.com/prod/images/64/Area/214/2676/9fd29bc1-bd16-42fe-a39e-f1d91d62aa60.pdf"&gt;http://vepcdn.microsoft.com/prod/images/64/Area/214/2676/9fd29bc1-bd16-42fe-a39e-f1d91d62aa60.pdf&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-349829707742255603?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/349829707742255603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=349829707742255603' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/349829707742255603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/349829707742255603'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/10/new-white-paper-has-been-published-to.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8920754688827768868</id><published>2009-10-21T09:37:00.000-07:00</published><updated>2009-10-21T09:41:54.180-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ford engineer allegedly stole 4'/><category scheme='http://www.blogger.com/atom/ns#' term='000 sensitive files'/><title type='text'></title><content type='html'>According to an article in &lt;a href="http://darkreading.com/"&gt;http://darkreading.com&lt;/a&gt;, a Ford engineer allegedly stole 4,000 sensitive files by copying and downloading to a USB device before seeking employment with a Chinese competitor of Ford.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8920754688827768868?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8920754688827768868/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8920754688827768868' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8920754688827768868'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8920754688827768868'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/10/according-to-article-in-httpdarkreading.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32'
height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8432930819193226003</id><published>2009-08-26T17:01:00.000-07:00</published><updated>2009-08-26T17:06:38.275-07:00</updated><title type='text'></title><content type='html'>&lt;a href="http://www.ncanet.com/company/MSDLPIntegration.php"&gt;&lt;br /&gt;NCA Security &amp;amp; Technology Conference '09&lt;br /&gt;&lt;br /&gt;Technology Answers to Business http://www.ncanet.com/company/MSDLPIntegration.php&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8432930819193226003?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8432930819193226003/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8432930819193226003' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8432930819193226003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8432930819193226003'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/08/nca-security-technology-conference-09.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3341648800750540213</id><published>2009-07-27T16:10:00.000-07:00</published><updated>2009-07-27T16:13:56.971-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='573'/><category scheme='http://www.blogger.com/atom/ns#' term='000 accounts compromised'/><category scheme='http://www.blogger.com/atom/ns#' term='Network Solutions hacked'/><title type='text'></title><content type='html'>Network Solutions hacked, 573,000 accounts compromised&lt;br /&gt;&lt;br /&gt;According to an article in Washington Post, Network Solutions was hacked, and information from 573,000 accounts was accessed by the hackers. &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/07/24/AR2009072403527.html"&gt;http://www.washingtonpost.com/wp-dyn/content/article/2009/07/24/AR2009072403527.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3341648800750540213?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3341648800750540213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3341648800750540213' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3341648800750540213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3341648800750540213'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/network-solutions-hacked-573000.html'
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-9140317652157507201</id><published>2009-07-17T08:41:00.000-07:00</published><updated>2009-07-17T08:43:28.852-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Twitter hacked'/><title type='text'></title><content type='html'>Twitter found itself having business secrets exposed here: &lt;a href="http://www.techcrunch.com/2009/07/16/twitters-internal-strategy-laid-bare-to-be-the-pulse-of-the-planet/"&gt;http://www.techcrunch.com/2009/07/16/twitters-internal-strategy-laid-bare-to-be-the-pulse-of-the-planet/&lt;/a&gt; after a hack of a username and password. 
The information stolen includes strategic meeting minutes, personal information and more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-9140317652157507201?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/9140317652157507201/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=9140317652157507201' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9140317652157507201'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9140317652157507201'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/twitter-found-itself-having-business.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-489534723318595578</id><published>2009-07-17T08:31:00.000-07:00</published><updated>2009-07-17T08:34:27.151-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Mafia steals PII through using an insider at LexisNexis'/><title type='text'></title><content type='html'>The breach at Lexis Nexis, where PII was stolen, is linked to the Mafia according to this article from internetnews.com: &lt;a 
href="http://www.internetnews.com/security/article.php/3829911/LexisNexis+Breach+Linked+to+Mafia.htm"&gt;http://www.internetnews.com/security/article.php/3829911/LexisNexis+Breach+Linked+to+Mafia.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-489534723318595578?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/489534723318595578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=489534723318595578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/489534723318595578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/489534723318595578'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/breach-at-lexis-nexis-where-pii-was.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8325156653546124072</id><published>2009-07-07T16:45:00.000-07:00</published><updated>2009-07-07T16:49:07.258-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SSN guessing'/><title type='text'></title><content type='html'>According to this article in Washington Post, SSNs can be guessed easily using publicly known information: &lt;a 
href="http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070602955.html"&gt;http://www.washingtonpost.com/wp-dyn/content/article/2009/07/06/AR2009070602955.html&lt;/a&gt;. It is also covered in this article from Fast Company, explaining how information users post on Facebook can be used to reverse engineer their SSN: &lt;a href="http://www.fastcompany.com/blog/chris-dannen/techwatch/facebook-new-algorithm-can-guess-your-ssn"&gt;http://www.fastcompany.com/blog/chris-dannen/techwatch/facebook-new-algorithm-can-guess-your-ssn&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8325156653546124072?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8325156653546124072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8325156653546124072' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8325156653546124072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8325156653546124072'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/according-to-this-article-in-washington.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6777347722860402123</id><published>2009-07-07T16:01:00.000-07:00</published><updated>2009-07-07T16:26:57.038-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='deployment methodology'/><title type='text'></title><content type='html'>&lt;a href="http://3.bp.blogspot.com/_ksBQLf65JpU/SlPZjzvOO5I/AAAAAAAAAAs/xLHGh9hSrRc/s1600-h/Program+Steps.jpg"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 320px; DISPLAY: block; HEIGHT: 264px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5355863591080573842" border="0" alt="" src="http://3.bp.blogspot.com/_ksBQLf65JpU/SlPZjzvOO5I/AAAAAAAAAAs/xLHGh9hSrRc/s320/Program+Steps.jpg" /&gt;&lt;/a&gt; Methodology for deploying a protection program for sensitive information:&lt;br /&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6777347722860402123?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6777347722860402123/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6777347722860402123' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6777347722860402123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6777347722860402123'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/methodology-for-deploying-protection.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_ksBQLf65JpU/SlPZjzvOO5I/AAAAAAAAAAs/xLHGh9hSrRc/s72-c/Program+Steps.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4500950881453144641</id><published>2009-07-07T15:48:00.000-07:00</published><updated>2009-07-07T15:50:19.731-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FCI in W2K8 R2 and Titus Labs'/><title type='text'></title><content type='html'>Titus Labs has announced that they are capable of using the new File Classification Infrastructure provided in Windows Server 2008 R2.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4500950881453144641?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4500950881453144641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4500950881453144641' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4500950881453144641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4500950881453144641'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/07/titus-labs-has-announced-that-they-are.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1179504984056373342</id><published>2009-06-23T12:24:00.000-07:00</published><updated>2009-06-23T12:27:25.795-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP missing for Web 2.0'/><title type='text'></title><content type='html'>According to Forrester Research Principal Analyst &lt;a href="http://web.eweek.com/t?r=5&amp;amp;c=10369&amp;amp;l=686&amp;amp;ctl=36059:D9690BCC8887B427999DFC18E081D36B&amp;amp;"&gt;Chenxi Wang, Ph.D.&lt;/a&gt;, enterprises lack data leakage protection solutions for Web 2.0 applications. The answer is to deploy DLP and DRM technologies in the enterprise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1179504984056373342?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1179504984056373342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1179504984056373342' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1179504984056373342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1179504984056373342'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/06/according-to-principal-analystforrester.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5700836829687133857</id><published>2009-06-23T11:50:00.000-07:00</published><updated>2009-06-23T11:51:42.541-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Twitter and Facebook'/><title type='text'></title><content type='html'>I have started a twitter, o_O, you can find me by searching for Opedal, and I am building a face book, you can find me by searching for Olav Opedal&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5700836829687133857?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5700836829687133857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5700836829687133857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5700836829687133857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5700836829687133857'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/06/i-have-started-twitter-oo-you-can-find.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7048345661367107544</id><published>2009-06-23T11:41:00.000-07:00</published><updated>2009-06-23T11:42:58.842-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FCI in W2K8 R2'/><title type='text'></title><content type='html'>A new feature in Windows Server 2008 R2 is really interesting. It allows metadata tags to be attached to files stored in file shares, and allows for search, retention management, classification and protection. Information about File Classification Infrastructure in Server 2008: &lt;a href="http://blogs.technet.com/filecab/archive/tags/File+Classification+Infrastructure+_2800_FCI_2900_/default.aspx" rel="nofollow" target="_blank"&gt;http://blogs.technet.com/filecab/archive/tags/File+Classification+Infrastructure+_2800_FCI_2900_/default.aspx&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7048345661367107544?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7048345661367107544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7048345661367107544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7048345661367107544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7048345661367107544'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/06/new-feature-in-windows-server-2008-r2.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4945814876530669077</id><published>2009-06-23T11:37:00.000-07:00</published><updated>2009-06-23T11:40:59.397-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP RMS at TechReady Seattle 09'/><title type='text'></title><content type='html'>TechReady will be held July 27-31st, 2009, Seattle, Washington, and it will include a talk about DLP and RMS integration&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4945814876530669077?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4945814876530669077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4945814876530669077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4945814876530669077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4945814876530669077'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/06/techready-will-be-held-july-27-31st.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8869902869928509269</id><published>2009-05-04T11:13:00.000-07:00</published><updated>2009-05-04T13:51:51.824-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lexis Nexis data breach'/><title type='text'></title><content type='html'>According to Associated Press, Lexis Nexis is notifying 32000 potential victims of data loss&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8869902869928509269?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8869902869928509269/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8869902869928509269' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8869902869928509269'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8869902869928509269'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/05/according-to-associated-press-lexis.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7101162897197581598</id><published>2009-04-14T09:49:00.000-07:00</published><updated>2009-04-14T10:01:05.783-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='RSA improves its DLP suite with more PII detection'/><title type='text'></title><content type='html'>With RSA's new 7.0 release, they have improved their PII scanning capabilities along with reducing the overall TCO of maintaining their DLP solution: &lt;a href="http://www.indiaprwire.com/pressrelease/information-technology/2009041423363.htm"&gt;http://www.indiaprwire.com/pressrelease/information-technology/2009041423363.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7101162897197581598?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7101162897197581598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7101162897197581598' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7101162897197581598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7101162897197581598'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/04/with-rsas-new-7.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1471343500950753803</id><published>2009-03-23T23:18:00.000-07:00</published><updated>2009-03-23T23:19:52.107-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Heartland facing troubles ahead'/><title type='text'></title><content type='html'>Heartland reveals in their annual report that the data breach last year is currently under investigation by SEC, FTC, DOJ, Federal Financial Institutions Examination Council, and the Office of the Comptroller of the Currency. This is in addition to attorneys general of several states, and Canadian authorities.&lt;br /&gt;&lt;br /&gt;This breach is going to be a costly affair for the company if the attrition numbers are continuing to grow. Even more costly will be the loss of sponsorship from their primary sponsor bank. Visa booted Heartland off of its list of processors compliant with the Payment Card Industry data-security standards, or PCI last week.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1471343500950753803?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1471343500950753803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1471343500950753803' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1471343500950753803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1471343500950753803'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2009/03/heartland-reveals-in-their-annual.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4112841811603518148</id><published>2009-03-11T22:26:00.000-07:00</published><updated>2009-03-11T22:28:30.764-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='California looks to expand breach notification law'/><title type='text'></title><content type='html'>&lt;a href="http://blog.wired.com/27bstroke6/2009/03/ca-looks-to-exp.html"&gt;California State Sen. Joe Simitian introduced new legislation to Expand Data Breach Notification Law&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to the magazine, Wired - March 06, 2009, California State Sen. 
Joe Simitian has introduced legislation that would require companies to provide more information in their data breach notification letters to consumers and to send notices to state authorities.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4112841811603518148?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4112841811603518148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4112841811603518148' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4112841811603518148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4112841811603518148'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/03/california-state-sen.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1276623897647434987</id><published>2009-03-10T10:42:00.000-07:00</published><updated>2009-03-10T11:59:09.431-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='6 out of 10 steals data when leaving a company'/><title type='text'></title><content type='html'>According to a study released by the Ponemon institute, 6 out of 10 US employees stole company data when they left their company according to this article in BBC NEWS: &lt;a 
href="http://news.bbc.co.uk/2/hi/technology/7902989.stm"&gt;http://news.bbc.co.uk/2/hi/technology/7902989.stm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is really a wake-up call to introduce digital rights management into corporations to protect customer data, intellectual property and business secrets. Coupling Identity Management practices with DRM will ensure that sensitive information is adequately protected even when it walks out the door with a departing employee.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1276623897647434987?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1276623897647434987/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1276623897647434987' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1276623897647434987'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1276623897647434987'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/03/according-to-study-released-by-ponemon.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3568205588664899921</id><published>2009-02-16T13:39:00.001-08:00</published><updated>2009-02-16T13:43:04.311-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='First 
arrests in Heartland breach'/><title type='text'></title><content type='html'>Three Florida men were arrested for using stolen credit card information stemming from the Heartland breach. The value of attempted and actual fraud committed by these three alone exceeds $100,000: &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9127984&amp;amp;intsrc=hm_list"&gt;http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9127984&amp;amp;intsrc=hm_list&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3568205588664899921?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3568205588664899921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3568205588664899921' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3568205588664899921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3568205588664899921'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/three-florida-men-arrested-for-using.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5245901868572249923</id><published>2009-02-09T23:00:00.000-08:00</published><updated>2009-02-09T23:03:11.087-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='loosing info on 45000 employees'/><category scheme='http://www.blogger.com/atom/ns#' term='FAA hacked'/><title type='text'></title><content type='html'>The FAA had unwanted visitors in its computer systems last week, according to a union leader; they accessed names and national identification numbers of 45,000 employees and retirees. &lt;a href="http://www.msnbc.msn.com/id/29108758/"&gt;View article...&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5245901868572249923?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5245901868572249923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5245901868572249923' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5245901868572249923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5245901868572249923'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/faa-gets-unvanted-visitors-into-their.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4124693296725721793</id><published>2009-02-04T12:30:00.000-08:00</published><updated>2009-02-04T12:32:14.484-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft and EMC 
partnership'/><title type='text'></title><content type='html'>Microsoft and EMC announce a continuation of their partnership, and Ballmer talks about the DLP collaboration between RSA and Microsoft in this article: &lt;a href="http://news.cnet.com/8301-10805_3-10156015-75.html?tag=newsLeadStoriesArea.1"&gt;http://news.cnet.com/8301-10805_3-10156015-75.html?tag=newsLeadStoriesArea.1&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4124693296725721793?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4124693296725721793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4124693296725721793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4124693296725721793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4124693296725721793'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/microsoft-and-emc-announces-continuance.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7786747106372613268</id><published>2009-02-03T22:17:00.000-08:00</published><updated>2009-02-03T22:18:07.037-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SharePoint security'/><title type='text'></title><content type='html'>Search, 
SharePoint, tagging of sites and documents for classification purposes&lt;br /&gt;&lt;br /&gt;How would you improve the security of SharePoint? One way would be to classify sites and tag classified documents. The problem is the static nature of a search. A DLP pattern or fingerprint is really nothing other than a search. It is more specialized than a search conducted by a user, but it is still a search, using regular expressions and fingerprints in addition to keywords etc.&lt;br /&gt;&lt;br /&gt;How can search be improved for security purposes? I believe it is best done by placing more enabling tools in the hands of users. What is needed are improved feedback loops and a better understanding of the users of the system. In other words, can SharePoint security be improved upon by using the playbook from the semantic web movement? I believe it can.&lt;br /&gt;&lt;br /&gt;Here is how I envision it working. The SharePoint sites are scanned for sensitive information using rules and patterns that have a high accuracy rate, and the matching documents found are tagged/classified. This result set should then be visible to the users who have access to the site, whether directly when visiting the site or when the site is shown in a search result.&lt;br /&gt;&lt;br /&gt;Because documents of the same type tend to be clustered, the users of the site should be asked about the sensitivity of the documents not yet tagged on the site. According to research done at &lt;a href="http://www.technologyreview.com/web/22040/"&gt;Microsoft&lt;/a&gt;, users with similar interests tended to rank their search results similarly. The assumption I would make is that high-frequency users of a specific SharePoint site would classify the documents the same way. 
If these users are then also asked to supply more information about these documents than just the classification level, you can start creating richness in the tagging, such as type of document: health information, financial information, HR information etc. This could also be done automatically if you know what department the most frequent users belong to. If the automated tag turns out to be wrong, a feedback opportunity to change it should be presented to users. An example where this is done in a similar fashion is searches on &lt;a href="http://ask.com/"&gt;Ask.com&lt;/a&gt;, where users are presented with information telling them about the soundness of the site they are about to visit, using tools from &lt;a href="http://news.cnet.com/8301-1009_3-10155192-83.html?tag=mncol"&gt;Symantec.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7786747106372613268?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7786747106372613268/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7786747106372613268' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7786747106372613268'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7786747106372613268'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/search-sharepoint-tagging-of-sites-and.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3088519319111107035</id><published>2009-02-03T22:15:00.000-08:00</published><updated>2009-02-03T22:17:27.590-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='users want control'/><title type='text'></title><content type='html'>&lt;a href="http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=212903005&amp;amp;subSection=News"&gt;Study Finds Consumers Want Control over Data&lt;/a&gt;&lt;br /&gt;Consumers try to protect their privacy, but don't fully understand how privacy and security technologies work or what protection is being provided, according to a new study.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3088519319111107035?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3088519319111107035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3088519319111107035' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3088519319111107035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3088519319111107035'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/study-finds-consumers-want-control-over.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2118120393719988013</id><published>2009-02-02T12:10:00.000-08:00</published><updated>2009-02-02T12:12:26.589-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cloud ontology'/><title type='text'></title><content type='html'>I believe the issues surrounding compliance will follow us into the cloud. Here is a great link that explains the cloud taxonomy and cloud ontology: &lt;a href="http://news.cnet.com/8301-19413_3-10152106-240.html"&gt;http://news.cnet.com/8301-19413_3-10152106-240.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2118120393719988013?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2118120393719988013/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2118120393719988013' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2118120393719988013'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2118120393719988013'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/02/i-belive-issues-surrounding-compliance.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6798372723262582082</id><published>2009-01-29T00:23:00.000-08:00</published><updated>2009-01-29T08:48:53.143-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NIST draft PII standard'/><title type='text'></title><content type='html'>NIST and DLP vendor opportunities&lt;br /&gt;&lt;br /&gt;NIST has published a &lt;a href="http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf"&gt;draft guide&lt;/a&gt; for protecting PII, and it will affect best practices and technology choices in years to come when the draft becomes a full standard. The NIST guide provides guidance to organizations on how they should manage PII stored or processed in their systems based on the level of sensitivity.&lt;br /&gt;&lt;br /&gt;If the draft becomes a released standard, organizations will be using it to prove or disprove the ability to comply with best practices. Therefore mapping technology and policies to the standard is important, and it is important to understand that no one product can solve all of the issues. However, a set of complementary products can solve them. DLP products do help in many ways, and it would be good for DLP vendors to start defining best practices that span beyond DLP, such as including Identity Management, Storage, Policy, Policy management, Encryption and risk management. The statement from NIST that not all PII is to be treated the same is very telling, as classification and tagging of the data would help here to apply the right set of controls for the high value items, and not overdo the controls for lesser value data.&lt;br /&gt;&lt;br /&gt;One observed issue with the NIST publication is that it defines PII but does not provide an exhaustive list. 
For example, for the Census Bureau, there may be additional types of PII that they specify are stricter.&lt;br /&gt;&lt;br /&gt;NIST recommends that each organization Create Policies and Procedures, Conduct Training, De-identify PII, Employ proper Access Enforcement, Ensure Transmission Confidentiality, and Audit Events.&lt;br /&gt;&lt;br /&gt;So similar to PCI, DLP might not be the full answer to the story but can provide insight that helps to enable compliance for some of these areas. For de-identifying PII, DLP helps by discovering PII. It is then up to the organization to de-identify it. This is of course not a straightforward process, and will need some thought before being implemented. With DLP, the organization gains understanding of the business units or groups that are having the most issues and can concentrate or focus training activities. Likewise for creating policies and procedures - this falls into the realm of understanding the PII inventory and what the priority levels are.&lt;br /&gt;&lt;br /&gt;The new collaboration between RSA and Microsoft for DLP solutions coupled with DRM is clearly a step in the right direction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6798372723262582082?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6798372723262582082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6798372723262582082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6798372723262582082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6798372723262582082'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2009/01/nist-and-dlp-vendor-opportunities-nist.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1637222986313094735</id><published>2009-01-29T00:10:00.000-08:00</published><updated>2009-01-29T00:12:21.351-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Powerlaw distribution of sensitive information'/><title type='text'></title><content type='html'>Regular search does not consider the fact that sensitive documents are typically found in clusters. If your DLP search engine has found one sensitive document in a location such as a file share or laptop, the probability of there being more is very high; however, they turn out to be false negatives. For example, if a sensitive document is found in a file share, there is a high likelihood that there are other documents of equal sensitivity that are not covered. The usage scenario could be an HR professional storing documents in a folder for a specific task. If the filter only finds one, the current assumption with DLP is that there are no other files in this folder that are sensitive. 
This is a false assumption based on my observations of real incidents.&lt;br /&gt;&lt;br /&gt;How to remedy this?&lt;br /&gt;A manual review can be done for the rest of the folder and folders in the tree&lt;br /&gt;The folder can be marked sensitive, and all documents in this folder are then considered sensitive&lt;br /&gt;The folder can be automatically reviewed by a broader capture filter (filters used are usually tuned to reduce false positives, leading to a higher number of false negatives)&lt;br /&gt;Fingerprinting (full or partial) can be used to see if these documents reside elsewhere&lt;br /&gt;Pattern creation can be used to improve the search patterns&lt;br /&gt;Etc.&lt;br /&gt;&lt;br /&gt;The true solution to this is a combined approach: using manual inspection and machine learning, making the assumption that the likelihood of one single sensitive document residing in a repository is low and that the likelihood of more than one document being sensitive is high, and mitigating the risk of the cluster by classifying, tagging, and protecting the cluster instead of a single document.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1637222986313094735?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1637222986313094735/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1637222986313094735' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1637222986313094735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1637222986313094735'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2009/01/regular-search-does-not-consider-fact.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-9197519403937879047</id><published>2009-01-26T21:46:00.000-08:00</published><updated>2009-01-26T21:47:07.061-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP and provisioning'/><title type='text'></title><content type='html'>Content protection should be tied into access certification. It seems that companies are now improving their compliance by implementing provisioning technologies according to the &lt;a href="http://contentmanagement.cbronline.com/news/provisioning_projects_do_pay_analysts_220109"&gt;Burton Group&lt;/a&gt;. 
Considering how hard it is to control who should have access to what, I believe that a coupling of provisioning tools and DLP is the next logical step.&lt;br /&gt;&lt;br /&gt;The content custodian should be notified of the type of content by the DLP system, and the choices for protection measures should be presented to the custodian. Marrying this with provisioning systems would lessen the burden on the custodian.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-9197519403937879047?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/9197519403937879047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=9197519403937879047' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9197519403937879047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9197519403937879047'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/content-protection-should-be-tied-into.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2987028357484028686</id><published>2009-01-26T21:07:00.000-08:00</published><updated>2009-01-26T21:08:19.863-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lawyers investigating Heartland breach'/><title 
type='text'></title><content type='html'>Not long after the public notification of the breach of Heartland Payment systems, attorney firms such as &lt;a href="http://www.girardgibbs.com/Heartland.asp?_kk=heartland%20data%20breach&amp;amp;_kt=91436fdd-5e3e-41ec-930f-dd3880d72143&amp;amp;gclid=CPqH78X7rZgCFQo9gwodk2ggUg"&gt;Girard Gibbs LLP&lt;/a&gt; start their investigation into the breach and solicit individuals that may be affected by the breach. This may have been the largest breach ever. The numbers may reach tens of millions of credit and debit card transactions according to this &lt;a href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html"&gt;article in Washington Post&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2987028357484028686?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2987028357484028686/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2987028357484028686' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2987028357484028686'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2987028357484028686'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/not-long-after-public-notification-of.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7726179449775949439</id><published>2009-01-25T11:42:00.000-08:00</published><updated>2009-01-25T11:43:04.758-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New emphasis on compliance signaled by Obama'/><title type='text'></title><content type='html'>President Obama embarks on wide reaching changes in the regulatory environment according to &lt;a href="http://www.msnbc.msn.com/id/28832617/"&gt;New York Times&lt;/a&gt;. This should translate into busy times for any IT department managing regulatory and compliance issues for their companies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7726179449775949439?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7726179449775949439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7726179449775949439' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7726179449775949439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7726179449775949439'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/president-obama-embarks-on-wide.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4946983713711567439</id><published>2009-01-23T21:23:00.001-08:00</published><updated>2009-01-23T21:23:56.521-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Word choices tells the strenght of interpersonal relationships'/><title type='text'></title><content type='html'>Researchers have found a relationship between word choices in communications and how well a relationship is functioning. In other words, content in communications can be used to establish the overall health of a relationship: &lt;a href="http://www.msnbc.msn.com/id/28814669/"&gt;http://www.msnbc.msn.com/id/28814669/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If the choice of words can be used to determine the strength of a relationship based on frequency of certain words, it is not a far conclusion to be drawn that foul play could be found by the same type of study. 
The choice of words would be different of course, but if there was a large collection of communications that could be mined between criminals, it should be possible to use pattern recognition to ferret out such communications in network traffic.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4946983713711567439?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4946983713711567439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4946983713711567439' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4946983713711567439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4946983713711567439'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/researchers-have-found-relationship.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-523772285594411516</id><published>2009-01-23T14:03:00.000-08:00</published><updated>2009-01-23T14:04:14.297-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Obama cyber security plan'/><title type='text'></title><content type='html'>According to &lt;a href="http://www.networkworld.com/news/2009/012009-obama-tech-industry.html?hpg1=bn"&gt;Network World&lt;/a&gt;, Forrester research predicts big 
opportunities for Tech Firms with the Obama Cyber security plan.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-523772285594411516?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/523772285594411516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=523772285594411516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/523772285594411516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/523772285594411516'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/according-to-network-world-forrester.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4896317035615869646</id><published>2009-01-21T12:24:00.001-08:00</published><updated>2009-01-21T12:24:36.766-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Breaches in 2008'/><title type='text'></title><content type='html'>Interesting link to coverage of data breaches in 2008: &lt;a href="http://www.insideidtheft.info/breaches.aspx?gclid=CNrSt4epnpgCFSMSagodjCXQmg"&gt;http://www.insideidtheft.info/breaches.aspx?gclid=CNrSt4epnpgCFSMSagodjCXQmg&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/30088005-4896317035615869646?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4896317035615869646/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4896317035615869646' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4896317035615869646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4896317035615869646'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/interesting-link-to-coverage-of-data.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2035089552048663264</id><published>2009-01-21T12:23:00.001-08:00</published><updated>2009-01-21T12:23:47.556-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='tens of millions of records'/><category scheme='http://www.blogger.com/atom/ns#' term='Maybe Biggest breach yet'/><title type='text'></title><content type='html'>According to an &lt;a href="http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html"&gt;article in Washington Post&lt;/a&gt;, Heartland Payment systems may have had the largest breach ever. 
The numbers may reach tens of millions of credit and debit card transactions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2035089552048663264?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2035089552048663264/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2035089552048663264' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2035089552048663264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2035089552048663264'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/according-to-article-in-washington-post.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6937492478645003116</id><published>2009-01-16T12:58:00.000-08:00</published><updated>2009-01-16T15:26:14.480-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization and cloud security concerns'/><title type='text'></title><content type='html'>Two areas for concern for 09 will be sensitive information going into virtualized environments, and into the cloud.&lt;br /&gt;&lt;br /&gt;According to this article in &lt;a href="http://online.wsj.com/article/SB122930102219005425.html"&gt;WSJ&lt;/a&gt;, The Center for Strategic and International Studies report 
points out the trend towards greater industrial espionage. Quote from the WSJ article: "Supposedly confidential corporate information, the report warns, is almost certainly being hacked. As more individuals and companies rely on "cloud computing" -- storing information and services such as email remotely on supposedly secure servers -- foreign intelligence agencies and commercial snoops may have access." This is a troubling statement.&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://www.cio.com/"&gt;CIO magazine&lt;/a&gt;, CIOs are looking towards virtualization and the cloud for 09 to reduce operating and capital expenses. If these are the areas of investment, this is also where the criminals will spend their resources to wrest valuable information from the rightful owners.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.blogger.com/It%20is%20also%20covered%20in%20this%20article%20from%20Internet%20News:%20http:/www.internetnews.com/security/article.php/3796546/Hackers+to+Take+Aim+at+the+Cloud+Virtualization.htm"&gt;Internet News&lt;/a&gt; is running an article on this subject today.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6937492478645003116?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6937492478645003116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6937492478645003116' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6937492478645003116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6937492478645003116'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2009/01/two-areas-for-concern-for-09-will-be.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6117641787456525353</id><published>2009-01-16T01:24:00.000-08:00</published><updated>2009-01-16T02:20:16.892-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Predator Prey analysis for identifiying sensitive information'/><title type='text'></title><content type='html'>Using models from nature to identify sensitive information&lt;br /&gt;&lt;br /&gt;One interesting hypothesis would be to evaluate sensitive information with a &lt;a href="http://www.scholarpedia.org/article/Predator-prey_model"&gt;predator-prey model&lt;/a&gt;. Information within an organization is bound by its physical and social networks; in other words, there is a topology that can be mapped, and its contours can be described using differential equations. The topology of interest is then mapped with a modified &lt;a href="http://en.wikipedia.org/wiki/Trophic_web"&gt;trophic web&lt;/a&gt; for the dispersal of information of value. The challenge of course will be to create a &lt;a href="http://en.wikipedia.org/wiki/Nonlinear"&gt;nonlinear&lt;/a&gt; system with the right set of variables. The question is what the driving factor for these variables is, and what would be an anomaly versus a genuine change point.&lt;br /&gt;&lt;br /&gt;Time is of course the great equalizer. A patent expires, and so does copyright; however, the value of a copyrighted item takes much longer to decay than that of a patent. The same goes for financial information. 
The value of a 10Q or 10K is drastically reduced upon publication, which happens quarterly or annually, respectively.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6117641787456525353?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6117641787456525353/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6117641787456525353' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6117641787456525353'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6117641787456525353'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/using-models-from-nature-to-identify.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6820073775646522809</id><published>2009-01-15T22:37:00.000-08:00</published><updated>2009-01-18T09:25:37.138-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='and Identity Management opportunities'/><category scheme='http://www.blogger.com/atom/ns#' term='Social Networking'/><category scheme='http://www.blogger.com/atom/ns#' term='DLP'/><title type='text'></title><content type='html'>Social Networking, DLP, and Identity Management opportunities&lt;br /&gt;&lt;br /&gt;A new area that may lend itself well to understanding the 
flow of information is social networking theories such as power law distributions, Mandelbrot statistics, etc. The problem then becomes one of information overload. The amount of data in such an analysis grows large quickly, and the bottleneck is the inspection of findings. To make such a system scalable, the system should create local accountability.&lt;br /&gt;&lt;br /&gt;By local accountability, I mean that either the individual will have to sign off on a compliance statement on a regular basis, or the manager will, as they would be the closest to know whether the access is appropriate or excessive.&lt;br /&gt;&lt;br /&gt;Another interesting concept would be to look for change points, and flag these for further inspection. If change suddenly occurs, it should be possible to capture this change. Inspection of file share access, SharePoint access, Line of Business access, etc., should be able to reveal a change in behavior, such as in the example of the data theft at Boeing.&lt;br /&gt;&lt;br /&gt;So, what is needed to evaluate if access is appropriate or if it is misused?&lt;br /&gt;&lt;br /&gt;To begin with, each individual with access to the network must be managed, and their access monitored. However, since most information is not confidential, access to it can be ignored if sensitive information is identified and cataloged.&lt;br /&gt;&lt;br /&gt;To catalog the information, you will have to search across your repositories for sensitive information. I believe that the information as it is found must also be tagged. Tagging using the alternate file stream is interesting, but this tag is lost in most cases when the information leaves the network. A second approach is to tag the metadata of the file itself. This tag does not get lost when the information leaves the network.&lt;br /&gt;&lt;br /&gt;An interesting approach would be to create a hash of the file as it has been classified and tagged. 
However, if the tag also holds the hash, the hash of the file is altered when the tag is placed in the metadata of the file. This is not a problem when the tag is placed in the alternate file stream. However, if you create a hash and place it in the metadata, you could then just sign the file.&lt;br /&gt;&lt;br /&gt;If these hashes are stored in a central repository, the hash can then be used to evaluate whether copies of the file exist elsewhere. If copies exist, they should be tagged according to the first file found. This process could also be used to remove the copies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6820073775646522809?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6820073775646522809/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6820073775646522809' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6820073775646522809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6820073775646522809'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/social-networking-dlp-and-identity.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-165242948611725778</id><published>2009-01-15T21:32:00.001-08:00</published><updated>2009-01-15T21:32:56.843-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SEC to become more agressive'/><title type='text'></title><content type='html'>New emphasis on the SEC's role in policing the financial markets is on its way.&lt;br /&gt;&lt;br /&gt;Obama's SEC choice vows aggressive action, according to this article on MSNBC: &lt;a href="http://www.msnbc.msn.com/id/28674370/"&gt;http://www.msnbc.msn.com/id/28674370/&lt;/a&gt;. What will this do to DLP? I believe it will be a boon to the industry, as this will require much better detection technologies for fraud and misuse of sensitive financial information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-165242948611725778?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/165242948611725778/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=165242948611725778' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/165242948611725778'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/165242948611725778'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/new-emphasis-on-secs-role-in-policing.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3866650301398946509</id><published>2009-01-15T18:11:00.000-08:00</published><updated>2009-01-15T18:52:44.046-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Surveys show risk of data breaches for 09'/><title type='text'></title><content type='html'>Information protection, DLP, Identity Management, outsourcing and vendor management: what is in store for the Enterprise for 2009 and the future?&lt;br /&gt;&lt;br /&gt;Information gleaned from several surveys gives a dismal outlook for data breaches.&lt;br /&gt;&lt;br /&gt;In a survey by &lt;a href="http://www.enterprisestrategygroup.com/"&gt;Enterprise Strategy Group&lt;/a&gt;, 50% of their respondents said internal breaches were the direct cause of loss of confidential data, while 19% were caused by external attacks and 11% were a combination of external and internal attacks. 14% of the respondents said data loss came as a result of losing a device containing confidential data.&lt;br /&gt;&lt;br /&gt;In a 2007 study by the &lt;a href="http://www.ponemon.org/"&gt;Ponemon Institute&lt;/a&gt;, "the notification cost for a first party data breach is $197 per a record lost and for third party data breach is $231 per a record lost. (A third party organization includes professional services, outsourcers, vendors, business partners and others who possessed the data and was and responsible for its protection.)"&lt;br /&gt;&lt;br /&gt;A November survey by &lt;a href="http://www.sailpoint.com/"&gt;SailPoint Technologies&lt;/a&gt; of Fortune 1,000 companies shows that most of them are grossly unprepared to manage information technology (IT) security risk. 
They polled IT managers and directors and found that out of 116 respondents, 44 percent said that they could not “immediately remove all access privileges for terminated employees” if the company had a massive layoff. More than 65 percent reported that they would not be able to “present a complete record of user access privileges for each employee” if the company’s chief information officer wanted it that same day. And 46 percent said their company “failed an IT or security audit because of a lack of control around user access” in the past five years.&lt;br /&gt;&lt;br /&gt;The good news is of course that DLP vendors have started to integrate with identity management systems to help, but there is a long way to go before the problem is solved. The not so good news is that most enterprises do not have a good understanding of who has access to what information. This means that a loss could go undetected for a long time, and cause a higher cost to the enterprise. With the current financial situation and its large layoffs, this becomes even more critical to solve.&lt;br /&gt;&lt;br /&gt;The approach I would recommend to solve this issue is to start cataloging and classifying information and information systems, and tying it to identity management information. Then as the business processes are understood, the principle of least privilege access should be used to manage these systems.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Even though this case is a stand-alone case, &lt;a href="http://www.scmagazineus.com/Former-Boeing-employee-charged-in-data-theft/article/35228/"&gt;former Boeing Employee charged in data theft case&lt;/a&gt;, it shows that actively monitoring who has access to sensitive information, and evaluating whether this is appropriate access, is paramount. It is an established best practice for fraud prevention, and is a requirement for SOX compliance for financial systems. 
The issue is of course that enterprises today, do not safeguard critical business information in the same manner as they safeguard SOX information.&lt;br /&gt;&lt;br /&gt;This of course leads one to look at Governance, Risk, and Compliance, to see how risk management can be streamlined for all sensitive information, not just information required by law or regulation to be safeguarded. This will drive down the cost of compliance, improve governance, and reduce the overall risk of loss of information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3866650301398946509?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3866650301398946509/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3866650301398946509' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3866650301398946509'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3866650301398946509'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/information-protection-dlp-identity.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8899768190527005086</id><published>2009-01-15T16:45:00.001-08:00</published><updated>2009-01-15T16:45:21.341-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='NIST guide for protecting PII'/><title type='text'></title><content type='html'>NIST has published a draft guide for protecting PII&lt;br /&gt;&lt;br /&gt;The NIST draft builds on the work done in a 2007 OMB (Office of Management and Budget) memo: “information which can be used to distinguish or trace an individual’s identity”. NIST provides a practical guide for organizations on how to handle PII, distinguishing the varying levels of sensitivity of the PII as well as how it should be protected: &lt;a href="http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf"&gt;http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8899768190527005086?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8899768190527005086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8899768190527005086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8899768190527005086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8899768190527005086'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/nist-has-published-draft-guide-for.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2711747977564815262</id><published>2009-01-15T16:35:00.000-08:00</published><updated>2009-01-15T16:36:58.487-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New DLP players'/><title type='text'></title><content type='html'>While looking at new players in the  DLP space, I ran into Illumant. They have two interesting documents for downloads if you are in the market for DLP: &lt;a href="http://illumant.com/Global/Solutions/DLP.php?gclid=CO6atfmJipgCFRsRagodRAO_DQ"&gt;http://illumant.com/Global/Solutions/DLP.php?gclid=CO6atfmJipgCFRsRagodRAO_DQ&lt;/a&gt;. There is both a white paper describing what should be considered when evaluating DLP vendors, as well as a matrix of vendors and their capabilities. The white paper could have been much more in depth, but is a good overview before starting to look in earnest. 
Both Forrester and Gartner provide much more in-depth coverage, and it is well worth the investment to purchase both companies' reports prior to investing in a DLP product.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2711747977564815262?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2711747977564815262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2711747977564815262' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2711747977564815262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2711747977564815262'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/while-looking-at-new-players-in-dlp.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7276126656953920835</id><published>2009-01-12T14:27:00.001-08:00</published><updated>2009-01-12T14:27:30.235-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='creating groups on the fly for DRM protection uses'/><title type='text'></title><content type='html'>Using the information already provided by the users to make assumptions about who should have access after protecting the document with DRM.&lt;br /&gt;&lt;br /&gt;If a file share owner has granted read, read 
write, and admin access to a share, a group could be created dynamically that would include these members, and the rights could be created according to the original ACLs on the file share.&lt;br /&gt;&lt;br /&gt;This would allow a group owner (the share owner) to add and remove users from a document, or sets of documents, after they leave the file share. This would solve the problem around managing DRM rights. Currently, it is hard to manage granular sets of rights, as these are not readily automatable. However, with this approach, groups can be built on the fly based on the sensitivity of the information and who has access already. For example, certain PCI information is currently available to a PCI group; in this scenario, DRM rights would be granted to this PCI group on the fly for any document extracted from the central repository.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7276126656953920835?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7276126656953920835/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7276126656953920835' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7276126656953920835'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7276126656953920835'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/using-information-already-provided-by.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7448007874545395401</id><published>2009-01-12T14:24:00.000-08:00</published><updated>2009-01-12T14:26:40.960-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Banks no longer best in class for protecting customer data'/><title type='text'></title><content type='html'>Banks falling behind in protecting customer financial data according to a study done by PwC: &lt;a href="http://security.cbronline.com/news/banks_falling_behind_on_data_security_090109"&gt;http://security.cbronline.com/news/banks_falling_behind_on_data_security_090109&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7448007874545395401?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7448007874545395401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7448007874545395401' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7448007874545395401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7448007874545395401'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/banks-falling-behind-in-protecting.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2654268253998524562</id><published>2009-01-12T09:45:00.000-08:00</published><updated>2009-01-12T09:47:24.615-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Congressinal bill introduced to protect PII'/><title type='text'></title><content type='html'>California Senator Dianne Feinstein (D-Calif.) is again proposing data breach legislation to the US Congress. The bills are S.139, the Notification of Risk to Personal Data Act, and S.141, the Social Security Number Misuse Prevention Act. This is her second attempt at creating a federal law setting requirements for handling of personally identifiable information. It would require federal agencies as well as businesses to notify both the media and the private person whose information was lost.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.internetnews.com/government/article.php/3795191/New+Data+Breach+Privacy+Bills+in+Congress.htm"&gt;http://www.internetnews.com/government/article.php/3795191/New+Data+Breach+Privacy+Bills+in+Congress.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2654268253998524562?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2654268253998524562/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2654268253998524562' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2654268253998524562'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/30088005/posts/default/2654268253998524562'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/california-senator-dianne-feinstein-d.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4319203374072437670</id><published>2009-01-08T11:03:00.000-08:00</published><updated>2009-01-08T11:06:02.432-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP news'/><title type='text'></title><content type='html'>Plenty of newsworthy items this week in the DLP space. According to Network World, CA will buy DLP vendor Orchestria: &lt;a href="http://www.networkworld.com/news/2009/010509-ca-acquires-orchestria.html"&gt;CA to Buy Data-Leak Prevention Vendor&lt;/a&gt;, and ByteandSwitch publishes an article on DLP vendor and DRM partnerships: &lt;br /&gt;&lt;a href="http://www.byteandswitch.com/document.asp?doc_id=169866"&gt;Partnerships Spark New Life into Enterprise DRM&lt;/a&gt;. Of course, there is data breach news as well. 
US businesses reported close to a 50% increase in breaches in 2008: &lt;br /&gt;&lt;a href="http://c.moreover.com/click/here.pl?j1757441302&amp;amp;f=2238"&gt;Data Breaches Rise Almost 50 Percent in 2008&lt;/a&gt;, and CheckFree has to warn 5 million customers: &lt;br /&gt;&lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9125078&amp;amp;intsrc=hm_list"&gt;CheckFree Warns 5 Million Customers after Hack&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4319203374072437670?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4319203374072437670/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4319203374072437670' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4319203374072437670'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4319203374072437670'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/plenty-newsworthy-items-this-week-in.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1776086763078547695</id><published>2009-01-01T12:37:00.000-08:00</published><updated>2009-01-01T12:38:29.230-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='building a query for 
a sensitive document'/><title type='text'></title><content type='html'>Considerations when building queries for DLP products&lt;br /&gt;&lt;br /&gt;Term weight is normally reduced the longer the document is. This may run counter to the need to scan a document for compliance issues such as PCI, as a document with recurring terms may carry a higher risk than a document with fewer items. So when searching an inverted index, it is important not to reduce the scale, either by adding one plus the log or by using the cosine on a vector-based search.&lt;br /&gt;&lt;br /&gt;However, by doing this, the terms in the query become more important. A term that has a high occurrence in both a set containing sensitive documents and its corresponding set of non-sensitive documents will lead to a high occurrence of false positives. Because of this, the effectiveness of terms must be calculated and stored over time. A term with low effectiveness should either be eliminated from the query or be given a lower weight.&lt;br /&gt;&lt;br /&gt;Several solutions may be available here; one is to combine highly effective terms with less effective terms in a larger pattern. The question, though, is whether the distribution of terms in sensitive documents takes on a Gaussian property with a bell curve, or whether there are power law distributions in terms. To this question, I don’t know the answer yet, but I have noticed in practice that the distribution of documents follows power law distributions. This can be used in a query strategy, where a query with a high false negative rate is used initially to ferret out areas with a high probability of containing sensitive documents. When this approach is used, a broader query can then be used in this space.&lt;br /&gt;&lt;br /&gt;When considering a space, it can be a geographical space such as a site, it can be a logical site such as a file server supporting the HR department, or it can be a space in time. 
Most likely it is a combination of the above, and may even have more vectors such as user identity, frequency etc. So far, this is a trial and error based approach. To improve on this approach, large data sets would need to be collected and analyzed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1776086763078547695?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1776086763078547695/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1776086763078547695' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1776086763078547695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1776086763078547695'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2009/01/considerations-when-building-queries.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7381044283620360278</id><published>2008-12-15T17:38:00.000-08:00</published><updated>2008-12-15T17:39:19.947-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Symantec and HP has data loss in laptop thefts'/><title type='text'></title><content type='html'>In the data loss news:&lt;br /&gt;&lt;br /&gt;Symantec who owns Vontu (a data loss prevention solution) lost sensitive information in a 
laptop theft. The same fate befell HP according to this PC World article:&lt;br /&gt;&lt;a href="http://www.pcworld.com/article/155372/hp_symantec_warn_employees_after_laptop_thefts.html"&gt;http://www.pcworld.com/article/155372/hp_symantec_warn_employees_after_laptop_thefts.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Sony disclosing children's private information without parents' consent: &lt;a href="http://www.iht.com/articles/2008/12/11/technology/sony.php"&gt;http://www.iht.com/articles/2008/12/11/technology/sony.php&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7381044283620360278?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7381044283620360278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7381044283620360278' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7381044283620360278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7381044283620360278'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/12/in-data-loss-news-symantec-who-owns.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6767669241815528110</id><published>2008-12-12T12:23:00.000-08:00</published><updated>2008-12-12T12:26:17.250-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='DLP a commodity?'/><title type='text'></title><content type='html'>Looks like &lt;span style="BACKGROUND-COLOR: #ffff00"&gt;DLP is becoming a commodity&lt;/span&gt;. Now a firewall vendor, Palo Alto Networks, will offer limited DLP for free as part of their firewall technology: &lt;a href="http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=212300545"&gt;http://www.darkreading.com/security/perimeter/showArticle.jhtml?articleID=212300545&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6767669241815528110?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6767669241815528110/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6767669241815528110' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6767669241815528110'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6767669241815528110'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/12/looks-like-dlp-is-becomming-commodity.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1887562263619371656</id><published>2008-12-12T08:42:00.000-08:00</published><updated>2008-12-12T12:10:42.629-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP marries DRM'/><title type='text'></title><content type='html'>It has been quite some time since I have updated this blog. However, the collaboration between Microsoft and RSA does need mentioning. &lt;a href="http://www.microsoft.com/presspass/press/2008/dec08/12-04EMCRSAPR.mspx"&gt;http://www.microsoft.com/presspass/press/2008/dec08/12-04EMCRSAPR.mspx&lt;/a&gt; It marries Data Loss Prevention with Digital Rights Management. Not to be outdone, Liquid Machines and McAfee follow with this announcement: &lt;a href="http://www.pcworld.com/businesscenter/article/155185/liquid_machines_mcafee_partner_on_dataloss_prevention.html"&gt;http://www.pcworld.com/businesscenter/article/155185/liquid_machines_mcafee_partner_on_dataloss_prevention.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1887562263619371656?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1887562263619371656/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1887562263619371656' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1887562263619371656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1887562263619371656'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2008/12/it-has-been-quite-some-time-since-i.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8420726278815623003</id><published>2008-07-31T12:16:00.000-07:00</published><updated>2008-07-31T12:21:16.374-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='30% of sensitive information on is laptops encrypted in the US government'/><title type='text'></title><content type='html'>Government risk for loss of sensitive information still high:&lt;br /&gt;&lt;br /&gt;According to an article in Computerworld &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9110983&amp;amp;intsrc=hm_list"&gt;http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9110983&amp;amp;intsrc=hm_list&lt;/a&gt;, only 30% of the laptops containing sensitive information are encrypted.&lt;br /&gt;&lt;br /&gt;Since it is taking the government such a long time to encrypt, I would suggest they deploy encryption based on the sensitivity of documents stored on laptops. 
They should start searching using DLP, and make some assumptions around employee roles and mandate encryption.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8420726278815623003?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8420726278815623003/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8420726278815623003' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8420726278815623003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8420726278815623003'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/government-risk-for-loss-of-sensitive.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5095378995591776923</id><published>2008-07-28T15:47:00.000-07:00</published><updated>2008-07-28T15:55:52.106-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Prosecutor makes public the city&apos;s passwords'/><title type='text'></title><content type='html'>What were they thinking? 
I understand the need to provide the court with adequate evidence (I am not a lawyer), but you would think the prosecutor would at least ask the court to conceal the information when it exposes an entire city's network.&lt;br /&gt;&lt;br /&gt;San Francisco DA exposes the city's network passwords: &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9110758&amp;amp;intsrc=hm_list"&gt;http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9110758&amp;amp;intsrc=hm_list&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Maybe it is time to run documents provided to court through a review for sensitivity before actually submitting documents to court? In my own experience, I know that documents containing health information and information about children become sealed, and the court has the discretion to seal any information it finds necessary to seal as long as it does not violate the public's right of access to information. 
Clearly, the public does not need to know San Francisco's network passwords, and the taxpayers clearly do not need to see their hard-earned money being used to reset all these passwords.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5095378995591776923?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5095378995591776923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5095378995591776923' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5095378995591776923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5095378995591776923'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/what-were-they-thinking-i-understand.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-915922222103832380</id><published>2008-07-18T13:05:00.001-07:00</published><updated>2008-07-18T13:05:41.298-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='smarter information retrieval'/><title type='text'></title><content type='html'>I have earlier described pattern matching, and "smart" information retrieval by first looking at broad groupings of information to create a set, then searching the resultant set with a finer granularity in search 
terms.&lt;br /&gt;&lt;br /&gt;If we use the neocortex processing as an example, lower-level information is detected by our sensory organs and processed at a lower level, and only a fraction of this information is actually processed in a higher level organ. If we were to process information this way, we could do the following: For each search term, key words being the lowest, we could assign a probability of the document's relevance, and then search the resultant set with bigrams. This result set would then be searched with trigrams. This resultant set would then be assigned a probability of relevance. The finest search using complex patterns would only be used on the final set.&lt;br /&gt;&lt;br /&gt;For each of these searches, a registry (data base) would then serve as the index of this information, and it should correlate to a taxonomy. This taxonomy would then be used to create meta data that would be assigned to the document. With this, it would be possible to search for hidden patterns via data mining techniques.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-915922222103832380?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/915922222103832380/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=915922222103832380' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/915922222103832380'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/915922222103832380'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/i-have-earlier-described-pattern.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5269277263949310730</id><published>2008-07-14T16:37:00.000-07:00</published><updated>2008-07-14T16:42:08.215-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='smarter dlp data base scanning'/><title type='text'></title><content type='html'>One concern I have heard against using the CLR regex support in SQL Server 2005 is performance. One way to overcome the cost of expensive regex queries is to do the search a bit smarter. One could start with the LIKE operator, or the equivalent in other systems, and then do a sampling of rows in a table that returned results from the LIKE operation. After obtaining a sample rather than the entire table, one could then perform the operation on a separate system, or in a separate thread on the same system. With this approach, very complex patterns could be searched for, and one could create a separate repository from which chunking could be used. 
This would work for not only text, but also images and other information as long as the parser can read and understand the format.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5269277263949310730?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5269277263949310730/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5269277263949310730' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5269277263949310730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5269277263949310730'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/one-concern-i-have-heard-against-using.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7531544007393720304</id><published>2008-07-14T15:00:00.000-07:00</published><updated>2008-07-14T15:04:24.348-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Symantec releases data base support for their DLP product'/><title type='text'></title><content type='html'>Symantec releases Data Base support for sensitive information: &lt;a href="http://biz.yahoo.com/iw/080624/0409691.html"&gt;http://biz.yahoo.com/iw/080624/0409691.html&lt;/a&gt;&lt;br /&gt;For further thinking about DAM, database access 
management and scanning data bases for sensitive information, see: &lt;a href="http://securosis.com/"&gt;http://securosis.com/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7531544007393720304?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7531544007393720304/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7531544007393720304' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7531544007393720304'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7531544007393720304'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/symantec-releases-data-base-support-for.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7668814921879796352</id><published>2008-07-14T14:00:00.000-07:00</published><updated>2008-07-14T14:01:27.224-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='better mouse trap'/><title type='text'></title><content type='html'>How to go about creating a better mousetrap (DLP)&lt;br /&gt;&lt;br /&gt;If we go through the questions to ask: Where is it, What is it, Who has access, and how is it protected, we can see there are answers in each one of these four questions that can be used to answer others 
with a high probability.&lt;br /&gt;&lt;br /&gt;If we think about "where is it" and look at one particular user, that user will use a limited number of resources to create and store information. She might have a local laptop used for daily work, a handful of SharePoint sites she visits, a few file shares and maybe two or three data bases typically accessed via a line of business application, and finally, and very importantly, instant messaging and email.&lt;br /&gt;&lt;br /&gt;If we expand the view of this person, and try to define that person in a network, we can look at organizational/hierarchical views of this person, and we can see frequency of communication via SharePoint, file shares, email and IM. With that information, we can create a social network of nodes between her and her co-workers and contacts. If we know that she frequently uses information of high sensitivity, we can apply a higher probability of her network also working on highly sensitive information, or having a greater opportunity to receive sensitive information. Each node further out will have a reduced opportunity of receiving sensitive information, unless they also work on sensitive information. Of course a highly connected node will have a higher probability than a lesser connected node.&lt;br /&gt;&lt;br /&gt;With this, we can create network models and assign a base probability of each one of the nodes accessing, or having the potential to access, sensitive information. This network diagram would be created by correlating information from email systems, logon events etc, and then correlating this to known repositories of sensitive information. 
Of course this approach will take several iterations as one would assume that in the beginning, few of the repositories would be classified and catalogued.&lt;br /&gt;&lt;br /&gt;Now, if we start looking at Alice, and what information she receives, we could chunk the sensitive information she receives from, let's say, a data base, and then see if there are hits on these chunks in email, IM, or in documents she creates. If there are, we can then assign a probability of whether the information is sensitive or not. If we have enough information so the probability is higher than a preset threshold, we could then automatically assign the appropriate classification, annotate the information with the appropriate meta data, and assign the correct protection using for example DRM or other encryption technologies, or just set the appropriate access control list permissions on the document.&lt;br /&gt;&lt;br /&gt;Assigning rights to a document or repository then becomes a bit easier as you can glean information from previous transactions. With entitlement monitoring on repositories and in AD, you can then see if Alice should still have this access or not. A further development could be done to create a view into the social network to see if there is an increase or decrease of communications between nodes. If there has been a decrease, the organizational chart may not have been updated, but the node's work may have changed, and therefore may no longer need access to this information. In this case, if Alice owns one or more of these repositories, she could then be notified and queried if this node, Bob, still needs access. This system could of course also be used to monitor for abnormalities and anomalies.&lt;br /&gt;&lt;br /&gt;We can also make assumptions about sensitivity of information based on protections on the system hosting the information (this may not hold true for end systems, but will generally hold true for financial systems and HR systems etc). 
If it is encrypted, or has other security measures in place, its probability of containing sensitive information may be higher; however, this is a weak assumption in many cases, especially before a program has been put in place to safeguard sensitive information in an organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7668814921879796352?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7668814921879796352/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7668814921879796352' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7668814921879796352'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7668814921879796352'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/how-to-go-about-crating-better.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8878088864443895043</id><published>2008-07-10T16:08:00.000-07:00</published><updated>2008-07-10T16:12:07.367-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Supreme Court Justice Stephen Breyer PII disclosed'/><title type='text'></title><content type='html'>It has been a while since I have updated the blog, but here is an article from MSNBC news I found stressing 
the need for inspection of information leaving your network: "Last year, a Virginia investment firm employee decided to trade music or a movie on the file-sharing network LimeWire on a company computer. He inadvertently shared his firm's files, including personal data of clients, one of them Supreme Court Justice Stephen Breyer" It seems that no one, including our Supreme Court justices, is safe against loss of PII.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8878088864443895043?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8878088864443895043/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8878088864443895043' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8878088864443895043'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8878088864443895043'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/07/it-has-been-while-since-i-have-updated.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4681923252748110116</id><published>2008-06-19T09:06:00.000-07:00</published><updated>2008-06-19T09:10:48.988-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DLP adds encryption'/><title type='text'></title><content 
type='html'>The DLP industry is adding encryption capabilities to their offering: &lt;a href="http://www.darkreading.com/document.asp?doc_id=156738&amp;amp;WT.svl=news1_1"&gt;http://www.darkreading.com/document.asp?doc_id=156738&amp;amp;WT.svl=news1_1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I have long been a proponent of adding encryption to sensitive information. I do believe the best approach is to not only enable encryption, but also enable digital rights management to sensitive documents as you would then have a much fuller control of the document lifecycle.&lt;br /&gt;&lt;br /&gt;Furthermore, DLP should be used in conjunction with a retention policy in the business, and become part of the overall information management of the organization. A tighter integration into storage systems for retention is the next logical step.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4681923252748110116?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4681923252748110116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4681923252748110116' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4681923252748110116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4681923252748110116'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/06/dlp-industry-is-adding-encryption.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2165655688221451694</id><published>2008-06-06T22:22:00.000-07:00</published><updated>2008-06-06T22:26:46.089-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CompUSA article in 2600'/><title type='text'></title><content type='html'>Has credit card information been exposed at CompUSA stores?&lt;br /&gt;&lt;br /&gt;I picked up a copy of the 2600 magazine today, and lo and behold, on page 23 is an article on how to log on to systems in the stores to retrieve credit card information. The article describes the logon procedures using credentials not tied directly to a user, but rather a common name (store name) and the password is the same as the logon ID.&lt;br /&gt;&lt;br /&gt;If this is truly the case, this might be a breach of PCI that could potentially impact many of the customers who have shopped at CompUSA. 
Maybe the bargain price equipment came with a hidden price in loss of customer information?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2165655688221451694?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2165655688221451694/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2165655688221451694' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2165655688221451694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2165655688221451694'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/06/has-credit-card-information-been.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8312159561968568815</id><published>2008-06-04T22:53:00.000-07:00</published><updated>2008-06-04T23:00:05.751-07:00</updated><title type='text'></title><content type='html'>Couple of thoughts I have on DLP&lt;br /&gt;&lt;br /&gt;1. It should not be considered a security solution, but more of a compliance solution to information management.&lt;br /&gt;2. 
It should facilitate retention policies, eDiscovery, and regulatory/policy compliance&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8312159561968568815?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8312159561968568815/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8312159561968568815' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8312159561968568815'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8312159561968568815'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/06/couple-of-thoughts-i-have-on-dlp-1.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7940727246734579132</id><published>2008-06-04T11:00:00.000-07:00</published><updated>2008-06-04T11:01:20.698-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Speaking at Gartner in DC'/><title type='text'></title><content type='html'>link to the Gartner event: &lt;a href="http://agendabuilder.gartner.com/sec14/webpages/SessionDetail.aspx?EventSessionId=914"&gt;http://agendabuilder.gartner.com/sec14/webpages/SessionDetail.aspx?EventSessionId=914&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/30088005-7940727246734579132?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7940727246734579132/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7940727246734579132' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7940727246734579132'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7940727246734579132'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/06/link-to-gartner-event-httpagendabuilder.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-9092734459729727448</id><published>2008-06-03T10:15:00.000-07:00</published><updated>2008-06-03T10:17:14.028-07:00</updated><title type='text'></title><content type='html'>It's been a while since my last post. I am currently at the Gartner event in Washington DC, where I had the great opportunity to speak to the audience on how Microsoft manages sensitive information. 
I will post a link to the PPT shortly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-9092734459729727448?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/9092734459729727448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=9092734459729727448' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9092734459729727448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9092734459729727448'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/06/its-been-while-since-my-last-post.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1219622065056226648</id><published>2008-04-07T14:12:00.000-07:00</published><updated>2008-04-07T14:13:18.976-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='University lost 60'/><category scheme='http://www.blogger.com/atom/ns#' term='000 records'/><title type='text'></title><content type='html'>Information Loss at Antioch University:&lt;br /&gt;Failure to patch a Solaris server caused 60,000 users' records to be exposed at Antioch University, including social security numbers: &lt;a 
href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9075098&amp;amp;intsrc=hm_list"&gt;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9075098&amp;amp;intsrc=hm_list&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1219622065056226648?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1219622065056226648/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1219622065056226648' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1219622065056226648'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1219622065056226648'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/04/information-loss-at-antioch-university.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4645374547508288321</id><published>2008-04-07T12:16:00.000-07:00</published><updated>2008-04-07T12:19:42.945-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI information loss at ski resort'/><title type='text'></title><content type='html'>Go skiing, lose your PII: &lt;a 
href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9074339&amp;amp;intsrc=hm_list"&gt;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9074339&amp;amp;intsrc=hm_list&lt;/a&gt; Credit card information stolen as cards were swiped. Maybe it is time to revisit credit cards with a built-in smart card chip? In this instance, 46,000 cards were exposed from the Okemo Mountain Resort ski area in Vermont.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4645374547508288321?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4645374547508288321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4645374547508288321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4645374547508288321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4645374547508288321'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/04/go-skiing-loose-your-pii-httpwww.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1333317567820510418</id><published>2008-04-01T17:55:00.000-07:00</published><updated>2008-04-01T17:57:13.623-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='what 
does it mean?'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI compliant'/><title type='text'></title><content type='html'>PCI compliant, what does that mean?&lt;br /&gt;&lt;br /&gt;Does an organization's compliance with PCI mean that credit card information is safe? According to a news article by InformationWeek: &lt;a href="http://www.informationweek.com/security/showArticle.jhtml?articleID=206904986"&gt;http://www.informationweek.com/security/showArticle.jhtml?articleID=206904986&lt;/a&gt;, this might not be the case, as Hannaford Bros. lost 4.2 million credit and debit card numbers while stating on their website that they are compliant with the industry PCI standard.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1333317567820510418?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1333317567820510418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1333317567820510418' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1333317567820510418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1333317567820510418'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/04/pci-compliant-what-does-that-mean-does.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3232909157455027255</id><published>2008-03-27T01:47:00.001-07:00</published><updated>2008-03-27T01:47:58.790-07:00</updated><title type='text'></title><content type='html'>What strategies to follow after you have implemented a DLP solution&lt;br /&gt;&lt;br /&gt;If you have deployed a DLP strategy, you have probably deployed it in your high risk areas, and if you have become somewhat mature in your current DLP deployment, the next question is how to grow the deployment so that you can secure more areas. As you become more successful, your management, or clients within business groups who are not currently enjoying the protection a DLP solution can give, will ask you to protect their areas as well.&lt;br /&gt;&lt;br /&gt;So, the question becomes, how do you grow both horizontally and vertically? You can grow horizontally by putting in place more monitors, but you will quickly find yourself in a situation where your current rules/policies do not meet the needs of the additional areas you are now scanning, or where the business model you deployed for the corporate roll out does not meet the needs of the business unit you are now supporting in addition to the corporate roll out.&lt;br /&gt;&lt;br /&gt;Do you invest in data in motion along with data at rest? Do you invest in end point protection? How about managing different departments, ranging from your HR department to your credit card processing department to your research and development arm? For each one of these, different business problems arise, and different solutions must be put in place. 
For HR, your main concern is probably the loss or disclosure of personnel data; for your sales organization, customer PII; and for your R&amp;amp;D department, loss of your future bread and butter.&lt;br /&gt;&lt;br /&gt;So the discussion becomes one of head count, and of centralized versus decentralized. Which model is right, and how do you ensure comparable results between them? It is a discussion which will be had in many organizations in the upcoming years. Many IT security shops will have the idea that you should have a centralized approach. This will become increasingly difficult for several reasons. One, only the users/business owners in the respective areas will have an understanding of what is valuable, and needs protection, and what doesn’t. Then you have the issue around different IT departments controlling collaboration and messaging. Each one is important for securing your information. I think the right answer is a mix between centralized/decentralized, where information security runs the majority of the tools, but the business owners and IT collaborate on how to identify IP and business secrets, and create and manage policies dependent on roles.&lt;br /&gt;&lt;br /&gt;There is one undeniable fact. The amount of information is growing; in fact, according to IDC, it is growing by 60% a year, and new regulatory requirements mean that IT will have to invest more in managing the information for disclosure, protection and retention.&lt;br /&gt;&lt;br /&gt;Demand for storage capacity has grown by 60% per year and shows no signs of slowing down, according to research company IDC. New disclosure laws, which require more data to be preserved and retrievable, also are making storage management a bigger job. 
&lt;a href="http://www.networkworld.com/news/2008/032108-storage-revolution-jobs.html"&gt;http://www.networkworld.com/news/2008/032108-storage-revolution-jobs.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3232909157455027255?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3232909157455027255/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3232909157455027255' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3232909157455027255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3232909157455027255'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/what-strategies-to-follow-after-you.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7018140185618351020</id><published>2008-03-13T17:03:00.000-07:00</published><updated>2008-03-13T17:04:18.395-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Health Care Identity Theft'/><title type='text'></title><content type='html'>New concerns regarding health care information misuse. 
In an article from MSNBC: &lt;a href="http://www.msnbc.msn.com/id/23392229/"&gt;http://www.msnbc.msn.com/id/23392229/&lt;/a&gt; they highlight the impact an impostor can have on your health when your information is abused.&lt;br /&gt;&lt;br /&gt;This should bring attention to the need for medical facilities, and anyone keeping medical information, to be prepared to ensure the accuracy and integrity of the information, as well as protecting it from loss.&lt;br /&gt;&lt;br /&gt;A shift from paper-based information management to electronic management enables greater efficiencies of information management, including sharing of information, but also enables loss of information at a much greater level than at any time before in history.&lt;br /&gt;&lt;br /&gt;Organizations which have not moved to encrypted storage for sensitive information should do so as soon as possible, and improved authentication and authorization models must be put in place where they are lacking.&lt;br /&gt;&lt;br /&gt;Systems must be put in place that ensure that the identity used is that of the person receiving health care, and that only the information needed is available to personnel who provide care or otherwise handle the information.&lt;br /&gt;&lt;br /&gt;According to the FTC, 3% of identity theft victims have had someone else use their medical benefits. 
With identity theft growing, and medical care becoming more expensive, leaving more out, and the move towards electronic health information management, we are poised for the perfect storm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7018140185618351020?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7018140185618351020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7018140185618351020' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7018140185618351020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7018140185618351020'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/new-concerns-regarding-health-care.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3436372390699249405</id><published>2008-03-10T21:02:00.000-07:00</published><updated>2008-03-10T21:03:14.278-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Operational risk management'/><title type='text'></title><content type='html'>Information loss prevention and operational risk management&lt;br /&gt;&lt;br /&gt;An operational risk framework that takes input from across the organization and also manages exceptions to policy would be a huge 
benefit to overall risk management. As business users demand web 2.0 applications, easy to use cell phones with dual use capabilities (read: use as an email client for work purposes, and to view video and listen to music for personal use), and exceptions given to systems regarding patch level and security reviews.&lt;br /&gt;&lt;br /&gt;Rolled-up operational risk summaries would be the only way to measure the aggregate operational risk in the organization. This, married with information flow views which outline what objects access what information, would make the risk decisions easier to make. If you knew who had access to what information where and when on what device, it would be easy to see what the true risk was, and if a request for an exception came in, it would be easy to determine if the additional risk was substantial, or minimal. It would also be easy to envision a self-service model, where the user would be allowed to accept some risk, but if the risk moved above a threshold, a manager or security operator would have to grant it. 
Each business leader could then set an acceptable threshold within the organization, and its policy would then flow down to the individual users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3436372390699249405?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3436372390699249405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3436372390699249405' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3436372390699249405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3436372390699249405'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/information-loss-prevention-and.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7440530342567045215</id><published>2008-03-10T20:59:00.001-07:00</published><updated>2008-03-10T20:59:54.464-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Mobile phone information security'/><title type='text'></title><content type='html'>It has been a busy few days, and for information loss prevention, a few areas are worthy of a highlight. 
It is still being questioned whether iPhone 2.0 meets the regulatory requirements for data protection: &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9067319&amp;amp;intsrc=hm_list"&gt;http://computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9067319&amp;amp;intsrc=hm_list&lt;/a&gt;. Furthermore, here is a link to an article discussing how BlackBerry servers are ripe for the hacking. Yet another concern for IT security personnel who need to protect sensitive information on all devices serviced by the organization: &lt;a href="http://techworld.com/security/news/index.cfm?newsID=11663&amp;amp;pagtype=samechan"&gt;http://techworld.com/security/news/index.cfm?newsID=11663&amp;amp;pagtype=samechan&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7440530342567045215?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7440530342567045215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7440530342567045215' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7440530342567045215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7440530342567045215'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/it-has-been-busy-few-days-and-for.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7784316927880769027</id><published>2008-03-09T23:14:00.000-07:00</published><updated>2008-03-09T23:38:48.828-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Communication controls'/><title type='text'></title><content type='html'>Information control&lt;br /&gt;&lt;br /&gt;Maybe I should rename the blog from information protection, as it is just as much about information control. DLP products along with DRM products, firewalls and other security controls are mere solutions in place to control the flow of information. They are put in place to prevent the flow of information to systems or personnel who should not have this information, and allow the flow to systems or personnel who should have access.&lt;br /&gt;&lt;br /&gt;DLP tries to identify the type of content, and based on rules, apply various protection mechanisms to the information. In some areas, context is also evaluated. 
However, one area which DLP has not fully gone into is the area of mapping social graphs to ensure that information does not flow from a highly trusted source to a trusted (albeit less trusted) source, and then downward in the hierarchy towards an untrusted source.&lt;br /&gt;&lt;br /&gt;Clear areas of such downward flow can be stopped by reducing the access to broad access groups, however human nature is such that obstacles to sharing information are usually overcome, especially if it is easier to circumvent the control than it is to obey it.&lt;br /&gt;&lt;br /&gt;Willful loss of information can only happen if technology, processes and people (the majority) are aligned. The processes must be such that they enable secure sharing to the proper objects, and people must buy into the idea that the value of protecting certain types of information is higher than the cost of loss caused by reducing sharing.&lt;br /&gt;&lt;br /&gt;This can seem contrary to many, as we want to communicate, and we will fail in most of our endeavors if we do not collaborate, at least within the group to which we belong. The problem is of course that most people belong to many groups, based on work, ideology, hobbies, neighbourhoods, etc. This means that just looking at the objects who have, had, or can access the information is not enough. You also need to look at who these objects are connected to, and who they are in turn connected to. You need to map out objects that form hubs versus spokes (power law distribution), and where these again lead to.&lt;br /&gt;&lt;br /&gt;One trick used to track such information is to use a 1x1 pixel, to see who receives certain information. This is however not included in most information as it traverses networks, storage areas, end points, databases, applications etc. 
Only when you can marry a map of all objects, and their interrelatedness, and where the information actually moves to and from can you truly understand the risks and/or possibilities the organization has in sharing information within and across boundaries.&lt;br /&gt;&lt;br /&gt;Today's DLP solutions create classifications in varying degrees, and some store the result set in a database, while others persist the information within the metadata of the document, either directly within the document or in an alternate stream. These can of course be stripped off, and until DRM becomes pervasive, it will not solve this issue either. Actually DRM has another problem, in that if information is presented on a screen, it can be copied and the controls are stripped off as a consequence. However, DRM will increase the effort necessary to improperly distribute information to objects who should not have access.&lt;br /&gt;&lt;br /&gt;In order to support better protection, identity management is another dimension that must be solved. 
I will not go into much depth in this posting, other than just saying that role-based identity management is hard, and identity management between organizations is even harder, and is a contributor to the problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7784316927880769027?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7784316927880769027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7784316927880769027' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7784316927880769027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7784316927880769027'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/information-control-maybe-i-should.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4147860185213846144</id><published>2008-03-05T03:24:00.000-08:00</published><updated>2008-03-05T04:45:09.258-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='National security trumps privacy'/><title type='text'></title><content type='html'>According to a survey by Pursuant, &lt;a href="http://www.pursuantresearch.com/"&gt;http://www.pursuantresearch.com/&lt;/a&gt;, 32% of surveyed government IT personnel do not think they 
will become compliant with requirements such as HSPD-12, FIPS 201, and FISMA. This article: &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=206901345"&gt;http://www.informationweek.com/news/showArticle.jhtml?articleID=206901345&lt;/a&gt; states that government IT personnel believes national security trumps privacy&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4147860185213846144?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4147860185213846144/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4147860185213846144' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4147860185213846144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4147860185213846144'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/according-to-survey-by-pursuant-httpwww.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2057320610165379473</id><published>2008-03-02T23:25:00.000-08:00</published><updated>2008-03-02T23:36:51.980-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Health Care information under attack'/><title type='text'></title><content type='html'>Confluence of &lt;span class="blsp-spelling-error" 
id="SPELLING_ERROR_0"&gt;HIPAA&lt;/span&gt; security audits and increasing attacks from the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_1"&gt;Internet&lt;/span&gt; creates pressure on health care organizations to protect their patient information: &lt;a href="http://www.networkworld.com/news/2008/022708-healthcare-cyberattacks.html"&gt;http://www.networkworld.com/news/2008/022708-healthcare-cyberattacks.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The four important questions for any custodian of sensitive information to ask should be:&lt;br /&gt;&lt;br /&gt;What information exists on my systems&lt;br /&gt;Where is it located&lt;br /&gt;Who has access&lt;br /&gt;How is it protected&lt;br /&gt;&lt;br /&gt;I believe that to find out what information exists, cataloguing and classification are a necessity. To find out where it is, the repositories containing information must be scanned, and content then classified based on this scan. To ensure that only users who need access have access, entitlement management is key. The information that is classified should then be protected.&lt;br /&gt;&lt;br /&gt;This cannot be achieved with technology alone. 
People, Process and Technology all go hand in hand to solve this problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2057320610165379473?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2057320610165379473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2057320610165379473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2057320610165379473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2057320610165379473'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/confluence-of-hipaa-security-audits-and.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2622618299827253884</id><published>2008-03-02T21:43:00.000-08:00</published><updated>2008-03-02T21:48:27.888-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='selection criteria for a DLP solution'/><title type='text'></title><content type='html'>Selection Criteria for an ILP solution&lt;br /&gt;&lt;br /&gt;Here are the high level selection criteria I would use for selecting a DLP solution&lt;br /&gt;&lt;br /&gt;· Accuracy (I would be willing to trade speed for accuracy if needed)&lt;br /&gt;· Speed (can all high risk areas be scanned efficiently without a high 
bandwidth cost)&lt;br /&gt;· Scalability (can all high risk areas be scanned efficiently)&lt;br /&gt;· Remediation capabilities (if a scanning solution is deployed without proper remediation, it leaves the organization with a much higher risk than prior to scanning)&lt;br /&gt;· Upfront cost of application&lt;br /&gt;· Upfront cost of services needed to deploy application&lt;br /&gt;· Cost of ownership&lt;br /&gt;o How many headcount are needed to manage incidents and systems&lt;br /&gt;o What is the annual support cost&lt;br /&gt;o What is the total life time cost of the application (3 years)&lt;br /&gt;· Risk reduction provided by application&lt;br /&gt;o How is it measured&lt;br /&gt;o Will result set stand up in court (can I prove due diligence when using these tools)&lt;br /&gt;o Can new regulatory requirements or new corporate policy be set up within a standard framework&lt;br /&gt;o Does the reporting meet the following needs&lt;br /&gt;§ Overall risk reduction&lt;br /&gt;§ Specific risk reduction for business unit/regulatory compliance/regional compliance&lt;br /&gt;§ Can ROI be demonstrated&lt;br /&gt;§ Are executive reports easy to understand&lt;br /&gt;§ Can executive reports be rolled into a CIO scorecard&lt;br /&gt;§ Do the reports for the operations team allow for improving the efficiency of the team and rules (this drives TCO)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2622618299827253884?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2622618299827253884/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2622618299827253884' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/30088005/posts/default/2622618299827253884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2622618299827253884'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/03/selection-criteria-for-ilp-solution.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7290743256122321251</id><published>2008-02-28T21:58:00.000-08:00</published><updated>2008-03-02T20:46:04.125-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Can you buy PCI compliance'/><title type='text'></title><content type='html'>Can you buy PCI compliance? A good article from InformationWeek: &lt;a href="http://informationweek.com/security/showArticle.jhtml?articleID=206800868"&gt;http://informationweek.com/security/showArticle.jhtml?articleID=206800868&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Of course, you can get solid advice from vendors, but technology is just one part of the equation. First, you should evaluate if you have the right skill set in your organization, then you should evaluate your current processes, and re-engineer if needed. 
Only when you have evaluated both people and processes, should you start evaluating technology&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7290743256122321251?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7290743256122321251/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7290743256122321251' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7290743256122321251'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7290743256122321251'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/can-you-buy-pci-compliance-good-article.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7263016694515032379</id><published>2008-02-28T21:51:00.000-08:00</published><updated>2008-02-28T21:56:21.576-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Password data base found by Finjan'/><title type='text'></title><content type='html'>Password database of stolen passwords found by Finjan: &lt;a href="http://www.eweek.com/c/a/Security/Finjan-Finds-Database-of-8700-Stolen-FTP-Credentials/"&gt;http://www.eweek.com/c/a/Security/Finjan-Finds-Database-of-8700-Stolen-FTP-Credentials/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Passwords should be 
treated as highly sensitive information, as they are often reused by users and can lead to the loss of all types of sensitive information within information systems. However, passwords can be hard to search for unless you already have a database of passwords. In case passwords have to be stored electronically, they should stay encrypted at all times.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7263016694515032379?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7263016694515032379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7263016694515032379' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7263016694515032379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7263016694515032379'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/password-database-of-stolen-passwords.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1778317691064201262</id><published>2008-02-17T19:13:00.000-08:00</published><updated>2008-02-17T19:18:17.233-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Symantec study finds more monies goes to compliance'/><title type='text'></title><content type='html'>New study from 
Symantec&lt;br /&gt;&lt;br /&gt;IT organizations are now reporting back to Symantec's survey that work on regulatory compliance is either comparable to other projects, or more important than risk mitigation efforts: &lt;a href="http://www.infoworld.com/article/08/01/31/Study-reframes-IT-risk-management_1.html"&gt;http://www.infoworld.com/article/08/01/31/Study-reframes-IT-risk-management_1.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This should be good news for information loss prevention programs, as PCI is definitely a driver for improved controls on how and when information is shared and to whom.&lt;br /&gt;&lt;br /&gt;I believe the future trends will be divestments from some security strategies historically undertaken by an organization, such as extranet solutions, firewall deployments etc., and that the major investments for the future will be in a blend of identity management and entitlement management. If you look at current encryption solutions, they usually stop at the enterprise egress point, as most organizations are not able to convince their partners to agree on a federation model.&lt;br /&gt;&lt;br /&gt;It is time to divest from underperforming security initiatives, and invest in areas where you can find a better return on your investment. Today investment in compliance can provide better ROI than merely investing in security controls. 
If you combine your investment so that you improve uptime, enable business, and can prove compliance, you find much more value than just investing in security controls.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.infoworld.com/article/08/01/31/Study-reframes-IT-risk-management_1.html"&gt;http://www.infoworld.com/article/08/01/31/Study-reframes-IT-risk-management_1.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1778317691064201262?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1778317691064201262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1778317691064201262' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1778317691064201262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1778317691064201262'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/new-study-from-symantec-it.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4780753674281775507</id><published>2008-02-09T00:29:00.001-08:00</published><updated>2008-02-09T00:29:41.601-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Base security and DLP'/><title type='text'></title><content type='html'>Data bases and DLP&lt;br 
/&gt;&lt;br /&gt;Quote from article in eweek:  &lt;a href="http://www.eweek.com/c/a/Security/DLP-DAM-Share-Common-Data-Security-Objectives/"&gt;http://www.eweek.com/c/a/Security/DLP-DAM-Share-Common-Data-Security-Objectives/&lt;/a&gt; "Most every security monitoring technology would benefit from DLP content awareness, which is the ability to recognize sensitive content on the fly," said Paul Proctor, an analyst with Gartner.&lt;br /&gt;&lt;br /&gt;I completely agree. I believe DLP vendors need to address data bases along with repositories, email and endpoints. Furthermore, such solutions should also protect any sensitive information leaving the data base.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4780753674281775507?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4780753674281775507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4780753674281775507' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4780753674281775507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4780753674281775507'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/data-bases-and-dlp-quote-from-article.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7448210679197179488</id><published>2008-02-09T00:21:00.000-08:00</published><updated>2008-02-09T00:22:16.289-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='eDiscovery news'/><title type='text'></title><content type='html'>Amendments to Federal Rules of Civil Procedure, FRCP, creating opportunities for content management solutions: &lt;a href="http://www.byteandswitch.com/document.asp?doc_id=144806&amp;amp;WT.svl=news1_6"&gt;http://www.byteandswitch.com/document.asp?doc_id=144806&amp;amp;WT.svl=news1_6&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some solutions sit on email, and use keywords and phrases, others enable retrieval from tapes and other media.&lt;br /&gt;&lt;br /&gt;At some time in the not so distant future, eDiscovery solutions and ILP solutions will probably merge, as they are both solving much the same problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7448210679197179488?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7448210679197179488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7448210679197179488' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7448210679197179488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7448210679197179488'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/amendments-to-federal-rules-of-civil.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-8944452611380181282</id><published>2008-02-08T23:33:00.000-08:00</published><updated>2008-02-08T23:38:19.409-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Eli Lilly legal documents sent to NY Times'/><title type='text'></title><content type='html'>Eli Lilly legal documents wrongfully sent to New York Times in a Billion dollar lawsuit&lt;br /&gt;&lt;br /&gt;Eli Lilly could probably have been better protected if they had in place a federated trust with their law firm, &lt;a href="http://www.pepperlaw.com/"&gt;Pepper Hamilton&lt;/a&gt;, and had the opportunity to protect their confidential communication with their outside counsel. This is truly the case for where Digital Rights Management could really protect their information.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.cnet.co.uk/software/0,39029694,49295453,00.htm"&gt;http://news.cnet.co.uk/software/0,39029694,49295453,00.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This case of information leak is enlightening in several aspects.&lt;br /&gt;&lt;br /&gt;One, Eli Lilly could potentially have lost ground in a serious legal matter&lt;br /&gt;&lt;br /&gt;Two, this is an understandable mistake by the outside counsel, albeit one could argue that more care should have been taken. Awareness is key, and an awareness program can reduce the risk of such incidents.&lt;br /&gt;&lt;br /&gt;Three, when conducting business with partners, just having legal agreements in place on how information is to be handled is not good enough. Contractual obligations should be audited against. 
This email could potentially have been stopped at the email server if an information loss prevention solution had been in place&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-8944452611380181282?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/8944452611380181282/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=8944452611380181282' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8944452611380181282'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/8944452611380181282'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/eli-lilly-legal-documents-wrongfully.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-2619364521763542209</id><published>2008-02-07T21:38:00.000-08:00</published><updated>2008-02-07T21:39:13.118-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Patient information security'/><title type='text'></title><content type='html'>An interesting book from the CEO of Kaiser Permanente, George  Halvorson: &lt;a href="http://www.healthcarereformnow.org/"&gt;http://www.healthcarereformnow.org/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the second hard truth, Mr. 
Halvorson discusses care linkage deficiencies, where he describes how medical doctors create paper-based medical records for their patients.&lt;br /&gt;&lt;br /&gt;It is commendable that a person like Mr. Halvorson, who has so much influence, is actively driving the digitizing of health care records. If these records are made easily available to care providers as well as care recipients, great efficiencies can be created.&lt;br /&gt;&lt;br /&gt;Digitizing medical records does come with some security concerns, which should be addressed. Only authorized personnel should have access. Anecdotal evidence which I have seen and heard points to the need for improving the culture in the health care industry with regard to safeguarding patient information. An awareness campaign is needed among care givers to educate them on how to best secure such information. Furthermore, tools need to be made available to health care professionals that allow them to continue to provide healthcare without being bogged down with security measures hindering them in their work.&lt;br /&gt;&lt;br /&gt;These tools should address the who, what, when and where with regard to access to highly sensitive information such as patient records, while enabling the health care professionals to spend more time caring for patients. 
So these tools must enable secure collaboration so each professional who needs access to information readily has this information, however is restricted to only this information and not all information of all patients.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-2619364521763542209?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/2619364521763542209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=2619364521763542209' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2619364521763542209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/2619364521763542209'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/interesting-book-from-ceo-of-kaiser.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4016401730564167899</id><published>2008-02-07T21:10:00.000-08:00</published><updated>2008-02-07T21:13:49.401-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HBI article'/><title type='text'></title><content type='html'>An article discussing learning to address High Business Impact, HBI, in the enterprise in the SC magazine written by Joel Christner with Reconnex: &lt;a 
href="http://www.scmagazineus.com/Learning-applications-Revolutionizing-data-loss-prevention/article/105073/"&gt;http://www.scmagazineus.com/Learning-applications-Revolutionizing-data-loss-prevention/article/105073/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4016401730564167899?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4016401730564167899/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4016401730564167899' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4016401730564167899'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4016401730564167899'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/article-discussing-learning-to-address.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1924267313680893271</id><published>2008-02-07T20:44:00.001-08:00</published><updated>2008-02-07T21:53:48.833-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Entitlement management'/><title type='text'></title><content type='html'>Entitlement management&lt;br /&gt;&lt;br /&gt;Entitlement management is important not only for your security posture, it is also important for your compliance efforts for SOX and 
PCI.&lt;br /&gt;&lt;br /&gt;The problem with entitlement management is of course to know who has access to what. You probably know who, unless you have too broad an access policy on your information. How would you know if you have too broad an access policy? You need to scan for large user groups and global groups. These groups should not be allowed for sensitive and highly sensitive information. Do you know all the instances within your organization of sensitive and highly sensitive information? You can of course use DLP to scan for these information types. The problem is of course that the DLP solutions do not map back to who had access when.&lt;br /&gt;&lt;br /&gt;With these questions/problems, what are you to do?&lt;br /&gt;&lt;br /&gt;One, you should scan all your information, and identify where you have highly sensitive and sensitive information.&lt;br /&gt;&lt;br /&gt;When this has been identified, you need to keep a persistent classification of the information, so a classification solution must be deployed and implemented.&lt;br /&gt;&lt;br /&gt;When you have applied the classification, you need to ensure that the large groups and/or global groups do not have access to this information.&lt;br /&gt;&lt;br /&gt;For information where you need to validate that users who should have access have access, and users who should not have access do not have access, custodians of the sensitive information are required to validate the users who have access. By forcing the validation at the lowest level possible, you can effectively address the biggest problem in organizations today, which is entitlement creep. Entitlement creep happens when employees move from one job to another, or the job changes over time, and access needs change with them. Most often, when this happens, the employee gets access to the new areas needed for their job, but the old entitlements are not removed. 
By clearly assigning custodianship at as low a level as possible, this can be taken care of if the custodians are reminded periodically to validate who should have access, and are aware that they are also audited against their accountability.&lt;br /&gt;&lt;br /&gt;In other words, the full solution is to map your scanning of sensitive information to your identity management systems, as well as a classification and remediation solution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1924267313680893271?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1924267313680893271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1924267313680893271' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1924267313680893271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1924267313680893271'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/entitlement-management-entitlement.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-6024955929789251082</id><published>2008-02-06T22:26:00.000-08:00</published><updated>2008-02-06T22:31:44.406-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Users have access to too much 
information'/><title type='text'></title><content type='html'>According to the Ponemon Institute, 69% of employees have access to too much information. This validates the need for tighter entitlement management: &lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=206104613&amp;amp;subSection=News"&gt;http://www.informationweek.com/news/showArticle.jhtml?articleID=206104613&amp;amp;subSection=News&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-6024955929789251082?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/6024955929789251082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=6024955929789251082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6024955929789251082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/6024955929789251082'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/according-to-ponemon-institute-69-of.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1509360803069700745</id><published>2008-02-04T20:17:00.001-08:00</published><updated>2008-02-04T20:17:40.093-08:00</updated><title type='text'></title><content type='html'>An article by Rich Mogull about selecting the right DLP 
solution for your needs: &lt;a href="http://www.networkworld.com/columnists/2008/020408insider.html"&gt;http://www.networkworld.com/columnists/2008/020408insider.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Amongst his most important criteria is to identify your key stakeholders within the organization, then agree on what problems to solve and how, then choose the right solution. I very much agree on this approach.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1509360803069700745?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1509360803069700745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1509360803069700745' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1509360803069700745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1509360803069700745'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/article-by-rich-mogull-about-selecting.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-9125805542190889329</id><published>2008-02-04T17:41:00.001-08:00</published><updated>2008-02-04T17:41:36.126-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vontu coverage on CNN.com'/><title type='text'></title><content 
type='html'>Vontu gets coverage on CNNMoney.com for winning a contract protecting health information at The Mount Sinai Medical Center. It seems that Mount Sinai chose a desktop/laptop solution to protect their information: &lt;a href="http://money.cnn.com/news/newsfeeds/articles/marketwire/0356611.htm"&gt;http://money.cnn.com/news/newsfeeds/articles/marketwire/0356611.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-9125805542190889329?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/9125805542190889329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=9125805542190889329' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9125805542190889329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/9125805542190889329'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/vontu-gets-coverage-on-cnnmoney.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-4387163008678919824</id><published>2008-02-04T17:35:00.000-08:00</published><updated>2008-02-04T17:40:59.572-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Agent or not'/><title type='text'></title><content type='html'>Agent versus no agent what is the right 
answer?&lt;br /&gt;&lt;br /&gt;When looking at DLP as well as other security products such as patch management, anti virus etc, the question comes to mind, is an agent on the end point the answer to the question?&lt;br /&gt;&lt;br /&gt;It is neither yes nor no. Agents have two main problems, reach and failure rate. For reach, you have to either force an agent out via a systems management solution, GPO, script, or distribution via a portal. To have a 100% reach for a large usually becomes either too expensive or outright impossible if your network is segmented into areas of different management segments, such as lab versus production.&lt;br /&gt;&lt;br /&gt;The right answer is a mix, where you use agents on high risk desktops, laptops and mobile devices, applications or appliances on email servers and data center servers such as repository systems, line of business applications and databases, and applications/appliances on network ingress/egress points. It is also important to note that if you need to transport sensitive information between organizations, you need to ensure contractual obligations are put in place and met between the organizations.&lt;br /&gt;&lt;br /&gt;There are several good ways to deploy agents. One is to use Group Policy Software Installation, GPSI, another is to use System Center, Tivoli or other agent management systems. You could of course also use a portal such that if a user went to a portal (Line of Business) to retrieve sensitive information, they would have to download and install an agent before they were allowed access to the information. The benefit of using an agent management system is of course the breadth of information these systems provide of installation metrics, health metrics, reach etc.&lt;br /&gt;&lt;br /&gt;In my opinion, the perfect agent would be installed seamlessly via an agent management system, and control what the user can do with the information without impeding productivity. 
So for example, blocking USB might not be the answer if the user has a genuine need to transport information using a USB key. A better solution would be, if information goes on a USB, is it sensitive and is it protected? If the information is sensitive and it is not protected, the solution should interact with the user and make it easy to do the right thing. The same goes for emails, and any other communication where the user may divulge sensitive information. For file transfers, a transfer would either be approved or disapproved based on the content sensitivity and where it is going, and protected appropriately.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-4387163008678919824?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/4387163008678919824/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=4387163008678919824' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4387163008678919824'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/4387163008678919824'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/agent-versus-no-agent-what-is-right.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5785212636088238152</id><published>2008-02-01T14:52:00.000-08:00</published><updated>2008-02-01T14:59:40.612-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Omnibank looses customer information'/><title type='text'></title><content type='html'>Omnibank customer information stolen, leading to the creation of false ATM cards which criminals then used to obtain cash: &lt;a href="http://breachblog.com/2008/01/28/omni.aspx"&gt;http://breachblog.com/2008/01/28/omni.aspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;According to news stories, the amounts lost were small, but there was clearly an inconvenience to the customers of the bank.&lt;br /&gt;&lt;br /&gt;Unfortunately, these types of attacks will continue to occur.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5785212636088238152?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5785212636088238152/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5785212636088238152' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5785212636088238152'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5785212636088238152'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/omnibank-customer-information-stolen.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-526672431463117487</id><published>2008-02-01T13:22:00.000-08:00</published><updated>2008-02-01T13:33:29.499-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Un-encrypted laptops stays in the office'/><title type='text'></title><content type='html'>Britons working for the UK government are now banned from removing laptops from their offices unless they are encrypted: &lt;a href="http://www.personneltoday.com/articles/2008/01/22/44056/laptops-containing-protected-data-banned-from-leaving-public-sector-offices.html"&gt;http://www.personneltoday.com/articles/2008/01/22/44056/laptops-containing-protected-data-banned-from-leaving-public-sector-offices.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The real question is, is this an enforceable policy? It might be, but then it begs the question, can current productivity among civil servants be sustained? The answer is no, unless there is an effort put in place to enable civil servants to encrypt their laptop content easily.&lt;br /&gt;&lt;br /&gt;This issue highlights two important areas for compliance. First of all, do you have effective policies addressing your areas of risk? By effective, I mean, are they clear and understandable, and are the users governed by the policies aware of them? The second important area is, of course, compliance to policy. How do you effectively enforce, monitor and audit for compliance to your policy?&lt;br /&gt;&lt;br /&gt;The hard part is of course to balance policy/compliance with business needs. If your policy and compliance efforts impede your business, then you face loss of productivity and probably profits. 
So a balance between business needs and your security/compliance needs must be obtained.&lt;br /&gt;&lt;br /&gt;The best way to achieve this is of course to evaluate your current risk profile, and decide if the current risk is something you are willing to accept or not. If you are not willing to accept your current risk, then you must put in place mitigations that move the risk level to where you are comfortable.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-526672431463117487?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/526672431463117487/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=526672431463117487' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/526672431463117487'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/526672431463117487'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/02/britons-working-for-uk-government-are.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-5362902497656981857</id><published>2008-02-01T12:53:00.000-08:00</published><updated>2008-02-01T13:11:23.368-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gartner predicts a move away from notebooks'/><title 
type='text'></title><content type='html'>Gartner predicts that users will move to pocketable devices by 2012: &lt;a href="http://gartner.com/it/page.jsp?id=593207"&gt;http://gartner.com/it/page.jsp?id=593207&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This means that we need to start thinking about content management on mobile devices. There are already systems available that enable full encryption on these devices, but they are not broadly deployed yet.&lt;br /&gt;&lt;br /&gt;A different way of controlling sensitive information on these types of devices would of course be to give information persistent protection at the aggregation points such as email servers, and for line of business applications at the web interface. DRM is a good solution for this space. You can control who has access when, and to a certain point where, compared to just letting the information get to the devices unprotected.&lt;br /&gt;&lt;br /&gt;Here is a link to what Symantec has to say about mobile phone security: &lt;a href="http://www.symantec.com/about/news/release/article.jsp?prid=20060404_01"&gt;http://www.symantec.com/about/news/release/article.jsp?prid=20060404_01&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-5362902497656981857?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/5362902497656981857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=5362902497656981857' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5362902497656981857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/5362902497656981857'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2008/02/gartner-predicts-that-users-will-move.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1606461347718006529</id><published>2008-01-31T19:40:00.000-08:00</published><updated>2008-01-31T19:46:04.326-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IBM deploys PGP'/><title type='text'></title><content type='html'>Bold and commendable move by IBM&lt;br /&gt;&lt;br /&gt;IBM is deploying PGP to more than 350,000 employees, enabling all these employees to keep their sensitive information confidential even if they should lose their laptop: &lt;a href="http://techworld.com/security/news/index.cfm?newsID=11272&amp;amp;pagtype=samechan"&gt;http://techworld.com/security/news/index.cfm?newsID=11272&amp;amp;pagtype=samechan&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1606461347718006529?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1606461347718006529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1606461347718006529' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1606461347718006529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1606461347718006529'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2008/01/bold-and-commendable-move-by-ibm-ibm-is.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-1284461791861550513</id><published>2008-01-30T17:21:00.000-08:00</published><updated>2008-01-30T17:22:01.232-08:00</updated><title type='text'></title><content type='html'>Blogging and DLP&lt;br /&gt;&lt;br /&gt;Should you worry about losing IP or sensitive information through your employees' use of blogs? Well, intellectual property attorney Stephen M. Nipper says that employees are more likely to leak closely held data through casual e-mails than through carefully thought-out blog entries. The quote is from the book Naked Conversations.&lt;br /&gt;&lt;br /&gt;I assume it is the same Mr. 
Nipper who has these blogs, and there are some really interesting reads on IP on these blogs: &lt;a href="http://inventblog.com/"&gt;http://inventblog.com/&lt;/a&gt; ,  &lt;a href="http://www.rethinkip.com/"&gt;http://www.rethinkip.com/&lt;/a&gt; and &lt;a href="http://www.shapeblog.com/"&gt;http://www.shapeblog.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On the other hand, it would also be prudent to search your public presence for sensitive information if you have the capability.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-1284461791861550513?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/1284461791861550513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=1284461791861550513' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1284461791861550513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/1284461791861550513'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/01/blogging-and-dlp-should-you-worry-about.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-3052382147661654911</id><published>2008-01-30T17:01:00.000-08:00</published><updated>2008-01-30T17:02:07.196-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='SharePoint growth'/><title type='text'></title><content type='html'>Why companies and organizations need to think about SharePoint and protecting information within SharePoint.&lt;br /&gt;&lt;br /&gt;According to Forrester, &lt;a href="http://www.eweek.com/c/a/Messaging-and-Collaboration/Businesses-Start-Revving-Your-Enterprise-20-Engines/"&gt;SharePoint Leads Way to Enterprise 2.0&lt;/a&gt;. With its capabilities for storing documents as well as providing a collaborative environment with wikis and other social networking capabilities come the issues around content sensitivity, entitlement management, protection, discovery, retention and audits.&lt;br /&gt;&lt;br /&gt;Independent Software Vendors are also jumping on the bandwagon, enabling increased SharePoint use in enterprises and other organizations, further driving the need for securing content on SharePoint: &lt;a href="http://www.crn.com/software/205801189"&gt;http://www.crn.com/software/205801189&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-3052382147661654911?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/3052382147661654911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=3052382147661654911' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3052382147661654911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/3052382147661654911'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/01/why-companies-and-organizations-need-to.html' 
title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7479855274420465913</id><published>2008-01-30T08:31:00.000-08:00</published><updated>2008-01-30T08:35:05.714-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='link to hack-igations'/><title type='text'></title><content type='html'>Here is a link to several good thoughts on various laws and their implications from a DLP perspective: &lt;a href="http://hack-igations.blogspot.com/search/label/credit%20card%20law"&gt;http://hack-igations.blogspot.com/search/label/credit%20card%20law&lt;/a&gt; (credit card laws), &lt;a href="http://hack-igations.blogspot.com/search/label/data%20breach%20notification"&gt;http://hack-igations.blogspot.com/search/label/data%20breach%20notification&lt;/a&gt; (breach notification)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7479855274420465913?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7479855274420465913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7479855274420465913' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7479855274420465913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7479855274420465913'/><link rel='alternate' type='text/html' 
href='http://nformationprotection.blogspot.com/2008/01/here-is-link-to-several-good-thoughts.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-30088005.post-7122432626358398073</id><published>2008-01-29T22:22:00.001-08:00</published><updated>2008-01-29T22:24:09.200-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Loss news'/><title type='text'></title><content type='html'>In the data loss news:&lt;br /&gt;&lt;br /&gt;58-year-old Greek mathematics professor steals data causing losses of $361 million:&lt;br /&gt;&lt;a href="http://news.smh.com.au/greek-authorities-accuse-man-of-selling-stolen-dassault-software/20080126-1o9j.html"&gt;http://news.smh.com.au/greek-authorities-accuse-man-of-selling-stolen-dassault-software/20080126-1o9j.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Choice Point settles to the tune of $10 million:&lt;br /&gt;&lt;a href="http://www.consumeraffairs.com/news04/2008/01/choicepoint_settle.html"&gt;http://www.consumeraffairs.com/news04/2008/01/choicepoint_settle.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;7 Citibank employees in Singapore are arrested after taking customer data with them to their new employer UBS:&lt;br /&gt;&lt;a href="http://www.ft.com/cms/s/0/83d71216-caab-11dc-a960-000077b07658,dwp_uuid=e8477cc4-c820-11db-b0dc-000b5df10621.html"&gt;http://www.ft.com/cms/s/0/83d71216-caab-11dc-a960-000077b07658,dwp_uuid=e8477cc4-c820-11db-b0dc-000b5df10621.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Laptop theft leaves unencrypted healthcare information and customer data unaccounted for at an &lt;a 
href="http://www.telegram.com/article/20080124/ALERT01/769284629"&gt;HMO&lt;/a&gt;, and a &lt;a href="http://software.silicon.com/security/0,39024655,39169821,00.htm"&gt;retailer&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/30088005-7122432626358398073?l=nformationprotection.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nformationprotection.blogspot.com/feeds/7122432626358398073/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=30088005&amp;postID=7122432626358398073' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7122432626358398073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/30088005/posts/default/7122432626358398073'/><link rel='alternate' type='text/html' href='http://nformationprotection.blogspot.com/2008/01/in-data-loss-news-58-year-old-greek.html' title=''/><author><name>Olav</name><uri>http://www.blogger.com/profile/08161024474239048756</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://1.bp.blogspot.com/_ksBQLf65JpU/R3SSQaElp-I/AAAAAAAAAAM/lPp1Bv5DjwU/S220/San%2520Francisco%2520050.jpg'/></author><thr:total>0</thr:total></entry></feed>
