Putting Security to Work
Data Loss Prevention (DLP)
One of the most significant advances in data security is data loss prevention. It protects data in motion as well as at rest.
Because it is content-aware, DLP monitors data flow and identifies unauthorized data sharing and other potential breaches. It also tightens controls and, as a result, improves the odds of keeping enterprise assets secure.
Using content discovery, file system protection, network protection and GUI/kernel protection, DLP offers a comprehensive defense. In addition, central policy management and reporting tools, built into DLP solutions, vastly improve the ability of IT and security managers to track data flow.
Among other things, DLP can block the transfer of content from one application to another. It can thwart the use of encryption when it is not appropriate. And it can also limit cutting and pasting, screen captures, page printing and transferring data across media.
By combining multiple layers of security and taking the focus off individual computers, servers and devices, DLP slices through complexity. The technology provides a unified way to oversee policies, workflow and data motion.
Another key security component is encryption. The ability to lock and scramble documents — e-mail messages, text files, spreadsheets and more — and to keep databases and other information under lock and key goes a long way toward constructing a secure enterprise environment.
PGP’s 2009 Annual Study, “U.S. Enterprise Encryption Trends,” remarkably found that 41 percent of respondents do not recognize encryption as “very important.” In addition, nearly one-third of the firms surveyed haven’t yet launched any type of encryption initiative.
Encryption is mostly used to prevent data breaches and comply with privacy and data protection regulations. Still, PGP reports that businesses are increasingly tapping it with the aim of preserving their brand and reputation.
Over the last few years, full-disk encryption (also known as whole-disk encryption) has garnered a good deal of attention. It offers nonstop disk protection for multiple platforms, including Microsoft and Apple OS X, and across desktop PCs, notebooks and removable media.
An effective encryption tool built directly into Ultimate and Enterprise editions of Windows Vista and Windows 7 is BitLocker, which provides on-the-fly whole-disk encryption for documents and folders. The latest version of BitLocker, found in Windows 7 and Windows Server 2008 R2, offers the added feature of flash-drive encryption.
It’s no secret that e-mail remains one of the weakest links in the enterprise security chain. Every day, thousands — in some cases hundreds of thousands — of messages flow in and out of enterprise computers and smartphones.
As these messages cross the corporate firewall and land in employees’ inboxes, the potential for abuse is significant. Viruses and other malware have indeed grown more sophisticated, but social engineering techniques have become more prevalent and successful.
According to MarkMonitor, a San Francisco company that tracks domain-name abuse, more than 150,000 phishing attacks took place in the second quarter of 2009. In some cases, cybercrooks are using a more focused approach.
Incidents of spear phishing, which targets a very narrow group of recipients or even an individual, are also on the rise. Once an individual clicks a link or opens an executable file, a malicious application installs on the computer and, in many cases, spreads rapidly across the network.
Client- and network-based anti-malware applications intercept viruses, spam and spyware as they enter the enterprise through e-mail or instant messaging. Furthermore, these applications now block phishing sites — including those accessed via e-mail — and stop spam and fraudulent messages. Some also update virus definitions as often as every five to 15 minutes.
In this way, a new virus appearing in the wild can be detected and eradicated before it causes damage. Some of these applications also incorporate encryption and protections for web browsers.
Finally, there’s the use of e-mail encryption. It ensures that information flowing in and out of an enterprise is protected.
Web Content Filtering
The ability to connect to a seemingly endless array of websites is both a boon and a curse for businesses. On one hand, it allows workers to tap into a vast reservoir of knowledge and uncover information quickly. On the other hand, questionable and sometimes dangerous sites are only a click away. Here, identity and data theft become very real possibilities.
Content filtering uses a blacklist to block access to undesirable or dangerous websites. Some filters also rely on algorithms to detect suspicious patterns.
Although these applications don’t stop hacks or an array of other attacks, they do prevent employees from downloading malicious code from websites. They’re able to sniff out malicious code because they inspect every packet passing through a firewall, caching device or proxy server.
It’s possible to implement content filtering through software or a hardware appliance. Content filtering tools usually provide a web-based console for configuring computers and other systems.
These tools can be set up to function in a standalone mode or incorporated into a firewall or proxy server. Software products often provide greater power and flexibility, but appliances are simple to set up and manage.
Most organizations host vital data and applications at the server level. Threats in this area can compromise the company as a whole. Tools for effective server security include Network Access Control (NAC), clear and comprehensive security policies, and patch management policies that safeguard the integrity of the network at all times.
NAC can provide an identity-based approach to securing endpoint devices such as notebook PCs, netbooks and smartphones along with the data they hold. It allows a firm to unify endpoint security and create a common interface for managing a disparate array of systems across a network.
Moreover, today’s NAC solutions provide a high level of flexibility. If a security policy changes, an organization introduces a new application, or the need for guest access occurs, it’s possible to make changes and have them take effect instantly.
These applications also allow organizations to adapt policies to specific risk levels and integrate network access controls with identity services and other remediation controls. In most instances, NAC serves as an additional protection against viruses, worms, Trojans and other malware that spreads easily across a network.
Yet protecting servers requires more than NAC and antivirus software. An organization must have clearly defined security policies and a strategy for managing patches and essential updates.
The former requires collaboration and discussion among business leaders, security experts and IT. The latter course requires IT to apply security patches and updates in a consistent and regular manner in order to address security flaws, bugs and vulnerabilities. Larger patches, or “service packs,” address a number of issues simultaneously and play a key role in reducing risk.
Virtual Private Networking
Another essential security feature is virtual private networking. It’s no newcomer to an effective risk prevention strategy, but the technology has become more sophisticated in recent years.
In fact, some organizations are migrating from older Internet Protocol Security (IPSec) VPNs to more advanced Secure Sockets Layer (SSL) VPN solutions. These provide more robust security and more granular policy and access controls.
A VPN creates an encrypted tunnel between devices or systems. Once a user logs in, a private connection is created. VPNs are particularly valuable for organizations with widely distributed offices and facilities.
VPNs offer a way — using the existing public telecommunications infrastructure — to create a secure connection to virtually any user in any part of the world without incurring the expense of establishing and managing a WAN.
In recent years, VPN technology has become more scalable and flexible, particularly SSL VPNs. It also has gained capabilities such as clientless remote access and support, integration with mobile and wireless devices, and the ability to establish granular policies based on users and devices.
Although DLP, content filtering, VPNs and other tools drastically reduce the risk of lost data, it’s also essential to install antivirus software, a local firewall and other protection at the client level. Moreover, an enterprise must know which applications reside on computers and other endpoint devices.
Some client security solutions now address the spate of challenges head-on. They provide Active Directory support, which can control client access, remote access and other functions that aren’t specific to the client platform.
These can include password managers that autofill browser and other forms, policy management tools, full-disk encryption and integrated fingerprint readers.
In some cases, users can also set up personal questions for retrieving forgotten passwords. They can also use enhanced spyware and fraud detection systems.
Many IT and security officers are also taking a closer look at client security because of mobility. This is leading organizations to embrace full-disk encryption built into notebook PCs. Firms are also turning to software-based solutions such as Microsoft’s BitLocker, which is built into Windows Vista and Windows 7.