Genie in a Bottle

John Thielens, Chief Architect, Cloud Services, Axway

“I’ve seen some organizations go to real extremes, where they lock down laptops, they turn off USB ports, there’s no CD burning. The only folks I’ve ever seen really do it effectively was the CIA, where they took your memory sticks away when you walked in. There was a guy with a machine gun by the door. And, by golly, data that they didn’t want to get out of that building wasn’t getting out of that building. But falling short of that, most folks don’t really do a very good job of applying lock and key to security when they really should be thinking about data security and access control.”

It Must Come with Enabling Tools: A commentary on the Bloomberg BusinessWeek article “The Age of Data Privacy”

Taher Elgamal, CSO, Axway

An Ounce of Data Loss Prevention, A Pound of Whitelisting Cure

by Paul Keane
Senior Product Manager
Axway

Jordan Wiens writes in a recent InformationWeek article, “Objectionable-content filtering is closely aligned with data loss prevention.”

When Wiens says “objectionable,” I’m assuming he means material that has legal ramifications, such as slanderous or libelous content. Items like that may have no intellectual property value, but they can damage an organization’s reputation among its customers or its partners. So while there is no inherent IP value in them, there is name-brand value, and that value can be harmed. This is different from traditional DLP for intellectual property and risk management, but it has a value of its own that aligns with DLP. It may not carry the same type of value as protected IP, but it has value from the company’s perspective, and it can be protected in the same manner as sensitive corporate data such as intellectual property.

Wiens continues: “Outbound controls typically include at least some form of basic DLP, such as blocking credit card patterns or Social Security numbers. If you expect to implement full DLP functionality within your e-mail security budget, however, be prepared to open your wallet a bit wider.”

That’s true. Items such as credit card and social security numbers are the minimum expectation nowadays. Some vendors may not be as adept at blocking more sophisticated items as others. It may be that the product simply doesn’t do it, rather than that customers have to pay more for it. Having said that, those that can do it are probably charging more for the overall solution anyway.

“Tread carefully,” writes Wiens, “if a vendor tries to sell you on e-mail whitelisting techniques. While positive security models do provide stronger defenses and are a much more promising long-term solution to malware than desktop antivirus, they simply don’t apply to e-mail.”

This is probably a good point, in that prevention is better than cure. Whitelisting is a bandage: it says “definitely allow these guys through,” but depending on how good your solution is, it may also allow other bad messages through. The better approach is prevention, where an intelligent decision is made at the edge so there is no need for whitelisting in the first place. One hundred percent accuracy is never going to happen, but a highly accurate solution at the edge, which is prevention, means we don’t have to worry about whitelisting: the edge solution would be intelligent enough to let through those you would whitelist anyway, while keeping all others out. It’s a fair statement to make.

How Do We Virtualize Security?

Willy Leichter, Director, Product and Solutions Marketing, Axway

The Day the Legislation Got Its Teeth

by J. Kirk
Sr. Product Solutions Manager
Axway

For those companies responsible for data loss, a spate of punishments is coming down the pike. But as Dan Raywood of scmagazineuk.com notes in his article this week, “Proposals to unveil harsher punishments for data loss will lessen the problem but not be a silver bullet.”

He may be right. But is that a temporary or permanent condition?

Let’s take a look at some legislation already out there (or, at least, soon to be out there).

On July 1, 2003, the personal privacy law known as California Senate Bill 1386 was enacted, and to this day, it affects anyone who has personal information within the state of California. It states that if there’s any personal information that’s breached—whether it’s somehow lost in transit or in storage (e.g., stolen laptops, misplaced thumb drives, etc.)—the company responsible for the breach must notify all individuals involved and make a public announcement.

This certainly bruises the company’s reputation, but it’s not really a punishment. To be certain, it’s a bad thing for the company, but it’s an intangibly bad thing for the company, and teaches the company about as much as a five-minute detention teaches a misbehaved child.

Whenever you get a letter from a company apologizing for losing your data and offering you a free credit report, you experience the consequences of toothless, unintimidating legislation like this.

But things are changing. In October 2008, in Nevada, a statute called NRS-597.970 went into effect. It states:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

While no penalties are identified in NRS-597.970, the statute’s specificity exposes companies to virtually unlimited liability should they not abide.

Finally, in January 2010, just weeks from now, in Massachusetts, a law known as 201 CMR 17.00 goes into effect.

Under this law, if there is a data breach at a non-compliant business—e.g., lost driver’s license information, social security numbers, credit card information, or any combination associated with personal contact information—the Attorney General of Massachusetts can assess a maximum of $5,000 per violation. Plus, anyone affected by the breach can also recover legal and investigation costs, and that’s to say nothing about what kind of lawsuit the Attorney General may file, or what degree of punitive damages the courts will order.

Now that regulation’s got teeth.

So Dan Raywood is right: harsher punishments will not be a silver bullet in the short term. But in the long term, you can count on this: once a few firms are impacted—and in the matter of data breaches, any company who ignores the law will be impacted—society will recognize just how devastating this legislation can be. On that day, the bullet of harsher punishments will take on a decidedly more silver sheen.

When You Really Start to Have Business Interaction Networks

by Paul French
VP, Product & Solutions Marketing
Axway

This week Adobe and McAfee announced that they’re going to combine some of Adobe’s digital rights management (DRM) and McAfee’s DLP technology.

If you’re a data security company, consider this a harbinger. Given the speed with which the market is changing, the speed with which the connections and points of collaboration are evolving, and the speed with which co-innovation occurs, your business interaction networks will have to expand. This will force you to mash up previously unrelated technologies, whether you do it yourself or acquire a vendor who can do it for you.

You’ll need a vendor that can reliably combine traditional data security (e.g., management, governance, and DLP) with something that offers a higher level of security, like DRM: a vendor who knows how to combine these things to secure data in whatever form, over whatever type of connection, and between whoever is on either side of that connection.

Customers really need to understand that their data security processes and policies can’t possibly evolve as fast as the changes that are occurring. To get the most out of the technology that exists today, to make yourself really agile, to expand your communities as effectively as possible, to gain as much revenue turnover as possible, to take out as much cost as possible, and to leverage the technology that’s available, you have to plan for how people actually work. That means implementing complementary technologies like DRM and data loss prevention.

That’s when you really start to have total data security: when you start to have a secure data transmissions platform. That’s when you really start to have business interaction networks, not just point-to-point collaboration.

We’re past that.

(Photo by lumaxart: http://www.flickr.com/photos/lumaxart/ / CC BY-SA 2.0)
(thegoldguys.blogspot.com / CC BY-SA 2.0)

The Next Frontier in Content Filtering: Large Files

by Willy Leichter
Director, Product & Solutions Marketing
Axway

It’s pretty well established that corporate email should have some types of content filters. Everybody uses them for inbound spam, and despite those who cry “Big Brother!”, there are many important (and legal) reasons that organizations need control over outbound content. For example, if your company deals with credit cards or social security numbers, you have an obligation to make sure they are not casually, or accidentally, sent unencrypted or to the wrong recipients.

Most organizations also have a legal responsibility to prevent harassment claims by keeping employees from surfing inappropriate or dangerous websites. While many people bristle at the idea of their web surfing being filtered, IT needs to have some control over what’s coming in and going out through the corporate firewall.

Which brings us to what is often an IT black hole: FTP. Many organizations allow completely unmonitored FTP, and quite frankly, those organizations don’t know what’s going on with the files leaving their networks, since even legitimate traffic can be a conduit for sensitive information or malware.

For instance, large files are regularly sent for business purposes between banks and partners with lots of personally identifiable information, and often banks will send more information than necessary. When going through FTP or other file transfer protocols, there is typically no visibility into file content.

My company was involved with a project with one of the largest banks in the world, and they were specifically concerned about PCI compliance. They needed to make sure that credit card numbers or social security numbers were not included as part of large file transfers. But, more importantly, they absolutely did not want traffic to be stopped if there was a possible violation. With all these security issues, stopping traffic, a move security purists are hasty to advocate, even for the most righteous of reasons, will make heads roll.

To solve this we developed a system to strip out specific, personally identifiable information from files, on the fly, based on policy rules, without stopping the entire file transfer process. While this type of filtering has become an accepted best practice for email, applying this technology to file transfers is groundbreaking.
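One way to implement the on-the-fly stripping described above, as an added example that is not Axway’s code: regex candidates for SSNs and card numbers, a Luhn check so that look-alike digit runs are not mangled, and a policy table deciding how each category is masked; the file always goes through, and an audit list records what was removed. The policy table and the sample record are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical policy rules (constructed for this example): which PII
# categories are stripped from a file in transit, and how each is masked.
POLICY: Dict[str, str] = {"credit_card": "mask_last4", "ssn": "redact"}

# Candidate patterns: card numbers are 13-19 digits, optionally separated by
# spaces or dashes; SSNs use the familiar 3-2-4 grouping.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample record, as it might appear in a bank's batch file.
SAMPLE = ("Customer Jane Doe, SSN 123-45-6789, paid with card "
          "4111 1111 1111 1111 on 2009-12-01. Ref 1234567890123456.")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _apply_policy(match, category: str,
                  findings: List[Tuple[str, str]]) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if category == "credit_card" and not luhn_ok(digits):
        return raw              # false positive: leave business data intact
    findings.append((category, raw))
    if POLICY[category] == "mask_last4":
        return "*" * (len(digits) - 4) + digits[-4:]
    return "[REDACTED-" + category.upper() + "]"


def redact_pii(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Strip policy-covered PII from file content and return the cleaned
    text plus an audit list. The transfer is never blocked: the caller
    always gets a deliverable file, even when violations were found."""
    findings: List[Tuple[str, str]] = []
    text = SSN_RE.sub(lambda m: _apply_policy(m, "ssn", findings), text)
    text = CARD_RE.sub(lambda m: _apply_policy(m, "credit_card", findings), text)
    return text, findings
```

The reference number in the sample fails the Luhn check and is left untouched, which is what keeps legitimate business data flowing while the real card and SSN are masked.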

The next time you consider content filters and whether your company is using them in the most efficient, holistic manner, ask yourself: are the filters just looking at the subject lines and bodies of emails, are they simply comparing a URL to a blacklist and making a quick decision? Or are they taking everything into account—the content of the attachments to the emails and the data within the files being transferred? Whatever solution you choose, it must be practical, keep business flowing, and protect you against liability.

(Photo by thebadastronomer: http://www.flickr.com/photos/badastronomy/ / CC BY-SA 2.0)