Axway CSO Taher Elgamal stars in spoof of Intel’s “Sponsors of Tomorrow” TV spots

Data Leak Prevention is Going to Grow Into a Set of Tools That Enforce Policies

Insight from Taher Elgamal, Axway’s chief security officer.

Axway CEO Christophe Fabre Talks About Day 1 of Axway Connections ’09

The Next Frontier in Content Filtering: Large Files

by Willy Leichter
Director, Product & Solutions Marketing
Axway

It’s pretty well established that corporate email should have some types of content filters. Everybody uses them for inbound spam, and despite those who cry “Big Brother!”, there are many important (and legal) reasons that organizations need control over outbound content. For example, if your company deals with credit cards or social security numbers, you have an obligation to make sure they are not casually, or accidentally, sent unencrypted or to the wrong recipients.

Most organizations also have a legal responsibility to prevent harassment claims by keeping employees from surfing inappropriate or dangerous websites. While many people bristle at the idea of their web surfing being filtered, IT needs to have some control over what’s coming in and going out through the corporate firewall.

Which brings us to what is often an IT black hole: FTP. Many organizations allow completely unmonitored FTP, and quite frankly, those organizations don’t know what’s going on with the files leaving their networks, since even legitimate traffic can be a conduit for sensitive information or malware.

For instance, large files are regularly sent for business purposes between banks and partners with lots of personally identifiable information, and often banks will send more information than necessary. When going through FTP or other file transfer protocols, there is typically no visibility into file content.

My company was involved in a project with one of the largest banks in the world, and they were specifically concerned about PCI compliance. They needed to make sure that credit card numbers or social security numbers were not included as part of large file transfers. But, more importantly, they absolutely did not want traffic to be stopped if there was a possible violation. Whatever the security concerns, stopping traffic, a move security purists are quick to advocate even for the most righteous of reasons, will make heads roll.

To solve this we developed a system to strip out specific, personally identifiable information from files, on the fly, based on policy rules, without stopping the entire file transfer process. While this type of filtering has become an accepted best practice for email, applying this technology to file transfers is groundbreaking.
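The following is an added illustration of the kind of on-the-fly, policy-driven redaction described above. It is not Axway's product code and not the system built for the bank; the policy names, regexes, sample records and output format are all constructed for this example. It scans a file line by line, replaces credit card numbers (confirmed with a Luhn check to avoid flagging arbitrary digit strings) and US social security numbers according to a policy, and records an audit finding for each hit that carries no raw value. The transfer itself never stops: unmatched and non-validating content passes through unchanged.

```python
import re
from typing import Dict, List, Tuple

# Constructed policy for this example: which data classes are inspected and what
# happens to a hit. "mask" keeps the last four digits; "remove" replaces the field.
POLICY: Dict[str, str] = {"card": "mask", "ssn": "remove"}

# 13-19 digits, optionally separated by spaces or hyphens (card numbers in files
# often carry formatting). A match is only treated as a card if it passes Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the dashed form, rejecting area/group/serial values that are never
# issued so that ordinary 9-digit identifiers are not flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed sample file content (CSV rows), not real account data.
RECORDS = [
    "acct,name,card,ssn,note",
    "1001,Jane Doe,4111 1111 1111 1111,123-45-6789,wire ok",
    "1002,John Roe,1234567890123456,987-65-4320,ref 1234567890123456",
    "1003,Ann Poe,5500 0000 0000 0004,none,",
]

Finding = Tuple[int, str, str]  # (line number, data class, action taken)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out phone numbers, order ids and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_keep_last4(token: str) -> str:
    """Replace every digit except the last four with X, keeping separators."""
    n_digits = sum(c.isdigit() for c in token)
    out, seen = [], 0
    for c in token:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "X")
        else:
            out.append(c)
    return "".join(out)


def redact_line(line: str, line_no: int,
                policy: Dict[str, str] = POLICY) -> Tuple[str, List[Finding]]:
    """Apply the policy to one line; never raises, never blocks the line."""
    findings: List[Finding] = []

    def on_card(m: "re.Match") -> str:
        token = m.group(0)
        if not luhn_ok(re.sub(r"\D", "", token)):
            return token  # looks like a card but fails Luhn: leave it alone
        findings.append((line_no, "card", policy["card"]))  # no raw value logged
        return mask_keep_last4(token) if policy["card"] == "mask" else "[CARD REDACTED]"

    def on_ssn(m: "re.Match") -> str:
        findings.append((line_no, "ssn", policy["ssn"]))
        return "[SSN REDACTED]" if policy["ssn"] == "remove" else mask_keep_last4(m.group(0))

    if "card" in policy:
        line = CARD_RE.sub(on_card, line)
    if "ssn" in policy:
        line = SSN_RE.sub(on_ssn, line)
    return line, findings


def redact_records(lines: List[str],
                   policy: Dict[str, str] = POLICY) -> Tuple[List[str], List[Finding]]:
    """Redact a whole file's lines; returns the output lines and the audit trail."""
    out: List[str] = []
    audit: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        clean, found = redact_line(line, no, policy)
        out.append(clean)
        audit.extend(found)
    return out, audit


if __name__ == "__main__":
    cleaned, audit = redact_records(RECORDS)
    print("\n".join(cleaned))
    for line_no, kind, action in audit:
        print(f"audit: line {line_no}: {kind} -> {action}")
```

Two design points matter for the "keep business flowing" requirement: the Luhn and SSN-range checks keep false positives (and therefore needless mangling of legitimate data) low, and the audit trail records only the line number, data class and action, so the redaction log itself never becomes a second copy of the sensitive data.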

The next time you consider content filters and whether your company is using them in the most efficient, holistic manner, ask yourself: are the filters just looking at the subject lines and bodies of emails, or simply comparing a URL to a blacklist and making a quick decision? Or are they taking everything into account—the content of the attachments to the emails and the data within the files being transferred? Whatever solution you choose, it must be practical, keep business flowing, and protect you against liability.

(Photo by thebadastronomer: http://www.flickr.com/photos/badastronomy/ / CC BY-SA 2.0)

Compliance is to Security as Laws are to Morality

(Note: The following is a repost of a blog entry that appeared on http://twitblogs.com/axway earlier this summer.)

By Taher Elgamal
Chief Security Officer
Axway

July’s big security breach saw hundreds of thousands of account numbers compromised despite the fact that the host was compliant. Same thing with the Heartland breach that happened months ago. They were also compliant. And you can actually find a few dozen of these, smaller ones perhaps, where people spent millions of dollars on PCI and still had data breaches. Philosophically, where I stand is this: We invented compliance as a tool for businesses to be able to tell how well we are doing with our security. That’s the purpose of compliance. But somewhere down the line, compliance became the goal, not the tool. Our sole goal now is to merely be compliant with something! And, as it turns out, when you do that, you actually forget what you wanted to do in the first place—prevent leakage of account numbers, not just be compliant.

This applies in a lot of different areas, not just PCI. But I think PCI is a very good example of these issues. So people go through the PCI checklist, and there are twelve areas, and each area has several things, and they walk down one at a time and say, “Yes, I did this” and “Yes, I did that,” and they get a certificate. And, of course, two months later, half of the machines change configurations. New people came in, old people left. And you end up with a network that looks very different from the one that got certified.

But you can’t certify someone every day. The cost is already very high. There’s no way you can do anything more than the annual thing. And it turns out it’s becoming a pure cost, because people get certified and they still suffer through the breaches. But when you get one of these big breaches, you pay a lot of fines and fees, and it’s a very expensive proposition.

We need to start a conversation that says, “What we need to do is achieve a better level of security in our important networks.” And that implies that we understand what it is that we need to do, and that day-to-day management of important systems, machines and applications has to be implemented correctly. We’re not going to PCI certify every single thing all the time, but we need to basically carry the ideas from these compliance regulations in our daily activities because that’s how we manage correctly.

Honestly, that’s the only way you can achieve any level of security to survive.

Unfortunately, traditional security thinking here demands that we look at PCI and other standards as cures, silver bullets to fix things. And the entire industry is now thinking that that’s the wrong thing to do, because there’s not ever going to be a single silver bullet. It’s really about day-to-day management of things. We need to steer people away from thinking that “Maybe PCI is the wrong thing. Let’s look for the right thing.”

There is no such thing. The right thing is to go back to basics. Have the right security policies in place. Make sure you have a team and a head of security that understand the issues. Do day-to-day management. Self-regulate. Have the team validate what they’re doing. Forget about the silver bullet. There will never be a technological solution that fixes the security issue. Ever.

And the security issue changes constantly because the ways hackers breach these systems actually change with time. It’s not about closing the old hole so that people can find new holes to get through. It’s how you build an ongoing scheme.

What do you think? Are the big breaches of 2009 anything less than quintessential examples of organizations trying to do the right thing but forgetting that the tool and the goal are actually completely different issues? Can’t it be said that compliance is to security as laws are to morality?