When it comes to protecting data, there isn't one end-all, be-all solution. That's truer now than ever, when your most likely threat is your own employees. As more workers blur the line that surrounds the workday and bring their laptops, smartphones and other devices home, they are potentially putting their companies' data at risk. In a recent CIO survey, 34 percent of respondents had a security breach where their own current employee was the culprit.

Data loss prevention tools provide ways to identify risky data-handling activity and enforce a remediation action, says Jonathan Penn, VP of security and risk management at Forrester Research. Currently available software to prevent data loss addresses three levels of security: protecting networks from rogue devices, protecting systems from inappropriate access and protecting data itself. A modern strategy to keep data secure should involve a bit of each, says Penn.

Block Unknown Devices

Deputy CIO Jeff Kuhns needed to protect the networks of 24 campuses within the Pennsylvania State University System against rogue devices - that is, any device not expected to be on the local area network (LAN). To address this challenge, the university's CIO deployed software from Mirage Networks.

The software offers a traditional approach to protecting data by keeping outsiders at bay. Once installed, the Mirage system locates connected devices.

The IT department can set up access policies for each device and for individuals or groups of users. The system protects data by blocking unauthorized devices from accessing prohibited data, thus ensuring that data is safe.

Such 'agentless' solutions are good for organizations that have little control over the devices that their many end users choose, says John Kindervag, a senior analyst at Forrester.

Unlike agent-based solutions, which require software on the device itself, agentless solutions reside on an enterprises' network. However, as with any security tools, they can't stand on their own. "Agentless [technology] has been the primary way data loss prevention has been deployed," says Penn, "but few vendors have rich agent functionality that is unified with network scanning and remote discovery."

At Penn State University, says Kuhns, Mirage software is part of "a defense-in-depth deployment of multiple systems and strategies." These include traditional security devices and software such as firewalls and anti-virus technology.

 

From Devices to Databases

With limits to network-based protection in mind, some organizations and their CIOs have turned to tools that ensure legitimate users don't access data improperly. That's the problem that Nick Ray, CEO of expressHR, wanted to address and fix.

ExpressHR helps companies in the UK manage temporary workers. "Our whole business is this application of sensitive data," including Social Security numbers and passport information. "If there was a security breach, it would be terminal," says Ray, describing a scenario that makes headlines. Before heading up expressHR, he was co-founder and CEO of Prevx, an Internet security company.

"The biggest potential risk was from someone on the inside abusing the system and using the information for something other than work," he says. ExpressHR has tens of thousands of users (including recruiters and hiring managers) who access their database.

Ray deployed software from Secerno, which provides activity monitoring of databases. "It could learn what were normal requests from the database," says Ray. With the information the Secerno product gathered, the software could automatically build rules to prevent unauthorized usage of expressHR's sensitive data.

 

Ensuring Usability

The software allows systems administrators to define rules that reflect their particular database's activity. The software learns how the customer's application talks to the database - such as how many times a day a file is accessed or whether it's ever printed. Those typical queries become the basis for access policies. If data is accessed in an unusual way, the system notifies IT managers and automatically executes policies for containing the problem (such as quarantining users or locking down the data).

Ray says the biggest downside to a rule-based solution is the potential to block a legitimate transaction if a rule is improperly specified. Ultimately, he says, the risk of blocking a normal transaction is negligible.

 

Ensuring Usability

Once you've given someone access and have established access polices, then what? There are granular questions to ponder: Who can edit the data? Or print it? And who can distill it into a different format?

Those are normal workflow questions, so it's important to figure out how people use the data when trying to implement security and usage policies.

"You could make your organization extremely secure, but it'll probably be at the expense of the workflow," says Ed Gaudet, senior vice president of corporate development and marketing at Liquid Machines, a provider of enterprise rights management software.

Companies such as Goldman Sachs and Dow Chemical use Liquid Machines software to protect intellectual property by defining not only who can use the information but also how they can use it. The software is typically used to encrypt all corporate data and lets systems administrators create access and usage rights to protect against misuse.

When unauthorized users access data they don't have rights to, they get a message telling them the file is protected.

Controlling information at the data level allows different policies to be set for individual users who travel with the data, even when it leaves the network. This level of control allows security policies to be based on the type of job a person has to do.

That approach maps well with collaborative workflow, says Gaudet, because role-based controls can change as workflow changes. Whatever tools you use, effective data loss prevention requires you to classify your data, a step many organizations often skip, notes Kindervag.

"Until companies classify their data correctly," he says, "all data loss prevention efforts will fail."

 

 

 

What's Your Risk Appetite?

 

The whole concept of risk appetite is an understanding of an organization's desire to take on risk when weighed with potential reward. For most companies, this stays at an implicit level. But companies that are leading the way from a risk appetite perspective are trying to make it explicit.

Risk decisions range from how an organization invests capital, to budget considerations, to how to implement a strategy, to whether a strategy even fits within the overall risk appetite of an organization.

The most urgent need right now is for companies to reconsider what their appetite for risk is in light of the huge changes in the external environment. Based on organization's position, strengths and overall ability to take on risk, do they need to make some adjustment? For some companies that are strongest in their space, this might be a good time to buckle down and take more risk. The opportunity on the upside could be tremendous. Other companies that are border line, or are potentially on the verge or major problems, might really need to dial down risk taking activities to stabilize the organization.

 

What's Your Risk Appetite?

Risk appetite isn't an explicit tool. Very few companies are so good at it that they can use a programmatic approach to market conditions like we've seen in recent months. So, for most companies, it's been a very ad-hoc-type approach.

Risk appetite and how often a company considers it is really tied back to how much change is going on in the environment - whether its change that is driven by external factors, like in the market today, or if its change being driven by an acquisition, merger, or major expansion. That level of change in and around an organization is what drives the frequency with which you might reevaluate your risk appetite.

Mark Carey is a Partner in the Deloitte & Touche Governance and Risk Oversight practice.