15 October 2013 - by Thom Hooker
Securing Your Data Part 1 - Protecting from data leaving your site
Following on from my last blog entry about the risks of off-shoring your data I thought I'd follow up with something positive this time. The good news is that, despite the risks of using modern communication tools such as email, you can take steps to ensure the security of your data.
In the first of a 2-parter about securing your data in the email world I'll talk about minimizing the chances of the wrong people getting access to your documents sent via email through the implementation of data loss protection (DLP) rules.
SMX helps a multitude of companies secure their email communications everyday. We achieve this by taking a multi-layer approach to the problem, utilizing complementary filters and technologies from different vendors to provide a secure service covering many different types of attacks, probes and general annoyances that are commonplace on the public Internet these days. (And yes I do mean these days - I remember working for a certain large ISP in the mid-late 90's where we would hand-code rules on the mail platform to stop individual spam runs, open mail relays were standard practice for any business running their own mail server and all us admins had our very own Internet route-able public IP address on our desktops... ah those were the days :))
We take this multi-layered approach to securing our customer's outbound traffic as well, however this is an across-the-board approach which can only ever catch the common cases such as spam, viruses, trojans and phishing attacks. If you have specific data security needs the good news is that it is possible to ensure your data doesn't leak out to the public Internet. In order to protect an organization's confidential data we need to take a specific look at their requirements and build up some rules to firstly detect the type of data they're trying to protect and secondly alert appropriate staff that a data breach has occurred.
The best way to perform the detection stage is with pattern matching algorithms, AKA regular expressions (regex). Using this technique it's relatively trivial to compose regular expressions based on business rules that will detect the data you're trying to protect. In SMX's case we do this in conjunction with our customer's technical & HR teams and, through an iterative process, we establish a rule set with certain pattern matching algorithms to meet their individual needs. For example, we have a number of financial institutions on the SMX service who have PCI DSS (Payment Card Industry Data Security Standard) requirements. Based on the fact that most credit card numbers are between 13 & 19 digits long and begin with certain known prefixes we can construct regular expressions that will look for patterns (numbers) that look like credit card strings. We then apply some qualifiers to improve the accuracy and to reduce the likelihood of false positives (incorrectly detecting a string as a credit card number; for example some meeting invites sent from Outlook contain strings that could falsely trigger credit card detection algorithms).
The same techniques can be applied to different types of data. For example, detecting patient data leaving health board networks can be achieved by creating regexs that look for patient's unique National Health Index (NHI) numbers.
Metadata to protect your confidential information
Stamping documents with hidden metadata also provides a further layer of security at your site and makes it harder to subvert your rules by just changing the name of a document. Metadata (or meta tags) are hidden fields embedded inside documents. This metadata is not normally visible to users and therefore not editable by them. However savvy organizations can utilize these hidden fields to stamp ownership, trademark or copyright statements on their data. In this way owners of confidential data can create custom patterns that can then be detected as emails pass through the outbound message filter.
Dealing with a data breach
Once a data breach has been detected by your filters it's important to inform the right people. Some of our customers allow the email to go out as normal but BCC the email to their admin mailbox, other customers block the email outright with a very clear warning to the user, logging the result along the way, while others redirect the email to a sideline mailbox and alert the admin team that there's something to investigate. Having a good audit trail of all data breach attempts, successful or not, is also extremely handy in these circumstances.
The type of data you're wanting to secure will vary from other sites as will the way in which you deal with a data breach when it occurs. However, the important point here is that the technology exists today that allows you to confidently & easily prevent confidential data from leaving your site. If you're not protecting your confidential data with some simple DLP rules then you can't be sure your data is secure.