Sharing enterprise data has never been easier. Employees can attach files to emails, collaborate on documents in the cloud, copy gigabytes of data to flash drives and access network resources from around the world. The upside to all this is an increase in productivity and job flexibility. The downside is that IT has a more difficult time protecting sensitive data, especially from malicious insiders. Organizations should consider using endpoint data loss prevention tools as part of endpoint security management.
Beware the insider job
This spring, Victorinox is coming out with a new Swiss Army Knife that will include a jump drive that can store up to 1 TB of data and support 150 MBps write speeds. With devices such as this, malicious insiders of any organization can walk off with entire databases for revenge or profit.
According to the Identity Theft Resource Center, organizations across the U.S. reported 56 incidents of insider thefts in 2011 -- 13.4% of the total number of reported data breaches.
The easiest way to transfer a large quantity of data is to copy it to a Universal Serial Bus (USB) device, but an employee intent on stealing information can also download files to CDs, DVDs, tablets, laptops or any removable media that can be easily carried out of the building.
But endpoint security management is not limited to data on removable devices. A disgruntled but determined employee might reveal confidential information through Web-based applications, social networks, text messages or email attachments. Malicious insiders have also been known to use rogue wireless access points, such as 802.11 wireless LANs, Bluetooth personal area networks and broadband wide area networks.
DLP tools to the rescue
In most organizations, IT has taken great pains to protect sensitive data from external attacks. Even malicious insiders have been mitigated through best practices such as controlling permissions, managing network accounts and updating human resources policies for hiring and termination. IT has not always been as diligent, however, when it comes to preventing endpoint data loss, partly because of the complexity involved in trying to monitor and act upon potential threats.
That's where endpoint data loss prevention (DLP) security comes in. A comprehensive system should address the risks associated with employees storing and using sensitive data at their workstations and on their mobile devices. DLP tools can scan endpoint hard disks and identify where confidential data resides and which data presents the greatest risks. They can also take action specific to certain types of data. For example, data loss prevention software might quarantine sensitive data, move it to a secure network location or encrypt it.
DLP tools can also monitor data usage at the endpoint. Any events that involve sensitive data -- such as copying files to jump drives or sending an email with a file attachment -- can be tracked.
Monitoring is only part of the endpoint security management equation. For instance, a data loss prevention software system might prevent files from being copied to USB devices or sent via email. Or, rather than preventing these actions, the system might encrypt confidential files.
More on endpoint security management:
Don't ignore mobile security effects on enterprise desktop management
Endpoint management FAQ for desktop admins
Targeted malware attacks, social engineering schemes threaten desktops
Deploying DP systems: Four DLP best practices for success
Training mobile employees on protecting data and device security
A comprehensive data loss prevention solution could also issue notifications to IT or quarantine data. It might disable the endpoint device, as well, and apply other custom responses to check suspected data loss.
Two examples of endpoint DLP tools available on the market are Symantec Data Loss Prevention for Endpoint and Websense Data Endpoint. Although Websense doesn't share Symantec's visibility, the two products offer similar features, and each is a comprehensive package for monitoring and protecting sensitive data.
Symantec is perhaps stronger in defining and managing policies and has proven effective in detecting and preventing unauthorized activity. Websense, on the other hand, receives plenty of kudos for its ease of installation and administration, as well as its comprehensive reporting. Plus, many IT pros consider Websense a clear winner when it comes to return on investment. In addition, there are other data loss prevention products.
Regardless of which DLP tools you choose, employees are not likely to respond well to having their productivity encumbered unless they're educated on the importance of protecting sensitive data. If, for example, employees understand why they are prohibited from downloading files to their jump drives, they will be more cooperative than they would be if restrictions are sprung on them when they're trying to transfer files.
The limits of DLP tools
Using data loss prevention software can greatly benefit endpoint security management, but no system can do everything. For instance, DLP tools must be installed on every network endpoint to be fully effective, yet current applications don't work on mobile phones. They also don't help when users access the network with outside devices such as home PCs or laptops in an Internet café.
Endpoint DLP tools can still help mitigate data loss, but they should be part of a multilayered approach to security. Symantec's Data Loss Prevention for Endpoint, for example, is only one part of the Symantec Data Loss Prevention Product Family, and Websense Data Endpoint is a single component in the Websense Data Security Suite. Both product families are designed to prevent data loss not only at endpoints, but also anywhere it is stored or travels across the network.
To best protect confidential data, data loss prevention software should be part of a comprehensive approach to endpoint security management that includes other technologies, such as access control and malware detection. The Websense Data Security Suite provides configuration options to integrate with firewalls and antivirus applications.
Data loss prevention and DLP tools can complement other data security measures by filling in the gaps. An antivirus program or firewall, for instance, cannot prevent malicious insiders from downloading files to a jump drive. An endpoint data loss prevention system can. No application can eradicate all risks associated with data loss, but DLP tools that are part of a comprehensive endpoint security management strategy can help in reaching that goal.
ABOUT THE AUTHOR:
Robert Sheldon is a technical consultant and freelance technology writer. He has authored numerous books, articles and training material related to Microsoft Windows, relational database management systems, and business intelligence design and implementation.
This was first published in June 2012