As a fast growing company that has developed its business around proprietary technologies, WebEx faced the same dilemma. We needed to prevent intellectual property (IP) and other sensitive information from leaving the company via the corporate network but didn't want to change or disrupt our working environment. We initially tried to handle network security and stem information leakage by communicating security policies to employees, but this approach gave us no way to monitor network usage or to enforce our written policies.
Security solutions that focused on prevention were not attractive to WebEx because they don't allow "business as usual." Every department handles different information, and it's unlikely you'll know all of the business relationships and confidentiality agreements in place with other companies such as suppliers or customers. This makes it problematic to simply block certain data from ever leaving the network. If the CEO needs to send sensitive information to departments around the country and he's blocked from doing so, he's not going to be happy.
Of course, it's possible to create groups that are allowed to send certain sensitive information outside the enterprise, but such groups can grow to include so many people that the purpose of the prevention device is subverted. In addition, some tools are stronger on the network side and weaker on the endpoint side, which also makes it easy to get around restrictions. In general, I believe employees who are prevented from transmitting sensitive information will just find ways around it. Those without malicious intent will see bypassing the restriction as "getting the job done," and since no technology offers perfect protection, it's unlikely you'll be able to prevent someone with malicious intent from going around the system.
After eliminating other options, WebEx purchased an integrated solution that includes a content-registration and monitoring appliance from Reconnex. Content registration lets users register sensitive or proprietary content in multiple ways. The solution stores these "digital fingerprints" in a database, from which they are forwarded to the monitoring device, which passively monitors all data flowing over the WebEx network and identifies security risks. A risk discovery capability captures and temporarily stores all inbound and outbound data from employee LANs for later analysis.
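The registration-then-monitoring flow described above can be illustrated with a small content-fingerprinting monitor. This is an added example, not WebEx's deployment or Reconnex's code, and the article does not say how that product computes its fingerprints; the example assumes one common approach, hashing overlapping word shingles, and uses constructed sample text (a made-up roadmap document and two made-up outbound messages). Registered documents are reduced to shingle hashes, and an outbound payload is flagged when enough of a document's shingles reappear in it, so copied paragraphs are caught even when the surrounding text and punctuation differ.

```python
import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 6       # words per shingle; shorter catches smaller excerpts but raises false positives
MATCH_THRESHOLD = 0.3   # fraction of a registered document's shingles seen before a payload is flagged


def normalize(text):
    """Lowercase, replace punctuation with spaces and split, so reflowed or re-hyphenated copies still match."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return text.split()


def shingles(words, n=SHINGLE_WORDS):
    """Yield a truncated SHA-256 fingerprint for every run of n consecutive words."""
    for i in range(len(words) - n + 1):
        chunk = " ".join(words[i:i + n])
        yield hashlib.sha256(chunk.encode()).hexdigest()[:16]


class FingerprintRegistry:
    """Content registration (register) plus passive monitoring (scan) over a fingerprint index."""

    def __init__(self):
        self.index = defaultdict(set)   # fingerprint -> ids of registered documents containing it
        self.sizes = {}                 # document id -> number of distinct fingerprints registered

    def register(self, doc_id, text):
        """Store a document's fingerprints; the original text is not kept, only the hashes."""
        fps = set(shingles(normalize(text)))
        for fp in fps:
            self.index[fp].add(doc_id)
        self.sizes[doc_id] = len(fps)
        return len(fps)

    def scan(self, payload):
        """Return {doc_id: coverage} for registered documents whose coverage meets the threshold."""
        hits = defaultdict(set)
        for fp in set(shingles(normalize(payload))):
            for doc_id in self.index.get(fp, ()):
                hits[doc_id].add(fp)
        scores = {d: len(fps) / self.sizes[d] for d, fps in hits.items()}
        return {d: round(s, 2) for d, s in scores.items() if s >= MATCH_THRESHOLD}


# Constructed sample content (hypothetical product and people, not from the article).
ROADMAP = ("Project Falcon roadmap: the Q3 release adds end-to-end encrypted meeting "
           "recordings, per-tenant key management, and a redesigned scheduling service "
           "built on the new event bus.")

LEAK_EMAIL = ("Hi Dana, here's what you asked for: the Q3 release adds end-to-end "
              "encrypted meeting recordings, per-tenant key management, and a redesigned "
              "scheduling service. Let me know if you need more.")

BENIGN_EMAIL = ("Hi Dana, the Q3 release date is still to be confirmed; I'll send the "
                "public announcement when marketing signs off.")


def build_registry():
    """Register the sample document and return the registry ready for scanning."""
    registry = FingerprintRegistry()
    registry.register("falcon-roadmap", ROADMAP)
    return registry


if __name__ == "__main__":
    reg = build_registry()
    for label, msg in (("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", reg.scan(msg) or "no registered content found")
```

The coverage score, rather than a simple yes/no on any single hash, is what lets the monitor separate a pasted section of a roadmap from an employee merely mentioning a release name in passing; tuning the shingle length and threshold trades sensitivity to short excerpts against noise from common phrases.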
Because registration, monitoring and analysis happen behind the scenes, we can have an open network that all employees can use. In effect, our network security enables "business as usual," and employees don't have to change the way they use the network. Yet we're not compromising security because we can see what information is being transmitted and where it's going. Being able to see and analyze this information has helped us understand why sensitive information is leaving our network and enabled us to change our processes in ways that will help prevent similar leaks in the future.
Analyzing monitored content led WebEx to realize that we could better protect our IP by improving the way employees label sensitive documents. For example, we found that salespeople sometimes responded to a customer's request for information with proprietary material, and we found that not everyone was labeling newly created documents as sensitive. Now we can track documents previously transmitted over the network to find and correct IP labeling problems.
We have also found that many leaks occur because employees didn't understand our procedures. Thus an important key to preventing future releases of sensitive data is to get everyone to understand the importance of security. We now incorporate information about our security system into awareness information that we distribute to all new employees. This openness has helped us gain the trust of employees and reassures them that we don't monitor everything — only what is necessary for our investigations. This openness also triggers conversations about information protection, and a number of employees now approach us with questions, concerns and requests for assistance in protecting their information.
As WebEx has grown and needed extra help, the company has made greater use of contractors, which adds another layer of risk. Contractors may need to bring in their own laptops, or they may need to access our network. Our solution lets us monitor their outgoing traffic, and we have agreements with our contractors making them aware of our policies.
In addition, we've used information gathered from our information security solution to update and enhance the presentation we use to improve understanding of our policy on confidential information. We use this real-life information to show how we found people who were violating our policies — although we don't name names. The story might be about how someone sent a document containing sensitive information via webmail to his personal account so he could work at home. We've found that it's one thing to talk about the process, but it's another thing to share stories; they have more impact. An employee might think, "Oh, I've done that," and now understands that it poses a security issue. In addition, we give employees who need to connect to our network from outside WebEx the tools they need to maintain security. We'll teach them about encrypted and clear text, and teach them how to use encryption tools. Or we may give someone who frequently works from home a corporate laptop.
Most people have their hearts in the right place, and simply aren't used to the idea that they shouldn't send certain information out of the company's control. Because we've enhanced our security awareness training to reflect the security lapses uncovered by our content registration and monitoring solution, we now see few security violations on the part of our employees. And it's still business as usual at WebEx.
-Randy Barr is CSO of WebEx