Peter Stephenson, technology editor, SC Magazine
Peter Stephenson, technology editor, SC Magazine

There are several types of data leakage and we are seeing a sort of codification of what data leakage actually means, says Technology Editor Peter Stephenson.

This month we look at data leakage. This is an area that has been maturing over the past few years. There are several types of data leakage and we are seeing a sort of codification of what data leakage actually means. That has resulted in two distinct types of products: endpoint and network. Data leakage prevention is an interesting example of how security products evolve.

Initially, data leakage was seen as a network-based problem, or at least that is how it was viewed from the product perspective. Data leakage prevention, sometimes called extrusion prevention, consisted of watching data being sent out of the network by email, file transfer, bots or any other way that data can leave the network. But it did not take into account that the easy way for an insider to steal sensitive data is to copy it to a CD or thumb drive. The folks that make endpoint security products realized that and made solving that problem set the core of their offerings.

As a result we have two distinct types of products: those that address the network and those that address the endpoints. We look at both this month. The endpoint products still retain much of their endpoint security personalities, while the network products have evolved into some very sophisticated areas, such as data leakage caused by malware.

The bottom line is that this market is closing in on data leakage at all levels. That's a good thing because back in 2008, Cisco did a bit of research on data leakage that resulted in an interesting – and disturbing – white paper. It found, for example, that 39 percent of the IT professionals polled were more concerned about insider threats than threats from outside. That is interesting because over the years most surveys have indicated that between 70 and 80 percent of all data loss is from insiders. The two numbers are inconsistent.

Second, perhaps in support of that inconsistency, Cisco found that 27 percent of IT professionals admitted that they did not know about the trends in data loss. There are some other facts that have come out of these reports. For example, much data is leaked through employee negligence. That is no surprise if the awareness level is low. That implies that an important part of data leakage prevention (DLP) involves keeping honest people honest and preventing user errors. The tools we look at this month can go a long way in that regard. They tend to be reasonably transparent to the user, and that is a key benefit because users will try to circumvent controls that cause serious inconvenience.

The one area that is tough to address – and is a major problem – is theft of equipment. It is hard to protect data that sits on a server that is exposed to outsiders and is stolen wholesale. A few years back, an employee in the marketing department of a financial institution downloaded the organization's entire customer database to her desktop computer. Her workplace was an open cubicle in a publicly accessible part of the institution's main offices. A thief walked in the front door, picked up the computer and walked out with the customer database of over 100,000 names and full personally identifiable information for each. If that machine had endpoint protection and full disk encryption, the thief would have gotten a computer and nothing else. As it turned out, however, a large portion of those 100,000 names had to be notified and their credit reports monitored for a year – a very high price indeed given the far less expensive alternative of protecting the computer and educating the employee not to download the customer database to a desktop computer.