IT organizations have learned the hard way that leakage of confidential information, whether it trickled out inadvertently or passed through in a calculated fashion, can levy heavy damages against market share and brand reputation, and potentially give rise to civil lawsuits and punitive fines.
The danger of data leakage is clear and present. Research conducted by InfoPro says 72% of enterprises surveyed report that internal security threats pose an equal or greater problem than external risks. An ability to prevent disclosures, or at least manage them, is critical to complying with industry and governmental regulations and guarding brand reputation.
IT executives must take a more proactive approach to monitoring and securing all data in motion. Not only e-mail but all forms of electronic communications must be monitored - instant messages, peer-to-peer, Telnet, FTP traffic, automatic faxes, posting to discussion boards and online business transactions.
Enter a slew of new and reconditioned products geared toward blocking sensitive data from leaving the corporate network. Vendors in this market include Fidelis Security Systems, Intrusion, Palisade Systems, PortAuthority Technology, Proofpoint, Reconnex, Tablus, Vericept and Vontu (see Excel product chart).
These vendors have developed network-based products that can monitor data in motion and in some cases, data at rest. This lets an organization identify data-flow patterns, such as a human resources department distributing unsecured employee information via e-mail. Policy-violation alerts can be sent to administrators, the sender and/or the user.
These products can quarantine suspect data before it leaves the network, so it can be appropriately reviewed before going on to its destination. Suspicious activity, such as an employee e-mailing marketing plans to her Hotmail account or another employee accidentally copying someone on an e-mail containing customer information, can be blocked immediately.
In a nutshell, these products help shield an organization against breaking local or federal privacy laws, violating corporate policies, ignoring e-mail best practices, losing intellectual property and exposing customer information. In addition to providing a final security checkpoint, these products can be used as a training tool to teach employees how to protect private, sensitive data and as the means of providing evidence that a company is serious about data privacy.
On the flip side, these products register false positives, miss some legitimate policy violations and - with the six-digit price tag they often carry - can be difficult to cost-justify.
Savvy companies realize that proactively managing and protecting intellectual property and customer data is like putting money in the bank, says IDC security analyst Brian Burke.
"It not only reduces the possibility of legal and financial risk but also helps to protect and safeguard an organization's future revenue," he says.
The market
One of the difficulties with these products is that the industry doesn't quite know how to classify them.
Gartner analyst Paul Proctor refers to these wares as "content monitoring and filtering" tools. IDC analyst Dan Yachin calls them "information leakage detection and prevention" products, while in military deployments they are referred to as "extrusion prevention systems."
Despite the confusion over the product category name, Proctor predicts this market will double each year for the next two to three years. He expects an increase in shipments from both start-ups and well-established security vendors.
"The market for these solutions is relatively immature, as the adoption . . . relies on organizations' growing awareness of the inside-out threat," Yachin says.
The key function of these products is to help organizations comply with data privacy law. Their niche is to guard against both the intentional and accidental leak of sensitive data. The underlying technology won't provide an all-encompassing answer to data privacy, but it's a key ingredient to be coupled with user education, encryption safeguards, access-control mechanisms, physical security, and incident response and reporting processes inside an information security infrastructure.
Some users view these products as potential employee-monitoring tools, providing ways by which an employer could infringe upon the privacy of people sending and receiving information. But vendors are quick to say that spying on employees is not a prime objective.
"Our tool is not used as Big Brother monitoring but as a tool to educate employees about what's occurring on the network," says Kevin Cheek, vice president of marketing at Reconnex, maker of the Reconnex inSight Platform.
Still, it would be wise to investigate whether these tools violate any labor, civil or criminal laws in the country where they are implemented.
The Inner Workings
Most of the vendors in this space primarily attack the data-leakage issue from the network perimeter, as their products are designed to sit as the network's edge and scan multiple communication protocols used for applications such as e-mail, Web browsing, IM and FTP to determine whether sensitive content is wrongly communicated outside corporate network boundaries. A monitor that typically hangs off a network switch captures traffic and passes information about it back to the administrative console for analysis and storage purposes.
In addition to its primarily network-focused monitoring, Vericept offers a client-based approach that lets network policies created in its Vericept 360° Risk Management Platform be selectively pushed down to the desktop. PortAuthority and Tablus also get kudos for having both network perimeter and desktop enforcement features built in to their products.
Most organizations initially install these products and run them for several months in a simple monitoring mode (instead of immediately blocking threats) to watch employee work activities, so they can identify trends that will assist in establishing appropriate policies. Many products offer policy wizards that help define the keywords or patterns to look for in addition to monitoring for specific user behavior, such as altering certain documents. When these attributes are used in conjunction with policy rules, administrators reduce the risk of false positives.
Once an administrator has imported specific data formats, such as Social Security or credit card numbers, into these products, he can create policies that will notify him whenever data has left the corporate network with those numbers.
For example, an employee sent two e-mail correspondences: one with Social Security numbers in the message body and one with employees' names and SSNs in an Excel file. Using pattern matching, these products should capture the illegitimate traffic and send the appropriate alerts.
Several products also have built-in and customizable domestic regulatory compliance and security policies that can be modified to fit specific business environments. However, not all products have predefined regulation templates for Canada's Personal Information Protection and Electronic Documents Act or European regulations.
Vendors claim bragging rights based on the number of document types supported, but this can be misleading. The majority of our respondents give between 250 and 400 supported file types, while others say they support as few as 73 file types. The higher counts may occur because vendors count Microsoft Word Versions 98, 2002 and 2003 as three individual decoders while others consider them to be one.
When it comes to discovering and protecting sensitive data at rest - such as data sitting on laptops, desktops and in-file servers - PortAuthority, Reconnex, Tablus, Vericept and Vontu all support this feature.Real world deployments
How a company uses data-leakage prevention products is unique to the internal culture of the organization, the industry it plays in and what it ultimately hopes to gain from using these products.
MedAvant, the nation's second-largest provider-based healthcare technology company, uses PortAuthority Technologies to ensure that data for more than 450,000 healthcare providers, 30,000 pharmacies, 500 laboratories and 100,000 payer organizations is secure within the MedAvant network. MedAvant's most important use of PortAuthority is monitoring and enforcement for compliance, and it is using the product to block the sending of sensitive information. According to a MedAvant representative, a key factoring in choosing the PortAuthority product is that it can block the sending of sensitive information via any communication channel with false positives of less than 1%.
Boston College went with Fidelis's DataSafe product. "It gives us the ability to implement granular policies to protect our sensitive information without compromising the information sharing critical to an educational institution," says David Escalante, BC's director of computer policy and security.
Mark Moroses, senior director of technical services at Maimonides Medical Center in Brooklyn, N.Y., says that its built-in features to help the hospital comply with HIPAA regulations and its ability to do pixel analysis for identifying pornographic content were deciding factors for the hospital's choice of the Reconnex suite of products comprising iGuard, iController and iManager. Moroses says the choice was also an economical one as Reconnex representatives priced the product within the hospital's budget. In addition, the Reconnex 48-Hour e-Risk Rapid Assessment network-monitoring evaluation provided Moroses with an assessment of the insider risks and exposures that might require additional investigation.
Sharon Finney, information security administrator at DeKalb Medical Center in Atlanta, says a deciding factor for her choice, ProofPoint, was that its tool ships preconfigured with a specific set of current procedural terminology codes for the healthcare industry.
Audit logs and the courts
Extrusion-prevention technology should be one component of an overall internal and external auditing process, as it keeps an eye toward improving operational efficiencies by identifying internal policy violations; providing more accurate financial reporting; limiting exposure to class-action lawsuits; and complying with applicable industry, local and federal regulations.
But can the audit logs generated by these products help in legal situations involving employees who criminally violate company policy?
While noting that the privacy laws have not really been tested in the courts yet, Gartner's Proctor says the logs and reports generated from these data-leakage products indicate that a corporation is taking effective, efficient actions to maintain privacy practices required to avoid the courtroom.
Kit Robinson, Vontu's director of corporate communications, notes that while Vontu's product logs may trigger an investigation into suspicious activity, its real purpose is to prevent data from being leaked. For real forensic analysis on the data collected by Vontu's product, Robinson points to his company's relationship with Guidance Software, a leading vendor of forensic tools.
To illustrate her belief that these products help with the audit process, Vericept spokeswoman Nina Piccinini points to one Vericept customer that faced a sexual-harassment case brought by one of its employees. The employee claimed her boss was leaving pornographic material on her desk and sending her sexually explicit e-mail. By using Vericept's 360º Risk Management Platform, this customer was able to determine the employee doctored the evidence herself. When the captured information was reviewed with the employee, she dropped the suit and left the company, Piccinini says.
Paying the price
In general, these products are costly. Pricing varies greatly, but most vendors will charge per user/workstation, per appliance or per the exit points at which information can leave the corporate network, such as through e-mail attachments, IM and data uploading to an FTP server.
Organizations in highly regulated industries can more easily justify the investment in products that monitor outbound content. But taking into account the financial damage associated with the loss of intellectual property and governmental fines, the vendors report that even small and midsize businesses (SMB) are showing interest in these products. An SMB may be able to keep the price tag at less than $100,000, but an enterprise-level system supporting thousands of users will easily run between $200,000 and $500,000.
While the vendors we surveyed offer professional services to assist with project implementations, we believe most organizations should be able to install them with minimal assistance from the vendor. However, you'll likely have to pay service and support dollars when it comes to policy creation, troubleshooting network performance and integrating the data-leakage monitoring into custom applications.