Data Protection is Impossible

By Richard Stiennon


Preventing data loss is one of the biggest challenges facing any CIO today. The problem is that data protection is impossible. From the moment data is generated it is at risk of being misused, falling into the wrong hands, being sold to industrial spies, or simply falling off the back of a truck—literally. Protecting all data, from inception to final back-up and storage, is not just difficult, it’s not feasible.


That is not to say it is futile to install procedures and technology to protect data. You should just be aware that, ultimately, there will be a data loss incident and you will have to deal with it. At the same time, you can only spend so much to protect data. At some point, the return on investment in terms of better protection runs afoul of the loss of productivity introduced by more and more draconian measures.


The first issue facing the organization is determining which data to protect. “Everything” is not an acceptable segmentation. Most organizations start with personally identifiable information (PII), which includes names, addresses, birthdates, Social Security numbers, employment records, and health records of customers, employees, or the general populace. It is the loss of these records that has given rise to the current spate of public disclosures of data loss. A California law (1386) passed in 2001 requires notification of every individual whose PII is lost, be it through theft or just a CD left in the pocket of an airline seat by an over-worked auditor.


Check out this site (http://www.privacyrights.org/ar/ChronDataBreaches.htm) for a continuously updated list of major data losses by U.S. companies, universities, and government agencies.


Just protecting something as simple to find and segregate as PII is a daunting task. Best practice is to encrypt just the columns in a database that contain SSNs, credit cards, and other PII. That avoids the mass theft of data as in the infamous TJX loss of 90 million credit card records. But what about when someone accesses the database? Can they write a script to systematically mine the database to pull that info? Can they subscribe to that database as some Nigerian entrepreneurs did to ChoicePoint, the credit agency?


What if the data is more than PII? Plans for a new missile for instance? Or internal financial discussions about an upcoming acquisition? Chemical formulae? Trade secrets? Quarterly results? The crop report? Salaries of executives?


I mention the last because when Lee Iacocca was negotiating major concessions from the UAW, a union janitor in the data center happened upon a greenbar printout of all of the top executives’ salaries. It put Iacocca in a very uncomfortable position when those high figures were made known.


Once you have identified the information you want to protect, how do you prevent it from leaking? There are vendors who provide products that search your internal network, find certain types of critical data, tag it, and then block it from leaving via the network. That plugs a huge hole. Just make sure you have deployed gateway filters over email, IM, file transfer, Web forms, and VoIP.


What about small storage devices like USB thumb drives, hard drives, PDAs, even cell phones and iPods? There is the case of the Indian IT worker at the secret intelligence agency who delivered stolen data to a U.S. embassy on USB thumb drives. There are solutions that can monitor USB devices and even block all but approved types. Or you could order PCs from the manufacturer with no USB ports. Either way you introduce friction to the everyday task of moving information around.

Laptops are the biggest threat because they contain all of the files, emails, and data that an individual has ever worked on. Full disk encryption is becoming more and more feasible, but few organizations have effectively enforced it. Besides, what if the owner of the laptop is the one stealing information?


So here you are. You have found all of the critical information that needs to be protected, and you have encrypted it everywhere it is “at rest” or stored. You have installed gateway filters at every network connection point. You have encrypted every hard drive on every laptop. You encrypt all of your backup media. You control USB devices. You control and record every print job. You have deployed industry best practices for data protection.


Along comes a disgruntled employee set to leave your organization. He wants your customer list, which resides in a convenient spreadsheet format. He cannot print it out, he cannot email it to his Gmail account, he cannot put it on his iPod. So, he simply brings it up on his desktop and uses the camera on his phone to take screenshots and send them instantly to himself.


How do you stop that level of determination? You don’t because you can’t. Data protection is impossible.

Now a consultant, Richard Stiennon was most recently chief marketing officer for Fortinet, the largest privately held security vendor. Prior to that he founded and served as chief research analyst at IT-Harvest. Before IT-Harvest, he was VP of Threat Research for Webroot Software.

He is the holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 most powerful people in Networking" by NetworkWorld magazine.