Practical Data Loss Prevention
(Week 3 of 4)
by Michael McKinzie, CISSP
Last week we talked about data classification, policies and restrictions. My conclusion is that it is very difficult for organizations to fully implement a broad restriction of access to personal-use sites such as social networking sites, webmail, blogs, YouTube etc. Although many tools exist to help enforce this policy on the LAN, or corporate network, users may simply use their Internet-enabled phone/smart-phone to access these sites undetected by IT security.
If the organization allows synchronization of email, calendars, notes, documents or files, or maybe even hosts an extranet service like a CRM application that is accessible to the mobile sales force, it is important to know the type and class of the data being shared. Mobile phones may introduce a new risk of compromising sensitive data, one that is not as easy to control as implementing a gateway system or an access control list. Should the organization have the authority to control personal devices or restrict what users can do on them? It probably is not realistic to tell users they cannot bring their mobile phones to work, in case they have a personal or family emergency or want to make a personal call during a break or lunchtime. Perhaps an approach of limited use would provide better controls to monitor use, versus users turning to alternatives such as their smart-phones. I attended a concert recently where they said no cameras were allowed. I wondered how it would be enforced, since virtually all new-generation phones have an integrated camera; they did not confiscate my phone. Maybe if I had tried to march in with a high-end SLR, I would have had a problem. What type of risk does this present to organizations? (Maybe another entire discussion.)
As a former security consultant, I used the following trust and operations model.
1) Relied on Managers and Human Resources (HR) for employee background checks, and screening.
2) Provided network and data access based on job roles and responsibilities; enabled a higher level of auditing/logging for the first 90 days for all new users to monitor activity.
3) If a user had a high level of access to customer records, financial data or HR, verbose logging was enabled on the systems and reports were provided to the user’s manager on a periodic basis for review.
4) Implemented security infrastructure and policies, and used BS17799/ISO17799 as a guide; all users would sign a computer use (zero tolerance) agreement as part of the hiring process.
5) Promoted awareness/best practices through emails, meetings, and lunch-n-learns. Encouraged users to report suspicious behavior.
6) Ensured a balance of security and usability, e.g. when a user visits a site considered non-work related (webmail), a warning message appears notifying them that they are being monitored, but they can click through to continue. A simple but effective reminder not to spend too much time on non-work related sites.
So, simply put: establish a trust baseline, but restrict users from roaming servers and data they have no reason to access. You would think most admins would naturally do this, but after countless audits and vulnerability assessments there would almost always be cases of users having access to resources which were not necessary.

I believe this is a result of IT not having intimate knowledge of department application servers, of initiatives which did not involve IT, or of job changes, promotions etc., where the user is “grand-fathered” in with the original access rights and new permissions are added on top. Smaller organizations tend to have a flat and open system where many users have full access. The receptionist may handle the book-keeping and customer service, and the IT department is most likely an independent computer consultant who wants to ensure productivity while security is sidetracked. In my opinion the small business owner’s data is no less important than a larger organization’s data, so security should be woven into any IT deployment of hardware and software, and into the assignment of users’ rights.
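The trust model above (role-based access, heightened auditing for the first 90 days, verbose logging for accounts that touch sensitive data) and the “grand-fathered” rights problem both come down to a periodic access review. The script below is an added example, not part of the original post; the role entitlements, user roster and review date are constructed sample data, and any real review would read these from the directory and HR system.

```python
"""Periodic access review modelled on the trust baseline in the post.

Constructed sample data: ROLE_ENTITLEMENTS says what each job role needs,
USERS is the roster with the access each account actually holds.
"""
from datetime import date

NEW_HIRE_AUDIT_DAYS = 90                       # heightened logging window for new users
SENSITIVE = {"customer-records", "finance-db", "hr-system"}   # verbose logging + manager reports

ROLE_ENTITLEMENTS = {
    "sales":      {"crm", "email"},
    "accounting": {"finance-db", "email"},
    "hr":         {"hr-system", "email"},
}

USERS = [
    {"user": "alice", "role": "sales", "hired": date(2010, 1, 4),
     "access": {"crm", "email"}},
    # bob moved from accounting to sales; his old finance-db right was never removed
    {"user": "bob",   "role": "sales", "hired": date(2009, 6, 1),
     "access": {"crm", "email", "finance-db"}},
    {"user": "carol", "role": "hr",    "hired": date(2010, 2, 15),
     "access": {"hr-system", "email"}},
]


def review_user(u, today):
    """Return the findings for one account."""
    allowed = ROLE_ENTITLEMENTS.get(u["role"], set())
    tenure_days = (today - u["hired"]).days
    return {
        "user": u["user"],
        # rights the role does not justify: grand-fathered or simply unnecessary
        "excess_access": sorted(u["access"] - allowed),
        # new users get extra auditing for the first 90 days
        "new_hire_audit": tenure_days < NEW_HIRE_AUDIT_DAYS,
        # access to customer, financial or HR data triggers verbose logging
        # and a periodic report to the user's manager
        "verbose_logging": bool(u["access"] & SENSITIVE),
    }


def run_review(users, today):
    """Review every account and key the findings by user name."""
    return {r["user"]: r for r in (review_user(u, today) for u in users)}


if __name__ == "__main__":
    for name, findings in run_review(USERS, date(2010, 3, 1)).items():
        print(name, findings)
```

Accounts with a non-empty `excess_access` are the ones an audit would flag; the other two fields tell the admin which logging level each account should be on.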
I am interested in hearing your thoughts on:
1. How do you segregate resources? Roles, Responsibilities, other?
2. Do you think soft policies/reminders are an effective approach for non-work use of IT resources? Any experiences you can share?
3. Should organizations have a policy over personal devices such as smart-phones, personal voice recorders etc.? How would you enforce it?

I see both sides of the soft policies.
As a user I find it good.
Because I’m an intelligent user I think that I can decide for myself which content I am able to see and which not.
At my company we have a strict policy for the internet.
Everything with marked content is blocked and logged.
It’s okay, but a few websites contain useful information for me, and through the advertisements on the website they are the victim of the proxy and I only get “Access Denied” with the reason why I’m not allowed to see the content.
The soft policy or reminders would help me to decide whether it’s okay or not.
Same for the work time. If I were reminded with such information I would think twice whether I browse a bit or do some work.
But on the other hand I see the administrative horror.
You want to make the best choice between administration, security and freedom.
The problem is that you can’t do all.
Either you give the employees freedom and risk that the systems get abused or infected/damaged by something, or you are administrative and don’t allow the users to risk damaging something.
If you give them the freedom with soft reminders the problem is that you simply can’t control the system.
I can’t share any experiences about a soft policy system, but I can say that I’m a normal employee and I see the administrative difficulty of handling that thing correctly. Maybe it’s because I am learning the job as a network administrator and see things differently.
For the part of the personal devices I can simply say:
No they shouldn’t have access or control of them.
It’s ‘just’ Work.
They don’t control my life so they shouldn’t control my personal devices.
Of course the usage of mobile phones and other stuff like PDAs or netbooks is in some cases extreme and not okay, but I think that a simple policy should restrict it and that the administrative heads of the companies should act when they see massive usage of these devices during work time.
At my company it’s allowed to use a mobile phone or the internet for personal use, but it is recommended not to do this and to use this only if you have to and can’t prevent it.
This is okay because everybody is just human and can’t work from 8 up to 10 hours (or longer) a day like a machine. In cases of extreme work and little time you can’t cut off the work and use a mobile for a talk to your wife about your marriage.
It’s simply not okay. If you have work, you have to do it and that’s it.
Usage of private devices at work should only be okay when you have the time and have done your work.
German saying:
“Erst die Arbeit, dann das Vergnügen.”
translated:
‘First you have to work, then you can have free time / fun.’
You want to know how I would enforce such a policy?
Well … I don’t really know how to enforce such a thing.
Alex G.
There is no way to enforce any kind of security policy using only authority and rules. It’s all about education and marketing. You have to create security awareness throughout the company.