DLP & the Mega Plug
It is every professional organisation's desire to keep its valuable IPR safe, secure, and beyond the reach of compromise. To achieve this, many invest in some form of DLP application to assure that security is accommodated. However, it is here that the creeping disease of over-dependency on applications, and a security strategy that leverages the out-of-the-box-fix-all approach, can kick a very big dent in the organisational DLP objective.
Let’s take it from the ground up. Post a Security Assessment, the Risk folk identify that there is a potential threat around valuable data and IPR finding its way out of the company door, into the hands of some waiting unauthorised person, or persons. They take this new risk to the Information Security Department, who agree that such a risk represents exposure to the organisation. The next step is to consult the CISO, who is outraged it has never been located before this point in time, and an instruction is issued to investigate a fix. The culmination of all this work is that a paper is probably originated, presented to the Executive, and the required funds are released to make this hole disappear – job done.
The problem is, as observed on many occasions, that the mushing disease of ‘application dependence’ can inflict the security mission with a sense of false wellbeing that can not only manifest in a waste of company resources, but more importantly, can leave the organisation in a sublime state of ignorance of fact! As I have seen so many times, the symptoms of the brain-mushing disease of ‘application dependence’ can cause blindness, confusion, and above all can inflict a sense of over-confidence and achievement.
Here it is the everyday operational levels of exposure to Data Leakage that tend to get missed, say as a consequence of the Mega-Plug – a USB drive that can size from, say, 1MB up to 10TB, and more. A USB drive that comes in many logical forms – a USB drive that is in the shape of the ‘Internet’. So let’s explore some of the common issues that can exist in a number of organisations.
This Mega-Plug can leverage insecurity on a wholesale scale. Number one on the list is Office 2010. The question is, if your organisation has deployed it, have they taken steps to lock down the ‘Send & Save’ options that allow direct access to Cloud-based storage? Has the ability to save into SharePoint been removed, along with the functionality to Blog out directly from the Office 2010 application? If so, well done, and give yourself a pat on the back, as this is something that, on numerous occasions, has been overlooked. Sticking to the Microsoft theme, consider Office 365 with its Cloud-based Services, which can include SharePoint – here, if this has not been considered, you could have some users gaining direct access to their own SharePoint instance straight from your own LAN, sending up, storing, and accessing data as and when they desire – and of course, this may also be interfaced from the office-based, on-system Office 2010 applications.
Let us move on to some of those great zero-cost, or low-cost, Cloud Storage solutions. Take a look at the Tonido solution (www.tonido.com), which will allow anyone to run their own personal cloud, along with NAS-like Home Office based services, which support Corporate to Home Office replication of files. And then there is the Pogoplug option (https://pogoplug.com), which again provisions the user with cost-effective, personal cloud space. In fact, I have set up a few of these for test purposes, fully enabled with security, SSH, connected to a moderately sized 1TB hard drive sitting on-line, providing always-on, bidirectional storage and retrieval. And then there is the opportunity to set up a dynamic URL, which allows direct access to something like an HP Home Server, thus again allowing an out-of-band opportunity for illicit transfer and storage of some company asset. And of course this is not to mention Google, Amazon, and Microsoft Clouds, nor Windows Live Messenger.
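One defensive check a DLP owner can make against the out-of-band channels described above is to look in the web proxy logs for uploads to personal-cloud services. The script below is an added illustration, not code from the original post: it parses constructed, squid-like log lines (timestamp, user, method, URL, bytes sent), matches hosts against the two services named above (assumed watch list, to be extended with the organisation's own), and totals upload volume per user against an assumed threshold.

```python
"""Flag outbound uploads to personal-cloud services in web proxy logs.

Added illustration, not from the original post. Log format (constructed,
squid-like): timestamp user method url bytes_sent.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Services named in the post; extend with the organisation's own watch list.
PERSONAL_CLOUD_DOMAINS = {"tonido.com", "pogoplug.com"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD_BYTES = 1_000_000  # assumed per-user threshold, tune locally


def is_personal_cloud(host: str) -> bool:
    """True if host is a watched domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD_DOMAINS)


def parse_line(line: str):
    """Parse 'ts user method url bytes_sent'; return None on malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, user, method, url, sent = parts
    host = urlsplit(url).hostname
    if host is None or not sent.isdigit():
        return None
    return ts, user, method.upper(), host, int(sent)


def find_upload_offenders(lines):
    """Return {user: bytes_sent} for users whose uploads to personal-cloud
    hosts exceed UPLOAD_THRESHOLD_BYTES."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        _, user, method, host, sent = rec
        if method in UPLOAD_METHODS and is_personal_cloud(host):
            totals[user] += sent
    return {u: b for u, b in totals.items() if b > UPLOAD_THRESHOLD_BYTES}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2011-12-29T09:01:02 alice GET  https://www.example.com/index.html 412",
    "2011-12-29T09:05:10 bob   POST https://sync.tonido.com/upload 734003200",
    "2011-12-29T09:07:44 carol PUT  https://my.pogoplug.com/files/q3.xlsx 120000",
    "2011-12-29T09:08:13 bob   POST https://tonido.com.example.net/x 99999999",
    "malformed line",
]

if __name__ == "__main__":
    print(find_upload_offenders(SAMPLE_LOG))
```

The fourth sample line shows that a look-alike host whose name merely starts with a watched domain is not matched, because the check is on the domain suffix.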
But do the aforementioned risks present surfaces of attack in the real world, or are they just figments of a blogger's imagination? That, I guess, I will leave with you to decide, but in the meantime, it may be a good idea just to go and check what DLP really means in your organisation.
Posted 29/12/2011 by John Walker
Tagged under: SSH, DLP, Internet, Cloud