Comment: Keeping Your Organization Safe from the WikiLeaks Phenomenon

Boyce says there is no single solution to prevent a WikiLeaks-type scenario

When it comes to preventing a WikiLeaks-type scenario, clearly a multi-level approach is needed. The best information security practice combines people, processes and technology. There is no single solution.

The first step is to review your information security policy. If your organization doesn’t have such a policy, now would be a good time to get one.

At the most basic level, an information security policy must define different classes or types of information, and it must prescribe how the organization needs to handle that information to keep it out of the wrong hands. Take a cue from government intelligence agencies, which only distribute information on a “need to know” basis. In your organization, the people who need access to customer contact data are probably different from the people who need access to financial data, and different again from the people who need access to source code.

The second step is to segment information resources in a logical or physical way. This helps you design and manage security controls over that information. If you do not know where your organization’s data is stored, then now would be a good time to begin an audit. This process can take a long time – as much as a year if you have a large, complex organization. Don’t let that discourage you from starting the process now. Information discovery tools are available from multiple vendors to help discover, identify, and classify the types of information you will find.

The third step is to enforce your information security policy at the application layer. Audit all of your information systems, such as your email servers and internal document repositories. Ensure that logins, distribution lists and public folders control access to sensitive data in accordance with your information security policy.

The fourth step is to enforce your information security policy at the network layer. Sophisticated, role-based network access control can be used to provide an additional layer of security on top of application security. For example, your policy might say that only members of the finance department and certain key executives should have access to corporate financial data. If your organization implements role-based network access control, only authorized personnel can see (or access) the servers on which this financial data is stored. To everyone else in the organization, the servers simply don’t seem to exist.

Role-based network access control is effective, and it can be surprisingly easy to deploy. Look for a product that lets you define policies based on group memberships in user directories. Some of the more advanced network access control products are able to update access control lists on your existing switches and routers, for the ultimate ease of use. In this scenario, the network access control device functions as a large brain, applying command and control over your existing network infrastructure.

Finally, enforce your information security policy at the desktop. Does your policy prohibit use of unauthorized applications such as password crackers, remote login, or instant messaging? If so, then you need to enforce it. Does your policy prohibit the use of removable media, such as USB drives and CDs? Once again, if so, then enforce it.

Many approaches are available for desktop policy enforcement. Some products are based on software agents, others are based on network appliances. Unless your organization has a very large IT security staff, look for products that combine multiple security functions – for example, network access control AND desktop policy enforcement.
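The steps above amount to a need-to-know check: classify the information, record who the policy allows to handle each class, and then audit what the application layer actually grants. The following is an added example (not the author's or ForeScout's code) with a constructed policy, directory and resource list; it expands directory groups to users and reports every user whose effective access exceeds the policy for that information class.

```python
# Need-to-know access audit. Added example with constructed data: the policy
# maps each information class to the directory groups allowed to handle it;
# each resource is labelled with a class and the principals the application
# layer grants. The audit expands groups to users and flags excess access.

POLICY = {  # information class -> groups permitted by policy (constructed)
    "customer-contact": {"sales", "support"},
    "financial": {"finance", "executives"},
    "source-code": {"engineering"},
}
GROUPS = {  # directory group -> members (users or nested groups), constructed
    "finance": {"alice", "bob"}, "executives": {"carol"},
    "sales": {"dave"}, "support": {"erin"}, "engineering": {"frank"},
    "all-staff": {"finance", "executives", "sales", "support", "engineering"},
}
RESOURCES = {  # resource -> (class label, application-layer grants), constructed
    "share:fs01/finance": ("financial", {"finance", "carol", "dave"}),
    "mailbox:board-reports": ("financial", {"all-staff"}),
    "repo:product": ("source-code", {"engineering"}),
    "crm:contacts": ("customer-contact", {"sales", "support", "frank"}),
}

def expand(principals, groups=GROUPS):
    """Resolve users and (possibly nested) groups to the concrete set of users."""
    users, pending, seen = set(), list(principals), set()
    while pending:
        p = pending.pop()
        if p in seen:
            continue  # also guards against cyclic group nesting
        seen.add(p)
        if p in groups:
            pending.extend(groups[p])
        else:
            users.add(p)  # a principal that is not a group is a user
    return users

def allowed_users(info_class, policy=POLICY, groups=GROUPS):
    """Users the policy permits for an information class; unknown class is an error."""
    if info_class not in policy:
        raise ValueError(f"unclassified information class: {info_class!r}")
    return expand(policy[info_class], groups)

def audit(resources=RESOURCES, policy=POLICY, groups=GROUPS):
    """Return {resource: sorted users whose effective access exceeds policy}."""
    findings = {}
    for name, (info_class, grants) in resources.items():
        excess = expand(grants, groups) - allowed_users(info_class, policy, groups)
        if excess:
            findings[name] = sorted(excess)
    return findings
```

In the constructed data the board-reports mailbox is granted to an all-staff distribution list, which is exactly the kind of over-broad grant the article's application-layer audit is meant to catch.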

A US Army private is alleged to have been responsible for some of the information published by WikiLeaks. Purportedly, he used a simple USB memory stick to remove the sensitive data from the US Army network. By limiting the use of these devices in your organization, you can help prevent (or at least minimize) the kind of massive data loss that recently befell the US government.

Gord Boyce is CEO of ForeScout, a provider of network access control and policy compliance solutions for large government organizations and global enterprises. A high-tech veteran with over 20 years of industry experience, Boyce has been with ForeScout since 2006 and was named CEO in 2010; he oversees all of ForeScout's operations and advanced development decisions. Prior to ForeScout, Boyce held several senior management positions within the Nokia Internet Communications group and, most recently, served as vice president, sales and marketing, for the Americas Enterprise Solutions business group. Prior to Nokia, he held sales management positions with VoIP pioneer Vienna Systems, which was acquired by Nokia in December 1998, as well as other telecom and datacom sales positions. Boyce holds a Bachelor of Engineering and Management degree in electrical engineering from McMaster University in Ontario, Canada.
