Data Leakage: Catching Water in a Sieve

Sam was stunned.  Three desktop systems were stolen along with a large amount of sensitive information.  With all the network and server controls he had in place, he still failed to prevent data theft. 

The situation above actually happened.  Along with lost or stolen laptops, PDAs, or other devices capable of storing data, desktop theft can identify a huge gap in data protection controls.  The gap is not caused by improper user behavior.  Users are only putting data in places and formats more amenable to how they work.  They store data on a variety of devices at home.  Why not do the same thing at the office?  The answer is… because it results in the leakage of data from secure locations.

Data Leakage

Data theft and data leakage are not the same.  Data leakage is the incremental movement of information from areas of high trust to myriad office locations with little or no protection.  It makes theft a little easier every day.  Most managers don’t realize that it threatens regulatory compliance and customer confidence.  Let’s use the following diagram to examine how data leakage happens. 

In the center of the diagram is the core of an organization’s data security efforts.  It includes database security controls, access controls, and secure application configuration.  Many organizations stop here, assuming they have adequately protected customer, employee, and intellectual property data.  The problem starts when users begin taking data from this controlled environment and placing it in locations with far lower levels of trust.

One of the biggest problems is the taking of information from applications and placing it into spreadsheets, PDF files, and other distributable formats.  In some cases, organizations actually distribute reports in these formats, expecting users to adequately safeguard them.  In addition to user-created files, sensitive information is often found in temporary files, print queues, and swap files created by operating systems and placed in local storage.

In addition to what might be found on desktop and laptop hard drives, data leaks to many other locations.  Our diagram shows the most common, including email, thumb drives, CD/DVD, the trash, and smartphones.  And data leakage extends beyond electronic storage to paper copies left on faxes and printers.

The layers of security surrounding primary data storage are a good start.  Without a comprehensive data leakage policy, however, preventing data theft is as easy as catching water in a sieve.

Stopping the Leaks

Stopping data leakage is not easy.  It requires behavior changes and often results in redesigning reporting and other business processes.  However, organizations that fail to stop data leakage are only kidding themselves--and the auditors--about the safety of sensitive data.

Each business is unique.  How data leakage is prevented or controlled depends on strategic and operational requirements.  The following list, therefore, is just a guide to help start internal assessments of an organization’s vulnerability.

  • Does the organization prohibit storage of files on desktops?  Does it redirect file saves to network storage devices (e.g. file servers and network attached storage)?  If Windows is used on the desktop, is the My Documents folder redirected to network storage?
  • Do reporting or data warehousing solutions allow the distribution of sensitive data to end-user devices?  Do they have to?  Is there another way to provide this information (e.g. Web portal)?
  • Does the organization encrypt sensitive data stored on mobile storage devices, including laptops?
  • Does the organization have a solution in place to monitor for and alert on instances where sensitive data is moved to or stored in areas where security controls are not adequate?
  • Do policies exist to govern the safe use of printers and faxes?
  • Does the organization provide secure receptacles for discarded paper forms, reports, and other hardcopy formats containing sensitive data?  Is secure disposal governed by policy and enforced by management?
  • Does the organization have a process for disposing of electronic or optical media?  Is secure disposal governed by policy and enforced by management?
  • Does the organization “manage by spreadsheet”, keeping large amounts of sensitive data in shared or distributed files that are not backed up or safeguarded from theft?
  • Is email monitored for content, alerting on potential sharing of sensitive data via insecure media?
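
As an added illustration of the monitoring question in the list above (not part of the original article), the following Python example walks a desktop folder and reports files that appear to hold sensitive data outside controlled storage.  It assumes payment card numbers are the data of interest; the function names, the file-extension list, and the sample folder contents are constructed for the example.

```python
import os
import re
import tempfile

# Candidate card numbers: 13-19 digits, optional space/hyphen separators.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed list of file types where exported data tends to accumulate.
SCAN_EXTENSIONS = {".csv", ".txt", ".tmp", ".log"}

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_tree(root: str, max_bytes: int = 5_000_000):
    """Walk root; return (path, line_no, masked_value) per likely card number."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) > max_bytes:
                    continue  # skip very large files in this example
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for m in CARD_RE.finditer(line):
                            digits = re.sub(r"\D", "", m.group())
                            if luhn_valid(digits):
                                # Mask so the report itself does not leak data.
                                masked = "*" * (len(digits) - 4) + digits[-4:]
                                findings.append((path, line_no, masked))
            except OSError:
                continue  # unreadable or locked file
    return findings

def demo():
    """Build a constructed desktop folder, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "q3_customers.csv"), "w") as fh:
            fh.write("name,card\nA. Example,4111 1111 1111 1111\nB. Example,1234 5678 9012 3456\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("order 20100317 shipped\n")
        return [(os.path.basename(p), n, v) for p, n, v in scan_tree(root)]
```

The Luhn check keeps order numbers and other long digit strings from flooding the report, and only the last four digits of each match are written to the findings.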

The Final Word

My experience is that data leakage from approved or accepted business practices is a significant security vulnerability.  Until it is addressed, other data protection controls are just a good start.

Copyright © 2010 IDG Communications, Inc.
