Joshua Mauk of the University of Nebraska says data loss prevention software keeps him aware of when sensitive confidential information is compromised.

Oct 01 2010

Gaining Visibility Into Data Loss Resources

Colleges and universities say data loss protection software helps them better understand their networks and guard against costly data breaches.

Colleges and universities say data loss protection software helps them better understand their networks and guard against costly data breaches.

Joshua Mauk, information security officer at the University of Nebraska, had a vision for what it takes to build a secure network. For him, the first step was understanding the risk environment.

"When I got here four years ago, we didn't have visibility into our network in terms of data," Mauk says. "We really didn't know what was coming in or leaving the network."

That's all changed, thanks to data loss prevention software from Symantec that sends Mauk alerts when bank account and credit card information, Social Security numbers, medical data and driver's license information leave the network.

Today, Mauk receives daily, weekly and monthly reports on the four business-critical information types that the DLP software tracks.

"If someone sends an e-mail over the Internet that includes a Social Security number or bank account information, the software flags it as a risk and sends the person an e-mail that says 'You have sent an e-mail that may have contained confidential information, please contact the security office,'" Mauk explains.

"The Symantec tool can be turned on to block certain ­behaviors, but since we are a university and have a tradition of openness, we have opted not to do that," Mauk adds.

Mauk says the Symantec tool is now in place at three of the University of Nebraska's campuses: Lincoln, Omaha and Kearney. As an added protection, the university has tools for encrypting sensitive e-mail, and university-issued notebooks that may contain sensitive data are locked down with PGP encryption software.

"It became very clear to us early on that e-mail was the primary way people send out confidential information, so it just made sense to implement tools to encrypt e-mail and notebooks," Mauk says.

Content Awareness

Eric Ouellet, vice president of secure business enablement at Gartner, refers to the kind of software that the University of Nebraska uses as "content-aware" DLP software.

Ouellet says content-aware software can determine what information is contained in a specific file, folder, application or other data store, and whether that information is at rest, in use or in transit. He says the early adopters of DLP software didn't fare so well, mainly because they didn't fully understand what these tools are good for.

"You had what I call the Christmas tree effect: False positives filled the logs with events, making the management screens blink incessantly," Ouellet says. "The early adopters tried to track everything under the sun, and that simply didn't work. It's much more effective to do what the University of Nebraska is doing in modifying the rules based on very targeted sets of data."

Ouellet says the main ROI case for DLP software is as a preventive tool. The thousands of dollars an organization may spend on a software deployment is minuscule compared with the cost of a data breach, he reasons.

DLP software is also the perfect educational tool. "There's really no tool like DLP software that can train a user on security policy," Ouellet says. "What we're seeing is a real maturity, where people finally understand what these products can do."

Tammy Clark, chief information security officer at Georgia State University, in Atlanta, agrees.

"Presenting information in terms of informing-educating as opposed to admonishing or sanctioning goes a long way in the higher education sector, especially with faculty members on campus," says Clark, who plans to fully deploy the McAfee Total Protection suite early next year.

"With DLP, if a user is storing unencrypted confidential information on their systems or doing something that violates our information security policies, you can find out what is occurring through DLP scans, then work with users to educate them and correct it as opposed to making it seem that they did something wrong."

Protecting Apollo

Another organization that is deploying DLP using McAfee Total Protection is the Apollo Group, the parent company of the University of Phoenix.

Less than 3%

The percentage of total data resources in an organization that, on average, are properly classified and protected

Source: Gartner

Scott Carlson, a principal security engineer at Apollo, says his organization supports 450,000 students, as well as 35,000 desktop endpoints.

He says the McAfee suite is used for three purposes:

  • Endpoint protection: Whole-disk encryption locks down all of the organization's notebooks.
  • USB device encryption: Apollo wants its employees to use only hardware-encrypted USB thumb drives with McAfee antivirus software. The idea here is to prevent the staff from using insecure drives that the IT department can't centrally manage.
  • Content awareness: A DLP agent on every machine scans for attempts to move confidential financial or Social Security information across the network. Users will be prevented from copying information, such as credit card numbers, to USB devices or insecure websites such as webmail portals.

"What happens is that sometimes users won't even realize they are sending confidential information, or they'll just mix personal and work information. But then all of a sudden, their confidential credit card information could be exposed," Carlson says. "Our goal is to make sure we are doing what's right for students, staff and faculty, and that we're protecting their information. That's our utmost concern."

The University of Nebraska's Mauk says once faculty, staff and students see the DLP tools in action, they quickly understand the value.

"The president of our university has seen some of the notices and has told us he's very happy to know we are taking those kinds of precautions," Mauk concludes.

Deploying DLP

Gartner offers tips for deploying DLP software at your organization:

  • Pinpoint the software's use. Determine whether a DLP deployment is intended primarily for compliance or intellectual property protection. This criteria will lead you to a DLP solution that makes sense for your organization.
  • Apply only the most important policies. This is especially true during initial deployments. Scale upwards in terms of deployment and capability complexity as the organization's experience with the software increases.
  • Take into account the performance impact on local resources. Schedule scanning activities during low-activity periods, or establish discovery as a low-level process during peak hours.
  • Be judicious about when you enable blocking. Recognize that blocking is an advanced feature that should be enabled only after the organization has experience and confidence with the DLP software. However, if your organization has significant intellectual property requirements, you might want to enable blocking at an earlier stage of deployment.
  • Consider dedicated solutions in special cases. If your organization has a unique requirement – encryption, for example – it might make sense to consider a dedicated solution. However, most organizations with typical requirements will opt to obtain tools from their primary security providers.
  • Think about the total security picture. Continue to take a holistic approach to security that includes identity and access management, encryption and other security services in tandem with DLP software.
<p>Bryce Bridges</p>