When attackers gained access to personal information on 19,000 students at Carnegie Mellon University last April, business and network administrators there began a systemwide review of data policies. As a result, the university drastically reduced its use of Social Security numbers (SSN) and implemented new security-management controls around its Oracle databases. But when it came to protecting data extracted from a database, Joe Jackson, system architect at the school, was at a loss.
"Controlling the utilization of unstructured data is incredibly challenging, because once that data's out of the database, controls don't work," he says.
Centralized database security management and auditing is a good first step. But organizations should also protect the safety and integrity of data at other points.
"You've got to look at the who, what, when, where and hows of data protection: Who's using it, what they're doing with it, when and how are they accessing it, how it's being used, when it comes back, and how it's securely stored and archived," explains Gary Clayton, CEO of Privacy Compliance Group, a data privacy consulting firm. No holistic approach exists for protecting information from cradle to grave - that is, as it traverses desktops, the database, the network, on to remote users and business partners, then resting in backup and storage, analysts and users say. Those enterprises tackling the problem of data life-cycle protection are doing so in ways as unique as the organizations themselves.
Examining data life-cycle protections
One of them is Houston-based Halliburton, which started looking at data life-cycle protections in 2003. In the light of publicity around data leakage at Microsoft and other Fortune 500s, Halliburton executives began asking how to control the organization's vast information resources. They questioned how much information the company had, where it resided and for what it was being used.
They quickly realized the task's complexity. "Data goes far beyond the database, particularly when you're looking at document and content management. Not only does it fall under management for internal users, but how are you separating controls for documents and files accessed from the Web or being sent in e-mail?" asks Mark Johnson, chief information security officer at Halliburton.
The Halliburton team has since investigated a variety of data-protection tools for e-mail, desktops and storage. These include Symantec's Enterprise Vault e-mail storage archiving software (available because of the Veritas acquisition) and Microsoft's Rights Management Services, which encrypts protected information on the desktop in Office applications and Exchange, and on file and print servers.
But Halliburton decided not to implement any of the tools it evaluated. It found the tools were not comprehensive enough, required too much intensive custom development to integrate into its enterprise infrastructure, and called for extensive retraining and education of employees, Johnson says.
Instead, Halliburton took the interim step of commissioning an outside firm to monitor the organizational networks and identify what information needs to be protected - primarily being intellectual property, customer and marketing information. Then they isolated those information sources to heavily-secured LAN segments where they monitor what's coming to into and out of them to determine anomalous user behaviors. In addition, they're currently installing a digital forensics tool, EnCase, to help them search for intellectual property violations among user computers.
"It's a shot in the dark, and there's a limit on things you can search without violating employee privacy. But we're trying to be creative in determining if something's going outside of the controlled workgroups," says Erin Buxton, global IT strategist and architect at Halliburton.