Offline Information Security: Little Exceptions that can Result in Big Holes in an Enterprise Information Security System.
Written by Simon and Daniel
How is it good policy to turn off security when it is needed most? It’s not.
When introducing a strong internal information leakage prevention system into an organization, a common complaint is that it hinders their efficiency. Therefore, many organizations aim to establish a transparent system where employees are virtually unaffected by the information security system.
Under a transparent security system, everything is done through a network where the manager can monitor employee actions. If any confidential files need to be sent out of the office, it will need to get approval from a manager and if using a hard copy, a watermarked version will be used. So it seems that data can be fairly well controlled from within the office.
Outside the office, however, it becomes exceptionally more complicated when trying to manage confidential data. If, for example, an employee were to leave on a business trip, there are a numerous uncertainties and factors that need to be taken into consideration such as: Will it be acceptable if they bring a laptop with the data stored inside? What if the laptop is lost or stolen? Is password encryption enough to stop potential hacking attempts? The list can go on and on. Also, if the laptop is not able to connect to the internet and therefore is not able to connect with the security system, either the laptop or the security system might not work. Generally, if a device that is being controlled by a security system cannot communicate with the system through a network, it will render the laptop unable to run in stand-alone to prevent data leakage. If not, then the laptop wouldn’t have any form of security which puts the data at risk.
In this type of scenario, many organizations often make ‘exceptions’ for employees going on business trips by stopping the agent program that enforces security policy on the installed PC for their internal information leakage system and only allow them to bring the laptop out of the office once signing additional security or non-disclosure agreements. Of course this is not the best approach and it is best to just not let them take the laptop altogether.
By making these types of exceptions, the overall authority of the security system is then crippled. This can often lead to questioning the ability of the security system and these security exceptions are a recipe for internal data leakage. How is it good security policy to turn off security when it is needed most? It’s not. These “little exceptions” are leaving big holes in an enterprise’s security system and merely having employees sign one more non-disclosure agreement will not prevent data leakage; at best it will only discourage it.
Exceptions should not be made for a common reason such as a business trip or taking files out of the office. These are times when data leakage risks are at their peak and, if anything, more security should be put in place. Unfortunately, more limitations results in less efficiency. It is difficult to get around this tradeoff between security and efficiency but in the case of these exceptions, some sort of information security system is necessary. The best case would be a security system that can work both online and offline which would result in more trust in the security system as well as cover up these large holes when taking data in an offline environment.
In order to fill these security holes, there are products from SECUDRIVE (www.secudrives.com) that provide internal information leakage prevention solutions for such offline situations. SECUDRIVE utilizes hardware encrypted USB flash drives for sending internal confidential data when out of the office. One unique line of products from SECUDRIVES are their copy protected USB flash drives that block all copying functions so that files that are stored in the USB cannot be copied out. This will allow the security manager to block copying, printing, and screen capture of files before they are sent out of the office.
SECUDRIVE USB Office is a copy protected USB solution for organizational business files such as Microsoft Office files while SECUDRIVE CAD is also a copy protected USB that is meant for computer aided design files such as Adobe and Autodesk files. Also, the USBs can be managed using SECUDRIVE USB Management Tool and SECUDRIVE USB Management Server which will allow the administrator to control password and security policies, as well as record USB activity in the program’s log.
Internal information leakage prevention systems need to be able to function both online and offline as well. Business continuity should not be sacrificed for internal leakage prevention and internal leakage prevention systems should not be disabled to retain business continuity. Products such as SECUDRIVE will help to create balance between the two and make these security holes disappear.