What are the types of leaks? What are the main aspects of leak prevention? What are the media leak prevention technologies?

It is not easy for enterprises to prevent the loss of confidential data. There are three main reasons:

1. The first reason is that, as enterprises and their information applications keep expanding, a large amount of confidential data is generated in the course of those applications. As the scale of enterprise informatization grows, the network structure becomes more and more complex. In addition, notebook computers, PDAs, smart phones, USB flash drives and other mobile storage devices, together with WiFi wireless access, make the enterprise information application structure even more complex. When confidential data flows constantly through such a complex information system architecture, controlling how it is used becomes harder, and the risk of losing it rises accordingly.

2. The second reason is that the network environment enterprises now operate in contains more and more security threats, such as hacking, Trojan horses and network sniffing, and the sophistication and destructive power of these threats keep improving. Moreover, enterprises now face a more serious problem: the traditional security equipment they originally deployed can only guard against threats from outside the enterprise, while the main cause of enterprise data loss now comes from inside. Employees are already on the enterprise network, hold certain rights to access its resources, and know on which equipment and where the enterprise's confidential data is mainly kept. They also have some understanding of the security precautions deployed within the enterprise, so it is easier for them to know where the blind spots of those precautions lie and to find a way to obtain confidential data.

This problem is more obvious during the economic crisis, mainly because some enterprises have begun large-scale layoffs, and the employees who leave hold a great deal of confidential enterprise data. If the enterprise does not properly handle the accounts and permissions of these departed employees in time, its confidential data may flow out through them to competitors or to public places such as the Internet.

3. The last reason is that enterprises are now in a period of economic crisis and, in order to survive, are doing their best to cut costs of every kind. At present the existing security measures of many enterprises simply cannot meet the requirements of protecting data security, which means they need to increase the corresponding security investment. That investment raises costs, which not only conflicts with the current strategy of cost reduction but may also disrupt current business while data protection measures are added. This pushes enterprises into a dilemma: increase investment in security, or maintain the status quo?

Although there are still many problems in preventing data loss, fortunately some enterprises have successfully deployed data loss prevention solutions in their information structures and achieved good results. We can therefore learn from their experience in protecting data security and derive practical guidance for preventing the loss of enterprise confidential data.

The successful experience of preventing the loss of confidential data in enterprises mainly comes down to six best practices: knowing what confidential data the enterprise has and classifying it by importance; knowing where that confidential data resides and on what equipment; identifying the source and nature of the risks that lead to data loss; formulating a data control strategy suited to the enterprise's own needs; centralizing management control; and security audit. Below I will explain in detail how each of these six best practices should be carried out.

First of all, understand what confidential data are in the enterprise and classify them according to their importance.

From a security point of view, not all confidential data in an enterprise is of equal importance. Therefore, the first thing to do in preventing the loss of confidential data is to find out which confidential data is the most important to the enterprise, that is, which data matters most to the business and is most exposed to security threats. Once the most important confidential data on the enterprise network has been identified, different protection levels can be stipulated in the data protection strategy according to the importance of the data. So how can an enterprise classify all the confidential data on its network by importance?

To answer this question, we first need to understand the business structure of the enterprise and investigate the whole business process of each department, and also to understand whether the data of each department must comply with a data protection law in the place where the enterprise is located. For example, the financial data of some domestic enterprises listed in the United States must comply with the Sarbanes-Oxley Act, while the sales department may need to comply with another act, such as the PCI Act abroad, and must also comply with the relevant laws formulated by our country, such as the upcoming basic control standards for enterprises.

Once we know the data protection laws and regulations that each department of the enterprise must abide by, we can divide the data of all departments into three categories: the highest, restricted level (for example, the enterprise's financial statements and new product research and development materials); the sensitive level (for example, the enterprise's sales plan); and the general sensitivity level (for example, the distribution of supplier locations and product freight).

The next step is to determine the specific category, content and ownership of each item of data. This requires dividing the data according to its importance to the enterprise's business and to compliance requirements. For example, the basic information of suppliers can be treated as restricted data, and at the same time it must be made clear exactly what that basic information includes, such as the supply price of raw materials. Then it is necessary to know which specific employee in which department is responsible for generating and maintaining this restricted data, that is, to determine its operational owner. We can build a concrete table for this data that records its category, content and ownership in detail.

It should be understood here that the table we have drawn up must itself be properly protected as restricted confidential information. It lists the type, content and specific operator of all confidential data in the enterprise. If it fell into the hands of attackers, they could learn from it how confidential data is distributed in the enterprise and which employees keep it, and then mount social engineering attacks or other intrusions against a particular employee's weaknesses.

While investigating the enterprise's confidential data and classifying its protection level, we should also formulate a specific specification for operating on that data. The specification should clearly define which employees may access which confidential data and with what rights, and how, when and from where they may access it. For example, restricted data might be accessible only to a few core employees, with differing rights: some read-only, some write-only. A specific time period for accessing the data can also be specified; for example, restricted confidential data may be accessed only by people with special rights from 10:00 to 11:00 in the morning and from 15:00 to 17:00 in the afternoon. It can further be stipulated that employees may access the data only through specific workstations rather than directly.
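An added example (not from the original article) of how such an access specification can be turned into a machine-checkable rule. The users, workstation names and the two time windows are constructed assumptions mirroring the paragraph above; the evaluation is default-deny, and every refusal carries a reason that can be written straight to an audit log:

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Rule:
    """Access rule for one classification level (assumed structure for this example)."""
    classification: str
    rights: dict            # user -> set of permitted operations ("read", "write")
    windows: tuple          # permitted (start, end) local-time windows, end exclusive
    workstations: frozenset # hostnames of the designated terminals


# Constructed rule for "restricted" data: a few named employees, read-only or
# write-only, 10:00-11:00 and 15:00-17:00, only from two finance workstations.
RESTRICTED_RULE = Rule(
    classification="restricted",
    rights={"alice": {"read"}, "bob": {"write"}},              # constructed users
    windows=((time(10, 0), time(11, 0)), (time(15, 0), time(17, 0))),
    workstations=frozenset({"ws-fin-01", "ws-fin-02"}),        # constructed hostnames
)

POLICY = {RESTRICTED_RULE.classification: RESTRICTED_RULE}


def in_window(t: time, windows) -> bool:
    """True if t falls inside any permitted window (start inclusive, end exclusive)."""
    return any(start <= t < end for start, end in windows)


def evaluate(user, operation, classification, when: datetime, workstation):
    """Default-deny authorization check.

    Authentication is assumed to have happened already; this only answers
    whether the authenticated user may perform `operation` now, from here.
    Returns (allowed, reason) so the reason can go into the audit record.
    """
    rule = POLICY.get(classification)
    if rule is None:
        return False, f"no rule for classification {classification!r}"
    if user not in rule.rights:
        return False, f"{user} is not on the access list for {classification} data"
    if operation not in rule.rights[user]:
        return False, f"{user} may not {operation} {classification} data"
    if not in_window(when.time(), rule.windows):
        return False, f"access outside permitted time windows at {when:%H:%M}"
    if workstation not in rule.workstations:
        return False, f"workstation {workstation!r} is not a designated terminal"
    return True, "all conditions satisfied"


if __name__ == "__main__":
    requests = [
        ("alice", "read", "restricted", datetime(2009, 6, 1, 10, 30), "ws-fin-01"),
        ("alice", "write", "restricted", datetime(2009, 6, 1, 10, 30), "ws-fin-01"),
        ("alice", "read", "restricted", datetime(2009, 6, 1, 12, 0), "ws-fin-01"),
        ("bob", "write", "restricted", datetime(2009, 6, 1, 16, 59), "laptop-7"),
    ]
    for req in requests:
        allowed, reason = evaluate(*req)
        print("ALLOW" if allowed else "DENY ", req[0], req[1], "->", reason)
```

Every condition in the specification (who, which right, when, from where) is a separate check, so a refusal tells the auditor exactly which clause of the specification was violated rather than just "denied".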

Second, understand where confidential data resides in the enterprise and on what equipment.

For this question, some readers may think it is easy to answer: "Isn't it obvious where the confidential data in the enterprise resides? Of course it is stored in a database server or a file server." This answer is correct, but it covers only a small part of the possible locations of corporate confidential data.

The confidential data stored in the enterprise database is at best only a small part of the confidential data of the whole enterprise. Especially in today's Enterprise 2.0 and Web 2.0 environment, various mobile storage devices are widely used in enterprise information applications, so a large amount of confidential data may reside on mobile storage devices such as notebook computers, smart phones, PDAs and USB flash drives; in the applications, file servers and collaborative office servers that access this data; and on e-mail servers and web servers. Confidential data can also exist in the form of packets on the internal network transmission media, Internet transmission channels and WiFi radio waves, and it may well be stored in the online blogs, wikis, social networking sites and Twitter accounts of the enterprise or its employees.

For many locations and devices that can store confidential enterprise data, what methods should be used to discover the confidential data stored in these locations and devices?

It is not easy to answer this question, but it is a task that must be completed thoroughly. For most enterprises, it takes a certain amount of time to conduct a comprehensive discovery exercise so that all the locations and devices where confidential data may reside are identified and a schematic diagram of the location structure of confidential data can be drawn.

However, because some enterprises are unwilling to take the time to solve this problem, they usually handle confidential data in one of the following three ways:

1. Protect the security of all data in the enterprise. This practice is unrealistic, and even if it were actually achieved it would be quite expensive. Most enterprises do not have the budget or the technical strength to complete this impossible task.

2. Leave all data in the enterprise unprotected. This method is quite common in many small and medium-sized enterprises in China. They do not know how to protect data security, do not think about how to protect themselves, and do not want to spend money on such a thing. However, once confidential data related to the enterprise is lost or leaked, the blow to these enterprises is often the most fatal and may leave them unable to recover.

3. Protect some data in the enterprise. This method is found in most domestic enterprises. The enterprise applies an incomplete data protection method, for example a data encryption product that protects some of the data on one device, and then assumes that the confidential data of the whole enterprise is safe. This kind of data protection relies on luck: it ignores the other security threats to the enterprise's confidential data, and sooner or later that luck runs out.

In order to prevent enterprises from dealing with confidential data in the above ways, we must move beyond these mistaken data protection methods and use a complete confidential data discovery process to answer the following questions before implementing a specific data protection solution:

1. Is there any confidential data stored in the database? If yes, does this confidential data exist in data tables, columns or fields?

2. Is there any confidential data in a shared state? If yes, does this confidential data exist in shared folders, or is it provided as separate files?

3. Is highly confidential data stored on portable devices such as laptops? If so, who are the users of these mobile storage devices, such as the notebooks holding confidential data?

4. Is there any highly confidential data that must be transmitted inside the LAN and over the Internet, for example by e-mail? If so, is this confidential data encrypted or otherwise protected in transit?

5. Is it possible that highly confidential data is stored on the Internet, for example on web servers or blogs? If so, is the storage location provided by the enterprise or by the employees themselves? In what form does it exist? Is it protected?

Next, we also need to know how the confidential data in the enterprise is currently being used, and what other employee behaviour violates the data security operating rules. For today's enterprise, we must focus on investigating the following violations:

1. Investigate whether employees talk about topics related to enterprise data security in public places, and whether confidential enterprise data is unintentionally leaked to public places such as the Internet. For example, some employees tell the people around them, on the phone, over instant messaging or in a bar, how good their enterprise's security system is, what kind of security products are used and how powerful the system is, perhaps intending to raise their own standing and get attention. But the speaker may mean nothing by it while the listener takes note: information such as the type of security equipment and the security structure used by the enterprise may reach attackers, making it easy for them to understand the enterprise's security system.

2. Investigate whether some confidential data is easily copied, without being audited, to portable storage devices such as laptops, USB flash drives or PDAs, and also find out whether such devices often leave the protection of the enterprise and enter public places.

3. Investigate whether customer information in the enterprise is sent elsewhere from the database or file server in an unsafe way, or can be opened and read at will by any user.

4. Investigate whether the confidential data in the enterprise really reaches the designated backup storage medium at the predetermined location unimpeded during backup, and whether the whole backup process can be guaranteed free from interference.

Through the process of data discovery and processing, we can establish a distribution map of the enterprise's confidential data, which serves as an important basis for formulating data protection strategies. The discovery process is quite complicated; doing it by hand would be unbearable and might not give comprehensive results. Therefore, at this stage we can use some free or commercial software. Most data loss prevention products include a data discovery function as an important component, and this function is one of the things to consider when selecting a product.
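The discovery step can be automated. As an added example, not from the article or from any product it mentions, the following Python scanner walks a constructed environment (an in-memory SQLite database, a file share and a laptop folder) and builds the distribution map described above, reporting database findings down to the column, which answers question 1 of the discovery list. The detectors, the sample records and the classification level assigned to each detector are assumptions for this example:

```python
import re
import sqlite3
from collections import defaultdict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed detectors: (label, classification level, pattern, validator).
# The level each detector maps to is an assumption, not a rule from the article.
DETECTORS = [
    ("payment_card", "restricted", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
     lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    ("email_address", "sensitive", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
     lambda s: True),
    ("rd_marker", "restricted", re.compile(r"\bPROJECT-[A-Z]{3}-\d{3}\b"),
     lambda s: True),
]


def scan_text(text):
    """Set of (label, level) pairs found in one piece of text."""
    found = set()
    for label, level, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                found.add((label, level))
    return found


def scan_database(conn, location):
    """Walk every table and column so findings name the exact column."""
    findings = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # Names come from sqlite_master, not from user input, so quoting them is safe here.
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            for (value,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                for label, level in scan_text(str(value)):
                    findings.append((f"{location}/{table}.{col}", label, level))
    return findings


def scan_files(files, location):
    """files: mapping of relative path -> text content (stands in for a share or home dir)."""
    return [(f"{location}/{name}", label, level)
            for name, text in files.items() for label, level in scan_text(text)]


def distribution_map(findings):
    """Collapse findings to location -> highest level seen plus the labels found there."""
    rank = {"general": 0, "sensitive": 1, "restricted": 2}
    dist = defaultdict(lambda: {"level": "general", "labels": set()})
    for location, label, level in findings:
        entry = dist[location]
        entry["labels"].add(label)
        if rank[level] > rank[entry["level"]]:
            entry["level"] = level
    return dict(dist)


def build_sample_environment():
    """Constructed data; the card number is a Luhn-valid test value, not a real account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.execute("INSERT INTO customers VALUES ('Test Customer', '4539 1488 0343 6467')")
    conn.execute("CREATE TABLE suppliers (name TEXT, region TEXT)")
    conn.execute("INSERT INTO suppliers VALUES ('Example Supplier', 'North')")
    share = {
        "sales/contacts.txt": "Regional leads: buyer@example.com, cfo@example.net",
        "public/freight.txt": "Freight to warehouse 7: 1234 5678 9012 3456 CNY",  # fails Luhn
    }
    laptop = {"Documents/spec.txt": "Design notes for PROJECT-ABC-001, do not circulate"}
    return conn, share, laptop


def discover():
    conn, share, laptop = build_sample_environment()
    findings = (scan_database(conn, "db://crm")
                + scan_files(share, "smb://fileserver")
                + scan_files(laptop, "laptop://sales-07"))
    return distribution_map(findings)


if __name__ == "__main__":
    for location, entry in sorted(discover().items()):
        print(f"{entry['level']:<10} {location}  {sorted(entry['labels'])}")
```

The output is the distribution map the text asks for: one line per location where confidential data was found, with the highest level present. Locations where nothing matched (the supplier table, the freight note whose digit run fails the Luhn check) do not appear, which is the point of validating matches rather than trusting a bare pattern.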

Moreover, we should understand that data discovery is a long-term, continuous process that should span the whole life cycle of the data, not a one-time event. Data does not stay static throughout its life cycle; as it is used, it comes to exist in different locations and on different devices, in different types and forms.

Third, determine the source and nature of the risk of data loss.

Compared with understanding the distribution and use of confidential data in the enterprise, it is equally important to understand the security risks the enterprise's data faces and their nature. Only by understanding the current security risks can we know what to guard against and how to deal with it. At the same time, it is necessary to understand the extent of the losses and impact a data loss incident could cause the enterprise, and whether the enterprise could bear them.

At present, the types of security threats against data are published daily on a number of security websites. We can subscribe to mailing lists from these websites and receive the latest security threats, vulnerabilities and patch updates every day. The websites that provide these mailing lists include /, and so on. In addition, some research organizations conduct specific investigations and analyses of the sources of data security risks every year, and we can read their reports on their websites to understand the main external and internal threats at present; one such website is http://www.sans.org/.

What we should understand here is that the biggest security risk comes not from outside the enterprise but from inside: employee misoperation, deliberate attacks, and so on. The losses caused by these internal threats are much greater than those from outside, and their success rate is much higher. Therefore it is equally important to investigate employee violations in the way described above.

However, not every enterprise faces the same security threats. Each enterprise's network structure is different, its network applications serve different purposes, so the equipment and software on the network differ, and the security awareness and loyalty of its employees differ; all this determines that the types and quantities of data security threats in each enterprise will be different. Therefore we must combine the enterprise's actual situation with the relevant security threat reports to arrive at the type, quantity and nature of the risks the enterprise may face.

Of course, an accurate understanding of the data security risks the enterprise may face lets us be targeted and save on security investment. However, threats keep emerging, and a completely accurate prediction is impossible. Therefore, when considering the data security threats the enterprise may face, it is better to count too many than to let one slip through. We can also build a risk model to analyse the type, quantity and nature of the risks the enterprise's confidential data may face.

The following are the most common data security risks:

1. The data storage medium is lost or stolen. These storage media include disks, tapes, laptops, PDAs, USB flash drives and other devices. The loss may be an employee's accident or an attacker's deliberate theft, and it may happen on an employee's business trip or at the place where the devices are kept, such as the employee's home, a hotel, the computer room where backup media are stored, or a storage room inside the enterprise. If the lost devices contain confidential data, attackers can sell it for illegal gain.

2. Deliberate violations by employees. Some employees, especially privileged employees who hold a lot of confidential information, such as database administrators, network administrators and even marketing staff, have a great deal of customer information. They may send the confidential information in their hands to the enterprise's competitors, or sell it directly to hackers for illegal gain. For example, this year's CCTV 3.15 gala exposed employees of mobile operators in some places selling users' private information, a very clear case of employees using their privileges to violate enterprise data protection regulations.

3. Unintentional disclosure of confidential data. For example, an employee inadvertently sends an unencrypted e-mail containing confidential information to an unauthorized user, or posts some of the enterprise's confidential information to a personal blog or wiki, or releases it to the public network through Twitter or instant messaging.

4. Hacking. Internal hackers use access rights they already have to obtain the enterprise's confidential data through unconventional means, for example network sniffing and man-in-the-middle attacks against confidential data transmitted on the internal LAN, or directly copying confidential data to removable storage through physical access. In enterprises using WLAN, internal attackers can also set up a rogue wireless AP with a wireless network card and software and trick internal employees into connecting their wireless devices to it. External hackers can also entice internal employees through social engineering, or use phishing to infect them with Trojan horses, and then attack the enterprise's databases or file servers from the inside or use network sniffing to obtain confidential data. In a WLAN, it is easy for external attackers to obtain WEP-encrypted confidential data with wireless sniffing software.

5. Direct physical access attacks. Most of these attacks also come from within the enterprise. The employee is already inside, and through small manoeuvres may reach the location of the equipment storing confidential data and obtain the data by copying, printing, photographing, duplicating, sending e-mail or even directly removing storage media. External attackers can also use social engineering to convince enterprise security staff and employees that they hold a certain identity and then walk into the enterprise to steal data. I have seen such scenes in some movies about spies and intellectual crimes, such as the famous Ocean's Eleven series and Prison Break.

Fourth, establish a data control strategy suitable for your own needs.

After completing the tasks in the above three steps, the next thing to do is to formulate a data security risk control strategy based on them, covering the specific operating process of data security control and the security technologies and products to be used.

A specific data protection strategy should consist of two main parts: the control mechanism, that is, the specific type of control; and the control point, that is, the specific objects to be controlled, such as storage devices, databases, file servers, applications, network devices, terminal devices and so on.

A comprehensive deep data security protection system should consist of the following three parts:

1. Access control

Access control includes two aspects: authentication, that is, a verification mechanism that proves the user accessing the data is who he claims to be; and authorization, that is, the rights granted to the user once he has passed authentication, which stipulate what operations he may perform on the data. Many security products and applications adopt this access control method today, such as web access control and two-factor authentication.

2. Data control

Data control is to control the data itself from being infringed. Data control includes corresponding technologies and products, such as application data encryption and encryption key management, data loss prevention (DLP) products and enterprise information rights management (RMS).

3. Audit

The purpose of the audit is to provide a feedback mechanism to ensure that the data protection strategy and the implemented data protection solution really operate in the way we set. This method is now also called Security Information and Event Management (SIEM). The audit control function may be included in the data protection products themselves or exist as an independent product. Either way it provides a feedback and recording mechanism for data usage, ensuring that all data operations take place within the expected control range.

Now more and more enterprises are deploying application data encryption solutions or data loss prevention solutions within the enterprise to prevent data loss. Both data encryption and data loss prevention products provide a way to protect confidential data whether it is at rest, in motion or stored on terminal equipment.

Data encryption protects data from being leaked in transit and prevents confidential data from being leaked after a storage device is lost. Data loss prevention products not only include data encryption but also provide other data control methods. For example, network-based DLP products are usually deployed at the enterprise's egress gateway. They inspect all data leaving the enterprise according to policy, content and context, so as to prevent e-mails, instant messages and other traffic containing confidential data from leaving the enterprise without authorization and encryption protection, and they record which host sent the data, when it was discovered and where it was sent. Host-based DLP products, by contrast, apply security precautions to all the data on the host system running them, including the various products usable on that host. For example, a host-based DLP product can monitor the types of interface available on the host, such as a USB interface, and the removable storage devices used on it: an unauthorized device does not work when plugged in, and when an authorized device is used, the product records which user used it, when, and what confidential data was copied. This is the main reason more and more enterprises use DLP solutions to protect their confidential data and comply with data protection regulations.
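As an added example of the gateway-side inspection just described, not code from the article or from any DLP product, the following Python inspector combines content (a fingerprint of registered restricted documents, matched on overlapping word windows so a pasted paragraph is still recognised), context (external recipients, whether the message is encrypted) and policy to reach a decision, and writes the record the text mentions: sending host, time and destination. The registered document, the mail domains and the sample messages are constructed:

```python
import hashlib
import re
from datetime import datetime

# Constructed internal mail domain; any other recipient domain counts as leaving the enterprise.
ENTERPRISE_DOMAINS = {"example.com"}

# Constructed stand-in for a registered restricted document (assumption for this example).
RESTRICTED_DOCS = {
    "Q3-financial-statement": (
        "Consolidated revenue for the third quarter fell eight percent against plan "
        "while operating margin narrowed to four percent"
    ),
}


def shingles(text, k=5):
    """Normalise text and hash every overlapping k-word window.

    A message that pastes part of a registered document shares many of these
    hashes even if the surrounding wording differs, unlike a whole-file hash.
    """
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(max(1, len(words) - k + 1))
    }


FINGERPRINTS = {name: shingles(text) for name, text in RESTRICTED_DOCS.items()}


def content_match(body, threshold=0.3):
    """Registered documents whose fingerprint overlaps the body by at least `threshold`."""
    body_fp = shingles(body)
    hits = {}
    for name, fp in FINGERPRINTS.items():
        overlap = len(body_fp & fp) / len(fp)
        if overlap >= threshold:
            hits[name] = round(overlap, 2)
    return hits


def inspect(message):
    """Policy decision for one outbound message, returned as the audit record."""
    external = [r for r in message["recipients"]
                if r.rsplit("@", 1)[-1].lower() not in ENTERPRISE_DOMAINS]
    hits = content_match(message["body"])
    if hits and external and not message["encrypted"]:
        action = "block"            # restricted content leaving without encryption
    elif hits and external:
        action = "allow_encrypted"  # leaves the enterprise only under encryption protection
    else:
        action = "allow"            # internal traffic, or no restricted content
    return {
        "time": message["timestamp"].isoformat(),
        "src_host": message["src_host"],
        "sender": message["sender"],
        "external_recipients": external,
        "matched_documents": hits,
        "action": action,
    }


# Constructed sample traffic seen at the gateway.
LEAK_TEXT = "FYI, see this: revenue for the third quarter fell eight percent against plan. Call me."
SAMPLE_MESSAGES = [
    {"timestamp": datetime(2009, 6, 1, 10, 5), "src_host": "ws-fin-02", "sender": "bob@example.com",
     "recipients": ["analyst@mail-example.org"], "encrypted": False, "body": LEAK_TEXT},
    {"timestamp": datetime(2009, 6, 1, 10, 6), "src_host": "ws-fin-02", "sender": "bob@example.com",
     "recipients": ["cfo@example.com"], "encrypted": False, "body": LEAK_TEXT},
    {"timestamp": datetime(2009, 6, 1, 10, 9), "src_host": "ws-fin-02", "sender": "bob@example.com",
     "recipients": ["auditor@mail-example.org"], "encrypted": True, "body": LEAK_TEXT},
    {"timestamp": datetime(2009, 6, 1, 11, 30), "src_host": "ws-sales-03", "sender": "dave@example.com",
     "recipients": ["friend@mail-example.org"], "encrypted": False,
     "body": "Lunch at noon? The usual place."},
]


def run_gateway(messages=SAMPLE_MESSAGES):
    return [inspect(m) for m in messages]


if __name__ == "__main__":
    for record in run_gateway():
        print(record["action"].upper().ljust(16), record["time"], record["src_host"],
              record["sender"], "->", record["external_recipients"] or "internal",
              record["matched_documents"])
```

The same restricted sentence produces three different decisions depending on context alone: blocked to an external address in the clear, allowed internally, and allowed externally once encrypted. Every decision, including the allowed ones, yields a record, which is what the audit step later needs.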

Fifth, centralized management control.

More than any other factor, the management control mechanism directly affects control efficiency and the enterprise's total cost of ownership. Yet many enterprises mistakenly scatter the management control mechanism across several different control mechanisms, with the following consequences: (1) the enterprise's security prevention strategy loses its intended effect; (2) the enterprise's management costs keep rising; (3) the connection between security control and the enterprise's business is weakened.

To avoid these problems, the first aspect that needs centralized management is data security control itself: the enterprise should centralize it so that the security prevention strategy is fully implemented from top to bottom. In this way, implementation of the security policy can be monitored comprehensively and automatically through centralized management tools, and operations that violate the policy can be prevented. Centralized management control also helps ensure that all employees always abide by the data usage rules the enterprise has formulated, and that confidential data is not inadvertently leaked.

The second aspect that needs centralized management is the management of encryption keys. Centralized key management prevents the data security risks caused by keys lost through human error, and prevents conflicts and incompatibilities with other encryption strategies. For example, if an enterprise uses the same encryption product in different departments or on different devices but each department manages encryption independently, encryption management becomes more laborious and complex and management costs rise. Moreover, if employees are allowed to decide for themselves what encryption method to use, many unsafe factors may arise and the management cost will also increase.

In any case, decentralized management of encryption keys brings unexpected security risks to the enterprise and may even affect its normal business. For example, an employee encrypts a file but does not deliver the decryption key to the recipient, so when the recipient opens the encrypted file it asks for a key the recipient does not have, and normal business is held up. And if employees mistakenly send decryption keys to unauthorized employees, confidential data is disclosed.

Generally speaking, centralized management of data security control is the main way to reduce the complexity of data security control, cut management costs and save management time and manpower.

Sixth, security audit.

Security audit can be used to continuously improve the existing data security prevention strategy and to adjust the prevention scheme and the settings of security products, so as to ensure data security at every stage of the enterprise's development. Any enterprise needs an inspection method within its security prevention process that feeds back whether the solution really meets the prevention requirements and shows the current protection status of its security products.

The business activities of an enterprise are not static, and neither is its data security prevention work. We must use some mechanism or technology to check and track the current data security situation and the data security incidents that have occurred or are occurring in the enterprise, so that the enterprise can deal with them quickly and correctly and adjust its existing security policies to cope with changing security threats.

Security Information and Event Management (SIEM) system can help us analyze and report security logs and conduct real-time event analysis. SIEM system can help us accomplish the following tasks:

1. Incident investigation and evidence collection;

2. Incident response and remedial measures;

3. Compliance with regulations and standards;

4. Evidence for legal proceedings;

5. Audit and enforcement of data security policies.
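As an added example (not from the article), the following Python code shows the kind of correlation a SIEM performs for tasks 1 and 5 above: it parses constructed log lines from a hypothetical host DLP agent, normalises them into events, and applies two rules, an unauthorized removable device being attached and a burst of restricted-file copies to removable media by one user within a short window, keeping the raw events with each alert as evidence. The log format, hostnames, users and device serials are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a key=value format a hypothetical host DLP agent might
# emit. The field names are assumptions for this example, not a real product's format.
SAMPLE_LOGS = """\
2009-06-01T09:58:12 host=ws-sales-03 user=dave action=usb_attach device=SN-7F31 authorized=no
2009-06-01T10:01:05 host=ws-fin-02 user=bob action=file_copy dst=usb:SN-0A12 file=q3-statement.xls class=restricted
2009-06-01T10:02:40 host=ws-fin-02 user=bob action=file_copy dst=usb:SN-0A12 file=budget-2010.xls class=restricted
2009-06-01T10:03:15 host=ws-fin-02 user=bob action=file_copy dst=usb:SN-0A12 file=payroll.xls class=restricted
2009-06-01T10:20:00 host=ws-fin-01 user=alice action=file_copy dst=usb:SN-0B77 file=freight-rates.xls class=general
2009-06-01T11:45:00 host=ws-fin-01 user=alice action=file_copy dst=usb:SN-0B77 file=supplier-prices.xls class=restricted
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse(lines):
    """Normalise each line into a dict of fields plus a parsed timestamp."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = dict(FIELD.findall(rest))
        event["time"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def rule_unauthorized_device(events):
    """Any attach of a device the host agent did not recognise as authorized."""
    return [{"rule": "unauthorized_removable_device", "user": e["user"],
             "host": e["host"], "evidence": [e]}
            for e in events
            if e.get("action") == "usb_attach" and e.get("authorized") == "no"]


def rule_bulk_restricted_copy(events, threshold=3, window=timedelta(minutes=10)):
    """Sliding window per user: `threshold` or more restricted copies to removable
    media within `window` raises one alert carrying the copies as evidence."""
    by_user = defaultdict(list)
    for e in events:
        if (e.get("action") == "file_copy" and e.get("class") == "restricted"
                and e.get("dst", "").startswith("usb:")):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "bulk_restricted_copy", "user": user,
                               "host": evs[end]["host"], "evidence": evs[start:end + 1]})
                break  # one alert per user burst is enough for the analyst
    return alerts


def correlate(lines=SAMPLE_LOGS):
    events = parse(lines)
    return rule_unauthorized_device(events) + rule_bulk_restricted_copy(events)


if __name__ == "__main__":
    for alert in correlate():
        print(f"[{alert['rule']}] user={alert['user']} host={alert['host']}")
        for e in alert["evidence"]:
            print("   ", e["time"].isoformat(), e.get("file") or e.get("device"))
```

Alice's single restricted copy an hour after a general one does not trip the burst rule, while Bob's three copies inside three minutes do; the alert carries the three original events, which is the evidence an investigation or a legal proceeding would need to cite.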