Pragmatic Steps to Manage File Data Leakage Risks

Thursday, August 18, 2016

Scott Gordon

Data dissemination and file collaboration are natural parts of most business and operational workflows; thus, security must be an integral part of modern corporate workflow to protect sensitive information. While structured data, or information contained in databases, is well protected in the confines of secure backend systems, unstructured data is a different story. Files are presumed to be secure within domain-controlled network drives and folders within enterprise content management systems. Most IT professionals associate data and even file protection with backup and encryption technologies within their network or at the gateway. Unfortunately, the secure access and use of sensitive, and often regulated, data within files being shared both internally and externally remains a significant source of exposure within many organizations.

A recent 2015 State of File Collaboration Security report by Enterprise Management Associates (EMA) found a significant gap between file security policies and operations and the capabilities of technical controls in place at large and mid-tier enterprise organizations to monitor and enforce the policies. While the majority of these organizations have enhanced technical controls and auditing, only 16 percent of the survey respondents felt highly confident in their file security investments. The report revealed that more than 80 percent of mid-tier and large enterprise survey participants were aware of data leakage incidents in their organizations, and 50 percent experienced frequent incidents.

Given the necessity of file sharing, respective risks and obligations, and available file protection mechanisms, what is a pragmatic approach for organizations to reduce IP loss, privacy compliance liability and business exposure due to sensitive file data leakage? Here are the top five steps that your organization can put in place today:

  1. File data classification and discovery. Establish a working process to map different classes/types of files based on the information they contain and the respective business or regulatory compliance obligations to protect the data in the file. Identify the various sources and categorize the different activities where sensitive files requiring protection exist, as well as the users, systems, tasks and business terms related to such activities.
  2. File sharing exposure risk and control gap analysis. Assess how sensitive files in each data classification are currently secured and subsequently shared within and outside the organization across categories of business activity. The process further examines the probability and ramifications of exposure for each file data class and sharing activity group. The resulting risk assessment should reveal data protection priorities and gaps. The organization can then systematically assess what additional file data protection process and control measures are needed.
  3. Policy definition enhancement and dissemination. Examine current data protection policies to determine which need to be improved to better manage risk and to accommodate new categories of sensitive data and file collaboration activities. These policies should be vetted with, agreed upon by and communicated to those managing data sources and to data owners. This way the policies can be effectively adopted by IT management and business management.
  4. Technical control application. Take the control gap analysis and policy definition processes into account when identifying where technical controls should be applied. Assess each control’s functional scope, and also consider management, implementation and cost factors. File-based digital rights management (F-DRM) platforms, such as FinalCode, allow organizations to reduce file data leakage risks through file encryption, access and usage control. As in other IT projects, once a control is accepted, deployment, training, usage and administration should be coordinated.
  5. File security management tracking. Track and report on policy adherence, control implementation, exceptions and additions, and control usage. In this way, management gains a vantage point on file data leakage risk reduction, and operations can establish a baseline for continuous improvement.

Alongside the task of maintaining fluid but authorized access to network file storage resources, organizations need to apply file protection that offers appropriate levels of control for internal users and for the variety of external users requiring access to sensitive content. Satisfying these challenges is necessary to protect the intellectual property of the business and its clients, and to manage the reputation and liability risks associated with confidential information obligations. An organization does not have to take an “all or nothing” approach to implementing file data protection capabilities. While the steps presented above to reduce file data leakage can be an enterprise-wide initiative, the process can be successfully applied to specific business activities and collaboration projects. Most employees understand and want to protect sensitive information. The key is to make file security easy, intuitive and aligned to corporate policy. Next generation F-DRM solutions offer an effective and flexible technical control that can be applied today to reduce file data leakage risks across different infrastructure, collaboration methods, user types and business requirements.

About the Author: Scott Gordon (CISSP) is the Chief Operating Officer at FinalCode. Scott has over 20 years’ experience contributing to security management, network, endpoint and data security, and risk assessment technologies at innovative startups and large organizations. Prior to FinalCode, Scott held several senior management positions at ForeScout Technologies, Protego Networks (acq. Cisco), Axent and McAfee. An infosec authority, speaker and writer, he is the author of “Operationalizing Information Security” and the contributing author of the “Definitive Guide to Next-Gen NAC.” Scott holds a CISSP-ISSMP certification, an MBA, and earned his BA in MIS and marketing from Hofstra University.
