When BCD Travel began investigating what it would take to get Payment Card Industry (PCI) certification for the handling of customer credit card data, Senior VP of Technology Brian Flynn realized that he didn't really know how his employees were handling such information. That meant not only could PCI certification be denied but also the travel agency's reputation and business could be harmed. At the National Football League's Houston Texans, IT Director Nick Ignatiev came to the same realization as he investigated PCI certification.
In both cases, vendors they'd been working with suggested a new technology: outbound content management tools that look for proprietary information that might be leaving the company via e-mail, instant messaging or other avenues.
Flynn started using Reconnex's iGuard network appliance, with vivid results. "It was a shock to see what was going out, and that gave us the insight to take action," he says.
After Ignatiev examined his message flow using Palisade Systems' PacketSure appliance, he too realized that his employees needed to do a better job protecting critical data, including customer credit cards, scouting reports and team rosters.
A key point: Many CIOs and CSOs already have information security methods in place, such as identifying, restricting access to and even encrypting sensitive data within their companies. Some also configure PCs so users can't copy data onto USB thumb drives or recordable CDs. Flynn and Ignatiev were already using some of these techniques—but their tests of outbound content management tools exposed a set of wide-open exit points for sensitive information, including e-mail, instant messaging, Web-based applications and file transfer protocol (FTP).
For more on how to secure data in the age of BlackBerrys and smart phones, see "Managing Mobile Devices."
The traditional security methods may restrict sensitive data to legitimate users, but Flynn and Ignatiev found that even legitimate users were putting the data, and their companies, at risk. At BCD Travel, a corporate travel service, nearly 80 percent of its 10,000 employees work in call centers and thus have legitimate access to sensitive customer information. What BCD and the Texans found was not malicious activity but people who were unaware of security risks, such as in sending a customer's credit card number by e-mail to book a flight or room from a vendor that didn't have an online reservations system.
"Employees are just trying to get their jobs done," Flynn notes. Flynn and his peers must craft comprehensive strategies to help them get that job done more safely.
Zero In on Trouble
Vendors typically pitch outbound content management tools as automatic "reverse firewalls" to keep information in, via automated identification and blocking. But early adopters are usually wary of the automatic blocking pitch and have taken a much more nuanced strategy—primarily using these tools to identify risks, so that IT security staff and business managers can decide how to handle them on a case-by-case basis. Often, these tools can also identify areas for further user education and help investigate past breaches.
How does the technology work? Basically, the tools filter outgoing communication across a variety of channels, such as e-mail and IM, to identify sensitive information. They're based on some of the same technologies—like pattern matching and contextual text search—that help antivirus and antispam tools block incoming threats.
Tools typically come with basic patterns already defined for personally identifiable information such as Social Security and credit card numbers, as well as templates for commonly private information such as legal filings, personnel data and product testing results.
You can also have the tools analyze servers and other data stores to determine the patterns for anything a company considers important to safeguard, then set the rules for how the tools should react when such information is leaving the company. (For example, you could choose to silently block some outbound messages and warn users regarding others.)
Companies typically look for three types of information using these tools, notes Paul Kocher, president of the Cryptography Research consultancy. The first—and easiest—type is personally identifiable information, such as Social Security numbers and credit card information. The second type is confidential company information, say product specifications, payroll information, legal files or supplier contracts. While this information is harder to identify, most tools can uncover patterns of language and presentation when given enough samples, Kocher notes. The third category is inappropriate use of company resources, such as potentially offensive communications involving race.
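An added example, not from the article or from any vendor it names, of the pattern-matching approach described above: a toy outbound filter that flags card numbers (with a Luhn check so that digit runs which merely look like card numbers are not reported), Social Security numbers and a few confidential phrases, then maps each finding to the block-or-warn reactions the text mentions. The sample messages, the confidential-term list and the policy table are constructed for illustration; the message and term names are hypothetical.

```python
import re

# Constructed sample of outbound traffic (channel, text); the card is a standard test
# number, the SSN and names are made up. Message 2 is a 16-digit order id, not a card.
OUTBOUND = [
    ("email", "Booking for Mr. Lee, card 4111 1111 1111 1111 exp 03/09, please confirm."),
    ("im", "order #1234567890123456 shipped yesterday"),
    ("email", "Payroll: SSN 123-45-6789 rate change effective Monday."),
    ("ftp", "scouting report - QB prospects, do not distribute"),
    ("email", "Lunch at noon?"),
]

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONFIDENTIAL_TERMS = ("scouting report", "team roster", "payroll")  # hypothetical template
POLICY = {"card": "block", "ssn": "block", "confidential": "warn"}  # reaction per finding

def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> list:
    """Return the kinds of sensitive content found in one message."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("card")
            break
    if SSN_RE.search(text):
        found.append("ssn")
    lowered = text.lower()
    if any(term in lowered for term in CONFIDENTIAL_TERMS):
        found.append("confidential")
    return found

def decide(text: str) -> str:
    """Map findings to the strictest configured reaction: block > warn > allow."""
    actions = {POLICY[kind] for kind in classify(text)}
    if "block" in actions:
        return "block"
    return "warn" if "warn" in actions else "allow"

def scan(messages) -> list:
    """Apply the policy to every (channel, text) pair; the caller logs or enforces."""
    return [(channel, decide(text)) for channel, text in messages]
```

Running `scan(OUTBOUND)` blocks the two messages carrying a valid card number or an SSN, warns on the scouting report, and lets the order id through because it fails the Luhn check.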
"You don't really know what's going out of your network until you have a tool that can help you zero in," says BCD's Flynn.
With a real understanding of what information is flowing, you can develop an appropriate security strategy, Flynn says.
Security consultants advocate a multitiered strategy to protect sensitive information. In all cases, they recommend starting with basic user education so people know what behavior to avoid and what secure practices to follow—and they agree that content management tools can help identify where the risks are.
The First National Bank of Bosque County in Texas has its employees sign an information-security policy every year. "We remind them that if they send out customer information, they can go to jail. That's a pretty good reinforcement," says Brent Rickels, the bank's senior vice president.
The bank uses SecureWave's Sanctuary software to monitor e-mail and Web traffic, as well as block instant messaging completely. When a user violates a policy set in the software, the employee's manager is notified and talks privately with any first-time offenders. The company tells the staff at large about the incident (without naming names) to reinforce the need for self-vigilance. Also, employees often tell other employees of their mistakes, to help others not make them, Rickels notes. If the behavior continues, the bank does name names, as well as begin disciplinary or termination actions.
Similarly, at the Texans, Ignatiev uses the Sanctuary tool to identify potentially dangerous behavior, such as employees entering clients' or personal credit card numbers at e-commerce sites. He uses Palisade Systems' technology to identify behavior like sending e-mails containing scouting reports to unauthorized recipients. Security staff notify managers, who then talk to the employee to explain why the behavior was risky, Ignatiev says.
Telling employees that you're monitoring their communications—and why—helps reinforce desired behavior, Kocher says: "People tend to behave much better if they think they're going to be observed."
Like many CIOs, Flynn and Ignatiev are approaching automatic blocking of e-mail, instant messaging and other outbound communications cautiously. The concern: False positives could block legitimate communications and hurt customer service. Flynn, for example, would not want automatic blocking of, say, messages containing credit card numbers to cause a stranded airline customer to miss out on a quick rebooking.
Some industries, such as banking, may decide it's better to block false positives than risk the fines and publicity for releasing customer information. "A lot depends on the risk to your business," says First National's Rickels.
Another risk: "Blocking can breed lack of trust," says Mark Rizzo, vice president of operations and platform engineering at game developer Perpetual Entertainment. "I would quarantine rather than block, but then you need a large staff to look at the messages so the delay is not noticeable," he says.
As companies get a better handle on what is actually occurring in outbound communications, some do foresee blocking some communication automatically. Perpetual's Rizzo expects to use Tablus's Content Alarm NW software to block outbound communications containing business secrets, namely the code for software games that Perpetual produces. Developers job-hop frequently, sometimes taking the code they developed by sending it out before they leave, Rizzo notes.
Understand Tool Limits
With outbound content management tools, "you can build very sophisticated concept filters," says Cliff Shnier, vice president for the financial advisory and litigation practice at Aon Consulting. Typically, the tools come with templates for types of data that most enterprises want to filter, and they can analyze contents of servers and databases to derive filters for company-specific information, he says. (Consultancies can improve these filters using linguists and subject matter experts.)
But as any user of an antispam tool knows, no filter is perfect.
"A big mistake is to have too much faith in the tools. They can't replace trust and education," says consultant Kocher. And they won't stop a determined thief, he says. Even when appropriately deployed, these tools don't create an ironclad perimeter around the enterprise. For example, they can't detect information that flows through Skype voice-over-IP service or SSL connections, Kocher notes. They can also flood logs with false positives, making it hard for IT security staff to identify real problems.
That's why CIOs should look at outbound content management as a supplemental tool to limit accidental or unknowing communication of sensitive data, not as the primary defense, he says.
Galen Gruman is a regular contributor to CIO.