Wed, October 15, 2008 — CIO — When it comes to protecting data, there isn't one end-all, be-all solution. That's more true now than ever, when your most likely threat is your own employees. As more workers blur the line that surrounds the workday and bring their laptops, smartphones and other devices home, they are potentially putting their companies' data at risk. In a recent CIO survey, 34 percent of respondents had a security breach where their own current employee was the culprit.

Data loss prevention tools provide ways to identify risky data-handling activity and enforce a remediation action, says Jonathan Penn, VP of security and risk management at Forrester Research. Currently available software to prevent data loss addresses three levels of security: protecting networks from rogue devices, protecting systems from inappropriate access and protecting the data itself. A modern strategy to keep data secure should involve a bit of each, says Penn.

Block Unknown Devices

Deputy CIO Jeff Kuhns needed to protect the networks of 24 campuses within the Pennsylvania State University System against rogue devices—that is, any device not expected to be on the LAN. To address this need, Kuhns deployed software from Mirage Networks.

The software offers a traditional approach to protecting data by keeping outsiders at bay. Once installed, the Mirage system locates connected devices. The IT department can set up access policies for each device and for individuals or groups of users. The system protects data by blocking unauthorized devices from accessing prohibited data.

Such "agentless" solutions are good for organizations that have little control over the devices that end users choose, says John Kindervag, a senior analyst at Forrester. Unlike agent-based solutions, which require software on the device itself, agentless solutions reside on the network. However, as with any security tools, they can't stand on their own. "Agentless [technology] has been the primary way data loss prevention has been deployed," says Penn, "but few vendors have rich agent functionality that is unified with network scanning and remote discovery."

At Penn State, says Kuhns, Mirage software is part of "a defense-in-depth deployment of multiple systems and strategies." These include traditional security devices and software such as firewalls and antivirus technology.

From Devices to Databases

With limits to network-based protection in mind, some organizations have turned to tools that ensure legitimate users don't access data improperly. That's the problem that Nick Ray, CEO of expressHR, wanted to address.