To protect critical data effectively, organizations have to take a more data-centric approach to their security programs. Such an approach lets an enterprise defend against losses wherever sensitive data lives. Because sensitive data sits in so many places from which it can easily leak out of an organization unnoticed, it is important to apply the same controls to data being cut, copied and pasted as to data e-mailed or sent out of the organization by other means. Data loss points include data transferred through any e-mail or web channel, improper or missing access controls on systems containing sensitive data, lost or stolen unencrypted mobile devices, insecure transmission, improper destruction of information on electronic media, and a lack of separation of duties and access controls on databases and other shared systems.
Protection mechanisms fall into five major categories:
- Classic anti-malware and protections to prevent system infections
- Enforceable access controls
- Filtering for sensitive data types being sent out of the organization
As layers of protection supplementing traditional malware defenses, encryption and access controls are very important for protecting sensitive data from insiders regardless of where the data is: at rest, in use or in motion. Equally important is the ability to filter, log, and take action on outbound traffic and downloads. Last but not least, education has to be reinforced by the actions of the control systems themselves; an example is automatic encryption policies triggered by certain types of program actions (e-mailing, FTP).
In an information-centric approach to protecting sensitive data, all organizations need to:
- identify and classify their information assets;
- establish consistent policies;
- implement an appropriate portfolio of enabling technologies for encryption and key management;
- establish controls to ensure compliance with both internal policies and external regulations.
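As an added illustration of the outbound filtering and automatic encryption policy described above, and of the classify-then-enforce steps just listed, here is a small policy engine (example code, not from the original article). The data classes, channel names, policy table and sample payloads are constructed assumptions; the Luhn check is the standard card-number checksum, included so that arbitrary 16-digit numbers do not trigger the policy.

```python
import re
from typing import List, Set, Tuple

# Constructed detectors for two sensitive data classes.  Card candidates are
# 13-19 digits with optional space/dash separators; they must also pass the
# Luhn checksum to count, which filters out order ids and tracking numbers.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> Set[str]:
    """Step 1: identify which sensitive data classes an outbound payload carries."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.add("PAN")
    if SSN_RE.search(text):
        found.add("SSN")
    return found

# Step 2: hypothetical policy, (channel, data class) -> action.  E-mail gets
# the automatic encryption policy from the text; FTP carries no protection,
# so sensitive data over it is blocked.  Unknown pairs default to "block".
POLICY = {
    ("email", "PAN"): "encrypt", ("email", "SSN"): "encrypt",
    ("ftp", "PAN"): "block", ("ftp", "SSN"): "block",
}

def decide(channel: str, text: str) -> Tuple[str, List[str]]:
    """Step 3: enforce the policy; the most restrictive action wins."""
    classes = sorted(classify(text))
    if not classes:
        return "allow", []
    actions = {POLICY.get((channel, c), "block") for c in classes}
    return ("block" if "block" in actions else "encrypt"), classes

def log_event(channel: str, text: str) -> str:
    """Step 4: produce the audit record a compliance control would review."""
    action, classes = decide(channel, text)
    return f"dlp channel={channel} action={action} classes={','.join(classes) or '-'}"
```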