As Data Storage Gets Smaller, Plugging Internal Leaks Gets Harder
CORAOPOLIS, Penn.-Beware the mobile phones and MP3 players that every employee carries around these days.
"Flash drives, digital cameras, card readers, cell phones, MP3 players and wireless routers have become such an accepted part of the average user's life that it's easy to overlook the fact that they're potential sources of compromise," noted Ed Wood, director-information security at Clearview FCU here.
Clearview worries that employees might accidentally load member data onto these ubiquitous "endpoint" devices and that the device would then be lost or stolen, he said.
The $626-million CU isn't as concerned that its "dedicated" employees would steal data, but an internal leak is always a possibility, Wood continued. "We have a large user base with access to data. These external devices are small, easily lost and have huge capacity. Staff is well-trained and conscientious, but accidents happen."
Clearview's anti-virus and intrusion prevention deployments do not address endpoint protection, Wood said. The CU needed specific software that prevents data loss by controlling access from devices and computer ports. About two years ago, Clearview installed "Safend Protector" on each of its 461 desktop computers, said Wood. Protector looks at all endpoint device traffic in real-time across all physical and wireless connection points.
When a user connects an unauthorized device or attempts any unauthorized administrative-level activity, Safend blocks access. Unauthorized attempts at access happen fewer than 10 times per week, said Wood. "Our staff is fairly well educated on what they are allowed to use, so it's pretty rare that someone's actually blocked from access."
When Safend does block a user, the appliance sends an alert to Wood. Alerts can be sent via e-mail, the network, logs, Windows Event Viewer, pop-up messages or custom scripts.
Wood said he is impressed by the "very granular level of control in the Safend management console. It allows us to custom-fit our deployment to a diverse environment."
Wood makes the most of Safend control by establishing different policies for different subsets of the user population, he said. Policies regulate, for example, allowable ports, device types or models, storage types, file types, wireless access and encryption methodology. Wood fine-tunes the policies further by creating lists of rights and allowable activity, he said.
Beyond providing endpoint protection for Clearview's desktops, Safend encrypts some of the CU's removable devices, such as flash drives. Wood said he is not using Safend to encrypt desktops at this point because there's little risk of data leakage due to a lost or stolen desktop. Although Safend offers laptop encryption, Clearview had already begun using a different laptop encryption solution before the Safend product was made available, Wood said.
Safend Protector is part of a larger data protection suite that allows organizations to audit all connected devices; map all sensitive data stored on endpoints; monitor data leakage from Web-based channels; and produce security and compliance reports.
Clearview employs a full network data loss-prevention solution that includes endpoint protection in addition to Safend's solution, added Wood. "I feel that diversity in our tools enhances our security, and the tools complement each other."