Strategic Security: Privacy Compliance Suites

Inadvertently exposing customers' personally identifiable information is a sure way to land your company in hot water. On tap to help: enterprise-ready privacy compliance systems, or PCSs, the next evolutionary

January 19, 2007

16 Min Read

Do you know the whereabouts of every drop of personally identifiable information (PII) on employees and partners as well as customers? Not likely. PII has seeped into the fabric of enterprise business processes and systems. Protecting it has thus far meant drowning in point products that attack the problem in narrowly focused ways, with little hope of integration. It's an expensive and time-consuming response to a situation created, in large part, by expensive and poorly designed OSs and applications that play fast and loose with sensitive data.

The next step in the evolution of PII protection? Robust, enterprise-ready PCSs (privacy compliance systems) that deliver a broad array of features and data-vector coverage and provide for integration at key points with other security technologies, encryption systems in particular.

Yes, we are suggesting you add yet another layer of security. The problem of peripatetic PII is real, it's not going away, and it's costing companies of all sizes serious money. We could join the chorus trumpeting the number of records lost during the most recent large-scale PII debacle, but instead, consider this: In September 2006, National Union Fire Insurance Co. began offering small and midsize companies a "Corporate Identity Protection" policy that, in case of a data security breach, will cover legal liability expenses, defense costs, regulatory action expenses, notification costs, crisis expenses and even post-event services such as assistance and credit monitoring for customers or clients who were harmed. You know a risk is here to stay when an insurance company will sell you a policy to indemnify against it.

Today, the PCS arena is in its adolescence, lurching forward in fits and starts. As of press time, PCSs typically offered only a subset of the essential features we discuss in "PCS: Multipronged Protection". And only the most visionary of vendors have their eyes on our ideal.

We're looking at this as an opportunity. Too many promising technology concepts fail to live up to expectations, so this time, let's get out ahead of the vendors. By delineating the ideal PCS, we'll give you the know-how to ask tough questions and demand a comprehensive solution--before the PCS becomes yet another security product category that fails to adequately protect us.


The Vision

Our ideal PCS is a comprehensive enterprise suite that manages and enforces the technical components of your privacy policies, including those driven by regulations. While it will help track and control intellectual property, a PCS focuses primarily on privacy-related issues. The two main variations are host- and network-based PCSs. The former, the HPCS, does endpoint activity monitoring and enforcement. It allows privacy policies to be applied to host-based data-leak vectors, such as removable storage and printers. NPCSs provide PII-focused content monitoring and filtering functionality across all common network protocols, including Web-based e-mail and IM.

The NPCS market has attained relative maturity compared with its host-based counterpart. Network-protocol decoding technology is approaching commodity status, with vendors adapting HTTP caching and e-mail content-monitoring products to the privacy compliance paradigm. In addition, NPCS products had a head start. Vendors devoted development teams to these efforts, reflecting their belief that NPCSs would attract early adopters due to their relative ease of deployment. PortAuthority Technologies, Tablus, Vericept and Vontu have emerged as early frontrunners in this market (see our review of data-leak prevention products).

Some PCSs, including those from PortAuthority, Tablus, Vericept and Vontu, can do active enforcement, shutting down a connection if they detect privacy policy violations. As IT learned with IDSs, active enforcement carries the risk of short-circuiting a legitimate transaction. On the other hand, the stakes in the privacy compliance world are often higher than those in the general security realm. A successful exploit against a low-value Web site can always be detected by a standard IDS and cleaned up after the fact. But a Valdez-like scenario in which your customers' personal records slip out through an e-mail attachment may trigger your state's breach notification requirement, a serious liability with long-term ramifications. See "The Danger of Active Enforcement" for more on this topic.

Now Where Did I Put That Data ...

Knowing on which hosts PII resides and, hopefully, who maintains it, is the critical first step in developing the technical component of a privacy compliance program. A key feature emerging from several leading PCS vendors is the ability to discover, in a proactive manner, where PII is located in your enterprise. Tablus Content Sentinel lets you launch HPCS processes on hosts within your network, for example, without your having to do any installation. These processes scan for PII and may take actions, including deleting, encrypting or quarantining data. Not only will this provide a map of which users and departments are housing and using PII, it may reveal some critical instances in which a long-forgotten test server or a reprovisioned (but not sanitized) laptop retains unauthorized PII data stores.

Pulling this off without the heavy lifting of an agent deployment is attractive, and we expect to see other vendors follow Tablus' lead. In fact, this type of "PII scanner" is analogous to vulnerability assessment scanners in the information security field, and corresponding privacy compliance consulting services will likely grow up around these products.

The NPCS paradigm presents a more passive approach. You have to wait until the NPCS detects PII transfers in violation of policy. Then, depending on your network infrastructure, tying the violation back to a workstation and an individual may be a straightforward exercise ... or a chore.

Finally, the HPCS architecture supplies the most robust solution for discovery. With functionality located directly on the host, usually running as a low-level shim to the OS, the PCS has full view of data storage and network processing. However, HPCSs are typically expensive, and those in charge of workstation provisioning and deployment are likely to level you when you request a corporatewide install of an agent. Consider Oakley Networks, known as having perhaps the most powerful HPCS system out there. Its Sureview product is second to none in terms of features, but it starts at $75,000 for 100 seats; fortunately, discounts quickly kick in for larger deployments. Early versions of HPCSs are also offered by SecureWave and some of the other vendors beginning to compete in the hybrid HPCS/NPCS space, such as Tablus.

Compliance X2

Tech marketers around the globe spin compliance to mean whatever will best sell product. But a true PCS must address two specific facets: regulatory compliance and internal policy compliance.

Regulatory compliance, in the privacy context, is the effort made by your company to comply with state and federal laws that govern how you gather and process PII. The relation of privacy compliance systems to regulatory compliance is obvious: If you're required to comply with these laws, your PCS must be aware of specific regulatory requirements. Standard interpretations of the GLBA (Gramm-Leach-Bliley Act), for example, impose rules regarding PII, including SSNs (Social Security numbers), and therefore your PCS should be capable of identifying SSNs within the data it analyzes.

Internal policy compliance, in the context of privacy, is the effort made by your company to adhere to its own privacy policies. For example, your HR department probably has a specific rule regarding under what circumstances an employee's electronic personnel file may be e-mailed to a third party.

Ideally, your privacy policy efforts will be centralized, preferably under a chief compliance officer; see for more details on the emergence of the CCO in the enterprise. This makes sense because regulatory privacy compliance and internal privacy compliance are more alike than different--both deal with who may see, share or store PII and under what circumstances.

The Encryption Connection

Encryption technology is a key tool in addressing privacy and information security risks. "Encrypt the PII," for instance, is a standard action that can be performed when a PCS detects a policy violation--if you have an encryption capability in place.

Say your NPCS detects that a user is e-mailing unencrypted health-related PII to a third-party contractor, in violation of privacy policy. The PCS system springs into action and, through an integration point with an e-mail encryption product, such as those from Voltage Security or IronPort Systems, automatically encrypts the e-mail.

True, e-mail encryption vendors can perform precisely this type of on-the-fly policy-based encryption. But the value added by a NPCS is that it watches over several network protocols, triggering data encryption when necessary, letting you configure your privacy policy enforcement through one interface. As policy-enforcement mechanisms become integrated into the network infrastructure, as with Cisco's AON, for example, we expect to see these products being integrated with NPCSs, allowing, for instance, XML documents to be encrypted according to privacy policies.

The other major consideration surrounding the intersection of PCS and encryption is that, as with network intrusion detection, encryption renders network-layer inspection impossible. Therefore, if you've already encrypted e-mail or Web services, your PCS needs to offer an integration point to view unencrypted traffic (see "Developing a Secure E-Mail Strategy" at for more gotchas with e-mail encryption). Some PCS products, such as PortAuthority Protector, interface with Blue Coat's proxy product that provides decrypted SSL streams for corporate information security purposes, such as filtering for malware.

No Panacea

A PCS will attempt to enforce your privacy policy through various functions pertaining to PII: discovery, monitoring, auditing, encrypting or blocking. It will provide visibility into the current state of privacy compliance within the organization and may enforce the policy, where possible and appropriate.

What current PCS technologies will not do is stop a determined, malicious attacker, whether an employee or a corporate spy. Although vendors are making strides in covering an increasing number of data-leak vectors, this arms race is fierce. As soon as a vendor's development team figures out how to monitor, say, Bluetooth devices, another network printing protocol or mobile computing platform emerges, representing a potential data vector through which PII can flow.

Privacy By the Numbers

90: Days the OMB M-06-16, issued in June, allows government agencies to hold sensitive data in databases; to hold PII beyond 90 days, agencies must certify that it is still required. See NIST's recommendations (PDF). Source: Whitehouse.gov

1,000: Number of individuals whose names, social security numbers and in some cases additional identifiers, such as addresses, were found posted on the GAO's Web site in June. Among the documents were 30-year-old audits of DoD employee expense reports (PDF). Doh. Source: GAO

6 in 10: Consumers who felt that their primary banks and brokerages did at least an adequate job protecting their assets from online fraud. Source: Forrester Research

43: Third-party audits ChoicePoint faced in 2005. It expects to complete 30 this year, including a particularly grueling one required by the FTC. The company spent $29.1 million through June 2006 addressing the data breach incident and has, by all accounts, become a poster child for secure PII handling. Source: Gartner

41%: Online consumers who always or almost always review the privacy policy on a Web site where they are about to make a purchase or provide personal information. Source: Forrester Research

As PCSs meld with traditional information security technologies, they will be able to detect not only the harried sales representative cutting corners, but also the determined and disgruntled employee attempting to evade detection. For now, though, the model focuses on enforcing privacy by curbing violations caused by ignorance or laziness. Preventing violations resulting from malicious behavior is a year or two down the road.

Decision Time

This market is picking up steam. Frontrunners PortAuthority, Tablus and Vontu have well-developed offerings. The option to deploy both host- and network-based systems in an integrated and flexible manner will be a requirement in the next few years, and visionary vendors--Tablus and PortAuthority in particular--have begun melding agent-based HPCS products with their network counterparts.

Although we haven't yet seen IDS vendors positioning themselves in this market, we expect the stampede to begin as money spent in the PCS market grows over the next couple of years. After all, these vendors have built most of the necessary foundational technologies that could be leveraged into PCS platforms through incremental developments.

Maintain a focus on the encryption factor. The ability to encrypt in a flexible, policy-based manner is just as important as knowing where your PII is scattered throughout the corporate network. Enterprise encryption deployments are notoriously expensive and difficult to engineer, and you shouldn't expect your PCS vendor to create its own encryption functionality from scratch. Maintaining solid partnerships with existing encryption vendors gives you flexibility as well as the confidence of working with a mature vendor when delivering these difficult features.

Finally, the product must interface well with people--everyone from the compliance officer, CEO and general counsel to the security operations folks who'll be sitting in front of the PCS console, managing and tracking individual events.

Patrick R. Mueller is completing his law degree and a master's degree in public affairs at the University of Wisconsin-Madison, specializing in privacy and data security law and policy. He was previously a senior analyst for security consultancy Neohapsis. Write to him at [email protected].

FYI: Expectation of Snooping? Several privacy organizations recently joined with the ACLU in asking the U.S. Court of Appeals for the Sixth Circuit to extend Fourth Amendment protections to e-mail messages stored by ISPs. Currently, the government can obtain e-mail without a probable cause warrant and without prior notice to the e-mail account holder. The suit, Steven Warshak v. United States of America, is being closely watched by privacy advocates. Read the amicus brief (PDF).

What's Available Now?

NPCSs are designed to enforce privacy policies through network-level inspection. NPCS tools operate similarly to the network content monitoring and filtering model, sitting at a network choke point and watching all incoming and outgoing network traffic for data containing PII that's being transmitted in violation of your organization's privacy policy. We reviewed two NPCSs, from PortAuthority Technologies and Vontu, in "Plug the Data Drain" (see nwc.com/showArticle.jhtml?articleID=193003538). Other NPCS vendors include Proofpoint, Tablus and Vericept.

But NPCSs can see only the PII that traverses a network gateway. This means that they're not completely effective unless you take an aggressive security stance, cordoning off application and database servers and marching all network traffic through the inspection processes of a firewall and network intrusion-detection system--and can afford the overhead of a third tier to watch for privacy policy violations.

What if you're stuck with a paradigm in which your network security controls are pushed out to the edges, shielding you only from attacks emanating from your Internet and partner connections? The solution is to move the PCS code to the hosts themselves by deploying an HPCS. There are plenty of other benefits to a host-based solution, which mirror the reasons that host-based IDSs can catch threats that network IDSs cannot: Encrypted network traffic hides content, users may be completely disconnected from the corporate network, and some violations will be completely host-centric and create no network traffic whatsoever.

If you're going to get serious about technological solutions for privacy compliance, the code needs to be running on the end hosts. HPCSs are still in early stages, but Oakley Networks, SecureWave and some NPCS vendors, including Tablus, are testing the waters. Problem is, few of these products are ready for prime time. Some are unrefined, while others haven't yet begun to address specific privacy-focused requirements.

Our recommendation? Start out with an NPCS product from a vendor with a vision that's rich enough to offer a robust HPCS solution down the line.

Watch and Learn

How does a PCS know what type of PII to watch for? Ground-level functionality should include basic PII data primitives, such as Social Security, telephone and credit card numbers. These should be assembled into template policies focusing on the regulatory frameworks relevant to your organization. These templates should also be customizable and extensible.

Next, you should be able to write your own rules. This critical function deserves utmost attention during your evaluation and testing phases, as products offer quite different levels of features.

Essentially, three types of rules-writing features are available; few products will offer the full panoply.

First, there's the basic common denominator: keyword searching. Static and limited in nature, its utility can really only be exploited in highly structured work environments in which, for example, data classification efforts result in reliable metadata being included in documents, typically through a document management system.

Regular expression rule-writing features provide much more flexibility, allowing organizations to track their unique types of data, such as a hospital's patient identifier format.

Finally, document and data fingerprinting provide the ability to track particular documents, components of documents or even individual data records from within a database. Although an administrator must undertake some up-front tasks to feed the data to be tracked into the PCS, the payback is immense. Simply put, the unique identifying features of many kinds of PII sometimes fail to be captured through keyword or regular expression rule capabilities.
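To make the three rule types concrete, here is an added Python example; it is not from the article or from any of the vendors it names. It implements a keyword rule, regular-expression rules for the SSN and credit-card primitives (with structural checks and Luhn validation, so an arbitrary 16-digit string does not fire), and a record-fingerprint index that stores salted hashes of protected cells pulled from a database and flags a message only when several cells from the same row co-occur. The `sqlite3` in-memory table stands in for the ODBC connection a product would use; the keyword list, salt, table contents and sample messages are all constructed for the demonstration.

```python
import hashlib
import re
import sqlite3

# Rule type 1: keyword search. Only useful where documents reliably carry
# classification labels, e.g. inserted by a document management system.
KEYWORDS = {"confidential", "restricted", "phi"}  # constructed label set

def keyword_hits(text):
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & KEYWORDS)

# Rule type 2: regular expressions for PII primitives. Structural checks
# (no 000/666/9xx SSN areas, Luhn for card numbers) trim false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def regex_hits(text):
    hits = [("ssn", m) for m in SSN_RE.findall(text)]
    for m in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", m)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m))
    return hits

# Rule type 3: fingerprinting of individual database records.
def _norm(value):
    return re.sub(r"\W+", "", str(value).lower())

class RecordFingerprints:
    """Salted hashes of protected cells, grouped by source row.

    Only hashes are kept, so the index itself does not become a new PII store.
    """
    def __init__(self, salt=b"constructed-salt"):
        self.salt = salt
        self.cells = {}  # cell hash -> set of row ids containing that value

    def _h(self, value):
        return hashlib.sha256(self.salt + _norm(value).encode()).hexdigest()

    def load(self, conn, query):
        # sqlite3 stands in for the ODBC link a product would use to refresh
        # the index straight from the live database. First column = row id.
        for rid, *fields in conn.execute(query):
            for f in fields:
                self.cells.setdefault(self._h(f), set()).add(rid)

    def matches(self, text, min_cells=2):
        # Flag a row only when several of its cells co-occur in the text:
        # a bare surname is noise, surname plus that row's SSN is a record.
        seen = {}
        for token in re.findall(r"[\w-]+", text):
            h = self._h(token)
            for rid in self.cells.get(h, ()):
                seen.setdefault(rid, set()).add(h)
        return sorted(r for r, cells in seen.items() if len(cells) >= min_cells)

def scan(text, fingerprints):
    """Run all three rule types over one message and return the hits."""
    return {
        "keywords": keyword_hits(text),
        "regex": regex_hits(text),
        "records": fingerprints.matches(text),
    }

def build_sample_db():
    # Constructed stand-in for a protected patient table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, last_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                     [(1, "Doe", "123-45-6789"), (2, "Roe", "234-56-7890")])
    return conn

# Constructed sample messages: one leak, one look-alike that should pass.
SAMPLE_LEAK = "CONFIDENTIAL: patient Doe, SSN 123-45-6789, paid with card 4111 1111 1111 1111."
SAMPLE_CLEAN = "Order 1234-5678-9012-3456 confirmed for Roe; ship Monday."

if __name__ == "__main__":
    fp = RecordFingerprints()
    fp.load(build_sample_db(), "SELECT id, last_name, ssn FROM patients")
    for msg in (SAMPLE_LEAK, SAMPLE_CLEAN):
        print(scan(msg, fp))
```

The second sample shows why validation matters: a 16-digit order number has the shape of a card number and a customer surname appears in the index, but the Luhn check fails and only one cell of the row is present, so nothing fires.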

For products that fingerprint structured data from relational databases, the major differentiating factor is whether the product can interface directly with the database using standard protocols such as ODBC, a major advantage allowing real-time index updating. Lesser products require tedious, manual updates in which the administrator must export the database before it can be profiled for protection.

The Dangers of Active Enforcement

Of course, privacy policy violations are not always resolved by encrypting data. Perhaps the customer list is never supposed to go out on e-mail, encrypted or not. Or perhaps, whenever credit-card numbers and CVVs are flowing out of the e-commerce DMZ, a network security control has failed and customer privacy is being breached.

Therefore, PCS products also allow other responses, from auditing and alerting to full-on blocking (for NPCS) and quarantining or deletion (for HPCS). The more intrusive measures open you up to the same risks as we've seen with IPSs: A false positive may impact a business process, potentially causing real losses in revenue. If the NPCS keeps zapping the time-sensitive contract your sales rep is trying to send a potential client, you're going to hear about it.

If you plan on active enforcement, ensure your PCS vendor allows you to tune the sensitivity of the PCS, a critical feature when it's time to go from auditing to blocking as a response to violations. As with IPS products, budget plenty of time and resources for extensive testing and custom rule writing before you flip the switch.
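As an added illustration of the tuning point above, and of the encrypt-on-violation hand-off described under "The Encryption Connection", the following Python sketch is not from the article or from any product it mentions. It scores a message with weighted indicators (a pattern next to its context word scores higher than either alone), picks a preferred response (allow, alert, encrypt, block) from policy thresholds, and then gates that response by an audit/alert/enforce mode, so the audit log shows what blocking would have done before you flip the switch. The indicators, thresholds, channel names and the two sample messages (a health record and a sales contract whose number happens to be SSN-shaped) are constructed.

```python
import re
from dataclasses import dataclass

# Constructed indicators: (name, pattern, weight). Context words are scored
# separately so that an SSN-shaped number alone stays below the block line.
INDICATORS = [
    ("ssn_pattern", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 3),
    ("ssn_context", re.compile(r"\b(?:ssn|social security)\b", re.I), 2),
    ("health_context", re.compile(r"\b(?:patient|diagnosis)\b", re.I), 2),
    ("card_pattern", re.compile(r"\b\d{4}(?:[ -]\d{4}){3}\b"), 3),
]

@dataclass
class Policy:
    mode: str = "audit"          # "audit" (log only), "alert", or "enforce"
    encrypt_threshold: int = 3   # score at which external e-mail is encrypted
    block_threshold: int = 5     # score at which the transfer is stopped

def score(text):
    """Sum indicator weights; return the total and which indicators fired."""
    total, reasons = 0, []
    for name, pattern, weight in INDICATORS:
        n = len(pattern.findall(text))
        if n:
            total += weight * n
            reasons.append(f"{name}x{n}")
    return total, reasons

def decide(policy, text, channel, external):
    """Return the applied action plus the action the policy would prefer.

    channel: "email", "http", "im", ... (constructed names)
    external: True when the recipient is outside the organization
    """
    s, reasons = score(text)
    if s >= policy.block_threshold:
        preferred = "block"
    elif s >= policy.encrypt_threshold and channel == "email" and external:
        preferred = "encrypt"  # hand-off point for an e-mail encryption gateway
    elif s >= policy.encrypt_threshold:
        preferred = "alert"
    else:
        preferred = "allow"

    # The mode decides how much of the preferred response is really applied;
    # "audit" still records the preferred action so thresholds can be tuned.
    if policy.mode == "audit":
        action = "allow"
    elif policy.mode == "alert":
        action = "alert" if preferred != "allow" else "allow"
    else:
        action = preferred
    return {"action": action, "preferred": preferred, "score": s, "reasons": reasons}

# Constructed sample messages.
SAMPLE_HEALTH = "Patient John Doe, SSN 123-45-6789, diagnosis attached."
SAMPLE_CONTRACT = "Contract 123-45-6789 is time-sensitive; please sign today."

if __name__ == "__main__":
    for mode in ("audit", "alert", "enforce"):
        policy = Policy(mode=mode)
        for msg in (SAMPLE_HEALTH, SAMPLE_CONTRACT):
            print(mode, decide(policy, msg, "email", True))
    # An over-sensitive policy blocks the sales rep's contract outright.
    print("tight", decide(Policy(mode="enforce", block_threshold=3),
                          SAMPLE_CONTRACT, "email", True))
```

Running the same message set under each mode is the evaluation exercise the text recommends: the audit pass reveals that a block threshold of 3 would have stopped the contract, so the threshold is raised to 5 before enforcement is switched on, and the contract instead goes out encrypted.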
