Information Leakage Protection
By stern on Jan 23, 2008
Yesterday morning Sun co-sponsored a seminar on Information Leakage Protection along with our partners BatBlue and Reconnex and speakers from a major investment bank and a media company. It was my job to set the tone for the morning, somewhere between projecting an imminent crisis and treating this as a theoretical exercise.
The "classical" view of information leakage protection (ILP), or data leakage protection (DLP), is that you want to keep your data safe in your databases, prevent emails from trickling out to the wrong sources or from being intercepted if they contain sensitive data, and avoid the theft of laptops, PDAs and desktops filled with confidential information. The "networked" view is that we have dozens of transmission vectors that provide partial information, and with enough compute power or time to join this data to other publicly accessible sources, we run the risk of second- and third-order information leakage. I started by paraphrasing a study done at the University of Washington that looked at the Nike+iPod RFID transmitter as a personal data leak. On the surface, it's not a big deal if your sneakers broadcast their serial number such that a sub-$100 sensor can track physical location. But marry that to secondary sources of data -- students in a class, security camera video, DHCP logs (which reveal MAC addresses that may be familiar to you) -- and you can construct a crude mapping of people to those IDs in the literal sneaker net.
My guidance for thinking about ILP was to think in four layers: (1) the persistence mechanisms used, including filesystem crypto, encrypted tapes, tape handling, and backup security; (2) applications, both purchased and developed, and their persistence of data, logging, transfer of data and identity management; (3) services consumed, where the application may reside on the other side of a network and users convey a variety of identification and data to the services; and (4) the devices we use to access all of the above. Determining how to best seal the leaks requires a combination of detection and prevention tools (mechanism) with clearly communicated rules for data and information handling (policy). Several of the speakers highlighted personal webmail (Gmail, Yahoo, Hotmail, cable providers) accounts as a major source of information leakage; while the companies in question had protected their in-house mail servers, users could still send attachments using mail tunneled through HTTPS.
The bottom line is that the adage I learned in college radio still holds true: be careful what you broadcast, because someone may be listening.