Should data security be automated to the point where the process of achieving it is completely invisible to end users? Automation is the holy grail of data security to many security experts and vendors who envision the day when information is locked down and secured before anyone touches it.
However, not everybody agrees with this goal, arguing that long-term data security may be more assured when informed users are part of the process. That's a view shared by Richard Timbol, security manager at Amalgamated Family of Companies, who sees data security as an employee's responsibility as much as the company's. "If you put too much responsibility on the corporate side, you're doing a disservice by not improving the education level of your employees, of their responsibilities to protect live data," he says. "It's good for employees to have that knowledge. We believe in a strong security awareness posture, and not just to have a bunch of big brother rules forced upon employees."
Amalgamated is a group of companies that includes a life and health insurer, a property/casualty brokerage, a third-party administrator, a medical management firm, a computer outsourcing company and a printing and graphics company. Across the various business units, employees and applications manage large volumes of sensitive data every day, including insurance policies, customer health information and other personal data. "Up to 75 percent of our data is sensitive data," Timbol says. "We manage a lot of health information and data for our clients. So that's a significant part of the data we generate on a daily basis."
Thus, ensuring the security of this data and compliance with industry standards such as the Health Insurance Portability and Accountability Act (HIPAA) is a high priority. "At the end of the day, regardless of what our business lines are and what we're doing, we handle a lot of personal information," says Timbol. "We need to ensure that we're providing our clients with the best privacy possible, as well as complying with all of the various state and federal regulations."
E-mail Issues
Data security has many fault lines, and among the most prominent is e-mail. Amalgamated employees exchange significant amounts of information with partners and customers via e-mail messages. To meet security requirements, the company originally relied on employees to manually encrypt messages containing sensitive data. However, those posed risks, such as employees not understanding when they needed to encrypt a message, or failing to notice a Social Security number or other sensitive data hidden at the bottom of a message forwarded to them after multiple back-and-forth exchanges.
Inbound e-mail filtering also posed problems. The company lacked the ability to provide detailed, customized reports on what was being blocked. This made it impossible for the company to investigate false positives, an important business requirement. "We have a couple of scenarios," says Timbol. "There's corporate-to-corporate data: Whether we're the covered entity or the business associate, we have to trade information with our vendors. So we have to ensure that transmission is secure. Then, of course, we also communicate directly with the end users of the information."
To address these concerns and meet privacy and HIPAA compliance standards, Amalgamated moved to a more automated, rules-based solution based on Proofpoint Enterprise Privacy, a data loss and prevention suite.
Balancing Act
Amalgamated's approach is to automate a great deal of this information, but still keep employees engaged in the process. The challenge, Timbol explains, is that if you do everything in the background, you take the responsibility away from the employees who don't know what's going on. "We believe very firmly that every employee should be a guardian of that information. We didn't want to totally take away the responsibility from them. We wanted them to be aware of what they need to be secure."
At the same time, Timbol continues, "we didn't want to put too much of the onus on the individual," he continues. 'Everyone has bad days, right? Someone may forget to encrypt a message, especially if they're in a hurry, or get sidetracked. These things happen."
The key, Timbol continues, was to be able to provide a data security "safety net." If the individual "mistakenly did not do what they needed to do to protect the information, then we had a process in place that would ensure that the data is still secured."
This challenge particularly related to e-mail, Timbol says. "E-mail is probably one of the biggest ways of communicating data either between the users or between companies. We have queries come out, contacts, requests to verify claims. We wanted to make sure that we had security awareness among our employees, but at the same time, if they failed to secure it properly, we would still be able to catch that, and ensure that data's protected."
Initially, the encryption process was to be entirely automated, but the company decided that taking responsibility away from users could lower organizational sensitivity to the importance of security and HIPAA compliance. It was decided that the Proofpoint system should function as a backup, automatically encrypting messages if users failed to do so, and also sending a message to the offending user.
The end result was establishment of a security environment that provided for this balanced requirement. "One, it's about maintaining security awareness on individuals. And two, it's about catching whatever gets missed in the background," Timbol explains. "Say I'm sending you an e-mail with a Social Security number. A keyword is typed into the subject line, which automatically triggers the encryption. The encrypted e-mail goes out, and the end user receives an e-mail that says they have a secure e-mail waiting, and directs them to click on a link." First-time recipients will be prompted to set up a security code, he adds. This level of security also meets the FIPS 140-2 guideline, the standard that will be used by federal organizations when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data.
Amalgamated's system has a network appliance designed to analyze the content of outgoing e-mails. For e-mails sent without security keyword triggers in the subject line, the appliance scans the content against a terminology dictionary.
If sensitive data is identified in the body of the e-mail, the message will automatically be encrypted. "It also sends an e-mail back to the person who sent the message, explaining that the e-mail had sensitive data, with basic compliance requirements. And it will tell them it encrypted the mail, is still forwarding the mail, but tells them to 'please be aware that you need to encrypt it.'" For employees who repeat the mistake, "we can see where we're having an education problem," he adds.
With this approach, the Proofpoint solution not only ensured appropriate encryption and compliance, but also served an educational function for employees. The bottom line is that the system "allows us to maintain a security awareness posture, and keeps the employee involved in that responsibility," Timbol says. "It also allows the corporation to know that our data is secure, and our clients have their data secure."
Outside and Inside Risks
Today, Amalgamated is in full compliance with HIPAA requirements and has dramatically reduced major risks associated with security breaches related to e-mail. The company has also increased the effectiveness of its spam and malware blocking efforts while gaining access to customized reports that eliminate the possibility of "lost" e-mail that was inadvertently blocked. It is difficult to quantify the ROI of risk reduction, although it is common knowledge that security breaches can have catastrophic effects both on customers and the credibility of the company that was breached.
In addition, e-mail is just one aspect of the data security challenge. "We also have secure FTP, in which data at rest is encrypted," Timbol points out. "If data is encrypted, it's a lot harder. Even if people break through your defenses and actually access files, now that file is in an unusable form."
Internal data security is just as important as external security. "From the inside, if someone manages to get in your building and attach to a computer, the wireless network or a desktop, they just can log in and take the data that way," Timbol points out. "Aside from the typical network login and application authentication that everybody has, we also take an approach toward locking down our USBs for example, so that people can't attach portable storage, unless they are FIPS 140-2 encrypted."
Plus, the rise of bring-your-own-devices in the workplace adds a new dimension to the data security challenge, and again puts the spotlight on personal responsibility, Timbol continues. "Blackberries were easy, because they were corporate-supplied devices, and you were able to enterprise-manage the policy. Now you have a lot of people coming in with smartphones or iPads. "We're taking a similar strategy where we're able to put the enterprise policy on any device connecting to our network. Of course you have to cover that under your electronic policy agreement that you have with your employees, that they understand the responsibilities they have, as well as to help them along the way by being able to push out password policies. Every device, regardless of where it comes from, if it touches our network, it has to have a complex password."
Ultimately, companies and employees alike need to be vigilant and think outside the box, Timbol says. "Firewalls and antivirus protection are very 1980s concepts if you stop there. The value of information is a lot higher than it ever was before. If you have personally identifiable information-date of birth, mother's maiden name, or even a medical diagnosis, they can tailor identity theft around that. So, it's crucial for us, in this business environment, to ensure that a best-of-breed approach is taken."
The best defense is to "raise the cost on the attacker so high, making them spend more and more effort to get in, that they just move on to an easier target," says Timbol. "That's really the approach right now-your neighbor's six-foot fence versus your 40-foot high stone wall."
Joe McKendrick is a Doylestown, Pa.-based author and consultant specializing in IT, and a regular blogger for insurancenetworking.com.
