Data Protection is Impossible

Preventing data loss is one of the biggest challenges facing any CIO today. The problem is that data protection is impossible. From the moment data is generated, it is at risk of being misused, falling into the wrong hands, being sold to industrial spies, or simply falling off the back of a truck—literally. Protecting all data, from inception to final back-up and storage, is not just difficult, it’s not feasible.

That is not to say it is futile to install procedures and technology to protect data. You should just be aware that, ultimately, there will be a data loss incident and you will have to deal with it. At the same time, you can only spend so much to protect data. At some point, the return on investment in terms of better protection runs afoul of the loss of productivity introduced by more and more draconian measures.

The first issue facing the organization is determining which data to protect. “Everything” is not an acceptable segmentation. Most organizations start with personally identifiable information (PII), which includes names, addresses, birthdates, social security numbers, employment records, and health records of customers, employees, or the general populace. It is the loss of these records that has given rise to the current spate of public disclosures of data loss. A California law (1386) passed in 2001 requires notification of every individual whose PII is lost, be it through theft or just a CD left in the pocket of an airline seat by an over-worked auditor.

Check out this site for a continuously updated list of major data losses by U.S. companies, universities, and government agencies.

Just protecting something as simple to find and segregate as PII is a daunting task. Best practice is to encrypt just the columns in a database that contain SSNs, credit cards, and other PII. That avoids the mass theft of data as in the infamous TJX loss of 90 million credit card records. But what about when someone accesses the database? Can they write a script to systematically mine the database to pull that info? Can they subscribe to that database as some Nigerian entrepreneurs did to ChoicePoint, the credit agency?

What if the data is more than PII? Plans for a new missile for instance? Or internal financial discussions about an upcoming acquisition? Chemical formulae? Trade secrets? Quarterly results? The crop report? Salaries of executives?

I mention the last because when Lee Iacocca was negotiating major concessions from the UAW, a union janitor in the data center happened upon a greenbar printout of all of the top executives’ salaries. It put Iacocca in a very uncomfortable position when those high figures were made known.

Once you have identified the information you want to protect, how do you prevent it from leaking? There are vendors who provide products that search your internal network, find certain types of critical data, tag it, and then block it from leaving via the network. That plugs a huge hole. Just make sure you have deployed gateway filters over email, IM, file transfer, Web forms, and VoIP.

What about small storage devices like USB thumb drives, hard drives, PDAs, even cell phones and iPods? There is the case of the Indian IT worker at the secret intelligence agency who delivered stolen data to a U.S. embassy on USB thumb drives. There are solutions that can monitor USB devices and even block all but approved types. Or you could order PCs from the manufacturer with no USB ports. Either way, you introduce friction to the everyday task of moving information around.