Data Leaks

Posted on 2009-07-10
Medium Priority
Last Modified: 2012-05-07
Can anybody recommend a good solution to ensure nothing meant for private eyes gets published on your corporate website? Commercially sensitive docs, personal docs, passwords, etc.

Basically, in our setup we have numerous authors for the main corporate website for each company department. Using Google's site operator and the Google hack DB, I have noticed some stuff has been published on our corporate site that should never be seen by anyone except internal staff. Our web authors use a CMS to edit pages, and there is an author and approver level permission, so once someone develops a page the author scans through its content and agrees to publish it. However, either the approvers aren't doing their job or the authors can approve their own page, but sensitive data is being published out to the world and we need a solution to make it stop.

What tools are out there for this problem? Do they scan the site for keywords or something?
Question by:pma111
LVL 19

Accepted Solution

CoccoBill earned 500 total points
ID: 24822079
I think this is one task that needs human intervention, no automated tool can be trusted to perform it fully. They can, however, be used to support the process and act as an additional control.

What you need is an information classification policy, which defines the levels of data confidentiality (such as public/confidential/private/secret), defines what data belongs to which class, and the appropriate regulations regarding the storage, publication, transport, retention, disposal etc. for said data. This policy needs to be communicated to the users and they need to approve to abide by it. After that, all relevant processes, such as in this case the process for publishing data on the public web pages, need to be revised (or created) to reflect the policy. This process, while not making data leaks impossible, at least makes them less likely to happen by accident, and someone will be directly responsible if something does happen.

Make sure the configuration of the CMS supports the process, for example all publications and changes have to be reviewed and approved, the author must not be able to approve his own data etc.

Author Comment

ID: 24822157
Thanks CoccoBill, I agree with you. I'd like the tool to act as a secondary review more than anything, to check they are abiding by the approval stages and not approving their own stuff. Are there any tools out there you know of?
LVL 19

Expert Comment

ID: 24822194
I'm not aware of any separate products for this exact purpose. The best option would probably be if this functionality could be integrated with your CMS product, and prevent approval if certain keywords are found. Which CMS are you using?

Author Comment

ID: 24822219
The old version of Microsoft CMS
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 24822853
This is the first line of most DLP solutions, "catching stupid" it's called.
You'd need to set the DLP up to know what docs or keywords shouldn't be displayed; it can look to the disclaimer at the bottom, "this memo is confidential and should not be viewed by...". Or if there is a certain place non-public memos are stored or made, the DLP can scan to see if anything in those locations appears on the public side of your network or if someone is sending it out in an email. Nothing is fool-proof, but you can "catch stupid" with most DLPs.
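
A secondary review of the kind discussed in this thread, as an added example that is not part of any participant's post or of any DLP product: it flags published pages that carry confidentiality markers (including the disclaimer quoted above) and pages whose author and approver are the same person. It assumes the CMS can export each page's URL, author, approver and HTML; the field names, marker list and sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed marker list; a real one comes from the information classification policy.
MARKERS = {
    "disclaimer": re.compile(r"this memo is confidential", re.I),
    "handling-label": re.compile(r"\b(internal use only|not for distribution)\b", re.I),
    "credential": re.compile(r"\bpassword\s*[:=]\s*\S+", re.I),
}

class _Text(HTMLParser):
    """Collects page text plus HTML comments, which also reach the public."""
    def __init__(self):
        super().__init__()
        self.parts = []
    def handle_data(self, data):
        self.parts.append(data)
    def handle_comment(self, data):
        self.parts.append(data)

def page_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    # Normalise whitespace so a phrase split across tags or lines still matches.
    return " ".join(" ".join(parser.parts).split())

def review(pages):
    """Return (url, finding) pairs; only the marker name is reported, not the matched text."""
    findings = []
    for page in pages:
        if page["author"].strip().lower() == page["approver"].strip().lower():
            findings.append((page["url"], "self-approved"))
        text = page_text(page["html"])
        for name, rx in MARKERS.items():
            if rx.search(text):
                findings.append((page["url"], "marker:" + name))
    return findings

# Constructed sample export (hypothetical fields: url, author, approver, html).
SAMPLE = [
    {"url": "/hr/benefits.html", "author": "alice", "approver": "bob",
     "html": "<p>Our benefits overview.</p>"},
    {"url": "/finance/q3.html", "author": "carol", "approver": "Carol",
     "html": "<p>Q3</p><p><b>This memo</b> is confidential and should not be viewed by...</p>"},
    {"url": "/it/vpn.html", "author": "dave", "approver": "erin",
     "html": "<p>VPN setup</p><!-- test login password: Example123 -->"},
]

if __name__ == "__main__":
    for url, finding in review(SAMPLE):
        print(url, finding)
```

Findings from a run like this are a prompt for a human reviewer, in line with the accepted answer, not a verdict on their own.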
