The problem isn't just content within e-mail messages, but the explosion of alternative communication mechanisms that employees are using, including instant messaging, blogs, FTP transfers, Web mail and message boards. It's not enough to simply monitor e-mail, Fredriksen says.
"We have to evolve and change at the same pace as the business," he explains. "Things are coming much faster."
So Fredriksen is rolling out a network-based outbound content monitoring and control system. The software, from San Francisco-based Vontu Inc., sits on the network and monitors traffic in much the same way that a network-based intrusion-detection system would. But rather than focusing on inbound traffic, Vontu monitors the network activity originating from Raymond James' 16,000 users. It examines the contents of each network packet in real time and issues alerts when policy violations are found. Fredriksen could also configure it to block that traffic, but he doesn't plan to use that feature right away.
Unlike security tools that protect specific applications such as e-mail or instant messaging, network-based content monitoring and control tools take a broad-brush approach, examining all traffic that crosses the network. Tools such as e-mail filters address part of the content security puzzle but only recently have begun to focus on outbound content. In contrast, network-based products offer more sophisticated linguistic analysis techniques to identify and block the transmission of protected content.
Network-based systems do more than just rule-based scanning for Social Security numbers and other easily identifiable content. They typically analyze sensitive documents and content types and generate a unique "fingerprint" for each. Administrators then establish policies relating to that content, and the system uses linguistic analysis to identify sensitive data and enforce those policies as information moves across the corporate LAN. The systems can detect both complete documents and "derivative documents," such as an IM exchange in which a user has pasted a document fragment.
Most tools offer preset compliance modules that can detect specific types of sensitive data out of the box. These cover areas ranging from sexual harassment and privacy concerns to compliance with federal regulations. The tools are designed to be used by nontechnical staff, such as the legal, governance or human resources departments. But there is one hitch: They can't identify encrypted content. Organizations need to review business processes where encryption is used and develop policies that permit the movement of encrypted files within specific contexts.
Broader Trend
These network-based compliance products, which IDC analyst Brian Burke calls multiprotocol content- filtering tools, are part of a broader category of outbound content compliance products that includes e-mail filters, secure e-mail, instant messaging security and enterprise rights management tools. While IDC expects the overall market to grow to US$1.9 billion by 2009, the fastest-growing segment will be multiprotocol content filtering, with a compound annual growth rate of 70 percent over the next four years, Burke says.
That growth is being driven by privacy concerns and the need to comply with regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Enforcement by regulatory agencies is on the rise, says Trent Henry, an analyst at Burton Group in Midvale, Utah.
While network-based content monitoring tools have been around for several years, until recently most vendors offered only monitoring and alerting functions. Now most have added real-time blocking capabilities, a feature that some companies are experimenting with but most aren't yet using. Some vendors, including Tablus Inc.in San Mateo, Calif., have added products that can also monitor "at rest" content on individual workstations.
Fidelity Bancshares Inc. in West Palm Beach, Fla., is using the message-blocking feature in PortAuthority from PortAuthority Technologies Inc. in Palo Alto, Calif. Outbound e-mail messages that contain Social Security numbers, account numbers, loan numbers or other personal financial data are intercepted and returned to the user, along with instructions on how to send the e-mail securely.
Joe Cormier, vice president of network services, says he also uses PortAuthority to catch careless replies. Customers often send in questions and include their account information. "The customer service rep would reply back without modifying the e-mail," he says.
Fear of false positives is one reason why Fredriksen started out using only Vontu's monitoring functionality. Minimizing false positives requires tuning the system, investigating the causes of false positives and developing policies to work around or avoid them. Fredriksen warns that technology alone won't succeed unless the company using them has a strong policy for handling sensitive data, as well as a response plan.
"The challenge with any system like this is they're only as valuable as the mitigation procedures you have on the back end," he says. Another key to success, says Fredriksen, is educating users about monitoring to avoid "Big Brother" implications. "[We are] making sure that the users understand why we implement systems like this and what they're being used for," he says.
Henry says real-time blocking could cause network slowdowns because all traffic must be routed through the appliance before being forwarded to its destination. For now, he says, most organizations that enable blocking avoid performance problems by using it only at the network perimeter, where bandwidth is significantly lower, rather than inside the core network.
Cormier focuses on e-mail -- all FTP, Web mail and instant messaging traffic is blocked -- so he can turn on blocking without worrying about performance. But he says false positives have been a problem at Fidelity Bancshares because some account numbers match legitimate ZIP codes or phone numbers. Creating an exception would leave those account numbers vulnerable, so users have been trained to send communications with that information as secure messages.
Mark Rizzo, vice president of operations and platform engineering at Perpetual Entertainment Inc. in San Francisco, learned in a previous job the consequences of not protecting intellectual property. "I have been on the side of things disappearing and showing up at competitors," he says. The start-up online game developer deployed Tablus' Content Alarm to remedy the problem. Rizzo uses it to look for suspicious activity, such as large files that are moving outside of the corporate LAN. Now that the basic policies and rules have been set, the system doesn't require much ongoing maintenance, he says. But Rizzo says he doesn't use blocking because he would need to spend significant amounts of time creating more policies in order to avoid false positives.
While companies in highly regulated industries can justify investing in outbound content monitoring and blocking tools, other organizations may have to sharpen their pencils to justify the cost. "These are very expensive solutions to deploy," says Henry.
Fredriksen, who built a system to support 16,000 users, says that for a setup with about 20,000 users, "you're in the $200,000 range, easily."
Prices range from $6 to $40 per user, depending on the size of the deployment, says Burke. However, companies in less regulated industries are increasingly interested despite the costs. The reason: They're aware that the consequences of intellectual property loss, releases of customer information or inappropriate leakage of financial data can be very damaging. Timing It Right
The market is currently dominated by smaller players, but other vendors are entering. For example, CipherTrust Inc. and Proofpoint Systems Inc., which sell e-mail content filtering products, have announced new offerings, says Burke. "Any space that grows by 70 percent is going to attract the established security players," he says.
So, should you wait to buy? Not necessarily, says Burke. Many organizations don't want to buy different point products to protect each communication channel, he says.
Using application-specific tools isn't necessarily a bad idea, however, especially if your organization already has them, says Henry. The need for multi-protocol content-filtering tools may be at least partly mitigated by existing security mechanisms. Users that have outbound e-mail content filtering, URL blocking and instant messaging controls in place already have some protection, although such tools don't generally do the same level of linguistic analysis.
You should also consider the possibility of conflicts with other security tools. Network-based content-monitoring software can detect encrypted files and interpret them in some contexts, but it can't read the content. That puts it at odds with other outbound content management tools that encrypt documents, such as e-mail security applications and enterprise rights management software, says Henry.
Fredriksen says that although Vontu is important, it's still just one piece of a larger strategy that includes an overlapping set of controls that Raymond James uses to combat insider threats. "This augments the intrusion-detection and firewall systems we have that control and block specific ports," he says. "It's just a piece. It's not the Holy Grail."
SIDEBAR
Block that swap
While most organizations consider using network-based outbound content monitoring tools to meet regulatory compliance needs, the systems can also help detect and block the dissemination of objectionable or illegal content. At real estate agency Prudential Americana Group in Las Vegas, the problem was illegal file swapping on agents' PCs.
"We were served papers by Columbia, 20th Century Fox and a few others for people stealing movies and using our service to do it," says IT Director Tom Araujo. However, Araujo can't lock down or otherwise manage end users' PCs because his company doesn't own the equipment. "The way we operate, it's 99 percent independent contractors," he says. So he uses PacketSure from Ames, Iowa-based Palisade Systems Inc. to monitor and block file swapping and other inappropriate traffic on the PCs of his 1,684 users. By tuning PacketSure, Araujo eliminated traffic associated with popular file-sharing programs such as Grokster and Kazaa. Prudential also blocks all credit card and Social Security numbers.
However, Araujo must be careful that overzealous use of compliance tools doesn't impinge on the business. "I haven't got any idea where the next lead or connection is going to come from for someone to get the next piece of business," he says. But stealing on company time is a clear no-no. "I can't control what agents do on their own time, but I do have an issue with them downloading funniest home videos or sharing information that's nonbusinesslike."
SIDEBAR
Both sides of content filtering tools
Pros
Can detect and block the dissemination of sensitive information embedded in instant messages, Web mail, FTP uploads and other applications as the traffic crosses the network.
Require little maintenance once set up and configured.
Linguistic analysis techniques allow products to detect sensitive content, even when only a portion is being sent.
Can be operated by non-IT staff such as legal or HR employees.
Cons
Can be expensive to purchase and install.
Real-time blocking requires in-line monitoring of network packets that could create a choke point.
Blocking feature may generate false positives.
Employee education is required to avoid "Big Brother" perception of monitoring activity.
Can't identify content embedded within encrypted files.