SPOTLIGHT, JULY/AUGUST 2011

The Truth About DLP


Data loss prevention: the term that fills marketing managers with joy, and infosec managers with dread. Preventing a data leak may be the top priority for the IT security team, but is DLP technology mature, and cost effective enough, to be the answer? Stephen Pritchard reports
Since HMRC, the UK's tax collection authority, mislaid disks containing the details of 25 million UK citizens in 2007, businesses and public sector organizations have been on notice to improve their measures to stop data loss. In April 2010, the UK data protection authority, the Information Commissioner's Office, increased its maximum fine for a data breach to £500,000 ($800,000), in order to tackle the rising problem of the loss of sensitive data. Although some breaches, such as the one suffered recently by Sony's PlayStation Network, are the result of foul play, the level of accidental data losses from both commercial and public sector organizations remains worryingly high. Verizon's 2011 Data Breach Investigations Report, compiled in collaboration with the US Secret Service and published in April this year, identified 760 breaches, the highest number since the research began in 2004.

More Breaches, Less Data


The Verizon report does, however, identify a more positive trend: the number of records lost per breach is falling (this, of course, does not include data from the massive breaches thus far in 2011). The number of breaches caused by outsiders, including hackers and criminal gangs, increased sharply over 2010, and the number of data breaches attributed to insiders fell to just 16%. The survey identified three reasons for these trends: a significant increase in the number of malicious, outsider attacks; a trend for more of the data losses to affect smaller organizations, which are more numerous, but which also hold smaller sets of records; and improvements in data loss prevention (DLP) technologies. Because DLP technology is mostly being used by larger organizations, its uptake has further skewed the percentage of reported data losses toward those affecting smaller bodies with fewer records, which are less likely to deploy DLP.

Smaller organizations cannot, however, escape all of the pressures that are forcing their larger peers to deploy data loss prevention technology. According to Gartner, the industry research firm, the use of content-aware DLP is being driven by four factors: regulatory compliance; risk management; the need to protect intellectual property; and evidentiary support, or the need to be able to answer queries in civil or criminal law cases.


DLP Catalysts
There is another, higher-level trend that is prompting organizations to look again at DLP, suggests Steve Jones, global head of master data management at Capgemini, the IT consultants. Growing data volumes are making it harder for organizations to police the transmission and use of their data through policies alone. "There is more and more information available, and it is easier to store, so there is more information that can leak," he warns.

Extensive marketing efforts on behalf of security vendors have also accelerated the adoption of data loss prevention technologies. With the larger anti-malware and general IT security companies, such as Symantec and Sophos, as well as specialists such as Websense, and even network hardware vendor Cisco, active in DLP, firms are better able to buy the technology as part of a suite of applications from a single vendor.

A Marketing Tool

But there is also a danger that DLP could be over-hyped, with disparate technologies, including network traffic monitoring, access and identity management, and encryption, all being labeled as DLP. Gartner, for example, describes DLP as a "hot market".

"Terms related to DLP get overused in marketing messages. Vendors reference any capability that can address the loss of data with DLP-related terminology," warns Paul Proctor, a vice president at Gartner and role service director for risk management. He adds that Gartner only considers a product to be offering content-aware DLP if the technology is able to look at the data itself. By no means can all products labeled as DLP do this today.

The participation of the larger vendors is, nevertheless, evidence of the growing maturity of the DLP market. Three or four years ago, DLP was largely confined to specific, niche solutions of varying effectiveness. "DLP, being a fairly new technology, is still fairly immature," says Mattias Tornyi, director of IT at Wedbush Securities, a Los Angeles-based financial investment bank and brokerage. "There are a lot of loopholes and a number of ways an employee could circumvent the system. But the market is maturing and there are more solutions available to monitor [activity]."

But Tornyi stresses that DLP is just one layer in the firm's security technology, along with conventional perimeter security measures, policies, and education. "DLP is one of those things you can enforce through policies. Making sure employees follow those policies is more of a technology solution," he suggests.

Part of the Furniture

It is this enforcement of policy that is prompting security vendors to roll DLP capabilities into their general-purpose security products. According to Richard Turner, CEO of web and email security vendor Clearswift, preventing data loss is now a mainstream activity for security vendors. "Most information loss today happens over the web or email channels, and most attacks are over the web," he says. "The biggest risk is at the end point, which is a web browser or email."

As Gartner suggests, though, DLP is evolving into more than a variation on a set of perimeter protection measures. Content-aware DLP requires CISOs to move from thinking about securing a device, or an application, to thinking about securing specific pieces of data. This, in turn, needs both more granular tools and a more mature approach to enterprise data management. "When an organization develops its information architecture, it should do that in a way that minimizes the risk of data loss," says Capgemini's Steve Jones. Building data loss prevention into an overall information management plan can also help organizations reduce their risks and their compliance costs by restricting access to, or the archiving of, sensitive data (see box: British Waterways).

To do so effectively, organizations need to develop a deeper understanding of the data they gather and hold, and its sensitivity, says Mike Gabriel, director of the data protection practice at security consultants Integralis. "The perimeter model, which was effective in the mainframe era, and even extended into the PC era, no longer holds as we enter the cloud [computing] age," he says. "There is no perimeter that works, because data moves so much." Instead, encryption and access management tools that understand users' roles and locations will be needed to protect specific pieces of data.

BRITISH WATERWAYS: KEEPING DATA PRIVACY WATERTIGHT

British Waterways is responsible for the canal and river network in Britain, looking after a 2,200-mile network used by 13 million people each year. British Waterways also issues licenses for 40,000 boats and moorings, generating an income of $37 million (£23m). This licensing role means that the organization is handling both sensitive personal data, such as boat-owners' identities, and the credit card and banking data it needs to process payments. Boat owners still complete license applications using paper forms, and British Waterways uses scanning technology to convert the paper forms to computer records, and a PDF-based workflow to manage documents.

From a data protection standpoint, however, this raises a number of issues. Scanning in whole forms and storing them electronically is efficient, but it could place license holders' data at risk by increasing the number of employees who can view it. It would also require British Waterways to treat the entire application form as sensitive data. To reduce this risk, British Waterways has a multi-step approach to data loss prevention. Firstly, when the scanning system, supplied by vendor Kofax, captures a license form, it recognizes personal details such as addresses, and financial information. This data is then extracted for separate processing, and redacted or blanked out from the electronic facsimile of the forms. "We are very proactive in removing sensitive information from customer documents as they are processed, and before they are stored," says project manager Keith Lester. "The software is clever enough so that, with our own forms, bank or credit card information is redacted before the forms are processed, that is, converted to a PDF that also shows only the redacted image." A very small team of staff at British Waterways is responsible for keying in credit card details to a commercial credit card system and for setting up direct debits (recurring transactions) from banks.

Document security procedures go hand in hand with strict policies governing other use of confidential data. Data protection policies are documented, with non-compliance viewed as a disciplinary offence. Emails with sensitive data are encrypted, as are communications with other organizations or institutions. Staff laptops are also encrypted. "Our regulations for information security and data protection are part of our employment terms," says Lester. However, by automating security measures such as redacting sensitive data and encrypting laptop hard drives by default, the organization aims to cut down on human error too. "Security is largely automated and hidden from the user, so it's not something they have to think about every time they need to do something," he says.
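The extract-and-redact step described in the British Waterways box, and Gartner's point that content-aware DLP must look at the data itself, as an added Python example that is not British Waterways', Kofax's or any vendor's code: it inspects the OCR text of a form, keeps only digit runs that pass a Luhn check or match a sort code plus account number, routes those values to a separate record for the small payments team, and masks them in the copy that goes to the archive. The form text is constructed, and the field names and redaction markers are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the text an OCR step might produce from a boat licence
# application form; hypothetical content, not British Waterways' data.
SAMPLE_FORM = """Boat licence application
Name: A. Example
Address: 12 Towpath Lane, Example Town, EX1 2AB
Card number: 4111 1111 1111 1111  Expiry: 09/13
Sort code 12-34-56  Account 12345678
Boat reference: 5555 4444 3333 2222 (looks like a card, fails Luhn)
"""

# Candidate card numbers (13-19 digits, optional separators) and UK sort code + account pairs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
BANK_RE = re.compile(r"\b(\d{2}-\d{2}-\d{2})\b(.{0,20}?)\b(\d{8})\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the content-aware test that separates real PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class RedactionResult:
    stored_text: str                               # facsimile kept in the document archive
    extracted: dict = field(default_factory=dict)  # values routed to the payments team only

def redact_form(text: str) -> RedactionResult:
    """Extract card and bank details for separate processing; mask them in the stored copy."""
    result = RedactionResult(stored_text=text)

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                      # not a PAN: leave the reference untouched
        result.extracted.setdefault("cards", []).append(digits)
        return "[CARD " + "*" * (len(digits) - 4) + digits[-4:] + "]"

    def bank_sub(m):
        result.extracted.setdefault("bank", []).append((m.group(1), m.group(3)))
        return "[SORT CODE REDACTED]" + m.group(2) + "[ACCOUNT REDACTED]"

    result.stored_text = CARD_RE.sub(card_sub, result.stored_text)
    result.stored_text = BANK_RE.sub(bank_sub, result.stored_text)
    return result
```

Running `redact_form(SAMPLE_FORM)` leaves the boat reference in place, because the Luhn test fails, while the card number and bank details appear only in `extracted`.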

Facing Reality
The difficulty for enterprises, however, lies in applying such technologies to ever-larger volumes of sensitive data. According to Sean Sutton, a specialist in data loss prevention in the security practice at Deloitte, an approach based on education and policy alone will struggle to scale up to handle data growth, so organizations need to deploy technology.


The technology itself, nonetheless, still needs to develop to the point where it is effective, and cheap enough, to deploy across the enterprise. For now, then, a blend of policy and the selective use of DLP technology is more practical. "If you deploy data loss prevention around the perimeter, at least you have a better idea of what is leaving your organization," Sutton says. Organizations have a better ability to monitor what is leaving, and so can take a more focused, risk-based approach. But it may be that only some parts of a business need those more granular DLP technologies, and that addresses the scalability issue.
