Professional Documents
Culture Documents
38
Data can be both an asset and a liability. As organisations grow,
the volume and complexity of data required to support the
business increases. All organisations store sensitive data that their
customers, business partners, shareholders and the Board expect
them to protect against theft, loss and misuse.
The intrinsic and contextual value of data and associated Figure 1 - Enterprise data lifecycle
ownership risks vary throughout the data life cycle.
The business value of information assets—gains on
process and function performance, revenue and margin
contribution—is a function of:
Acquisition Storage
• Inherent value
• Contextual value
• Enterprise context
• Associated risk
Archive
• Cost of ownership Use
Total cost of
Net business value = Data value – Data risk –
ownership
• Return on Inherent value • Data in motion • Managing data
investment on + Contextual value • Data at rest throughout its life
managing data Data value • Data retention cycle
versus liability • Operating cost
exposure of supporting the
• Data leakage infrastructure that
handles the data
-- Facilities
-- Equipment
-- Staffing
39
When managed data and information has a negative A number of factors are driving organisations’ data loss
net business value, the enterprise has several options, prevention needs: globalisation, varying regulations,
including: varying customer expectations, customer privacy
• Increasing the value sensitivity, brand risk, advances in technology, mobile
• Reducing risk devices, advanced persistent threats (APT), extended
• Discarding the data enterprise, third party service provider risk, regulation and
compliance (anti-money laundering, breach notification,
Despite data management, high profile security breaches PCI-DSS, GLBA, etc.) and data growth.
involving personal and corporate data continue.
The data explosion
What is data loss? There has been massive growth in data volumes in recent
Data loss can be defined as the movement of an years. Almost 3 trillion gigabytes of information was
information asset from an intended state to an created and replicated as of 2012, compared to over 1
unintended, inappropriate or unauthorised state, trillion in 2012 and 130 million in 2005. There are several
representing a risk or a potentially negative impact factors driving this data growth and the associated
to the organisation. challenges, including:
• Globalisation: “70% of economic growth over the
Data can be categorised using the following criteria: next decade will come from emerging markets, with
1. Form: China and India accounting for 40% of that growth”7
• Structured—hierarchical, relational, network: XML • Organisation: “40% projected growth in global
files, relational information (databases), files with data generated per year vs. 5% growth in global IT
detailed attributes, transactional information spending”8
• Unstructured—free form (80% of potentially usable • Consumerisation:
business information): email, blueprints, audio, -- “On an aggregate, 56% of companies say yes to
video, images consumerisation and allow employees to use their
2. Type: personal devices for work-related activities”9
• Personal: credit card number, social security number, -- “31% of the mobile devices connecting to the
social insurance number, name and/or address, corporate network are owned by the employees:
financial information, medical information, date of 66% are laptops, 25% smartphones and 9% are
birth tablets”10
• Corporate: strategy, legal, intellectual property,
intelligence information, financial information, sales The rise in data volumes is forcing organisations to
information, marketing information re-evaluate and refocus their information management
practices to better integrate and leverage data in core
3. The type of threat data is exposed to:
business processes.
• Insider: disgruntled employee, ladder climber, petty
ID thief, contractors, outsourcers, business partners/
Sensitive data such as personal and financial information
vendors, fraudsters
and intellectual property moves horizontally across
• Outsider: spies and industry espionage, gangs,
organisational boundaries, including vertical business
ideologists, cyber terrorists, scammers (e.g. phisher),
processes. Organisations commonly do not have a good
social engineer, script kiddies
understanding of the movement, proliferation and
changes in their data leaving them susceptible to data
Data loss can come in many forms, and may compromise
loss.
various types of personal or corporate information. Data is
being targeted by both internal and external groups.
Additionally, organisational boundaries are changing as
enterprises become more virtual, blurring the distinction
between internal and external. Perimeter-centric security
often hinders business growth and brings a false sense of
7 World Economic Outlook Database, International Monetary Fund,
UNWTO World Tourism Organisation security when it comes to data protection.
8 McKinsey Global Institute—Big data: The next frontier for innovation,
competition, and productivity
9 Trend Micro Consumerization Report 2011
40 10 Trend Micro Consumerization Report 2011
Figure 3 - Blurred organisational boundaries
B S
B S
B
B S O
S
O
S
B O
C O
C Support and
Maintenance Manufacturing O
X
C
C S
O R
APAC C
C Sales Legend
EMEA
C S. America Sales B
Sales X C Accounting R R Regulators
M X and Finance
Canada B
B B B
X S Suppliers
M Sales
B O
C M B O Outsourcers
B C
B U.S. Sales
B X
Product Merchants
M M
R Development
C
B C
B M C
C Customers
B C
C
C B Business partners
B B C
C
B
How data loss can happen to your organisation • Data at rest (i.e. ‘Where is sensitive data located?’):
Sensitive data can be lost or compromised in a number of -- Business users innocently placing personal
intentional or unintentional ways, due to information in insecure storage locations where
‘threat agents’ (employees, users, hackers, etc.) acting in access is not administered by IT
a malicious or innocent manner. Some common data loss -- Database administrators storing (unencrypted)
scenarios are: backup copies of sensitive data in unapproved
• Data in use (i.e. ‘What is the agent doing with it?’): locations
-- Disgruntled employees copying files containing
personal or confidential information to portable
devices (e.g. flash drives)
-- Users printing sensitive data to equipment in
common areas which can be accessed by others
• Data in motion (i.e. ‘Where is the data going?’):
-- Users sending sensitive data to personal webmail
accounts in order to work at home
The intrinsic and contextual value of
-- Personal and confidential information being data and associated ownership risks
shared with third parties for valid business
purposes using insecure transmission protocols vary throughout the data life cycle
-- Malicious insiders transmitting personal
and confidential information outside of an
organisation’s network
41
Data loss proliferation
Data is growing at an exponential rate, as is the number
of incidents in which data has been lost.
1090
1048
1000
828
774 727
644
500 416
157
43
0
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
13%
Other
31%
/lost
10% Stolen ed ia
Online exposure lm
d igita
3% Email
27% 15%
Hacking Stolen/lost
non-digital
media
43
Moreover, a recent study by the Ponemon Institute14 Data protection is a general term that encompasses
shows that the cost of data loss is steadily increasing. a number of measures, including:
Figure 8 - Cost per record of direct and indirect costs -- Randomisation, which replaces the value with
random data
$250,0 -- Shuffling, which switches column values between
$202,0 $204,0 $214,0 records
$200,0
$152,0 $144,0 $141,0 -- Nullifying, which replaces column values with
$150,0
NULL
$100,0 Direct
$60,0 $73,0
Indirect
-- Skewing, which alters the numeric data by
$50,0
$50,0 Total a random variance
$,0 -- Encryption/decryption, which employs reversible
scrambling
• Data masking is a method of hiding sensitive data
The cost to organisations occurs at each stage of the
in a way that the clear text cannot be reconstructed
incident response life cycle—detection, notification, post-
from the displayed data. This is useful in situations
response—leading to the cost of lost business.
where it is only necessary to display a portion of the
data
The cost of lost business has remained relatively stable
• Data generation is a method of creating fictional
last four years, and now averages US$135 per record
data following certain patterns to completely replace
compromised, or 63% of data breach costs
the original data set with the intent of being fully
displayed
Data loss can have a significant impact on an
organisation’s bottom line, which is why organisations are • Data redaction is a method of locating unstructured
increasingly turning to data protection measures in order data in the document, indexing it using OCR, and
to prevent data loss. masking or obfuscating as appropriate
• Data loss prevention, which according to a recent
Gartner survey , is the top priority for organisations
implementing security technologies
44 14 http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon
Figure 9 - DLP implementation trends
Application security 7 7 6 20
IT GRCM tools 6 7 6 19
Device control 4 5 5 14
Vulnerability assessment 3 5 5 13
Firewalls 3 2 3 7
None 1 3 4 % of respondents
0 25 50 75
45
DLP tools typically consist of the following components:
• Policy Management and Enforcement Servers: a central platform for defining,
deploying and implementing enterprise-wide DLP policies across various DLP
components. Management servers are also used for incident response workflow
management and reporting
• End-point agents: located within end-user devices such as desktops, laptops, etc.
These agents discover and collect data on Data in Use activities performed on the
device and are responsible for enforcing DLP policies on the device and reporting
back to the Policy Management and Enforcement Server(s)
• Network components: can monitor network communications and restrict the flow
of Data in Motion as necessary. Network components provide real-time monitoring
and reporting of policy breaches to the Policy Management and Enforcement
Server(s)
• Discover components: together with end-point agents, these components perform
discovery activities for Data at Rest. Data discovery is based on the policies defined in
the Policy Management and Enforcement Server(s)
Central administration,
policy management
and workflow
Content
Policy management discovery
End point
monitoring Network
Activity
monitoring
monitoring
46
More than 1600 data loss
incidents occurred last year
• Regular expressions
• fingerprinting
• File shares • Exact file matching
• Db2 • Partial file matching
• Sql Analysis • Statistical analysis
• Sharepoint techniques
• Eschange
• HTTP/HTTPS
• FTP
Common
repositories • IM
• Severity • SMTP
• Correlation Common • TELNET
Policy
• Notification protocols • POP3
concepts
• Attribute lookup • IMAP
• Action required Common
use cases
• CITRIX
• Printing
• USB drive transfer
• Bluetooth transfer
• CD/DVD burning
• Copy/Paste/Print screen
47
Common DLP deployment challenges and their root causes
DLP solutions often do not achieve full business and data loss mitigation due to a number of common, but preventable
challenges and root causes, including:
48
Our approach
In our experience, a successful DLP solution/program must be approached holistically, focusing not just on the
technology, but also on the people and processes needed to support and interface with the system(s). The approach
we propose is as follows:
• DLP strategy • Business process analysis • Integration with • Hardware and software
• DLP requirements • Incident response enterprise security • Egress points
• Organisational structure workflows solutions • Storage repositories
• Policies and procedures • Incident response plan • End points
• Training and awareness • Tuning and optimisation • Policy configuration
• Metrics, monitoring and • Policy change • Access configuration
reporting management
• Help desk procedures
• Business process
re-engineering
49
Foreword
Conclusion
Approaching DLP in a more holistic manner and treating • Enables the use of advanced system capabilities
it as a program to drive organisational change, minimise that can help prevent significant legal, regulatory,
business risk and realise full business value, as opposed compliance and brand issues
to treating it as a technology “plug and play” type of • Improves incident response capabilities, helping
solution, will bring some of the following key benefits: the organisation to respond more efficiently and
effectively in the event of data loss
• Clearly articulates the DLP program vision and strategy • Helps prevent business interruption through advanced
• Helps prevent the cost of repeating work through search/monitor policy definition that consider not only
clearly defined scope and requirements content but context
• Demonstrate business value through ‘quick wins’ • Facilities advanced incident correlation and reporting
• Maintains stakeholder support through clearly defined on governance, risk and compliance issues through
metrics and success criteria integration with other security technologies
• Helps to prevent business community and end-user
outcry through well designed, planned and delivered
training and communications
50
51