Rob Buckley – Freelance Journalist and Editor

Can you ever be wholly leakproof from data loss?


Data leakage prevention (DLP) is beginning to appeal to many, but even the best products need careful deployment, says Rob Buckley.


Preventing data loss or data leakage is now a priority for many organisations and their security functions. Data leakage prevention (DLP) technologies appeal to many as a way of attaining that goal. However, before implementing DLP, organisations need to consider what DLP is capable of, what they really want and what processes and technologies they're going to need.

With so many ways for data to leave the enterprise, there is an equally large number of technologies that can describe themselves as DLP or DLP-related: business continuity, intrusion detection, endpoint protection, encryption, auditing, email/web filtering, identity management, two-factor authentication and more.

It might seem obvious that all these technologies should be implemented. But to implement all aspects of DLP would require considerable budget, expertise and time, and not all of these are going to be available to the average recession-impeded security function.

More importantly, the idea of being able to prevent all data leakage, even with DLP technologies, is an illusory one, according to Grega Vrhovec, a researcher for the Information Security Forum: “In terms of stopping malicious attempts to steal data, DLP is not as efficient. Systems differ in how effective they are. Many are good at monitoring anything sent in plain text, some can deal with zipped PDFs and more, for example, but can they deal with PDFs saved as Tiff images? Steganography? Encryption? Many can monitor the network and block activity, but there may be other business processes they haven't counted on that can bypass that.” And even a perfect DLP system can't stop people printing out information and taking it from the building if they have permission, or simply memorising, writing down or taking photos of data they see on-screen.

So DLP cannot be counted on to prevent all losses. Organisations should expect DLP to be able to block most forms of accidental leakage – but only the more amateurish attempts at malicious leakage that employees might perpetrate. Architecting the necessary security into existing apps is the only way to prevent more concerted malicious leakage.
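The inspection limits described above can be made concrete with a small content-inspection sketch. This is an added example, not code from the article or from any vendor named in it; the card-number pattern, the function names and the three verdicts (`block`, `allow`, `review`) are assumptions chosen for illustration. It finds a card number in plain text and inside a zip archive, and returns `review` rather than `allow` for content it cannot read, such as image bytes or ciphertext.

```python
import io
import re
import zipfile

# Assumed policy: card-like 16-digit numbers that pass the Luhn check are sensitive.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card(data: bytes) -> bool:
    return any(luhn_ok(re.sub(rb"\D", b"", m.group()).decode())
               for m in CARD_RE.finditer(data))

def inspect(data: bytes, depth: int = 0) -> str:
    """Return 'block', 'allow', or 'review' when the content cannot be inspected."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 3:
            return "review"     # nested too deeply to keep unpacking
        verdicts = set()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:    # encrypted member: contents unreadable
                    verdicts.add("review")
                else:
                    verdicts.add(inspect(zf.read(info), depth + 1))
        if "block" in verdicts:
            return "block"
        return "review" if "review" in verdicts else "allow"
    if has_card(data):
        return "block"
    try:
        data.decode("utf-8")    # simplification: treat valid UTF-8 as inspectable text
    except UnicodeDecodeError:
        return "review"         # image, ciphertext or other opaque bytes
    return "allow"
```

Routing `review` verdicts to a person or a stricter policy is what separates a filter that admits it could not read the content from one that silently passes it.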

A good starting-point for a DLP project is risk assessment to determine where the most likely vectors of data loss are liable to be. If these are anticipated to be on the network, it's possible to install network DLP software or appliances from many vendors on a trial basis and monitor activity to determine if and how data is already leaking. This should give you a greater idea of what kind of measures will be needed to stop further leakage.

José Grandmougin, consultant systems engineer at Fortinet, says that means “considering a layered strategy to DLP, with either one or several systems being combined to block the various possible vectors”. Many security vendors, including Fortinet but not Symantec, for example, offer DLP features in the latest versions of their software, so it's possible that upgrading under an existing licence is all that's needed to gain access – with minimal investment – to the DLP features the organisation needs.

Since they are part of existing suites, you may find that integration between different security systems is easier and can be done through a single management console, without further programming. Although some DLP systems, including Symantec's Data Loss Prevention 10 platform, support technologies such as web services, others do not yet offer such integration. Says Novell's senior technology sales specialist Mark Oldroyd: “In many data breaches, there's lots of evidence of data loss about to happen. If you collect and monitor, you can see it before it happens, but the key is the ability to correlate data from individual systems.”

A data assessment is also necessary, to establish which data is important and needs to be protected. “Unfortunately, this can be very difficult,” says Martin Blackhurst, head of IT security at Redstone Managed Solutions. “You need to find out where the data is and whose responsibility it is.”

Any organisation that has implemented an enterprise content management (ECM) system will at least have a good idea where the important documents are stored, and many DLP systems such as Websense's can integrate with ECM systems, but ECM might not know which documents are so important that they can never be checked out. ECMs that incorporate record management functions can also help to ensure data is only kept for as long as it is needed, points out Hitachi Data Systems' (HDS) field product manager John Hickman.
