Can you ever be wholly leakproof from data loss?
- SC Magazine, April 2010
Data leakage prevention (DLP) is beginning to appeal to many, but even the best products need careful deployment, says Rob Buckley.
While ECM will help maintain a central store, many organisations will still find copies of information being stored on laptops and other mobile devices, as well as PCs. Encryption can help solve the problem of lost removable media and mobile devices being raided for data, although it can do nothing about someone who knows the password for the device, or, as Activity IM consultant Neil O'Connor points out, “an employee who puts the token in the laptop in Starbucks and then goes off to the toilet”. Many DLP systems don't support operating systems such as Mac OS X or Linux, so can't be used to protect them automatically either.
Encryption is also useful on servers and desktops since, as HDS's Marcus Benham points out, all hard drives eventually leave an organisation. HDS's storage system can also write backups and data onto WORM (write once, read many) media. However, ‘data in motion’, ie data transferred between datacentres or to backup, can still present a challenge, since encryption needs to be quick enough not to impede performance.
Performing that data audit might be something that an organisation can do for itself, or it might require an experienced data auditor to help determine how best to scan large numbers of documents. “Sometimes an external pair of eyes with external expertise is good,” says Redstone Managed Solutions' Martin Blackhurst. “If you get a security VAR to come and talk to you, it would be sensible to seek advice.
“You need to be making sure you aren't missing a trick. But you have to have someone with expertise in data discovery and to be sure about the technology they're using to look – so don't rely on a VAR or a consultant.”
Another option, not just for DLP but for data discovery, might be to look for a cloud service. SecureWorks is planning to offer a cloud DLP service by the start of 2011 and is about to launch a pilot programme. According to senior product manager Kerwin Myers, the company is planning a staggered approach, with phase one offering monitoring of network traffic and phase two offering monitoring of ‘data in use’. However, Novell's Oldroyd cautions against DLP in the cloud, saying that it marks “a step backward in security”.
With a collection of sample documents that you want to prevent from leaving the organisation – and knowledge of how they might currently be leaking – you can choose an appropriate system or systems to defend against the loss. Most systems are able to scan Microsoft Office documents, PDFs, zip files and plain text, but if you use other file formats, be sure any DLP system that you choose can scan those additional file types.
Systems that allow you to selectively block documents will require you to set up rules to determine what kinds of documents to block, when – and what to do afterwards. Most vendors have created sets of rules applicable to certain industries or to deal with certain pieces of legislation, such as PCI DSS or the Data Protection Act. Simon Godfrey, director, security solutions at CA, advises larger organisations to check whether DLP vendors have sets of rules defined for countries other than the UK. “Germany and France have very different privacy rules, much stronger than the rest of the EU's,” he says. Customers at larger organisations should look into DLP systems with tried and tested rulesets for as many territories as possible, he adds.
Customising these rules for your firm requires work, and may call for consultants with experience in the area to help you avoid the common pitfalls. Some systems employ a ‘Bayesian’ approach, with users able to train the system by giving it documents already selected as confidential, as well as documents that are not, so the system can learn which is which. Others require users to create rules that use keyword searches, regular expressions and other forms of analysis to decide which files are confidential: typical flags might be credit card numbers or social security numbers.
While some systems rely purely on this level of detail, one of the biggest issues with DLP systems is false positives – they can err on the side of caution and flag up too many possible documents. To avoid this kind of overload, tying actions to identity can significantly reduce admin issues. Either through standalone identity management systems or, more typically, by tying into LDAP or Active Directory, you can define certain actions as allowable by certain users or groups of users. “If someone in finance is sending a financial report, that might be fine, but someone in IT shouldn't be able to – and someone in a call centre shouldn't even be able to access it,” says Lior Arbel, managing consultant for DLP at Websense. This ability to identify users can also be used for an audit trail and to monitor user activity for patterns of behaviour.
With most systems able to run in ‘monitoring’ mode at first, a testing period after installation is vital, since it allows the organisation to test the rules and refine them. Arbel highlights the case of an organisation that chose the keyword ‘confidential’ to determine whether a document was confidential or not; in a live system it would have ended up blocking every single outgoing email, since its standard email footer also included the word ‘confidential’.
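To make the last three paragraphs concrete, here is a small rule engine, written for this article as an added example rather than code from any vendor mentioned in it. It applies a regex-plus-Luhn credit card check (so random digit runs do not trigger a block), ties the action to the sender's directory group in the way Arbel describes, and strips the standard footer before keyword scanning so that a footer containing ‘confidential’ does not block every email. The footer, the policy and the messages are all constructed for the example.

```python
import re

# Constructed sample footer (not from the article): it contains the word
# "confidential", which is exactly the footer pitfall Arbel describes above.
FOOTER = "This email is confidential and intended solely for the addressee."
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Regex gives candidates; Luhn validation removes most false positives."""
    cands = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

def body_without_footer(text: str, footer: str = FOOTER) -> str:
    """Drop the standard footer before keyword scanning, so 'confidential' in it
    does not block every outgoing mail."""
    return text.replace(footer, "")

def evaluate(sender_group: str, body: str) -> str:
    """Hypothetical policy: 'confidential' blocks everyone; financial reports and
    card data are allowed from finance and blocked for other groups; a digit run
    that fails Luhn is only logged. Returns 'allow', 'block' or 'log'."""
    scannable = body_without_footer(body).lower()
    if "confidential" in scannable:
        return "block"
    if "financial report" in scannable or find_card_numbers(scannable):
        return "allow" if sender_group == "finance" else "block"
    return "log" if CARD_RE.search(scannable) else "allow"

def demo() -> dict[str, str]:
    """Constructed messages (not real data) exercising each branch of the policy."""
    report = "Q1 financial report attached. Card on file: 4539 1488 0343 6467.\n" + FOOTER
    return {
        "finance_report": evaluate("finance", report),      # allow
        "it_report": evaluate("it", report),                # block
        "sales_ref": evaluate("sales", "Ref 1234 5678 9012 3456.\n" + FOOTER),  # log
        "sales_term_sheet": evaluate("sales", "CONFIDENTIAL: merger term sheet.\n" + FOOTER),  # block
        "sales_lunch": evaluate("sales", "Lunch on Friday?\n" + FOOTER),  # allow
    }
```

Running the same messages through `evaluate` without `body_without_footer` reproduces the footer problem from the article: every message would come back as ‘block’.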
