Data leakage prevention (DLP) is a topic that has been getting a lot of attention lately. Keeping sensitive data from leaving the network has quickly risen to the top of many IT and compliance officers’ lists of priorities.
DLP will likely be the first thing most organizations spend their 2010 information security budgets on.
Any time sensitive data gets into the hands of unauthorized individuals, it can constitute a data security breach. Malicious employees may take sensitive customer or employee information and use it to commit fraud or identity theft, or sell it to others for quick, easy money. Careless and untrained employees also make mistakes that lead to breaches.
All data security breaches must be publicly disclosed, which often leads to negative public perception, loss of customers, expensive damage control, class-action lawsuits, and more.
Data breaches can cost companies millions of dollars, even if the data is never used to commit fraud or identity theft.
There are countless ways an insider can capture data and remove it from the network. Email, FTP (file transfer protocol), and a variety of other standard utilities available on every computer can be used, as well as social media networks, posts to other Web sites and forums, and online storage solutions.
Peer-to-peer (P2P) software can also be utilized to capture and post information for download anywhere in the world. There are lots of tools that can utilize encryption to hide the storage and transport of sensitive information.
Then there are even simpler methods, including burning a CD or DVD, or copying files to a USB thumb drive. The variety of memory sticks available on the market offers massive amounts of storage. Additionally, smartphones, iPods, and other portable media devices are commonly connected to corporate systems, each with the capacity to store and transport massive volumes of data.
As a result of this ever-growing threat, state and federal regulators have created new laws and are strictly enforcing previous requirements.
For example, Massachusetts and Nevada have both passed state data encryption laws designed to keep sensitive information in the hands of those who are meant to see and use it. The new Red Flags Rule, whose FTC enforcement has now been delayed for the fourth time, until June 1, 2010, is specifically designed to regulate how sensitive customer and employee data is kept private.
Regulations such as HIPAA and GLBA have been around for more than a decade with various data privacy requirements; however, starting about a year ago, regulators and auditors have been looking at data leakage prevention very seriously.
Regulators under the umbrella of the FFIEC that enforce GLBA for U.S. financial institutions are now putting pressure on banks and credit unions to implement data leakage prevention solutions. After speaking with various examiners over the last month or so, it is clear to me that this requirement is going to be at the top of their lists for the next couple of years. To date, the financial institutions that have been feeling the brunt of this new focus are large organizations with many billions of dollars in assets.
We have seen this trend before. We saw it with vulnerability assessments, firewalls, intrusion detection and prevention systems, and many others. The regulators start the enforcement with the very large financial institutions and move down from there. Within a couple of years, all financial organizations will have to take data leakage prevention very seriously.
When the term “data leakage prevention” became popular a couple of years ago, many technology vendors claimed that their product was a DLP solution, and they were the ones receiving venture capital money at the time.
In the beginning, the term by itself was broad enough that nearly any solution could qualify as DLP. A firewall could qualify because you can write rules that block outbound traffic. Analyst firms such as Gartner stepped in and clearly defined what a DLP solution must be.
A DLP solution should:
- detect sensitive content in any combination of network traffic, data at rest or endpoint operations;
- detect sensitive content using sophisticated techniques such as partial and exact document matching, structured data fingerprinting, statistical analysis, regular expression matching, conceptual and lexicon analysis, and keywords;
- support the detection of sensitive data content in structured and unstructured data using registered or described data definitions; and
- be able to block (at minimum) policy violations that occur over email.
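As an added illustration of the detection techniques in that list (this is example code written for this page, not part of the original article and not any vendor's product), the following Python sketch combines regular-expression matching with a Luhn check, keyword matching, exact document matching via a hash of the normalized text, and partial document matching via hashed five-word shingles. The registered document, the sample messages and the 25% overlap threshold are all constructed for the example.

```python
"""Toy DLP content inspector: regex, keyword, exact and partial document
matching, run over constructed sample messages. Example code only."""
import hashlib
import re
from dataclasses import dataclass

# Regular-expression detectors: a US SSN shape, and 13-16 digit card numbers that
# are then validated with a Luhn check to cut false positives on arbitrary digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
KEYWORDS = ("confidential", "internal only")  # lexicon / keyword rule


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _normalize(text: str) -> str:
    return " ".join(text.lower().split())


def _fingerprint(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def shingles(text: str, k: int = 5) -> set[str]:
    """k-word windows; hashing these gives a partial-document fingerprint."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


@dataclass
class Finding:
    rule: str
    evidence: str


class Inspector:
    def __init__(self, registered: dict[str, str], k: int = 5, threshold: float = 0.25):
        self.k, self.threshold = k, threshold
        # Exact matching: one hash over the whole normalized document.
        self.exact = {_fingerprint(_normalize(t)): n for n, t in registered.items()}
        # Partial matching: the set of hashed shingles of each registered document.
        self.partial = {n: {_fingerprint(s) for s in shingles(t, k)}
                        for n, t in registered.items()}

    def scan(self, content: str) -> list[Finding]:
        found = [Finding("ssn", m.group()) for m in SSN_RE.finditer(content)]
        for m in CARD_RE.finditer(content):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # mask all but the last four digits in the evidence
                found.append(Finding("card", "*" * (len(digits) - 4) + digits[-4:]))
        low = content.lower()
        found += [Finding("keyword", kw) for kw in KEYWORDS if kw in low]
        fp = _fingerprint(_normalize(content))
        if fp in self.exact:
            found.append(Finding("exact-doc", self.exact[fp]))
        else:
            mine = {_fingerprint(s) for s in shingles(content, self.k)}
            for name, doc in self.partial.items():
                # Share of the protected document's shingles present in the message.
                overlap = len(mine & doc) / len(doc) if doc else 0.0
                if overlap >= self.threshold:
                    found.append(Finding("partial-doc", f"{name} ({overlap:.0%})"))
        return found


# Constructed sample data: one registered document and a handful of outbound messages.
REGISTERED = {
    "retention-plan": ("Q3 customer retention plan. Offer premium tier discounts to the "
                       "top fifty accounts by revenue before contracts renew in October."),
}
SAMPLES = {
    "clean": "Lunch at noon on Thursday? Let me know.",
    "ssn": "Employee record: SSN 123-45-6789, start date 2010-01-04.",
    "card": "Card on file 4111 1111 1111 1111, exp 12/12.",
    "not-a-card": "Ref 1234 5678 9012 3456 is the ticket id.",  # fails Luhn
    "keyword": "Attached: INTERNAL ONLY roadmap.",
    "exact": "q3 customer retention plan. offer premium tier discounts to the top fifty "
             "accounts by revenue before contracts renew in october.",
    "excerpt": "FYI, the plan is to offer premium tier discounts to the top fifty accounts "
               "by revenue. Don't forward.",
}


def scan_samples() -> dict[str, list[str]]:
    """Scan every sample message and return the rule names triggered by each."""
    inspector = Inspector(REGISTERED)
    return {name: [f.rule for f in inspector.scan(msg)] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in scan_samples().items():
        print(f"{name:>10}: {rules or 'no policy violation'}")
```

The Luhn check and the shingle overlap ratio are what keep this from being a plain keyword filter: the 16-digit ticket id is not flagged as a card number, and the excerpt is caught even though it is not a verbatim copy of the registered document.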
In other words, a DLP solution needs to identify and classify data, filter on that classification any time data leaves the network, and control data both at rest and in motion.
In the last couple of years, many solutions under the title of DLP have entered the market. There are several of these that do not qualify as DLP from a regulatory compliance perspective.
Some organizations are looking to solutions such as those offered by Vontu (now Symantec) or Websense. These take an all-in-one approach and can single-handedly take care of your data leakage issues and regulatory compliance.
The other method is using several solutions to achieve DLP. Some might wonder why they would want to employ several solutions when they can just use one. The answer is that some organizations already use products that can serve as components of an overall DLP solution, so adding the remaining pieces is a good way to maximize the existing investment. For example, if you are using an email-based content filtering system that blocks sensitive data from leaving the network, that is part of a DLP solution. If your firewall, proxy or other network device can be configured to detect and block sensitive data from leaving the network, that can be part of your DLP solution. If you use desktop security software that blocks sensitive data from being written to portable media devices, that can be part of your DLP solution. So perhaps money can be saved by combining existing solutions into a total DLP solution.
One thing that I feel is often missed when people think about DLP is backup tapes and drives. Lots of sensitive data is stored on our backup media … often unencrypted. If this media is lost or stolen, it will usually constitute a data breach. In some states it doesn’t even matter if the data is encrypted — public disclosure is required regardless. So in my opinion, using a remote data backup service that utilizes the Internet, rather than traditional backup tapes or other backup media, should be considered an important part of a comprehensive DLP solution.
While there are a couple of different approaches to full data leakage prevention, the most important thing is to do something soon. It is a legitimate problem for most organizations today. Data breaches can cost companies millions of dollars, not to mention loss of revenue and customer loyalty. Regulators are putting a lot of emphasis on it now.
This is a lot more work, and will cost more money, than similar initiatives in the past such as firewalls, IDS and IPS. However, it is one of the very best ways of protecting the data that matters most to your company.
Kevin Prince is chief technology officer at Perimeter E-Security.