Sunday, September 06, 2009

Unmasking DLP: the Data Security Survival Guide

Click here for CIO Magazine Article

DLP = Data Loss Prevention to the uninitiated.  It is the Information Security practice of governing the removal of company data and or content.  While this might seem like a simple process, it most certainly is not.  Let’s consider the obvious scenario of an employee downloading company product or customer information as a normal course of a job function to a company – provided laptop.  Maybe this employee is in Marketing and is developing an email marketing campaign.  This certainly seems appropriate.  Well the employee is traveling to an industry conference and needs his laptop.  So the data is stored on the laptop while the employee works diligently on the marketing campaign with tools installed on the laptop.  So far, this is a perfectly normal occurrence.

Here is where the employee and company get into a pickle.  The employee rents a car from the airport while traveling and the rental car is then stolen with the employee’s luggage and laptop.  The un-encrypted data on the laptop has personal information (email, home address, Credit Card Data, etc) of customers’ stored on the hard drive.  As soon as the laptop left the possession of the employee, the data was out in the open and it’s status unknown. 

You have read about these types of data breaches in the past.  While this seems like a straight-forward opportunity to install encryption, the problem is really much deeper.  Did the company make an active decision to allow this particular employee to have the data?  Did the company know that this data might be mobile (and at risk) at any point?  Without any type of DLP infrastructure, the answer is probably no.

Let’s take this to the next level and I will illustrate how big an issue DLP really is.  Have you ever sent an email to some business partner externally with a company spreadsheet, document or data output?  Was this data governed by the company’s Data Security Policy?  How secure is the email or the attachment?  Have you ever tried to rush home to catch a late train home and decided to take that work home by saving it to a $2 Thumb Drive or burning content to a CD?  What happens to that data / content if the Thumb Drive falls out of your pocket?  Or if your kid saves an MP3 on that Thumb drive and shares it with a neighbor’s child?

The key issues here are:

  • Policy & classification
  • Governance
  • Decision making
  • Monitoring
  • Encryption
  • Reporting

The embedded article from talks about tools for DLP.  Certainly, each company needs to make decisions about their data.  It should start with a comprehensive Data Security Policy and get acceptance from Executive Sponsors.  Your Policy should drive the functional and technical requirements for any tools or DLP infrastructure acquisitions.  Your policy should also dictate the depth and breadth of reporting and monitoring requirements as well.

Develop your Policy, figure out how aggressive you need to be in protecting company data, evaluate each vendor’s solution as to how they align with your needs.  Think very carefully about your decisions as DLP is a Strategic choice and has long term implications.

Caveat Emptor





No comments: