Stopping data leakage: Making the most of your security budget

After years of battling intrusions, viruses, and spam, organizations now find themselves wrestling with a relatively new but hugely significant security issue: data leakage. By March 2008, the inadvertent exposure of company confidential information was already being cited by analyst IDC as the number one threat, above viruses, Trojans, and worms.[1] At the end of the year, 80 percent of respondents in another survey agreed that data security was one of the biggest challenges facing them, with 50 percent of respondents admitting they had experienced a data leakage incident in 2008.[2] IDC's survey identified intellectual property as the most common type of information leaked, and 81 percent of respondents saw information protection and control (IPC) – defined as monitoring, encrypting, filtering, and blocking sensitive information contained in data at rest, data in motion, and data in use – as an important part of their overall data protection strategy. The highest priority IPC solution was data leakage prevention (DLP) deployed at the organization's perimeter and on endpoint computers.[1]

Figure 1: Importance of monitoring employee use[1] (% choosing 4 or 5 on a 5-point scale)
Corporate email              56%
Lost/stolen laptop           51%
Web email or web posting     37%
Instant messaging            33%
Lost/stolen mobile device    33%
Media devices                19%
Other                        12%

The intentional or accidental exposure of information, ranging from legally protected personal information to intellectual property and trade secrets, affects the IT environment in its widest sense, involving lost or stolen laptops, USB keys and other devices, email, and Web 2.0 applications such as IM. Respondents to IDC's survey demonstrate just how many points of exit there are (see figure 1). The challenge now is not simply to protect data from the threat of theft or corruption by malware, but to add a second security layer that prevents data from being accessed if it is lost.

The growing importance of DLP

There are several reasons for the movement of data leakage prevention to the forefront of enterprise security.

High-profile, reputation-damaging data leaks

Bad publicity from data leakage can result in damaged reputation, lost customers, and sometimes even ruin for companies. The number of well-publicized examples of data security breaches is growing significantly. Government bodies, financial organizations, education institutions, industry giants and even presidential candidates – no-one is immune. Recent high-profile incidents have included:

- Secret government documents on al Qaeda and Iraq were left on a commuter train in the UK. (June 2008)
- The personal information of almost 1000 bank customers was lost by an employee of Bank of Ireland, after the data was copied onto an unencrypted USB memory stick which was then lost. (November 2008)[4]
- An email containing names, positions, salaries, and social security numbers of 192 faculty and staff members was accidentally sent to Ohio State University Agricultural Technical Institute students.
- Hackers were charged with stealing more than 40 million credit and debit card numbers from nine US retail outlets by breaking into the wireless networks of major retailers.
- An investigative reporter for MyFoxDC bought a Blackberry device during the McCain-Palin US presidential campaign's sale of its used office inventory, only to find 50 phone numbers for people connected with the campaign and hundreds of emails.

Regulations

Government legislation

Governments worldwide have introduced increasingly stringent data protection legislation, such as the US's Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley Act, and the UK's Data Protection Act, to provide suitable controls over sensitive company information. Organizations found to be in breach of the legislation can be fined and forced to put solutions in place to prevent a recurrence. California Senate Bill 1386, which came into effect in 2003, was the first to require that organizations notify all affected individuals if their confidential or personal data has been lost, stolen, or compromised. This public disclosure is now required by 35 states. Many regulations also require regular audits, which an organization may not pass if the right controls are not in place.

Cost of a data breach (source: Ponemon Institute[8])
- Average cost per breach: $6.6 million, up 11 percent since 2006
- Average cost per record: $202 overall; $282 for healthcare; $131 for a retail breach
- Cost of lost business: up 40 percent since 2005, and 69 percent of overall cost (compared to 65 percent in a similar 2006 study)

PCI DSS

Alongside government legislation sits PCI DSS (Payment Card Industry Data Security Standard). Created by multinational corporations, it is enforced on merchants as a part of their terms of being allowed to accept credit card transactions. Organizations that cannot demonstrate PCI compliance at an audit are subject to sanction even if no actual data leak has occurred. PCI's reach across international boundaries and its ability to respond quickly to change – it last extended its scope in October 2008 – make it as important a security standard as any local or national legislation.

Cost

In addition to legal costs, organizations have to deal with the less tangible costs of recovery and commercial fallout, such as lost business or withdrawal of credit card merchant status. All these costs have been rising steadily.

The dissolving perimeter and Web 2.0

As business has gone online and become vastly more mobile, the 20th century security strategy of protecting the organization's perimeter with firewalls, intrusion detection, and other similar tools has become insufficient. There are simply too many points of data entry and exit. While blocking the perimeter remains important, protection must focus on controlling access to the information.

This need is growing rapidly with the totally different perspective introduced by Web 2.0 users. This new "employee 2.0" workforce brings a mindset that is highly tuned to sharing information on social networking sites, posting to blogs, and emailing and IMing friends, with little or no regard to whether this is appropriate in a business context.

The challenge for today's DLP solutions

Several enterprise-focused DLP solution vendors have developed innovative solutions for preventing the leakage of sensitive company information. Many of these products focus on identifying and categorizing all company data and then implementing corporate DLP policies to track sensitive information across the enterprise, applying controls where necessary. These solutions make a lot of sense in concept, but in practice they run up against several implementation roadblocks.

Too much data, too little time. For many organizations data is so dispersed, disorganized, and voluminous that classifying it comprehensively is just too burdensome and resource-intensive a task for most IT departments to undertake.

IT resistance. Many available DLP products are relatively new and still suffer from issues such as frequent false positives. IT departments can be reluctant to invest their increasingly stretched resources in deploying another complex enterprise-level infrastructure at the expense of delivering strategic value to the organization.

User resistance. There is a wariness about deploying yet another agent on each desktop and laptop that might interfere with legitimate business by hogging processor cycles, requiring frequent updates and slowing down the performance of other user applications.

Complexity of scope. Devising and implementing a comprehensive, viable policy to be supported by the DLP solutions can get in the way of regular business practices, requiring the involvement of not just IT but also human resources, finance and legal teams, and business unit managers.

The wrong focus. Many of these solutions focus to a large extent on intentional data leakage, when in reality intentional leakage is hard to stop: people can deliberately alter files to avoid detection, and there is the more mundane problem of people simply sharing information inappropriately in conversation.

Organizations' real requirements

The truth is that, with the exception of the largest enterprises with the most stringent security requirements, most organizations simply don't have the funds, the staff resources, or the need to implement large-scale DLP efforts. Their most pressing and immediate needs fall into three categories.

Stopping the stupid

98 percent of data leakage incidents are actually due to accident or stupidity.[9] Lost laptops and USB keys, inadvertent misuse of email, and the unthinking sharing of information on IM, webmail, social networking sites, and peer-to-peer file sharing sites are a much more significant threat to organizations than hackers.

Meeting regulatory requirements

The most pressing need for most organizations is to implement an effective solution that will satisfy auditors that they are providing the protection and control required to meet current regulations, without the need for a huge amount of funds, staff, and resources in implementation and management.

Maximizing IT investment

IT departments want to ensure that the budget available to them – which is being asked to do more and more – is spent in the most efficient and cost-effective way. Solutions that integrate DLP with other security features are best placed to do this (as discussed more fully below).

Enabling DLP

Enforcing an acceptable use policy

Creating and enforcing an acceptable use policy (AUP) should underpin any attempt to stop data leaking from an organization. Because of the changing nature of both the organizational infrastructure and the expectation of employees that information should be freely available to access and share, an AUP's success depends heavily on creating ongoing employee buy-in to the fact that the threat is internal, overwhelmingly accidental, and in their hands to avoid. As well as stressing the importance of common sense, the AUP should set out exactly how an employee is expected to use an organization's information, containing prescriptive advice on best practice and clearly defining prohibited behavior.

It should cover issues such as:

- What information/files must not be emailed
- The company policy on posting to web message boards or downloading from the web
- The policy on use of USB keys and CDs for storing sensitive company information
- The policy on altering security settings.

The repercussions of not adhering to the policy should also be spelled out.

Three steps to AUP success
1. Create the policy
2. Educate users about the policy
3. Enforce the policy

Integrated solutions

The key to achieving successful data leakage prevention within constrained budgets is to see it as part of your overall security picture, not as a separate entity. In fact, you might already have security tools with features that address your most pressing DLP requirements. As DLP grows as a corporate concern, these features are likely to be upgraded in much the same way that spyware prevention, spam detection, and intrusion prevention all started as separate security categories and infrastructures, but were quickly subsumed into other categories, such as anti-virus protection and firewalls.

As you go forward, the inclusion of up-to-date DLP features is something you need to ensure in order to make the most of your budget. The two key requirements can be summed up as:

- Protect your data against accidental loss or deliberate theft
- Secure your data so that if it is lost or stolen, it cannot be read.

Protect your data

Endpoint protection

Endpoint protection goes far beyond the imperative not to leave laptops on trains:

- Use powerful anti-malware solutions to block spyware that can steal financial and other confidential data.
- Block the use of non-essential applications such as P2P file sharing, IM, FTP clients, unauthorized email clients, wireless network connections, and smartphone and PDA synchronization tools. All of them can be subverted by criminals to get hold of information. Even more easily, employees can – usually unthinkingly – send out and share company data via these applications.
- Manage write access to portable storage devices such as USB keys. Because these are so easy to lose, they are a high security risk.
- Ensure that every computer connecting to the network – whether office-based or remote, company-owned or belonging to guest users – is compliant with the organization's security policy.

Gateway protection

Much of the functionality available in email and web products can prevent sensitive or inappropriate data being sent outside the organization or to unauthorized users inside the organization. Features include:

- Content scanning of email messages and attachments to control and block sensitive information, by identifying, for example, social security numbers or keywords relating to confidential corporate information.
- Content scanning of web traffic to ensure spyware, Trojans and other malware are not downloaded onto the user's computer.
- Preventing the download of particular file types, and preventing users from disguising and obfuscating unauthorized file types in emails.
- Controlling access to particular websites and applications, and to webmail sites such as Googlemail and Yahoo! Mail.
- Controlling and blocking the unauthorized use of IM and FTP traffic.
- Protecting against "drive-by downloads" which secretly place spyware on the user's computer when they visit a website.

Secure your data

In spite of having the best policies and the best solutions, you might still find your data has been stolen or lost. So it is essential to have a second layer of defense: encryption. In a survey by the Identity Theft Resource Center, 82 percent of respondents who had lost data said that if the data had been encrypted, the risk to the company would have been far reduced.[2] With this being the case, you should:

- Perform full disk encryption of laptops and notebooks.
- Encrypt data on removable storage devices, such as USB drives, CDs and DVDs.
- Encrypt emails to prevent unauthorized users from reading them.

Encrypting your data and devices in this way means that your information stays protected even if it gets into the wrong hands.

Summary

Data leakage has become one of the most pressing security issues facing organizations today. The most effective solution to the problem is to see DLP as part of your overall security picture, integrating it into a comprehensive strategy. You also need to create an AUP, enforce it with technology, and ensure that both are monitored for compliance with corporate policies.
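The "Gateway protection" section above lists content scanning for social security numbers and policy keywords, and the detection of disguised attachment types, as features of an email gateway. The following is an added example written for this page, not code from the original document or from any product it describes. It shows the shape such a scanner takes: an SSN pattern that applies the Social Security Administration's structural rules (area not 000, 666 or 900-999; group not 00; serial not 0000) rather than a bare digit pattern, keyword matching against an assumed policy list, identification of attachment types by their leading bytes instead of the file extension, and recursion into zip archives with a size and depth guard. The keyword list, the magic-byte table, the size limit and the sample message are all constructed for the example.

```python
"""Outbound mail content scanner: SSNs, policy keywords and disguised attachments.

Added example for the "Gateway protection" section; not from the original page.
Keyword list, type signatures, thresholds and the sample message are assumed.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# SSN shape per the SSA's structural rules: area not 000/666/9xx, group not 00,
# serial not 0000.  This removes many false positives a bare \d{3}-\d{2}-\d{4} gives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")

# Assumed policy terms; a real gateway would load these from the DLP policy.
KEYWORDS = ("confidential", "internal only", "trade secret", "project falcon")

# Magic bytes beat extensions: a renamed .exe still starts with "MZ".
MAGIC = ((b"MZ", "exe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"), (b"\x1f\x8b", "gzip"))
BLOCKED_TYPES = {"exe"}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate huge members (zip-bomb guard)
MAX_ZIP_DEPTH = 3                   # stop on zip-in-zip-in-zip nesting


@dataclass
class Finding:
    kind: str    # ssn, keyword, blocked_type, disguised_type, oversized_member, ...
    where: str   # "body", or attachment name (":member" appended inside archives)
    detail: str


@dataclass
class Verdict:
    findings: list = field(default_factory=list)

    @property
    def block(self) -> bool:
        return bool(self.findings)


def sniff_type(data: bytes) -> str:
    """Identify a payload by its leading bytes; 'unknown' means no signature matched."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def scan_text(text: str, where: str, findings: list) -> None:
    for m in SSN_RE.finditer(text):
        # Log only the last four digits so the scanner's own log is not a leak.
        findings.append(Finding("ssn", where, "***-**-" + m.group()[-4:]))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", where, kw))


def scan_attachment(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    actual = sniff_type(data)
    leaf = name.rsplit(":", 1)[-1]                 # member name when inside an archive
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    if actual in BLOCKED_TYPES:
        findings.append(Finding("blocked_type", name, actual))
    # Extension disagreeing with the magic bytes is the classic renaming trick.
    if actual != "unknown" and ext and ext != actual:
        findings.append(Finding("disguised_type", name, f".{ext} is really {actual}"))
    if actual == "zip":
        if depth >= MAX_ZIP_DEPTH:
            findings.append(Finding("nesting_too_deep", name, str(depth)))
            return
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = f"{name}:{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding("oversized_member", member, str(info.file_size)))
                        continue
                    scan_attachment(member, zf.read(info.filename), findings, depth + 1)
        except zipfile.BadZipFile:
            findings.append(Finding("corrupt_zip", name, "unreadable archive"))
    elif actual == "unknown":
        # Anything unidentified is treated as text and searched for sensitive content.
        scan_text(data.decode("utf-8", errors="ignore"), name, findings)


def scan_message(body: str, attachments: dict) -> Verdict:
    verdict = Verdict()
    scan_text(body, "body", verdict.findings)
    for name, data in attachments.items():
        scan_attachment(name, data, verdict.findings)
    return verdict


def build_sample_message():
    """Constructed sample: a policy keyword in the body, an invalid SSN that must
    not fire, and a zip renamed to .jpg holding an SSN list and a renamed .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll.txt", "Jane Doe 123-45-6789\nJohn Roe 078-05-1120\n")
        zf.writestr("setup.bin", b"MZ\x90\x00" + b"\x00" * 60)
    body = ("Hi, attached are the Project Falcon figures. "
            "Note that 000-12-3456 is a placeholder ID, not a real SSN.")
    return body, {"figures.jpg": buf.getvalue()}


if __name__ == "__main__":
    body, attachments = build_sample_message()
    verdict = scan_message(body, attachments)
    for f in verdict.findings:
        print(f"{f.kind:15} {f.where:28} {f.detail}")
    print("BLOCK" if verdict.block else "ALLOW")
```

Running the sample produces six findings and a block verdict: the keyword in the body, the .jpg that is really a zip, two SSNs inside payroll.txt, and the MZ-headed member that is both a blocked type and disguised as .bin; the 000-prefixed number in the body is correctly ignored. In a real gateway the keyword list would come from the policy, the SSN rule would be one of several identifiers (card numbers with a Luhn check, for instance), and the verdict would feed a quarantine rather than a print.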