Data Loss Prevention is fast becoming one of the most overused yet misunderstood acronyms in an industry known for its cryptic abbreviations. The popular label for data loss prevention is appearing on a puzzling variety of security products, adding to the confusion and hype.
For CIOs, however, solutions that prevent the loss of critical data demand serious examination. After all, it is the CIO who is responsible for the company's information, and preventing it from being lost. To that end, the CIO must also be able to identify the tools that will enable them to strategically plan and effectively execute on a program to substantially reduce the risk of data loss.
Meanwhile, the debate continues over where Data Loss Prevention (DLP) should be deployed: on the network or the endpoint? What about stored data? And does it matter whether DLP is deployed as a standalone solution or as a feature in a broader product portfolio?
To address those questions, organizations must first understand what DLP is, why it is important, and how it works.
What is DLP?
Data Loss Prevention solutions help CIOs and CISOs answer three very basic questions:
- Where is my confidential information?
- How is this data being used?
- And how can I best prevent it from being lost?
To answer these questions, DLP does three basic things: (1) deep content inspection, (2) automatic protection of sensitive data across endpoint, network and storage systems, and (3) incident response workflow to enable corrective action with employees.
DLP allows you to see which databases, file servers, laptops and desktops hold sensitive data. It tells you when someone is sending out source code via email or copying a customer list to a USB drive. And it allows you to enforce policy by blocking network transmissions that contain confidential data, preventing copies to USB drives, iPods and the like, and automating other enforcement actions such as sender notification, routing of emails for encryption, and ensuring that sensitive data is not left exposed on file systems.
Today, unlimited access to the Internet and unprecedented mobility are changing the global landscape. In this new, wide open world, information can be easily shared and accessed anytime and anywhere by employees, partners, consultants, outsourcers, and more.
Homes are outfitted with high-bandwidth Internet connections that enable workers to easily transfer large amounts of data to and from the office. Mobile devices are smaller yet more powerful than ever. Today it is possible to copy the personal data of every U.S. citizen onto an iPod and still have room for music. Sensitive data may be sent through unprotected Web e-mail. Confidential files may be exposed on a shared server or copied to a laptop that is then taken home or on the road.
However it occurs, the loss of data can be devastating to a company. Just ask any of the growing number of businesses who have experienced data breaches. According to a 2007 Ponemon Institute study, the average cost of a data breach is just under $200 per record. Considering that nearly 219 million records of U.S. residents have been exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, the cost to business is staggering.
DLP solutions are specifically designed to avert such disasters. Wherever data lives-whether it is in transit on the network, at rest in storage, or in use on the endpoint-DLP can significantly reduce the risk of its loss. What's more, the most advanced DLP solutions go beyond protecting information to also help identify risk, establish policies and processes, educate users, and integrate security technologies and controls.
How DLP Works
It is easy to see how employee access to the Internet can lead to data loss, so many organizations start by deploying DLP on the network, enabling them to establish policies, monitor network traffic, accurately detect incidents and to proactively block inappropriate transmissions. With DLP technology in place on the network, these organizations are able to immediately reduce the risk of losing data in transit.
Companies also want to gauge their level of exposure across their internal systems in order to improve access controls and meet compliance requirements. Using the same policies as on the network, DLP solutions can also look for confidential data wherever it is stored, scanning a wide range of data repositories to discover things like executive salaries, personnel files, contracts and transaction records. When such data at rest is found, it can be automatically moved to a secure location or encrypted based on policy.
Network- and storage-centric DLP solutions significantly reduce the risk of data loss due to inadvertent employee behavior and broken business processes, the causes of 95 percent of data loss incidents. Next, companies often turn their attention to the small percentage of breaches caused by malicious insiders. DLP capabilities are extended to preventing data from being copied to removable devices or downloaded from servers in violation of policy. Endpoint DLP enables organizations to identify sensitive information on laptops and desktops and stop it from being copied to USB drives and iPods, or burned to CDs or DVDs. With DLP capabilities at the endpoint, organizations are now able to reduce the risk of losing data in use.
Today, the most advanced DLP offerings are available as integrated solutions that combine both endpoint and network-based software to protect confidential data wherever it is stored or used. These solutions leverage a common foundation with the same policy management, detection, incident response workflow, and reporting capabilities across network, storage, and endpoint systems. This unified approach to enforcement enables the organization to write a policy once and automatically enforce it throughout the enterprise.
Automated Policy Enforcement and the Human Factor
Being able to automatically enforce policies is a big key to the value of DLP. It gives you the ability automatically route an email to an encryption gateway, for instance, or move an obsolete file containing sensitive data that has been left exposed on a file system-all based on policy.
One of the most overlooked benefits of DLP is its ability to reduce risk by strengthening what has long been considered the most vulnerable element in any organization-its people. Virtually all data breaches involve people and the processes they follow, or don't follow, when handling information. The vast majority are caused by people who are either unaware of policy or are simply following a business process that is not secure.
Either way, DLP protects the data according to policy and prevents its loss. But it also goes a giant step further and remediates the incident by notifying the employee of his or her error in real time and then suggesting corrective action. Such on-the-spot correction can not only change the behavior of the employee but it can also have a positive impact on the behavior of others with whom the person interacts.
It works. In fact, one Fortune 100 company noted a 90 percent drop in data loss incidents just 10 days after turning on the automated user notification capabilities within DLP.
Standalone vs. Feature
As organizations increasingly turn their attention to the challenge of preventing data loss, many are asking whether DLP is most effective as a standalone solution or as part of a broader suite of security products. The answer is yes, there will continue to be a market for standalone DLP, because data loss is a pressing problem that demands a targeted solution-one that leverages a common foundation with the same policy management, detection, incident response workflow, and reporting capabilities across network, storage, and endpoint systems.
And yes, such unified, integrated DLP solutions will likely also become a critical component in more comprehensive portfolios for information-centric security. An information-centric security program includes keeping the bad things out, so you still need a defense-in-depth strategy that relies on the traditional security solutions like antivirus software and anti-spam programs. But information-centric security is also about keeping the good stuff in, and that means being able to protect information at rest, in motion, and in use. To do that, security and storage solutions will need to work hand-in-hand. DLP is the linchpin that will make this vision of information-centric security a reality.
Clearly, DLP offers a wide range of compelling benefits to organizations. That's why the market continues to grow. With a unified DLP solution across endpoint, network, and storage systems, organizations can better understand where their sensitive information is, how it is used, and how best to prevent its loss. What's more, the automated workflow and remediation capabilities in DLP help educate employees about data loss policies. That's a critical factor in meeting the challenge of how to ensure information security in today's wide open world.
About the Author
Joseph Ansanelli is Vice President, Data Loss Prevention Solutions, Symantec Corp.