Security Essentials: Data Loss Prevention – Technology is Just the Start
The data revolution gains pace and data is massively more accessible and transferable than ever before.
Not all data is equal, some data is more sensitive than others but the vast majority of data is sensitive in one way or another.
It might be regulations that require data to be held securely, or data that holds the company’s intellectual property or just communications between individuals that are not for public consumption.
The downside can range from embarrassment to increasingly large fines but they all threaten the viability of an institution.
The issue is that with so many applications able to transmit data, it is increasingly easy to make an irretrievable error. Not that it necessarily has to be an unfortunate typo, it can just be ignorance of the risk an individual is taking, as highlighted recently by a medical student, presumably intelligent, copying encrypted data to an unencrypted USB memory stick and then losing that memory stick.
In addition, there is also the increased expectation of working from home and the loss of data that occurs whilst in transit and at home.
So technology has been created to try and prevent unintentional data leaks which implements an automated corporate policy that will help catch protected data before it leaves an organization, the increasingly ubiquitous Data Loss Prevention (DLP).
There are numerous technologies that can be used:
- Deep content inspection: looking at the payload in the packet to see if key data is present. Regular expressions are used to provide some flexibility in what is searched for.
- Contextual Analysis: looking at more general aspects of the data, who is the originator, who is the recipient, is this communication allowed at this time and similar attributes.
- Data Dictionaries: providing standard algorithms (catching credit card and Social Security numbers for instance) or standard phrases and lists of words and their synonyms.
- Centralised management framework to allow company policy to be set.
The trouble is that the technology is just one element of the solution. There is little doubt that whilst DLP software and devices can help, there is no single software solution that can encompass all aspects of DLP, as different types of data have different threats and hence need different controls.
As with so much security, the answer is not just the tin, it is the people and the processes put in place which count as much if not more so. So before you invest in a system, make sure you are ready for it and it is appropriate to your organisation.
So what needs to be done?
The first step is a Risk Assessment: this should have already been done but if it hasn’t, then use this opportunity to carry one out. It will define what your risks are and it may be that DLP is not the most urgent requirement.
If DLP is required, and it probably is, then this assessment should identify:
- The different types of data inside the company
- The value of the data
- The threats and vulnerabilities relating to that data
- What losses cannot be tolerated
The other important issue to consider is Regulatory Requirements. Identify what regulations govern your industry with regard to data loss. This may drive the requirement for DLP.
In the UK, the OFT has been given the power to fine companies significant amounts of money if it can be shown that the security of data was not taken seriously, though it has rarely done so.
However, it does take a dim view if there is no attempt to adhere to those regulations and it is wise to put in place the expected practices. So consider what controls have to be put in place in light of these regulations.
If from this, you conclude that DLP is required, the next step is to identify the scope of the DLP project and define goals for each stage. Most organisations have a lot of data and multiple avenues for leakage so DLP can be a large undertaking and may require a staged approach or targeting the most value or most frequent data loss first.
As part of this exercise, it is important to carry out data discovery and classification:
- Identify where the sensitive data is
- Where it should be
- Where it is allowed to be
- Classify your data – structured, unstructured, confidential, secret etc
This important step will enable you to define the rules for any application that you install. It may sound obvious but many systems have rules that do not match requirements and when implemented produce major issues with the business.
Whilst you might hope that the people, procedures and technology you put in place will save you from data loss, it is important to plan for the worst. The creation of an Incident Response plan is vital to define the strategy if data does go missing is essential.
It should be well defined and must be carried out swiftly should an incident occur. It is also important to ensure that the workforce know their part in the plan. People speaking out of turn can turn a manageable incident into a crisis.
Unfortunately, all these activities take time so you need to ensure that someone has the time to carry out these initial duties along with the on-going requirements to manage a DLP Program?
Do you have the required expertise in house or will you need to out-source it go for training. Be aware that if you bring this in house, your resource must have time to keep aware of issues and keep the policies up to date.
Finally, an ongoing budget will need to be allocated to this project. This is very important if the decision is made in light of this work that one or more applications are required.
This budget will be required to cover not just the cost of the application(s) you identify as relevant but also for the training and on-going management that will be associated closely with them.
If you cannot commit to these steps then the purchase of DLP software may not be a wise option. You supplier should be able to help you work through this but only you or your management will be able to say if DLP is going to produce a beneficial result.
Cross-posted from Redscan