Data loss prevention doesn't come in a pill

By Ron Condon
13 Mar 2008 | SearchSecurity.co.UK

The mere fact that a "DLP market" has suddenly emerged with products claiming to solve the problem underlines our tendency, when put under pressure, to install another bit of software rather than take time to do a proper analysis.

For instance, when that Nationwide laptop went missing a couple of years ago, the company was rightly pilloried for allowing unencrypted customer data to walk out of the company. But few asked why an employee felt it necessary (or permissible) to copy the whole customer file in the first place. It appears there was no policy in place covering such an action; nobody thought it mattered.

Take also the notorious case of the lost CDs at HMRC, where someone decided it was OK to copy 25m records, complete with bank details, and put them unencrypted into the post. Again, encryption would have boosted security but it hardly answers much broader questions – why send bank details when they had not been requested? Why not use the Government's own secure network to send the data? Why not use a secure courier? Again it seems the policy was vague or non-existent, and it was not enforced anyway.

Then in January, we heard that an MoD laptop had gone missing, with records on 600,000 people who had applied to join the British armed forces over the last decade. The data was, again, unencrypted but, again, that's not the whole point. Why does anyone need all that data? Are there no controls? Is there no policy, and is it not enforced?

Which brings us back to the so-called DLP market. What kind of single product is going to stop the combination of ignorance, carelessness, stupidity and incompetence that the above three examples demonstrate?

That wise industry-watcher, Philippe Courtot of Qualys, observed recently that many companies have a "pill mentality" when it comes to security – if they have a problem, they think they can take a pill (or install a product) and that will make everything better.

But don't count on anything with a DLP label to wash your blues away. As Paul Simmonds, currently head of security at ICI, says: "The canned demos of DLP products always show how to stop Social Security numbers (for the US) or credit card numbers, both of which have a fixed format that is easy to spot." In other words, the products are unlikely to block more subtle company secrets or information.
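The point Simmonds makes can be shown in a few lines. The following is an added illustration, not code from the article or from any DLP vendor: a minimal fixed-format rule set (card numbers validated with the Luhn checksum, US Social Security numbers by shape) run over constructed sample messages. It flags the structured identifiers and, as the column argues, says nothing about the unstructured company secret.

```python
import re

# Constructed sample outbound messages (illustrative only, not from the article).
SAMPLE_MESSAGES = [
    "Invoice paid with card 4111 1111 1111 1111, thanks",
    "Customer SSN on file: 078-05-1120",
    "Ref number 4111 1111 1111 1112 for the order",      # looks like a card, fails Luhn
    "Attaching the Q3 pricing model and the merger memo",  # real secret, no fixed format
]

# 13-16 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# NNN-NN-NNNN
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(message: str) -> list:
    """Labels a fixed-format rule set would attach to one message ([] if none)."""
    labels = []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            labels.append("card")
    if SSN_RE.search(message):
        labels.append("ssn")
    return labels


def scan(messages) -> dict:
    """Map each message to its labels; the merger memo comes back with none."""
    return {msg: classify(msg) for msg in messages}


if __name__ == "__main__":
    for msg, labels in scan(SAMPLE_MESSAGES).items():
        print(f"{labels or ['-']!s:12} {msg}")
```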

If a company is serious about data leakage, it needs to take a much broader view and tackle the basics first. John Pironti, chief information risk strategist at Getronics, says the "painful and non-fun things" – asset inventory, process mapping, data classification – need to be endured to enable companies to get a picture of where data sits, and how it moves around.

Once they've gone through the process, companies can then take a proper risk-based approach to protecting what they have. That may (and certainly will) involve encrypting data, using some DLP products, and using the fund of new features in many email systems to prevent secrets going out via the mail gateway.

The companies may use endpoint solutions to restrict the use of USB ports on laptops, and new discovery tools to help them root out forgotten repositories of sensitive data. In the near future, they may even be able to apply tagging techniques to documents and data to help automate the classification process.

But in the end, technology cannot do it all. People have to use their brains and their judgment to determine what should be protected, what should be allowed and how information should move around. Technology can help define policy and it can also help enforce it much more effectively than any army of officials.

But it won't create or decide the policy for you.
