Data theft incidents dominated the information security scene in 2006 and only increased in 2007. If the trend continues, 2008 should prove to be the worst year yet.
While organisations looking to thwart data theft have spent thousands, if not millions, of pounds implementing the best perimeter security technologies, these efforts have seemingly had little effect; massive breaches of confidential information continue unabated, despite dire consequences for enterprises and their customers. This has driven security professionals toward new tools that can lessen their chances of becoming the next top news story.
Over the past couple of years, vendors like McAfee Inc., Trend Micro Inc. and Symantec Corp. have been among the many information security vendors aggressively pitching a product set that promises to help. This product category, called data loss prevention, or DLP, is drawing so much attention that some antimalware and antispam vendors have even modified their primary focus in order to enter the DLP market. For example, Clearswift Ltd.'s primary focus a few years back was antispam tools. Although the content security vendor's product line continues to include antispam technology, Clearswift now focuses on creating better network-based data loss prevention products.
Let's look at the key differentiating features of DLP technology as vendors strive to help customers guard data in a way that past security products have not.
Tagging, the process of classifying which data on a system is confidential and marking it accordingly, is the foundation of DLP, and the division of labour matters: it is the organisation's responsibility to decide what counts as confidential and to see that it is tagged, and it is the DLP product's job to recognise those tags (or to apply them automatically through content inspection) and enforce policy on them, so that employees cannot disclose the data accidentally and cannot easily disclose it deliberately. Because of this labelling, an attempt to move tagged information, whether careless or malicious, can be logged, quarantined or blocked outright. For example, a file tagged as sensitive can be prevented from leaving the organisation as an email attachment or through an instant messaging client.
Implementing a DLP product in a large corporate network is by no means a walk in the park. Most large organisations have hundreds of servers holding thousands of directories and files, and sorting through that much information to decide what should be tagged is a daunting task. There is no cookie-cutter answer, because what needs tagging differs from one organisation to the next: some will choose to tag company financials, trade secrets and the like, while others will not. For a successful DLP implementation, meetings with personnel from all levels of management need to be held so that data is classified by the people who own it and understand its value. Such teamwork ensures that the data tagging strategy is appropriate for the business as a whole rather than for the security team alone.
Key features that should be tested in a DLP evaluation include the ability to block and to monitor by system as well as by user, since a rule that is right for a call-centre kiosk may be wrong for the finance director. It is also important to consider combining host-based and network-based DLP: a host agent can inspect channels the network never sees, such as USB drives and printers, while a network sensor still inspects email and instant messaging traffic leaving systems that cannot run an agent. Any evaluation should map which channels on which systems are covered by which control, and note the gaps.
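To make the tagging and enforcement model described above concrete (content inspection assigns tags; a policy then allows, monitors or blocks an egress attempt per tag, channel, user and host, and a network sensor covers hosts without an agent), here is a small Python illustration. It is an added example written for this page, not code from the article or from any of the vendors named in it, and the tag names, channel names, host names, users, policy table and all sample messages are constructed assumptions.

```python
"""Toy DLP tagger and egress policy check (added illustration).

Classification: content inspection assigns tags (PCI, CONFIDENTIAL, FINANCIAL).
Enforcement: a policy keyed on (tag, channel) is applied per user and per
host, and each egress is attributed to the control that can actually act on
it: the host agent, the network sensor, or nothing (a coverage gap).
All data below is constructed for the example.
"""
import re
from dataclasses import dataclass

# --- classification -------------------------------------------------------
# 13-16 digits, optional space/dash separators, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Keyword tags stand in for the classification an organisation chooses itself.
KEYWORD_TAGS = {
    "CONFIDENTIAL": ("confidential", "trade secret"),
    "FINANCIAL": ("q4 revenue", "ebitda", "earnings forecast"),
}

def classify(text: str) -> set[str]:
    """Return the set of tags the content earns."""
    tags = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            tags.add("PCI")
            break
    low = text.lower()
    for tag, words in KEYWORD_TAGS.items():
        if any(w in low for w in words):
            tags.add(tag)
    return tags

# --- enforcement ----------------------------------------------------------
@dataclass(frozen=True)
class Egress:
    user: str
    host: str
    channel: str      # "email", "im", "usb" or "print"
    content: str

# Action per (tag, channel); anything not listed is allowed.
POLICY = {
    ("PCI", "email"): "block", ("PCI", "im"): "block", ("PCI", "usb"): "block",
    ("CONFIDENTIAL", "email"): "monitor", ("CONFIDENTIAL", "im"): "block",
    ("CONFIDENTIAL", "usb"): "block",
    ("FINANCIAL", "email"): "monitor", ("FINANCIAL", "im"): "block",
}
USER_EXEMPT = {"FINANCIAL": {"cfo"}}       # per-user override (hypothetical)
HOST_LOCKDOWN = {"kiosk-01"}               # per-system rule: block any tagged egress
AGENT_HOSTS = {"laptop-17", "kiosk-01"}    # hosts running the DLP agent
NETWORK_CHANNELS = {"email", "im"}         # what the network sensor can inspect
RANK = {"allow": 0, "monitor": 1, "block": 2}

def enforcement_point(host: str, channel: str):
    """Which control can act: 'host-agent', 'network', or None (coverage gap)."""
    if host in AGENT_HOSTS:
        return "host-agent"
    if channel in NETWORK_CHANNELS:
        return "network"
    return None

def decide(e: Egress):
    """Return (verdict, tags, enforcement point) for one egress attempt."""
    tags = classify(e.content)
    point = enforcement_point(e.host, e.channel)
    if not tags:
        return "allow", tags, point
    if point is None:
        # Tagged data on a channel nobody inspects: this is the finding.
        return "uncovered", tags, point
    if e.host in HOST_LOCKDOWN:
        return "block", tags, point
    verdict = "allow"
    for tag in tags:
        if e.user in USER_EXEMPT.get(tag, ()):
            continue
        action = POLICY.get((tag, e.channel), "allow")
        if RANK[action] > RANK[verdict]:
            verdict = action        # most restrictive matching rule wins
    return verdict, tags, point

if __name__ == "__main__":
    samples = [  # constructed events
        Egress("alice", "laptop-17", "email", "CONFIDENTIAL draft of Q4 revenue"),
        Egress("alice", "laptop-17", "im", "CONFIDENTIAL draft of Q4 revenue"),
        Egress("cfo", "laptop-17", "im", "EBITDA forecast attached"),
        Egress("bob", "legacy-fileserver", "email", "card 4111 1111 1111 1111"),
        Egress("bob", "legacy-fileserver", "usb", "card 4111 1111 1111 1111"),
        Egress("bob", "kiosk-01", "print", "trade secret: process recipe"),
        Egress("bob", "laptop-17", "email", "ticket 1234 5678 9012 3456"),
    ]
    for ev in samples:
        print(ev.user, ev.host, ev.channel, "->", decide(ev))
```

The point of the `enforcement_point` step is the one the evaluation checklist above makes: a USB copy from a server with no agent is not blocked by policy, it is simply never seen, and a verdict of `uncovered` is what the mapping exercise should surface before purchase rather than after the breach.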
DLP technology is being pitched as the new firewall of the security industry, and the analogy has some merit: it is enforced at the next logical layer, where the data itself is stored and used, rather than at the network edge. However, before taking the plunge and purchasing DLP technology, it is always best to evaluate a number of vendor products against your own tagged data and egress channels, so that the technical ability of the product is not obscured by a fancy marketing campaign.
About the author Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, GCFW, GREM, GSNA, CISSP, is an information security consultant in Toronto, Ontario. He currently maintains www.theacademy.ca, which provides organizations streaming video on how to configure and troubleshoot many of today's top security products. He also serves as a technical director for the GIAC family of certifications.
This was first published in February 2008