An "out of the blue" data security project forced global technology services company CDI-Aerospace to come up with a bullet-proof data loss prevention scheme for a major customer in just five months.
CDI-Aerospace -- headquartered in Hamburg, Germany and with offices throughout the United States -- served as a third-party supplier to XX Aviation. It dedicated 375 engineers to the accelerated data loss prevention (DLP) project, located at engineering offices in Cincinnati and Springdale, Ohio, and Lynn, Mass.
Industry observers said they expect to see more of these risk management DLP programs as third-party risk grows. "We are in the early stages where companies are moving beyond risk assessments and maturing their third-party risk programs," said Rick Holland, an analyst who tracks security and risk management at Cambridge, Mass.-based Forrester Research Inc.
In CDI's case, the customer is required under U.S. export controls known as ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations) to ensure the security of its technical data and trade secrets. Hence, it required CDI-Aerospace to come up with a DLP framework so the customer's suppliers could securely handle its data and comply with U.S. export controls.
These include stringent internal controls to restrict the export of customer technical data used by suppliers, as well as the re-export of resulting products or proprietary data.
The DLP program also had to provide enterprise-wide data security and allow CDI-Aerospace and, eventually, other third-party suppliers to securely move XX Aviation's proprietary data across multiple networks.
Among the requirements set for CDI were continuous monitoring of sensitive information, data classification and a policy enforcement scheme. The enforcement element was to place particular emphasis on identity and on how sensitive data was being used.
CDI said the unbudgeted program eventually cost about $400,000 to implement.
Faced with what it originally considered to be an "impractical" DLP implementation deadline, CDI managers conducted "comparison evaluations" of three security vendors: RSA, Wave Systems' Safend unit and Verdasys. Given time constraints, and the fact that Verdasys was also a vendor to XX Aviation, CDI went with its Managed Service for Information Protection (MSIP).
This "leap of faith" turned out to be a key step in meeting XX Aviation's tight deadline for export control compliance.
Verdasys, based in Waltham, Mass., assigned a former XX Aviation employee with extensive DLP experience to the project. According to CDI, the employee also had ties to the XX Aviation unit that had mandated the DLP requirements. His contacts were able to buy CDI additional time to implement the DLP program.
"It looks like DLP wasn't on CDI's project list and then suddenly they had a new requirement to address this on top of all their 'normal' infosec work," Holland said. "The most common challenges we see clients deal with are staffing, other priorities taking precedence over projects, day-to-day operational requirements, and then periodic maintenance that includes patching and major upgrades."
With its team in place, CDI then settled into a routine of bi-weekly conference calls to keep the project on track and to ensure its customer's requirements were being met. Among the issues to be tackled were classifying customer data, determining how data was used in different applications and how it moved across networks. Another focus was refining policies and controls on data handling.
The team found that MSIP allowed them to, for example, track login times, workflows and data egress trends. CDI said this data mining capability provided the key insights it needed to develop a workable DLP scheme and deliver it on schedule.
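To make the three requirements above (classification, identity-aware policy enforcement, and monitoring of login times and egress trends) concrete, here is a small toy DLP monitor. It is an added illustration written for this page, not CDI's, XX Aviation's or Verdasys' code and not Digital Guardian output. It assumes a constructed event-log format (`ts user= action= file= channel=`), that export-controlled documents carry a recognisable banner, a constructed list of users cleared to handle controlled data, and a constructed list of channels that leave the supplier's network.

```python
"""Toy DLP monitor: classify documents, enforce an identity-aware egress
policy, and summarise login times and egress trends over event logs.

Everything here (file names, users, banner text, log lines, channel names)
is constructed for the example; none of it is vendor or customer data.
"""
import re
from collections import Counter
from datetime import datetime

# --- Classification (assumption: controlled documents carry a banner) ---------
CONTROLLED_MARKER = re.compile(r"EXPORT CONTROLLED|ITAR", re.IGNORECASE)


def classify(content: str) -> str:
    """Label a document 'controlled' if it carries an export-control banner."""
    return "controlled" if CONTROLLED_MARKER.search(content) else "public"


# Constructed document store: file name -> content snippet
DOCUMENTS = {
    "turbine_blade_spec.pdf": "EXPORT CONTROLLED - ITAR technical data. Blade geometry ...",
    "cafeteria_menu.txt": "Monday: soup; Tuesday: pasta",
}

# --- Identity and egress policy (constructed) ---------------------------------
AUTHORIZED_USERS = {"alice"}                       # cleared for controlled data
EXTERNAL_CHANNELS = {"usb", "email_external", "webmail"}  # leave the network

# Constructed log format: "<iso-timestamp> user=<u> action=<a> [file=<f>] [channel=<c>]"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: file=(?P<file>\S+))?(?: channel=(?P<channel>\S+))?$"
)


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict; reject malformed lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def evaluate(events):
    """Apply the policy to each event.

    Returns (violations, login_times, egress_trend):
      violations   - list of (ts, user, file, reason)
      login_times  - user -> list of login timestamps
      egress_trend - Counter keyed by (user, channel, label)
    """
    violations = []
    login_times = {}
    egress_trend = Counter()
    for ev in events:
        if ev["action"] == "login":
            login_times.setdefault(ev["user"], []).append(ev["ts"])
            continue
        if ev["action"] != "transfer":
            continue
        label = classify(DOCUMENTS.get(ev["file"], ""))
        egress_trend[(ev["user"], ev["channel"], label)] += 1
        if label != "controlled":
            continue                       # public data: monitored, never blocked
        if ev["user"] not in AUTHORIZED_USERS:
            violations.append((ev["ts"], ev["user"], ev["file"], "unauthorized identity"))
        elif ev["channel"] in EXTERNAL_CHANNELS:
            violations.append((ev["ts"], ev["user"], ev["file"],
                               "controlled data to external channel"))
    return violations, login_times, egress_trend


# Constructed sample log: two users, one controlled and one public document
SAMPLE_LOG = """\
2013-05-06T08:02:11Z user=alice action=login
2013-05-06T08:15:40Z user=alice action=transfer file=turbine_blade_spec.pdf channel=internal_share
2013-05-06T09:01:05Z user=bob action=login
2013-05-06T09:05:22Z user=bob action=transfer file=turbine_blade_spec.pdf channel=internal_share
2013-05-06T11:30:00Z user=alice action=transfer file=turbine_blade_spec.pdf channel=usb
2013-05-06T12:00:00Z user=bob action=transfer file=cafeteria_menu.txt channel=webmail
"""


def run(log_text: str = SAMPLE_LOG):
    """Parse a log and evaluate it; returns the evaluate() tuple."""
    return evaluate(parse_event(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    violations, logins, trend = run()
    for v in violations:
        print("VIOLATION", *v)
    for user, times in logins.items():
        print("LOGINS", user, [t.isoformat() for t in times])
    for (user, channel, label), n in sorted(trend.items()):
        print("EGRESS", user, channel, label, n)
```

On the sample log the monitor flags two events: bob (not cleared) touching the controlled specification, and alice (cleared) copying it to a USB channel; the public menu file going out via webmail is counted in the egress trend but not flagged. Separating the identity check from the channel check mirrors the page's emphasis on who is using the data as well as where it goes.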
A managed DLP program
Another key insight was that implementing DLP as a "managed service" through MSIP helped to eliminate the need to procure infrastructure and then take the time needed to set up and configure a DLP program. This key decision eventually allowed CDI to implement its program while meeting XX Aviation's extremely tight deadline.
Underlying the managed services approach was Verdasys' Digital Guardian data protection platform. CDI said the system allowed it to determine where sensitive data resides, who is using it and what it was being used for.
"The Verdasys offering is relatively new, but I think it will be attractive to many companies that don't have the resources to manage a DLP implementation," said Forrester's Holland. He also noted "that sensitive data isn't in the cloud; you are just managing the infrastructure from the cloud."
The result, CDI-Aerospace said, was the first implementation of DLP as an on-demand, managed service. By teaming with the already engaged Verdasys, resource-constrained CDI said it was able to develop new information security functions that it could scale up to meet its customer's strict requirements for handling sensitive technical data and protecting trade secrets.