Data theft incidents dominated the information security scene in 2006 and only increased in 2007. If the trend continues, 2008 should prove to be the worst year yet.
While organizations looking to thwart data theft have spent thousands, if not millions, of dollars implementing the best perimeter security technologies, these efforts have seemingly had little effect; massive breaches of confidential information continue unabated, despite dire consequences for enterprises and their customers. This has driven security professionals toward new tools that can lessen their chances of becoming the next top news story.
Over the past couple of years, vendors like McAfee Inc., Trend Micro Inc. and Symantec Corp. have been among the many information security vendors aggressively pitching a product set that promises to help. This product category, called data loss prevention, or DLP, is drawing so much attention that some antimalware and antispam vendors have even shifted their primary focus in order to enter the DLP market. For example, Clearswift Ltd.'s primary focus a few years back was antispam tools. Although the content security vendor's product line continues to include antispam technology, Clearswift now focuses on creating better network-based data loss prevention products.
Let's look at the key differentiating features of DLP technology as vendors strive to help customers guard data in a way that past security products have not.
- Protecting information from accidental disclosure - Employees have access to an organization's most sensitive information, but some simply are not aware of the dangers inherent in sending data over the Internet. For example, a new finance employee sending a confidential document to an offsite accounting firm may decide to attach the document to an email without realizing that it's being sent in clear text across the Internet.
It is the responsibility of the organization to ensure that the proper steps are taken to tag all confidential data. DLP products ensure that confidential and critical information is appropriately tagged so that employees cannot accidentally disclose it. Tagging is the process of classifying which data on a system is confidential and marking it appropriately. Because of this labeling, an employee who accidentally or maliciously attempts to disclose confidential information can be denied. For example, a tagged sensitive file can be restricted from being sent via email and instant messaging programs.
- Protecting information from malicious intent (internal and external) - Disgruntled employees continue to be a primary driver of data theft. Implementing DLP can restrict the channels through which employees can transfer data. DLP can also prevent confidential data from being copied to USB devices, external hard drives and iPods.
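To make the tagging and channel-restriction ideas in the two points above concrete, here is an added example of a small DLP policy engine. It is illustrative code written for this article, not a product described here. It assumes a constructed first-line tag format (`CLASSIFICATION: <LEVEL>`), three hypothetical sensitivity labels and a made-up policy table; real products carry the label in file metadata and ship their own policies. It shows two things the text describes: an explicit tag drives what each egress channel (email, instant messaging, USB) is allowed to do, and a fingerprint recorded at tagging time catches a copy whose tag has been stripped or downgraded.

```python
"""Toy DLP tagging and egress-policy engine (added example, not from the article).

Detection combines the two ideas in the text:
  1. Explicit classification tags on a file (here a constructed first-line
     header "CLASSIFICATION: <LEVEL>"; real products use file metadata).
  2. Content fingerprints (SHA-256 of the body) recorded when a file is
     tagged, so a copy that was renamed or had its tag stripped or
     downgraded is still recognised.
Each channel (email, im, usb) then gets an action: allow, monitor or block.
All labels, file contents and policy values are constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL"]  # ascending sensitivity
TAG_RE = re.compile(r"^CLASSIFICATION:\s*(PUBLIC|INTERNAL|CONFIDENTIAL)\s*$", re.I)

# Hypothetical policy: for each label, what each egress channel may do.
POLICY: Dict[str, Dict[str, str]] = {
    "PUBLIC":       {"email": "allow",   "im": "allow",   "usb": "allow"},
    "INTERNAL":     {"email": "monitor", "im": "monitor", "usb": "block"},
    "CONFIDENTIAL": {"email": "block",   "im": "block",   "usb": "block"},
}


@dataclass
class Verdict:
    action: str   # "allow", "monitor" or "block"
    label: str    # classification the decision was based on
    reason: str   # how the label was determined


def split_tag(content: bytes) -> Tuple[Optional[str], bytes]:
    """Return (label, body); label is None when the first line is not a tag."""
    first, _, rest = content.partition(b"\n")
    m = TAG_RE.match(first.decode("utf-8", "replace"))
    if m:
        return m.group(1).upper(), rest
    return None, content


def fingerprint(body: bytes) -> str:
    """Hash the body only, so adding, removing or editing the tag line
    does not change the fingerprint."""
    return hashlib.sha256(body).hexdigest()


class DlpEngine:
    def __init__(self, policy=POLICY, default_label: str = "INTERNAL"):
        self.policy = policy
        self.default_label = default_label   # label for untagged, unknown content
        self.registry: Dict[str, str] = {}   # fingerprint -> label

    def register(self, content: bytes) -> None:
        """Tagging step: record a labelled file's fingerprint so that
        untagged copies of it are recognised later."""
        label, body = split_tag(content)
        if label is None:
            raise ValueError("cannot register a file without a classification tag")
        self.registry[fingerprint(body)] = label

    def classify(self, content: bytes) -> Tuple[str, str]:
        """Use the stricter of the explicit tag and the fingerprint match,
        so downgrading the tag on a copy does not loosen the policy."""
        tag, body = split_tag(content)
        known = self.registry.get(fingerprint(body))
        candidates = [(LEVELS.index(lbl), lbl, why) for lbl, why in
                      ((tag, "explicit tag"), (known, "fingerprint match")) if lbl]
        if not candidates:
            return self.default_label, "untagged, no fingerprint match"
        _, label, why = max(candidates, key=lambda c: c[0])  # ties: explicit tag wins
        return label, why

    def check(self, content: bytes, channel: str) -> Verdict:
        """Decide what the channel may do with this content; an unknown
        channel fails closed."""
        label, why = self.classify(content)
        action = self.policy[label].get(channel, "block")
        return Verdict(action, label, why)


if __name__ == "__main__":
    engine = DlpEngine()
    secret = b"CLASSIFICATION: CONFIDENTIAL\nQ3 financials (constructed sample)\n"
    engine.register(secret)
    # A copy with the tag line removed is still caught by its fingerprint.
    print(engine.check(secret.split(b"\n", 1)[1], "usb"))
```

Untagged content defaults to INTERNAL (monitor) rather than PUBLIC, on the reasoning that absence of a tag is not evidence of harmlessness; the point in the text that tagging must be done by the organization is exactly why the default matters.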
- Meeting regulatory compliance requirements - Many organizations need to comply with certain government regulations, be it SOX, GLBA, HIPAA or all of the above. DLP technology seems likely to play a major part in assisting with regulatory compliance requirements this year. HIPAA, for example, requires that all healthcare information remain confidential, and a DLP strategy is not only a means of protecting such information, it's also a way to demonstrate that the organization is taking the appropriate steps outlined in the regulation.
Implementing a DLP product in a large corporate network is by no means a walk in the park. Most large organizations have hundreds of servers with thousands of directories and files stored on them. Having to sort through that much information and decide what is to be tagged can be a daunting task for any organization. Moreover, which data gets tagged will differ between organizations; the process is simply not a cookie-cutter implementation. For instance, some organizations will choose to tag company financials, trade secrets, etc., while others may not. For a successful DLP implementation, meetings with personnel from all levels of management need to be conducted so that data is properly classified. Such teamwork will ensure that the data tagging strategy is appropriate for the business as a whole.
Key features that should be tested in a DLP evaluation include the ability to block and monitor by system, as well as by user. It is also important to consider combining host-based and network-based DLP products, so that data is still protected when it passes through systems that are not running a DLP agent.
DLP technology will become the new firewall of the security industry. After all, it's implemented at the next logical layer: where the data is stored. However, before taking the plunge and purchasing DLP technology, it's always best to evaluate a number of vendor products to ensure that the technical ability of the product is not clouded by a fancy marketing campaign.
About the author
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, GCFW, GREM, GSNA, CISSP, is an information security consultant in Toronto, Ontario. He currently maintains www.theacademy.ca, which provides organizations streaming video on how to configure and troubleshoot many of today's top security products. He also serves as a technical director for the GIAC family of certifications.