The business case for data loss prevention products
Data loss prevention (DLP) can help any organization where the loss of sensitive information could seriously impact continued operation, explains Bill Hayes.
Data loss prevention products are valuable tools to organizations that want to effectively monitor and control sensitive information such as financial data, personally identifiable information (PII) of customers and employees, medical records, intellectual property and other types of important company data. Organizations with sensitive data that has a long shelf life will find DLP tools valuable as well.
Data loss prevention (DLP) products can also help organizations guard against insider threats, ranging from the theft of credit card numbers to the stealing of data by departing employees who plan to use a company's hard-earned information to their advantage at new jobs. For example, in a case study cited by DLP vendor Digital Guardian, a senior research scientist who left an organization made off with thousands of technical documents, 150 of which were of immediate use to his new company. The estimated loss to his former employer amounted to millions of dollars.
Because DLP tools are regarded as specialized niche products, comprehensive implementations addressing data at rest, data in use and data in transit can cost in the mid-six-figure range. Nonetheless, they should not be regarded as just expensive tick marks for a compliance checklist. When employed properly as part of larger data loss prevention and protection efforts, DLP products can identify and stop information leakage through malicious actions, faulty business processes and employee ignorance of proper sensitive information-handling techniques. Those larger efforts include information security controls, such as an effective data classification policy with cradle-to-grave data handling procedures and end-user safe data handling training.
DLP tools are not used in a vacuum
Organizations that deploy DLP products often discover poorly documented business processes that regularly expose sensitive data in transit. They can identify unknown stores of sensitive information in abandoned files on FTP servers or in improperly secured file shares, for example, and often find improper handling of sensitive information at endpoints by employees unaware of how to properly process sensitive data.
The deployment of DLP tools should be part of an overall strategy where data owners and business process owners work with IT security staff to determine how data should be used and protected. These products are never used in a vacuum.
To effectively use DLP products, companies must know their data's monetary value and their compliance obligations. They should know where sensitive data resides and be able to create data flow diagrams showing the expected paths of sensitive information and the expected network protocols, as well as who should be accessing sensitive information, where it is going and how to stop it from being compromised. Organizations should also be able to identify gaps and risks to safeguarding sensitive data. And, finally, they should have an incident response plan that addresses data loss events.
What types of organizations do really well with DLP security?
DLP tools make strong showings in the financial, government, healthcare and insurance sectors. They can also be effectively used by any organization where the loss of sensitive information could seriously harm its continued operation.
For financial organizations, the threat of data loss and stiff compliance requirements of the Sarbanes-Oxley Act, Payment Card Industry Data Security Standard and numerous state laws regulating data breaches and data privacy make DLP tools a valuable aid in preventing and detecting compliance infractions.
Healthcare and insurance companies carry many of the same compliance requirements as the financial sector, plus the Health Insurance Portability and Accountability Act brings along the additional burden of protecting patient information found in narratives and healthcare and procedural data codes. Here, DLP tools can address the added complex technical challenges of preventing protected health information (PHI) exposure while exchanging data with business partners and contractors, including insurance agents, medical specialists, labs and billing processors.
Government agencies and contractors working for those agencies, meanwhile, can be targets of industrial and nation-state espionage. The Federal Information Security Management Act and the Federal Information Systems Modernization Act provide frameworks for better information security, in part by calling for the use of automated tools to detect the misuse of data, a task for which DLP tools are admirably suited.
Manufacturing and technology companies can also benefit from DLP tools. The complex web of suppliers and subcontractors, many of whom can be scattered across several continents, provides ample opportunities for unintentional data exposure and information theft when companies collaborate with a worldwide network of suppliers, contractors and business partners. In this scenario, sensitive intellectual property assets are routinely shared with third parties on a need-to-know basis and covered by non-disclosure agreements.
DLP products can help ensure the employees of collaborating entities access only the information needed for a particular undertaking.
What types of organizations do not need DLP products?
For any organization, the biggest challenge in determining if a DLP product is required will be to develop the data loss policies and procedures it desires, work that is necessary even if DLP tools are not needed. This is an administrative effort entirely independent of automated policy enforcement tools like DLP.
It involves work that includes analyzing where sensitive data is stored, the network path through which it is accessed and which endpoints are allowed to process it. This analysis should also include what kind of technical controls are currently in place to monitor the access, modification, storage and transmission of sensitive data.
Data classification is a daunting task for many organizations, large and small. So, while at first blush this seems a simple task, the devil is indeed in the details. Once organizations begin to ask managers who oversee one or more types of sensitive data (the data owners) exactly what kinds of information their business units process, they may find sensitive data they didn't realize they possess.
For instance, in 2010, CBS News reported that it had discovered a copier once owned by Affinity Health Plan. The copier's hard drive contained PHI and PII for 409,000 persons. The company had to publicly explain that the information may have been compromised once the copier left its control. And, in the highly embarrassing Sony Online Entertainment breach of 2011, Sony officials acknowledged the theft of customer PII and payment card information for some European customers in an 'outdated' database.
Do your homework before deciding whether your organization needs a DLP product; the same analysis will help size the project if it is decided that it does. SMBs may decide not to install DLP systems if their sensitive information's total monetary risk is less than the resources needed to field and maintain a DLP product, for example. On the other hand, small companies with significant intellectual property may want a DLP product to keep their trade secrets out of the hands of competitors.
As the above examples illustrate, not every organization will need (or can afford) a full-blown DLP suite. However, every organization that processes sensitive data will need some form of data loss prevention strategy. Such a strategy includes data handling policies, procedures and automated tools to enforce and audit those policies and procedures.
Smaller organizations concerned about the cost of DLP suites (which may range from $125K to $250K for smaller firms of 500 to 1000 employees) can make use of built-in DLP features found in security tools such as unified threat management appliances, intrusion detection systems/intrusion prevention systems and endpoint security suites. The challenge here, however, may be how to integrate and correlate this DLP information using a security information and event management (SIEM) system with DLP reports, alerts and dashboards. Modern SIEMs can collect, correlate and present the information gathered from the security tools' integrated DLP functions. Investigate existing SIEM products in your organization to see if they have canned DLP features that can be built upon.
Conclusion
At the core of the data breach prevention conundrum is the need for organizations to protect sensitive information. DLP tools are not a magic wand for this process, however, and are sometimes too expensive to justify the expenditure.
Deciding whether or not to deploy a comprehensive DLP product begins with a thorough understanding of how sensitive data is used for business processes. Next comes the implementation of information security controls to help manage how data is used, transmitted and stored. A good portion of these controls are addressed in policies and procedures, followed by training to ingrain them in employees. Finally, should an organization come to the decision to deploy DLP tools, those tools will be used as information security controls to enforce these established DLP policies in ways that make good use of available resources. Hence the decision the organization faces: either deploy a comprehensive standalone DLP suite or enable DLP functionality in existing security perimeter products and solutions.