DLP: An Effective Approach or Just Another Finger in the Information Flow Dike?

25 02 2012

By Brett Vermette

Corporations around the world have become increasingly sensitive to protection of their ever growing portfolio of confidential intellectual property assets.  Research conducted by Gartner has revealed that increasing regulatory compliance requirements, protection of sensitive intellectual property, management of information mishandling risk and the need to gather evidentiary support in response to claims based on data loss are the key factors driving this increased focus on data loss prevention. [1]

What is Content-Aware DLP?

Content-aware DLP, or just DLP for short, is a combination of hardware and software technologies that are used to locate, detect, warn and in some cases prevent access to or movement of sensitive information.  Most DLP solutions provide the ability to define rules that are applied to examine data content and determine its level of sensitivity.  DLP solutions can provide a variety of mechanisms to protect sensitive data from accidental or deliberate disclosure.  These include the ability to inspect data either at rest or in-transit, identification of sensitive data based on customizable business rules, the ability to log and report on data movement and disclosure events and the ability to block transmission or copying of data determined to be sensitive.

Why is DLP Important?

As noted by Ben Rothke, enterprises commonly implement rigorous controls to manage valuable physical assets. [8]  However, it is much less common for organizations to have the same level of rigor when it comes to their information assets.  Chief Information Security Officers (CISOs) are under increasing pressure from organization stakeholders to protect these intangible assets.  Forrester Consulting recently published a report entitled “The Value of Corporate Secrets” in which they found that organizations classified sensitive data into two distinct categories; “secrets that confer long-term competitive advantage and custodial data assets that they are compelled to protect”.   Furthermore, Forrester found that secrets comprised two-thirds of the value of firms’ information portfolios and that most firms’ security programs remained focused on compliance driving an underinvestment in protection of secret information. [2]  In October 2011 Ernst & Young’s Insights on IT Risk Business Briefing cited a Ponermon Institute survey that determined that the average cost of a data breach had risen to $7.2M. [3]

While firms and their CISOs have been working to implement improved policies, procedures and tools to stem the exfiltration of sensitive information, investment in content-aware digital loss prevention (DLP) technologies have become a growing trend.  Ernst & Young’s 2011 Global Information Security Survey found that implementation of DLP processes and the supporting technologies “ranked second on the list of areas most likely to receive additional funding”. [3] The question of whether these technologies are necessary and sufficient to prevent deliberate and inadvertent data loss is worthy of examination.

The Benefits

Clearly, the primary benefit associated with DLP technologies lies in the mitigation of the risk of accidental disclosure or deliberate theft of confidential information.  DLP technologies can inspect data in-transit and warn or prevent copying or transmission.  DLP solutions can also be used to log events and provide CISO staffs with a view of key information movement events for appropriate response.  DLP technologies can also be used to examine data at rest and help an organization profile its information landscape, allowing development of additional and more effective controls.  With appropriate implementation DLP tools can provide the foundation for organizations to demonstrate that adequate controls are in place to prevent inappropriate handling and disclosure of their most sensitive information assets.

A key finding of the 2011 Gartner Study on Critical Capabilities for Content-Aware Data Loss Prevention noted that the DLP technology market is expected to grow at a rate of more than 20% on a year over year basis. [5] This significant growth profile, particularly during economically challenging times, is a clear indication of senior IT executives’ perception of DLP benefits.

The Difficulties

The deployment of DLP hardware and software can be an expensive endeavor, particularly for large, complex international organizations.  Gartner recently noted that the average cost of a content-aware DLP solution deployment ranged from $350k to $750k or higher. [6]  Additionally, organizations must also consider the cost of sustaining and effectively utilizing their DLP solution.  These include the resources required to monitor and react to disclosure events, the need to continuously maintain the rule set used to identify sensitive data and the inconvenience cost associated with data handling or storage activities interrupted by false positives.

In order to achieve maximum effectiveness DLP solutions must be implemented as part of an overall, business driven information security framework and program.  As Gartner noted in February 2012, DLP “can only be effective when implemented as a comprehensive process, rather than a ‘set and forget’ platform”.  They also noted that information security organizations commonly make the mistake of treating DLP implementations as technology projects rather than a business risk mitigation initiatives.  [7]

The increasing collection and use of unstructured data presents a unique challenge to DLP solution providers.  In general, DLP tools do not have adequate capabilities to profile, classify and appropriately handle data contained in unstructured formats such as audio, video and images.

Finally, deployment of a content-aware DLP solution in a large and complex international organization presents some unique difficulties.  Data discovery tools must be capable of dealing with multilingual information sources, including those that require double-byte representation.  Regulations and associated business rules regarding identification and handling of sensitive personal and financial information can vary widely across jurisdictions.  DLP solutions that must be deployed to end user devices can often require distribution to 100,000+ devices, resulting in significant deployment cost increases.

In Conclusion

In today’s environment of rapid information portfolio growth, increasing organizational complexity and swelling regulatory and organizational requirements to protect sensitive data, content-aware DLP solutions are an important component of a robust information security program.  However, DLP solutions alone are not sufficient to adequately mitigate the risks associated with data exfiltration.  Senior management must sponsor and encourage an organizational culture that promotes awareness, defines appropriate policies and requires active business participation in the protection of key information assets.  DLP can be an effective tool, but without adequate underlying support, processes and controls it will be just another finger in the information flow dike.

_________________________________________________

[1] McMillian, Rob and Eric Ouellet.  Four Factors Driving Interest in Content-Aware Data Loss Prevention: A DLP Spotlight.  Gartner, Inc.  2011.  Print.

[2] Forrester Research, Inc.  The Value of Corporate Secrets – How Compliance and Collaboration Affect Enterprise Perceptions of Risk.  Cambridge, MA.  2010.  Print.

[3] Ernst & Young.  Data Loss Prevention, Keeping Your Sensitive Data Out of the Public Domain.  2011.  Print.

[4] Ernst & Young.  Global Information Security Survey – Into the Cloud, Out of the Fog.  2011.  Print

[5] McMillian, Rob and Eric Ouellet.  Critical Capabilities for Content-Aware Data Loss Prevention.  Gartner, Inc.  2011.  Print.

[6] McMillian, Rob and Eric Ouellet.  Anticipate and Overcome the Seven Key Obstacles to Success in Content-Aware DLP Deployments.  Gartner, Inc.  2011.  Print.

[7] McMillian, Rob and Eric Ouellet.  Best Practices for Data Loss Prevention:  A Process, Not a Technology.  Gartner, Inc.  2011.  Print.

[8] Rothke, Ben.  The Need for DLP Now.  Clearswift Publications.  New York, NY.  2011.
<http://www.slideshare.net/Benrothke/the-need-for-dlp-now-a-clearswift-white-paper >

Advertisements