Data Loss Prevention – not a panacea
Protecting your data from within
Ralph M DeFrangesco, IT Consulting Dir, Accume Partners
Data Loss Prevention (DLP) is a very powerful tool that many organizations are using to prevent the unauthorized copying or transmission of confidential or personal data. Organizations spend a tremendous amount of money and time to set up firewalls and intrusion detection solutions to prevent attackers from the outside from gaining access to internal assets. However, what about the internal threat? A Web page, an e-mail with a client list, or personal data copied to a USB drive are all examples of data that can leave an organization unmonitored and undetected.
Some of the driving forces behind Data Loss Prevention are HIPAA, GLBA, Sarbanes-Oxley and PCI-DSS. In addition, more than half of the states have passed regulations that force organizations that have been breached to notify their customers that their data has been stolen.
The process starts with an organization identifying what assets it wants to protect. This will obviously vary from organization to organization, but any files that include personal or sensitive data are a good place to start.
The DLP tool will do a deep analysis of data in motion, data at rest and data at the endpoint. These are considered loss vectors. Data in motion is data moving through the internal network or out to the outside. Data at rest resides in databases, spreadsheets or on disk. Data at the endpoint is data stored on USB drives, MP3 players, laptops or other portable mobile devices.
Next, the organization should determine its vulnerability to each loss vector. Here we ask the tough questions: What tools are we currently using? What is working and what is not working? Are there policies in place to prevent data loss? What needs to be changed or restricted to prevent data loss?
Once we have the answers to these questions, we can pick a tool. I don’t want to get into a discussion about best-of-breed versus a single solution. Whatever solution you choose, it should address all loss vectors. In addition, it should not impact network performance, it should be extensible, and it should detect both large and small leaks.
I don’t think that Data Loss Prevention is simply an option today; it’s mandatory. It’s just too easy for an employee to steal sensitive data. Organizations that don’t take the proper steps to protect themselves are at risk. Luckily, there are many solutions on the market to meet the demands of today’s tough loss prevention requirements.