By Kevin Bailey, Vice President of Market Strategy.
Scanning the latest security news is a normal part of my daily activity, and that is how I came across a SearchSecurity article by Michael Heller on the value and future of data loss prevention. The article posed the question, “How does your organization view the place of a standalone DLP product in future security plans?” So I thought I would chime in with feedback to Michael on what I hear from our customers and prospects.
First, let’s make sure we are talking about the right kind of data loss prevention, because there are two major categories that DLP covers:
- DLP to stop sensitive data from being inadvertently accessed when an authorized individual sends it to a trusted third party:
  a. This is normally achieved through the use of ‘crypto’ tools, such as encryption, tokenization and/or data masking. Heidi Shey from Forrester mentioned the use of encryption in Michael’s article.
  b. All these ‘crypto’ tools can be provided via DLP, firewall, security gateway, UTM and similar solutions. The key is knowing which data is eligible for these tools, so they can be applied automatically.
- DLP to stop unauthorized / malicious / mistaken collaboration of sensitive data leaving or entering an organization:
  a. This is where the majority of the DLP conversation happens, and it is the cause of financial, reputational and business headaches.
  b. You do not use the above tools for this category of DLP. Why would you encrypt an unauthorized collaboration of sensitive data? It’s not authorized, and you cannot say “well, it’s encrypted.” If encryption were that safe, vendors wouldn’t have to keep enhancing it to stop hackers from breaking the algorithms.
So, based on the second category of DLP products, those that secure against unauthorized/malicious/mistaken collaboration of sensitive data, many of our clients and prospects would answer Michael’s question both ways: they do and they don’t.
A standalone DLP product is only ‘stand-alone’ when it comes out of the box or off the CD. Once it is deployed it has to be ‘integrated’ into the organization’s data flows, whether that be at the network, endpoint or storage locations.
The real question to ask is: “Does the DLP product have the capability to meet current business and regulatory requirements, and, more essentially, is it able to mitigate the future data breach scenarios that hackers and cyber criminals may deploy?”
Things Are Changing
Recent changes to the DLP technology are leading companies to revisit DLP as a strategic layer within their information security plans. The imperative is becoming greater. The nature of the threat is changing, or at least awareness of the real threat is growing. While hackers and malevolent outsiders still account for a large number of data breaches, insider threats are consistently recognized as a major concern.
Internal breaches are not just malicious; many are simple mistakes, as humans are not infallible. An email from finance to the wrong person could reveal everyone’s salaries and cause internal rifts within the company. In fact, inadvertent data loss is responsible for 75 percent or more of all data breaches. This will only be exacerbated by the increasing business need for collaboration and the ever-growing number of social tools to do so.
Finally and most importantly, the technology itself has evolved dramatically. As both Heidi and Anton commented in the article, the ‘stop and block’ approach has been superseded by new adaptive technologies. These technologies can remove only the critical information that breaks policy from email and web traffic or documents, while leaving the remaining authorized content to continue unhindered. Advances in Deep Content Inspection (the brains behind DLP’s judgment) mean that embedded malware and active content, visible data and meta-data can all be correctly identified and removed from outgoing and incoming documents, without the risk that a firewall or sandbox may misinterpret the active content as harmless. All of this is done intelligently, looking at both context and content (which addresses Heidi’s example of the basketball team): who is sharing it with whom, how they are sharing it, what the information is, and how sensitive it is. It works in a direction-agnostic manner (internal and external) to decide whether the data collaboration should be permitted, pre-authorized, quarantined, encrypted or redacted.
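To make the ‘adaptive’ versus ‘stop and block’ distinction concrete, here is a small policy engine written for this post as an illustration; it is not code from the product or vendor discussed, and it is far simpler than real Deep Content Inspection. It separates content inspection (simple detectors for US SSNs, Luhn-valid card numbers and inline script blocks, all constructed here) from context (sender, recipients and direction), then maps each message onto the five outcomes named above: permit, pre-authorize, encrypt, quarantine or redact. It also shows the two DLP categories from the start of the post side by side: an authorized transfer to a trusted partner gets the ‘crypto’ treatment, while an unauthorized one has only the offending spans removed. The domain names, the trusted-partner and pre-authorized-sender lists, the quarantine threshold and the sample messages are all assumptions made for the example.

```python
"""Toy adaptive-redaction policy engine (constructed example, not the
product described in the post): inspect content, weigh context, and
permit / pre-authorize / encrypt / quarantine / redact a message."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"                   # assumed: our own mail domain
TRUSTED_PARTNERS = {"partner.example.org"}        # assumed: may receive data, encrypted
PRE_AUTHORIZED_SENDERS = {"payroll@example.com"}  # assumed: may share PII internally
QUARANTINE_THRESHOLD = 5                          # assumed: this many hits looks like bulk loss

# Content detectors (constructed patterns, deliberately simple).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def luhn_ok(candidate: str) -> bool:
    """Luhn check so that arbitrary digit runs are not flagged as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def direction(msg: Message) -> str:
    """Context: where the data is going relative to the organisation."""
    if domain(msg.sender) != INTERNAL_DOMAIN:
        return "inbound"
    if all(domain(r) == INTERNAL_DOMAIN for r in msg.recipients):
        return "internal"
    return "outbound"


def inspect(body: str) -> list:
    """Content: return (kind, start, end) for every policy-breaking span."""
    hits = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(body)]
    hits += [("card", m.start(), m.end())
             for m in CARD_RE.finditer(body) if luhn_ok(m.group())]
    hits += [("active_content", m.start(), m.end()) for m in SCRIPT_RE.finditer(body)]
    return sorted(hits, key=lambda h: h[1])


def redact(body: str, hits: list) -> str:
    """Adaptive redaction: remove only the flagged spans, keep everything else."""
    out, pos = [], 0
    for kind, start, end in hits:
        if start < pos:            # overlapping hit already covered
            continue
        out.append(body[pos:start])
        out.append("" if kind == "active_content" else f"[REDACTED {kind.upper()}]")
        pos = end
    out.append(body[pos:])
    return "".join(out)


def decide(msg: Message) -> tuple:
    """Combine content and context into one of the post's five outcomes."""
    hits = inspect(msg.body)
    if not hits:
        return "permit", msg.body
    has_active = any(k == "active_content" for k, _, _ in hits)
    data_hits = [h for h in hits if h[0] != "active_content"]
    external = {domain(r) for r in msg.recipients} - {INTERNAL_DOMAIN}
    where = direction(msg)
    if where == "internal" and msg.sender in PRE_AUTHORIZED_SENDERS and not has_active:
        return "pre-authorized", msg.body
    if where == "outbound" and external <= TRUSTED_PARTNERS and not has_active:
        return "encrypt", msg.body           # authorized transfer: the 'crypto' category
    if len(data_hits) >= QUARANTINE_THRESHOLD:
        return "quarantine", None            # looks like bulk loss: hold for review
    return "redact", redact(msg.body, hits)  # single slip or inbound junk: strip and deliver


SAMPLES = (  # constructed messages
    Message("alice@example.com", ("bob@gmail.com",),
            "Hi Bob, the claimant's SSN is 123-45-6789, call me."),
    Message("payroll@example.com", ("hr@example.com",), "Employee 123-45-6789 starts Monday."),
    Message("alice@example.com", ("ops@partner.example.org",), "Card on file: 4111 1111 1111 1111"),
    Message("news@outside.example.net", ("alice@example.com",),
            "<p>Hello</p><script>steal()</script><p>Bye</p>"),
    Message("alice@example.com", ("bob@gmail.com",),
            "Claims batch: 111-22-3333, 222-33-4444, 333-44-5555, 444-55-6666, 555-66-7777."),
    Message("alice@example.com", ("bob@gmail.com",), "Lunch at noon?"),
)

if __name__ == "__main__":
    for m in SAMPLES:
        action, delivered = decide(m)
        print(f"{direction(m):8} {action:14} {delivered!r}")
```

The point of the design is in `redact` and `decide`: a single slipped SSN in an otherwise legitimate outbound mail is stripped and the rest delivered, the same content from payroll to HR passes untouched, the same content bound for a contracted partner is encrypted rather than blocked, and an inbound page has only its script block removed. Blocking outright is reserved for the one case that looks like bulk loss rather than a mistake, which is the threshold a real deployment would tune against its own traffic.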
So whether the product comes pre-loaded within a gateway, UTM or firewall, or is delivered by UPS as an add-on security layer to your existing infrastructure, it needs to meet your needs, have all the advanced functionality, minimize policy management and resources, and, finally, embrace and not inhibit your business operations.