Data leakage prevention still 'too immature'
With major changes to the Privacy Act set to occur next year, many organisations are exploring data leakage prevention (DLP) technologies.
According to Trend Micro premium services manager Adam Biviano, customers in financial services, legal and the communications industry are the most interested in its DLP solution, which is called Leakproof and came from the company's acquisition of Provilla earlier this year.
A key driver in the finance sector, according to Biviano, is Payment Card Industry (PCI) standards, which among other things, requires organisations to control the flow of certain information internally.
"Part of [the PCI standard] certificate mandates you have an understanding of the information in your control and that you need to limit its movement within the company. If there are breaches, you need documented processes in place to deal with them," said Biviano.
Trend Micro isn't the only vendor touting the benefits of DLP. Symantec, Websense, EMC have all made acquisitions over the past year, predicting growth in the market for leakage prevention solutions.
Symantec this week completed its US$350 million acquisition of data leakage prevention company, Vontu. Websense acquired DLP vendor PortAuthority in January this year. And storage giant EMC last year acquired Tablus and more recently, digital rights management company, Authentica.
DLP in the banking and finance sectorSome of Australia's largest banks are also considering the technology to meet regulations set by the Australian Prudential Regulatory Authority, the Australian Stock Exchange and Australian Securities and Investment Commission.
The cost to banks for non-compliance can be illustrated through a reporting error made by a Westpac employee on Melbourne Cup day in 2005.
Westpac was forced to stop trading for a day after the employee e-mailed an Excel document to analysts containing the bank's previous year's profit results. The problem was that the bank's then current AU$2.82 billion profit result was also embedded in the document -- concealed within a template of last year's result -- which was meant to be lodged with the Australian Stock Exchange first.
Protecting customer data is also high on the agenda as data disclosure rules are likely to be introduced next year.
The Australian Law Reform Commission's discussion paper explicitly links data leaks to identity theft. It is hoped the new legislation will minimise data handling errors by handing out large fines if a breach occurs due to inadequate data protection.
Some banks are gearing up for the new legislation by deploying DLP technology.
"You can't deny there is a primary obligation to protect the confidentiality of your customer data and that's a number one priority at all times," National Australia Bank's general manager of technology risk and security, Gary Blair told ZDNet Australia.
NAB is considering DLP technology for this purpose, according to Blair. However, he is unwilling to invest just yet since he considers the technology too immature.
"We are constantly looking at [DLP] but with all technologies there are some that fall into a domain that we class as 'mature technologies' and others which we think are 'evolving technologies' -- DLP technologies are evolving," said Blair.
As NAB's workforce becomes more distributed, DLP technology has the potential to close the current gap in the trust model of peer to peer collaboration technologies.
"Right now a lot of the technologies -- especially around peer to peer -- don't yet have mature trust models in place," said Blair. "In time they will and these technologies are part of our road map as we look at ways of deploying these technologies securely."
Is DLP a security or information management technology?James Turner, IBRS security analyst, said that DLP technology still needs to find a place within existing product stacks, but he doesn't think that DLP should be viewed as a "risk mitigation technology".
"From my perspective, DLP is an information management solution, which will make sense when Microsoft or EMC weave the technology into a document management or change control system," he said.
"Really DLP is just a safety net. I think anyone who's looking at this space needs to think what problems they're trying to address.
"If you're bowing to the hype of insider attacks, then you'd better have some data proving that there is someone inside doing that stuff ... But insider attacks don't seem to be that prevalent in Australia -- it's usually the result of someone being careless," said Turner.
Another problem in rolling out DLP solutions today, particularly for highly collaborative environments, is the problem of interoperability between two different DLP systems, said Turner. In this scenario, he believes businesses may sacrifice the availability of information for security.
Although Trend Micro's Biviano could not contest Turner's assertion about interoperability, he reckons companies still must first gain control of internal flows of information.
"Once internal data management is under control it makes sense for DLP vendors to explore how standards can be established. Then you can start looking at data movement policies that extend beyond the organisation," he said.
But while vendors, analysts and technology buyers may disagree on when and how to introduce DLP technologies, all agree that policy and education should play a significant role.
"A lot of organisations haven't quantified the types of information they own and are not aware of how it moves internally and flows in and out of company borders," said Biviano.
"They need to first take a step back and look at the information in their control from a big picture point of view, and define the types and levels of criticality ... Implementing a DLP solution needs to be in conjunction with defining information policies," he added.
IBRS's Turner recommends organisations begin changing employee behaviour and knowledge while they wait for tighter integration from vendors.
"The best solution will be alerting end users to what they're doing, how to understand the value of the information and their responsibilities in handling it.
"Then you can bring in the technology -- when vendors like EMC, Oracle and Microsoft have integrated it -- which ensures users are more accepting of technology because it's more aligned with the processes they're doing regularly," added Turner.