Despite the proliferation of security products, the quantity and magnitude of high-profile data leaks continue to rise. With this increase in information leakage comes a higher data breach cost.
According to a 2009 Ponemon Institute study, data breach incidents cost U.S. companies US$202 per compromised customer record in 2008, compared with US$197 in 2007. The average total per-incident cost in 2008 was US$6.7 million, compared with US$6.3 million in 2007.
Even though data leakage has become a mainstream problem, the number of companies that have bought and adopted data leakage prevention (DLP) technologies remains small. Is DLP at a standstill or is it at crossroads?
Not just about infrastructure
There is a huge misconception that organizations can just add another piece of infrastructure to solve data leakage problems. Securing the network connection is an important step, of course, but this usually does not result in truly improving the overall security of what enterprises care about--sensitive data.
In fact, today's networks and applications were designed without taking into account the overall security of information. The connectivity of "all" business networks to each other through the Internet was never in fact designed with that in mind--it just happened.
As such, the infrastructure actually has no context for what the exchange of information means, leaving many gaps in network security.
In our highly connected world, multiple applications can access the same data. It is not surprising if the number of entry and exit points of an organization's network far exceeds the number of machines or even users.
Just take a look around us. There are laptops, servers, smart phones, mobile phones, social networks--all these are potential leakage points. Also, the lack of awareness by computer users often results in important information "leaving" the organization.
Compounding this problem is that personal information is usually stored on multiple networks running multiple policies, without any control from the information "owner". Entities that hold consumer information are not necessarily savvy when it comes to IT or to information security issues. Their only objective is to satisfy regulations.
The number of access points is further increased when companies engage in contract work and offshoring activities. In the 2009 Ponemon Institute study, third-party organizations accounted for more than 44 percent of data breach cases in 2008, and are also the most costly form of data breaches as a result of additional investigation and consulting fees.
Closing one exit point on its own does not provide any value. The organization needs an overall strategy to protect itself.
Regulations, policies, compliance
To manage the current situation, more regulations are being implemented. Since we need ways to measure progress, compliance offers one.
But, this also means that solving the compliance problem is usually the driver for businesses buying security products. Unfortunately, that drives vendors to satisfy regulations rather than actually attempt to solve the problem.
In reality, many PCI-certified businesses are still getting successfully attacked. Hence, implementing regulations can be more expensive than solving the actual problem at hand.
As companies look to address these challenges, they turn to an array of DLP vendors and technologies, only to face exponentially more complexity at every phase of security--from selection to integration to management.
Here's a quick look at some types of technologies that are presently used:
Network DLP offerings are enterprise tools that manage access to important information. They usually crawl the network and "fingerprint" files and records that contain information of a particular type.
These products are usually able to detect if a particular important file or dataset is being transferred somewhere. However, detecting whether the file is being sent to an authorized location is particularly difficult, unless the DLP application has knowledge of many applications and their expected behaviors.
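As an added illustration of the fingerprinting and content rules described above (example code, not from the article or any vendor product), here is a small gateway check: shingled hashes of a registered document catch a partially pasted copy, and a Luhn test catches payment-card numbers. The document and messages are constructed samples.

```python
"""Added example (not from the article): the content fingerprinting a network DLP
gateway applies to outbound traffic. (1) Shingled hashes of a registered sensitive
document, so a partially pasted copy still matches; (2) a regulation-style rule that
flags Luhn-valid payment-card numbers. Document and messages are constructed."""
import hashlib
import re

SHINGLE_WORDS = 5  # length of each overlapping word run that gets hashed


def fingerprint(text: str) -> set:
    """Hash every overlapping SHINGLE_WORDS-word run of the normalized text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
            for i in range(len(words) - SHINGLE_WORDS + 1)}


def overlap_ratio(message: str, registered: set) -> float:
    """Share of the message's shingles that also occur in the registered document."""
    msg = fingerprint(message)
    return len(msg & registered) / len(msg) if msg else 0.0


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum of payment-card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators


def find_card_numbers(text: str) -> list:
    """Luhn-valid 13-16 digit runs found in text, separators removed."""
    runs = (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in runs if 13 <= len(d) <= 16 and luhn_valid(d)]


def inspect_message(message: str, registered: set, threshold: float = 0.3) -> dict:
    """Decision a DLP gateway would attach to one outbound message."""
    return {"fingerprint_match": overlap_ratio(message, registered) >= threshold,
            "card_numbers": find_card_numbers(message)}


# Constructed sensitive document and outbound messages (not real data).
SENSITIVE_DOC = ("Project Falcon pricing sheet: the wholesale unit price for the Q3 "
                 "launch is 42 dollars and the reseller margin is fixed at 18 percent.")
REGISTERED = fingerprint(SENSITIVE_DOC)
LEAK = "FYI the wholesale unit price for the Q3 launch is 42 dollars, see you tomorrow."
CARD = "Customer paid with 4111 1111 1111 1111, please refund."
BENIGN = "Lunch at noon tomorrow? Bring the slides for the partner meeting."
```

Note that the shingle match only answers "is this registered content?", not "is this destination authorized?", which is exactly the gap the paragraph above points out.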
Network DLP technologies also do not have the capacity to monitor data that are locally managed at an endpoint, such as personal e-mail and mobile devices. So, it is difficult to thwart insider threats if the endpoints are not guarded.
At the same time, encrypted data can cause problems if the enterprise does not manage the encryption well.
Endpoint DLP offerings are agents or client software that reside at endpoints, such as mobile devices, computer ports, personal e-mail and instant messaging. An agent running on a particular PC can detect if an important file is being transferred out. However, managing the same information across the corporate network or other networks requires additional infrastructure.
It is important to note that policies at the servers and endpoints are usually different in nature and need different ways to be managed. While the industry has been trying to come up with standards in the policy domain, this may take a long time. As such, different vendors and different departments are likely to still come up with different non-interoperable policies.
Can companies deploy a "partial" solution, where only applications that they decide are critical are monitored? And can they have DLP integrated into certain applications so they do not have to build a separate management infrastructure?
The answer lies in embedded DLP.
DLP should be embedded inside the pipe, such as the e-mail system. If companies build applications in a way where DLP is in the middle of the application, they can then implement the policy correctly because they are directly addressing the data flow. The content that is supposed to travel between networks knows where it is supposed to go and who should be given access to the data.
Ultimately, if companies truly want a security angle, it may be better to implement DLP piecemeal in each application.
Overall security strategy
Enterprises need to think about security as a suite of business processes, rather than about implementing a particular technology or two. What is truly needed is a suite of features in existing technologies that provide elements of DLP to help address the problem incrementally over time.
In addition, the management of the chosen technologies requires knowledge and effort.
DLP will not be successful until the industry knows how to describe policies for content independent of where and how the content is accessed.
One business partner can enforce its policy on a transaction as it travels between other partners. A policy can include aspects of access to the information by the partner or others. Embedding policies in content is perhaps the only way to enforce policies across company boundaries.
Enforcing policies will also continue to be difficult in different verticals.
There are regulation-based policies under which businesses such as retail firms need to ensure credit card and other account data are not leaked. And there are also enterprise policies that are specific to a business, such as a chip manufacturer.
The challenge for security services providers is to provide customers with a good set of templates to build upon, rather than push a product out of the box. Deep experience of an industry segment will also help a lot.
DLP is a very important aspect of managing enterprise networks that host important data. It is possible to focus on critical applications and deploy aspects of DLP without affecting the management of other applications or other parts of the network.
Current technologies and products are going in the right direction, but the overall management remains a challenge.
Efforts need to be coordinated among the various industry groups to streamline and standardize security support. While we are making progress as an industry, a lot more is needed.
Taher Elgamal is chief security officer at Axway, which offers tools aimed at monitoring and securing business interactions such as e-mail.