White paper




The Need for DLP now
A Clearswift White Paper
Ben Rothke, CISSP CISA

DLP (data leak prevention) is a powerful technology that can be used to plug the holes
in the data leakage dam that is affecting myriad organizations worldwide. While DLP is a
broad set of features, full coverage of which would require a much longer document,
Clearswift is happy to offer this white paper as an introduction to the topic of DLP,
which is one of the most important and powerful tools in the information security
industry toolkit.

Introduction
Anyone who has tried to replace a laser toner cartridge in corporate America knows the
hassle. If you are lucky and there happens to be one in the supply closet, then signatures
and a few keys later, the toner can be removed from the hallowed sanctums of the
office supply closet. As soon as the toner is taken, the door to the supply room is closed
and secured.
Evidently, firms feel there is a significant risk to leaving expensive toner cartridges
unsecured, in the hands of employees who may pinch them.
For some reason, these firms think that their trusted employees can’t be trusted with
office supplies, which require them to be stored in locked areas.
The truth is that a few bad apples can quickly steal thousands of dollars’ worth of office
supplies and companies understand that they must be secured.
For similar reasons, companies will place asset tags on every chair, table, laptop,
microwave, etc. If these items are left unsecured and undocumented, the worst
will likely happen.
But when it comes to the terabytes of confidential and proprietary data on corporate
networks, companies often use kid gloves to secure the data. This begs the question,
why are office supplies subject to a higher level of security than the data?
First off, take a moment and think of the myriad different types of data in your
organization that need information security controls. Without much of an effort,
you should be able to think of 10 types in under a minute. Data types such
as the following are just a few of the many in your organization:
- Finance/spreadsheets
- M&A
- Social security numbers
- Sales forecasting data
- Legal
- Contact information
- HR
- Customer private data
- Client lists
- R&D
- Credit card numbers
- Marketing strategies
For many years, Sun Microsystems noted that the network is the computer. With that,
the network is the data, as data is the gold for many organizations. Imagine that
500 office chairs, asset tags included, were stolen. That is not really such a big deal,
as they are insured.
But if a few gigabytes of data are lost from an organization, that can often mean
significant impact and consequences, including:
- Class action lawsuit
- Public embarrassment
- Expense to recover
- Compliance violation (PCI DSS, Sarbanes-Oxley, GLBA, EURO-SOX, HIPAA/HITECH, UK
    Data Protection Act, California Senate Bill SB 1386, and many more)
- Loss of customer trust
- Diminished competitive advantage
- Negative branding
- Financial consequences
With that, many organizations are turning to a DLP solution to help them gain
control over their seemingly uncontrolled data stores.



Why DLP?
    There are a number of reasons why you want to consider a DLP solution. Gartner notes in
    their 2010 Buyer’s Guide to Content-Aware DLP
    (http://www.gartner.com/DisplayDocument?id=1421941&ref=g_sitelink) that content-aware DLP
    solutions offer a significant array of capabilities to organizations. Their key findings
    are that DLP:
    - Helps organizations to develop, educate and enforce effective business practices
        concerning the access, handling and transmission of sensitive data
    - Provides reporting and workflow to support identity and access management (IAM),
        regulatory compliance initiatives, intellectual property protection and data policy
        compliance management
    Those two areas alone are domains which nearly every company is struggling with.
    Other areas where DLP has been shown to be of significant value are:
    - Helps organizations to develop, educate and enforce effective business practices
       concerning the handling and transmission of sensitive data
    - Dynamic application of policy based on the classification of content determined at the
       time of an operation
    - Early detection – which equates to earlier mitigation
    Many organizations see DLP software and hardware as the answer to their
    information security problems. As I wrote in DLP – A security solution, not a security
    savior (http://www.btsecurethinking.com/2009/12/dlp-%E2%80%93-a-security-solution-not-a-security-savior/),
    over the last few years DLP has achieved critical mass. So what
    exactly is this security remedy called DLP? DLP refers to a set of software and hardware
    solutions that identify, monitor and protect data, mainly via content inspection and
    contextual security analysis.
    One of the main benefits of a DLP solution is that it can detect and prevent the
    unauthorized use and transmission of confidential (as defined by the organization)
    information. DLP sounds like a slam-dunk security solution that every organization can
    use. Yet, as important as protecting data is, there’s more to DLP than simply rolling out
    a DLP solution.
    As noted in the beginning of this white paper, many organizations have much better
    knowledge of how many pencils they have in their supply closets, as opposed to how
    much data they have on their networks. DLP tools have data discovery capabilities and
    can scan data repositories and identify data. A decision can then be made if that data
    needs to be part of the protection scheme. The data can also be indexed as a way in
    which to start a process of determining who the data owner is.
    When looking at a product’s data discovery capabilities, one key area to look at is how
    many different data types it is able to identify. There are literally hundreds of different
    file formats in use, from Microsoft Office documents, multimedia, encrypted and zip files
    to source code and many more.
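
As an added illustration of the data discovery and content inspection described above (not code from Clearswift or from any DLP product), the following Python example walks a directory tree, looks inside zip archives, and counts credit card and US social security numbers per file. The regular expressions, the archive size limit and the sample files are assumptions constructed for this example.

```python
import re
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

MAX_MEMBER_BYTES = 5_000_000  # assumed cap so a huge archive member is not expanded

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
# US social security number written as ddd-dd-dddd.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Drop patterns never issued as SSNs: area 000, 666 or 9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def inspect_text(text: str) -> Counter:
    """Content inspection of one text blob; returns counts only, never the values."""
    hits = Counter()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["credit_card"] += 1
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits["ssn"] += 1
    return hits


def inspect_file(path: Path) -> Counter:
    """Inspect a file; zip archives are opened and each member is inspected."""
    if not zipfile.is_zipfile(path):
        return inspect_text(path.read_text(encoding="utf-8", errors="ignore"))
    hits = Counter()
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                hits["encrypted_member"] += 1
            elif info.file_size <= MAX_MEMBER_BYTES:
                hits += inspect_text(zf.read(info).decode("utf-8", errors="ignore"))
    return hits


def discover(root: Path) -> dict:
    """Map each file that holds sensitive data to its per-type hit counts."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = inspect_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = dict(hits)
    return report


def totals(report: dict) -> dict:
    """Aggregate counts across files, the kind of metric shown to management."""
    return dict(sum((Counter(h) for h in report.values()), Counter()))


def build_sample_repo(root: Path) -> None:
    """Write constructed sample files; the numbers are test values, not real data."""
    files = {
        "finance/q3_forecast.csv":
            "customer,card\nAcme,4111 1111 1111 1111\nBeta,5500-0000-0000-0004\n",
        "hr/onboarding.txt":
            "New hire SSN: 123-45-6789. Badge 000-12-3456 is not an SSN.\n",
        "eng/build.log": "order id 4111111111111112 fails the checksum\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    (root / "archive").mkdir()
    with zipfile.ZipFile(root / "archive" / "old_clients.zip", "w") as zf:
        zf.writestr("clients.txt", "Jane Roe 219-09-9999 card 4111111111111111\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp))
        report = discover(Path(tmp))
        print(report)
        print("totals:", totals(report))
```

The report holds only file paths and counts, so the inventory itself does not become another copy of the sensitive values.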

    How does data leak?
    There are literally hundreds of ways (many of them in a manner many organizations can’t
    fathom) in which data can leak. The following table lists but a few of them.

     Careless mistakes,     Accidentally sending email  Fat finger               Disgruntled worker
     often when             to a group rather than
     doing repetitive       an individual
     mundane tasks

     Attaching the          Not being careful when      Hitting the send         Malicious intent
     wrong file             rushing to a deadline       button too early

     Corporate espionage    Outsourcers, business       Poor firewall rules      Lost USB, memory
                            partners, contractors,                               card, DVD, etc.
                            etc., with poor security
                            practices

     Lost smartphones       Lost backup tapes           Data storage devices     Phishing
                                                        not properly sanitized

     Malware                Insecure transmission of
                            personally identifiable and
                            other restricted data




Ultimately, think beyond DLP
It is important to note that when considering a DLP solution, many companies are far
too myopic and think that DLP works in a vacuum. Pragmatic firms don’t take such an
approach and make sure to integrate DLP as part of their overall information security
framework. They use DLP as one spoke in the larger information security wheel.
By integrating DLP with other technologies and tools, including end-user awareness and
training, DLP can be a very strong link in the information security chain.

A multi-step approach to DLP nirvana
So how does one take the theory of DLP and put it into practice? The following are a few
steps to protect your data if you decide to deploy a DLP solution:
Step 1 – Level set
Realize that DLP will not solve all of your data security issues, or mitigate their risks.
DLP is but one part of a larger set of information security tools.
Step 2 – You can only protect your data if you know where it is
Every year, public companies produce annual reports. In the balance sheet section,
a company notes how much cash on hand it has. These companies are expected to
accurately know this and other crucial financial details.
Yet how many of these companies can produce an annual report for their data?
The following should be a simple question for an organization - how much data resides on
your networks? How much of that data is in long-term storage? Archived? Perhaps 1 in 100
organizations can produce a reasonable answer regarding their data libraries.
The main point to consider is that there is far too much data in motion that companies
are oblivious to. It is impossible to protect data when an organization is unaware of it,
of where it is stored, or of where it is traversing.
Therefore, the first step in data protection is to identify where the corporate
data is. By performing a data discovery project, you can find all the data on
your network. Note though that this is a detailed endeavor. Expect it to take weeks if
not months to locate, diagram and document all of your major data storage locations.




Step 3 – Data classification
    Not all data is equal. You therefore need a project to classify data to understand what
    needs to be protected and the reason for it. Detail the risks to confidentiality and list
    common risk scenarios that may arise from inappropriate data leakage.
    Think of security as insurance for your data and you only need to insure items of value.
    The first step in a DLP endeavor is to define what your valuable or sensitive data is.
    How much of your data is secret? More than you think. According to Forrester
    http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf,
    secrets comprise two-thirds of the value of firms’ information portfolios. Despite the
    increasing mandates enterprises face, custodial data assets aren’t the most valuable assets
    in enterprise information portfolios. Proprietary knowledge and company secrets, by
    contrast, are twice as valuable as the custodial data. And as recent company attacks
    illustrate, secrets are targets for theft.
    Step 4 – DLP strategy
    A DLP solution can’t be deployed in a vacuum. Organizations need to develop a formal DLP
    strategy that details the specific business and technology needs and requirements.
    Many vendors position their DLP solutions differently, so it is important that you
    document your requirements, and not simply map them to their product offering.
    A mistake that too many organizations make is that they get into the minutiae of DLP
    before developing their high-level DLP strategy. First start with the high-level objectives,
    and only then go deep into the requirements.
    When you do get to the requirements phase, realize that DLP is not strictly an IT solution.
    Organizations that have effectively deployed DLP did it with input from various entities in
    their organization.
    While this is not a definitive list, ensure that at the very least, these departments
    are included:
    - Business owners
    - Legal
    - IT audit
    - Finance
    - Internal audit
    - Information security
    - Technology operations
    Note that the legal department is mentioned in the above list. For many IT professionals,
    working with legal is a foreign concept to them; but that should not be the case.
    Given that DLP includes monitoring of proprietary and personal data, your corporate legal
    department needs to give their approval to the DLP project to ensure that the monitoring
    does not violate any laws or requirements. For those entities in the European Union, this
    can’t be overemphasized, as the EU directive on data protection can quickly be violated with
    DLP if you are not careful.
    As you develop your strategy, take into consideration that DLP is a long-term endeavor;
    read: years not months. DLP is undoubtedly not a plug and play technology. Getting from the
    time you start thinking of DLP to the point that it is fully deployed and optimized
    requires time and dedication.




What do you do when the CIO wants the DLP working now, not next year?
Note that the previous paragraph uses years and DLP in the same sentence.
But what about those firms that don’t want a full-blown enterprise DLP solution,
but rather an interim solution to get up and running quickly? What do you do when the
CIO balks at the extended time to production and insists that the DLP solution
be up and running this quarter, not next year?
The Clearswift Secure Web and Email Gateway solutions are a perfect complement
for those that want the functionality of a DLP solution without the extensive time
and effort required.
The Secure Gateways incorporate basic as well as advanced DLP capabilities
natively. From built-in e-mail encryption to anti-spam/anti-malware capabilities and
more, the Gateways have been well-received by large clients, as well as small and
midsize businesses (SMBs) that have DLP deployments of less than 3,000 users.
The content security gateways can be quickly deployed to stop data leakage issues,
and you can see the positive effect within hours.
Many organizations prefer this approach, as it can rapidly be put into
execution, showing direct results.
For those organizations that want to take this approach, the first step would be to
identify the data in transit today so that accidental leakage (such as inadvertent
transmittal of confidential documents) can be detected by the email and web
gateways and stopped before it leaks out.
In fact, Gartner writes in 2010 Content-Aware Data Loss Prevention FAQs that firms
should “develop a two- to three-year road map for the deployment of capabilities
from initial monitoring only to active blocking”. For those that don’t want to wait for that
two- to three-year road map to complete, Clearswift Secure Web Gateway is
an effective respite.
Gartner also writes that organizations can balance DLP feature richness against cost
by knowing at the outset what the type and scale of the problem is that you are
trying to solve. From this, you can then develop both the business requirements of
the technology and the supporting processes, and also the tolerance for operational
costs that are likely to be incurred post-deployment.
Finally, many DLP initiatives get immediately blackballed when organizations see
the price tag, which is often exorbitant. In the report Budgeting the Costs of Content-Aware
DLP Solutions, Gartner notes that the average DLP full solution price
ranges from $350,000 to $750,000. The Clearswift Secure Gateways are a fraction
of that cost.




    So why does it often take a year or more to fully deploy a DLP solution? This is because
    yet another mistake organizations make is attempting to take their data
    anarchy and have it managed by DLP. Making DLP work means taking small steps at first,
    and then expanding on that. Many IT projects fail from too large of an initial scope.
    Therefore, start small, get initial victories and successes, and then expand.
    At the commencement of the project, start with the most critical and sensitive data;
    such as confidential data and laptops and mobile devices. Once you get that in order,
    then move to other systems and those with less critical data. Most organizations have
    far too much data to try to secure with DLP in one fell swoop.
    Since laptops were mentioned, note that while laptops and notebooks are great productivity
    tools, they are also one of the greatest mechanisms in the world of data leakage and data
    theft. Their level of convenience and accessibility is directly tied to the raw amount
    of data that can be compromised. In fact, a committed adversary will target the laptop of
    an executive or senior manager, given the treasure trove of data residing on it.
    It is worth noting that this step does not have anything to do with vendors, as that is in
    step 5. Your ready-for-primetime DLP strategy should be complete before engaging with
    a DLP vendor.
    Many DLP projects lose funding between the strategy stage and the deployment
    stage. In order to gain greater management support and business justification for the
    project, a good idea is to determine the number of DLP violations. Showing management
    DLP metrics such as how many credit card or social security numbers were quarantined is
    a great way to demonstrate the value of DLP technology.
    Finally, for those serious about a DLP strategy, the report from Gartner, Develop
    an Enterprise Strategy for Data Loss Prevention
    (http://www.gartner.com/DisplayDocument?id=1383713), is quite valuable, and can be used
    as a guide.
    Step 5 – Product selection, testing and deployment
    Once the requirements are documented, the next step is to create a pilot to test a
    number of DLP products. Ensure various use cases are tested to analyze the product
    in different scenarios. Have specific and objective metrics to ensure value controls are
    tested and that your outputs are accurate.




Conclusion
Overall, DLP is a great security technology, but it is not security pixie dust that can
magically secure your network. The steps listed here are a few of the many that need to
be done for a formal DLP rollout. By taking such a tactical approach to DLP, you can ensure
that it really does prevent your data from being lost.
For many organizations, an enterprise-grade DLP solution may be overkill. Given the cost
and effort required, many organizations are finding that it is better in the long run for them
to start with the Clearswift Secure Gateway solution, given the short-term
benefits and immediate interim success it can provide.
These organizations find that it is only once they have the Secure Web and Email Gateway
solutions fully deployed and working that they decide to consider a full-blown
DLP package.

About the author
Ben Rothke, CISSP, CISM, CISA is a New York City based senior security consultant with
BT Professional Services and has over 15 years of industry experience in information
systems security and privacy.
His areas of expertise are in risk management and mitigation, security and privacy
regulatory issues, design & implementation of systems security, encryption, cryptography
and security policy development, with a specialization in the financial services and
aviation sectors.
Ben is the author of Computer Security - 20 Things Every Employee Should Know
http://books.mcgraw-hill.com/getbook.php?isbn=0072262826&template=osborne
(McGraw-Hill), and writes a monthly security book review for Security Management
magazine. He is also a frequent speaker at industry conferences, such as CSI, RSA, and
MISTI, holds numerous industry certifications, and is a member of ASIS, CSI, Society of
Payment Security Professionals and InfraGard.




Get in Touch




Clearswift Ltd
1310 Waterside
Arlington Business Park
Theale
Reading
Berkshire
RG7 4SA

Tel : +44 (0) 118 903 8903
Fax : +44 (0) 118 903 9000
Sales: +44 (0) 118 903 8700
Technical Support: +44 (0) 118 903 8200
Email: info@clearswift.com

Más contenido relacionado

La actualidad más candente

Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
Erik Ginalick
 
Cloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowCloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to Know
Act-On Software
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
at MicroFocus Italy ❖✔
 

La actualidad más candente (20)

Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
 
Cashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidenceCashing in on the public cloud with total confidence
Cashing in on the public cloud with total confidence
 
Protect your confidential information while improving services
Protect your confidential information while improving servicesProtect your confidential information while improving services
Protect your confidential information while improving services
 
Law firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMaskLaw firms keep sensitive client data secure with CloudMask
Law firms keep sensitive client data secure with CloudMask
 
Big data security
Big data securityBig data security
Big data security
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
Defining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case AssessmentDefining a Legal Strategy ... The Value in Early Case Assessment
Defining a Legal Strategy ... The Value in Early Case Assessment
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
 
Strong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling BusinessStrong Authentication: Securing Identities and Enabling Business
Strong Authentication: Securing Identities and Enabling Business
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Cloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to KnowCloud Privacy Update: What You Need to Know
Cloud Privacy Update: What You Need to Know
 
Cloud Privacy
Cloud PrivacyCloud Privacy
Cloud Privacy
 
Breached! The First 48
Breached! The First 48Breached! The First 48
Breached! The First 48
 
Data Breach from the Inside Out
Data Breach from the Inside Out Data Breach from the Inside Out
Data Breach from the Inside Out
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
The cost of downtime
The cost of downtimeThe cost of downtime
The cost of downtime
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson   apr 2011Issa chicago next generation tokenization ulf mattsson   apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011
 
IT Asset Retirement Plan White Paper
IT Asset Retirement Plan White PaperIT Asset Retirement Plan White Paper
IT Asset Retirement Plan White Paper
 
A data-centric program
A data-centric program A data-centric program
A data-centric program
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 

Similar a The Need for DLP now - A Clearswift White Paper

Similar a The Need for DLP now - A Clearswift White Paper (20)

Microsoft DATA Protection To Put secure.
Microsoft DATA Protection To Put secure.Microsoft DATA Protection To Put secure.
Microsoft DATA Protection To Put secure.
 
trellix-dlp-buyers-guide.pdf
trellix-dlp-buyers-guide.pdftrellix-dlp-buyers-guide.pdf
trellix-dlp-buyers-guide.pdf
 
The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss PreventionThe Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention
 
The 2016 Guide to IT Identity Management
The 2016 Guide to IT Identity ManagementThe 2016 Guide to IT Identity Management
The 2016 Guide to IT Identity Management
 
Data foundation for analytics excellence
Data foundation for analytics excellenceData foundation for analytics excellence
Data foundation for analytics excellence
 
5 Myths About Data Loss Prevention
5 Myths About Data Loss Prevention5 Myths About Data Loss Prevention
5 Myths About Data Loss Prevention
 
Protecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the BeefeatersProtecting the Crown Jewels – Enlist the Beefeaters
Protecting the Crown Jewels – Enlist the Beefeaters
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
 
Why Today’s Hybrid IT Complexity Makes 'as a Service' Security Essential
Why Today’s Hybrid IT Complexity Makes 'as a Service' Security EssentialWhy Today’s Hybrid IT Complexity Makes 'as a Service' Security Essential
Why Today’s Hybrid IT Complexity Makes 'as a Service' Security Essential
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to Maturity
 
Data Security.pdf
Data Security.pdfData Security.pdf
Data Security.pdf
 
eBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data GovernanceeBook: 5 Steps to Secure Cloud Data Governance
eBook: 5 Steps to Secure Cloud Data Governance
 
Cloud Computing Panel - NYCLA
Cloud Computing Panel - NYCLACloud Computing Panel - NYCLA
Cloud Computing Panel - NYCLA
 
Enterprise Digital Rights Management (Persistent Security)
Enterprise Digital Rights Management (Persistent Security)Enterprise Digital Rights Management (Persistent Security)
Enterprise Digital Rights Management (Persistent Security)
 
Cultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurityCultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurity
 
Can You Tell Me About Some Effective Ways to Prevent Data Leakage?
Can You Tell Me About Some Effective Ways to Prevent Data Leakage?Can You Tell Me About Some Effective Ways to Prevent Data Leakage?
Can You Tell Me About Some Effective Ways to Prevent Data Leakage?
 
Clearswift | Leading Provider of Advanced Content Threat Protection
Clearswift | Leading Provider of Advanced Content Threat ProtectionClearswift | Leading Provider of Advanced Content Threat Protection
Clearswift | Leading Provider of Advanced Content Threat Protection
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Big data security
Big data securityBig data security
Big data security
 
Digital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ OverviewDigital Shadows SearchLight™ Overview
Digital Shadows SearchLight™ Overview
 

Más de Ben Rothke

Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
Ben Rothke
 

Más de Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012  building a security operations center (soc)Rothke rsa 2012  building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 

The Need for DLP now - A Clearswift White Paper

  • 1. White paper

The Need for DLP now
A Clearswift White Paper
Ben Rothke, CISSP CISA

DLP (data leak prevention) is a powerful technology that can be used to plug the holes in the data leakage dam that is affecting a myriad of organizations worldwide. While DLP is a broad set of features, a full treatment of which would require a much longer document, Clearswift is happy to offer this white paper as an introduction to the topic of DLP, which is one of the most important and powerful tools in the information security industry toolkit.

Introduction

Anyone who has tried to replace a laser toner cartridge in corporate America knows the hassle. If you are lucky and there happens to be one in the supply closet, then signatures and a few keys later, the toner can be removed from the hallowed sanctums of the office supply closet. As soon as the toner is taken, the door to the supply room is closed and secured.

Evidently, firms feel there is a significant risk to leaving expensive toner cartridges unsecured, in the hands of employees who may pinch them.

For some reason, these firms think that their trusted employees can’t be trusted with office supplies, which require them to be stored in locked areas.

The truth is that a few bad apples can quickly steal thousands of dollars’ worth of office supplies and companies understand that they must be secured.

For similar reasons, companies will place asset tags on every chair, table, laptop, microwave, etc. If these items are left unsecured and undocumented, the worst will likely happen.

But when it comes to the terabytes of confidential and proprietary data on corporate networks, companies often use kid gloves to secure the data. This begs the question, why are office supplies subject to a higher level of security than the data?

First off, take a moment and think of the myriad different types of data in your organization that need information security controls. Without much of an effort, you should be able to think of 10 types in under a minute. Data types such as the following are just a few of the many in your organization:

- Finance/spreadsheets
- HR
- M&A
- Customer private data
- Social security numbers
- Client lists
- Sales forecasting data
- R&D
- Legal
- Credit card numbers
- Contact information
- Marketing strategies

For many years, Sun Microsystems noted that the network is the computer. With that, the network is the data, as data is the gold for many organizations.

Imagine that 500 office chairs, with asset tags, were stolen. Not really such a big deal, as they are insured. But if a few gigabytes of data are lost from an organization, that can often mean significant impact and consequences, including:

- Class action lawsuit
- Public embarrassment
- Expense to recover
- Compliance violation (PCI DSS, Sarbanes-Oxley, GLBA, EURO-SOX, HIPAA/HITECH, UK Data Protection Act, California Senate Bill SB 1386, and many more)
- Loss of customer trust
- Diminished competitive advantage
- Negative branding
- Financial consequences

With that, many organizations are turning to a DLP solution to help them gain control over their seemingly uncontrolled data stores.
  • 2. Why DLP?

There are a number of reasons why you want to consider a DLP solution. Gartner notes in their 2010 Buyer’s Guide to Content-Aware DLP http://www.gartner.com/DisplayDocument?id=1421941&ref=g_sitelink that content-aware DLP solutions offer a significant array of capabilities to organizations. Their key findings are that DLP:

- Helps organizations to develop, educate and enforce effective business practices concerning the access, handling and transmission of sensitive data
- Provides reporting and workflow to support identity and access management (IAM), regulatory compliance initiatives, intellectual property protection and data policy compliance management

Those two areas alone are domains which nearly every company is struggling with. Other areas where DLP has been shown to be of significant value are:

- Helps organizations to develop, educate and enforce effective business practices concerning the handling and transmission of sensitive data
- Dynamic application of policy based on the classification of content determined at the time of an operation
- Early detection – which equates to earlier mitigation

Many organizations see DLP software and hardware as the answer to their information security problems. As I wrote in DLP – A security solution, not a security savior http://www.btsecurethinking.com/2009/12/dlp-%E2%80%93-a-security-solution-not-a-security-savior/, over the last few years DLP has achieved critical mass.

So what exactly is this security remedy called DLP? DLP refers to a set of software and hardware solutions that identify, monitor and protect data, mainly via content inspection and contextual security analysis. One of the main benefits of a DLP solution is that it can detect and prevent the unauthorized use and transmission of confidential (as defined by the organization) information.

DLP sounds like a slam-dunk security solution that every organization can use. Yet, as important as protecting data is, there’s more to DLP than simply rolling out a DLP solution.

As noted in the beginning of this white paper, many organizations have much better knowledge of how many pencils they have in their supply closets than of how much data they have on their networks. DLP tools have data discovery capabilities and can scan data repositories and identify data. A decision can then be made whether that data needs to be part of the protection scheme. The data can also be indexed as a way to start the process of determining who the data owner is.

When looking at a product's data discovery capabilities, one key area to look at is how many different data types it is able to identify. There are literally hundreds of different file formats in use, from Microsoft Office documents to multimedia, encrypted, zip, source code and many more.

How does data leak?

There are literally hundreds of ways (many of them in a manner many organizations can’t fathom) in which data can leak. The following list gives but a few of them:

- Careless mistakes, often when doing repetitive mundane tasks
- Accidentally sending email to a group rather than an individual
- Fat finger
- Disgruntled worker
- Attaching the wrong file
- Not being careful when rushing to a deadline
- Hitting the send button too early
- Malicious intent
- Corporate espionage
- Outsourcers, business partners, contractors, etc., with poor security practices
- Poor firewall rules
- Lost USB, memory card, DVD, etc.
- Lost smartphones
- Lost backup tapes
- Data storage devices not properly sanitized
- Phishing
- Malware
- Insecure transmission of personally identifiable and other restricted data
  • 3. Ultimately, think beyond DLP

It is important to note that when considering a DLP solution, many companies are far too myopic and think that DLP works in a vacuum. Pragmatic firms don’t take such an approach and make sure to integrate DLP as part of their overall information security framework. They use DLP as one spoke in the larger information security wheel. By integrating DLP with other technologies and tools, including end-user awareness and training, DLP can be a very strong link in the information security chain.

A multi-step approach to DLP nirvana

So how does one take the theory of DLP and put it into practice? The following are a few steps to protect your data if you decide to deploy a DLP solution:

Step 1 – Level set

Realize that DLP will not solve all of your data security issues, or mitigate all of the risks. DLP is but one part of a larger set of information security tools.

Step 2 – You can only protect your data if you know where it is

Every year, public companies produce annual reports. In the balance sheet section, a company notes how much cash on hand it has. These companies are expected to accurately know this and other crucial financial details. Yet how many of these companies can produce an annual report for their data?

The following should be a simple question for an organization: how much data resides on your networks? How much of that data is in long-term storage? Archived? Perhaps 1 in 100 organizations can produce a reasonable answer regarding their data libraries.

The main point to consider is that there is far too much data in motion that companies are oblivious to. It is impossible to protect data when an organization is unaware of it, of where it is stored, or of where it is traversing. Therefore, the first step in data protection is to identify where the corporate data is.

By performing a data discovery project, you can find all the data on your network. Note though that this is a detailed endeavor. Expect it to take weeks if not months to locate, diagram and document all of your major data storage locations.
  • 4. Step 3 – Data classification

Not all data is equal. You therefore need a project to classify data to understand what needs to be protected and the reason for it. Detail the risks to confidentiality and list common risk scenarios that may arise from inappropriate data leakage.

Think of security as insurance for your data; you only need to insure items of value. The first step in a DLP endeavor is to define what your valuable or sensitive data is.

How much of your data is secret? More than you think. According to Forrester http://www.rsa.com/products/DLP/ar/10844_5415_The_Value_of_Corporate_Secrets.pdf, secrets comprise two-thirds of the value of firms’ information portfolios. Despite the increasing mandates enterprises face, custodial data assets aren’t the most valuable assets in enterprise information portfolios. Proprietary knowledge and company secrets, by contrast, are twice as valuable as the custodial data. And as recent company attacks illustrate, secrets are targets for theft.

Step 4 – DLP strategy

A DLP solution can’t be deployed in a vacuum. Organizations need to develop a formal DLP strategy that details the specific business and technology needs and requirements. Many vendors position their DLP solutions differently, so it is important that you document your requirements, and not simply map them to their product offering.

A mistake that too many organizations make is that they get into the minutiae of DLP before developing their high-level DLP strategy. First start with the high-level objectives, and only then go deep into the requirements.

When you do get to the requirements phase, realize that DLP is not strictly an IT solution. Organizations that have effectively deployed DLP did it with input from various entities in their organization. While this is not a definitive list, ensure that at the very least, these departments are included:

- Business owners
- Legal
- IT audit
- Finance
- Internal audit
- Information security
- Technology operations

Note that the legal department is mentioned in the above list. For many IT professionals, working with legal is a foreign concept, but that should not be the case. Given that DLP includes monitoring of proprietary and personal data, your corporate legal department needs to give their approval to the DLP project to ensure that the monitoring does not violate any laws or requirements. For those entities in the European Union, this can’t be overemphasized, as the EU directive on data protection can quickly be violated with DLP if you are not careful.

As you develop your strategy, take into consideration that DLP is a long-term endeavor; read: years not months. DLP is undoubtedly not a plug and play technology. Getting from the time you start thinking of DLP to the point that it is fully deployed and optimized requires time and dedication.
  • 5. What do you do when the CIO wants the DLP working now, not next year?

Note that the previous paragraph uses years and DLP in the same sentence. But what about those firms that don’t want a full-blown enterprise DLP solution, but rather an interim solution to get up and running quickly? What do you do when the CIO balks at the extended time to production and insists that the DLP solution be up and running this quarter, not next year?

The Clearswift Secure Web and Email Gateway solutions are a perfect complement for those that want the functionality of a DLP solution without the extensive time and effort required. The Secure Gateways incorporate basic as well as advanced DLP capabilities natively. From built-in e-mail encryption to anti-spam/anti-malware capabilities and more, the Gateways have been well-received by large clients, as well as small and midsize businesses (SMBs) with DLP deployments of fewer than 3,000 users.

The content security gateways can be quickly deployed to stop data leakage issues, and you can see the positive effect within hours. Many organizations prefer this approach, as it can be put into execution immediately, showing direct results.

For those organizations that want to take this approach, the first step would be to identify the data in transit today so that accidental leakage (such as inadvertent transmittal of confidential documents) can be detected by the email and web gateways and stopped before it leaks out.

In fact, Gartner writes in 2010 Content-Aware Data Loss Prevention FAQs that firms should “develop a two- to three-year road map for the deployment of capabilities from initial monitoring only to active blocking”. For those that don’t want to wait for that two- to three-year road map to complete, Clearswift Secure Web Gateway is an effective respite.

Gartner also writes that organizations can balance DLP feature richness against cost by knowing at the outset the type and scale of the problem they are trying to solve. From this, you can then develop both the business requirements of the technology and the supporting processes, and also the tolerance for operational costs that are likely to be incurred post-deployment.

Finally, many DLP initiatives get immediately blackballed when organizations see the price tag, which is often exorbitant. In the report Budgeting the Costs of Content-Aware DLP Solutions, Gartner notes that the average DLP full solution price ranges from $350,000 to $750,000. The Clearswift Secure Gateways are a fraction of that cost.
  • 6. So why does it often take a year or more to fully deploy a DLP solution?

This is because yet another mistake organizations make is attempting to take their data anarchy and have it managed by DLP. Making DLP work means taking small steps at first, and then expanding on that. Many IT projects fail from too large of an initial scope. Therefore, start small, get initial victories and successes, and then expand.

At the commencement of the project, start with the most critical and sensitive data, such as confidential data and laptops and mobile devices. Once you get that in order, then move to other systems and those with less critical data. Most organizations have far too much data to try to secure with DLP in one fell swoop.

Since laptops were mentioned, note that while laptops and notebooks are great productivity tools, they are also one of the greatest mechanisms in the world of data leakage and data theft. Their level of convenience and accessibility are in direct response to the raw amount of data that can be compromised. In fact, a committed adversary will target the laptop of an executive or senior management, given the treasure trove of data residing on it.

It is worth noting that this step does not have anything to do with vendors, as that is in step 5.

You’re ready for primetime

DLP strategy should be complete before engaging with a DLP vendor. DLP projects sometimes lose funding between the strategy stage and the deployment stage. In order to gain greater management support and business justification for the project, a good idea is to determine the number of DLP violations. Showing management DLP metrics such as how many credit card or social security numbers were quarantined is a great way to demonstrate the value of DLP technology.

Finally, for those serious about a DLP strategy, the Gartner report Develop an Enterprise Strategy for Data Loss Prevention http://www.gartner.com/DisplayDocument?id=1383713 is quite valuable, and can be used as a guide.

Step 5 – Product selection, testing and deployment

Once the requirements are documented, the next step is to create a pilot to test a number of DLP products. Ensure various use cases are tested to analyze the product in different scenarios. Have specific and objective metrics to ensure value controls are tested and that your outputs are accurate.
  • 7. Conclusion

Overall, DLP is a great security technology, but it is not security pixie dust that can magically secure your network. The steps listed here are a few of the many that need to be done for a formal DLP rollout. By taking such a tactical approach to DLP, you can ensure that it really does prevent your data from being lost.

For many organizations, an enterprise-grade DLP solution may be overkill. Given the cost and effort required, many organizations are finding that it is better in the long run for them to start with the Clearswift Secure Gateway solution, given the short-term benefits and immediate interim success it can provide. These organizations find that it is only once they have the Secure Web and Email Gateway solutions fully deployed and working that they decide to consider a full-blown DLP package.

About the author

Ben Rothke, CISSP, CISM, CISA is a New York City based senior security consultant with BT Professional Services and has over 15 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design & implementation of systems security, encryption, cryptography and security policy development, with a specialization in the financial services and aviation sectors.

Ben is the author of Computer Security - 20 Things Every Employee Should Know http://books.mcgraw-hill.com/getbook.php?isbn=0072262826&template=osborne (McGraw-Hill), and writes a monthly security book review for Security Management magazine. He is also a frequent speaker at industry conferences, such as CSI, RSA, and MISTI, holds numerous industry certifications, and is a member of ASIS, CSI, Society of Payment Security Professionals and InfraGard.
  • 8. Get in Touch

Clearswift Ltd
1310 Waterside
Arlington Business Park
Theale, Reading
Berkshire RG7 4SA

Tel: +44 (0) 118 903 8903
Fax: +44 (0) 118 903 9000
Sales: +44 (0) 118 903 8700
Technical Support: +44 (0) 118 903 8200
Email: info@clearswift.com