There is a huge amount of hype in the industry regarding
data loss prevention. Naturally, the IT industry is focused on
data in an electronic format however, this does not take into
account paper and other physical forms of information, writes Rob
Swainson, managing director of Blue Cube Security.
Key issues to consider include:
• Identification of the data you need to protect
• Classification of which data is sensitive, commercially
confidential or even top secret. Without this classification,
decisions about what is permitted to be done with that data cannot
be made
• Any binding regulations or legislation, and which data they
apply to
• Identification of channels or media that are legitimately used
by the business
• Identification of who has access to the information and for
what purpose
• Classification of risk if the data were to be lost or stolen
what would be the
impact on the business?
• How this information can be used to augment information
security policies and enforce a policy for the protection of
data
• Are you focusing on data leaving the organisation, or where it
goes internally?
A significant problem with implementing data loss prevention is
that few organisations can legitimately claim to be able to
classify all the data that resides within their business, and where
it is stored. A good starting point is to identify the most
sensitive data and build from there.
In terms of solutions to the problem, there is no silver bullet.
However, once you have a grasp on what you are trying to protect,
there are some good data leakage management products (sometimes
referred to as extrusion prevention) available. The most useful are
those that adopt a holistic approach and allow you to apply policy
to data or content and respond according to either the content or
the action being taken with that piece of data.
The IT security industry has focused on the encryption of data
as the first cornerstone of data loss prevention. This is
complemented by systems to monitor and control USB devices and
removable media, e-mail/web filtering and
encryption technologies. Systems for device encryption and port
control should be considered as enforcement points rather than the
solution to the problem.
Products that enable integration with third-party solutions will
provide the strongest protection, for example, the
Workshare
Protect Network from Workshare. This will allow organisations
to utilise best-of-breed technologies and take advantage of
existing investment in security technologies. A 'one size fits all'
approach will never work since the components of the system will
invariably be weaker in certain areas and will almost certainly
mean a higher price tag.
Overall, technology can only address the issue of data loss
prevention once the key issues of data classification and
assessment of risk have been identified. However, once you know
what you are trying to protect, then appropriate products are
available, as are independent consultants to guide you through the
selection process and implementation.