Data leaks by employees have emerged as a serious security threat in recent years. Indian organisations lose as much as $40 billion (Rs 1,60,000 crore) due to employee fraud every year, according to a study conducted in 2008 by India Forensic Consulting Services, a Pune-based consultancy. "India Fraud Survey Report 2008," a report by KPMG, notes that employees pose the biggest threat to an organisation. This is where data loss prevention (DLP) has emerged as a significant measure to control these activities.
DLP solutions allow enterprises to identify, monitor and protect their critical data. As Seepij Gupta, the lead analyst for IDC India's security solutions research practice, points out, "Indian enterprises increasingly deal with sensitive data, which if stolen or compromised can result in serious legal implications and loss of goodwill in the market. Also, various regulations and compliance norms have come up in the last few years, both globally and in India, which mandate the need for a proper security posture."
As more of the workforce becomes mobile, laptops, smartphones and handhelds have become very common. However, organizations find it difficult to track information residing in all these endpoint devices. "Looking at the growth of smart mobile devices and their storage capacity, the need for DLP kind of solution will definitely increase," Gupta says.
According to IDC, DLP is currently a very small subset (less than 5%) of the overall $310 million USD security solutions spend in 2008. Yet to gain popularity among Indian enterprises, DLP has seen early success only in the IT/ITeS and banking, financial services and insurance segments. This is primarily due to the low awareness and perceived complexities of DLP deployment.
The main reason for lack of awareness is DLP's unclear definition. It's commonly called data loss prevention, as well as data leak prevention. However, Gupta says these two terms are entirely different concepts. "Data loss is a superset of data leak. Data leak often happens with malicious intention, whereas data loss can be completely unintentional. For some people, encryption is also DLP, but DLP goes much beyond mere encryption," he says.
Surendra Singh, Websense Inc.'s regional director for SAARC, says he believes there was some confusion in 2007-08 about how DLP solutions will address the market. However, DLP awareness has significantly increased. "There is good awareness among Indian CIOs. We have seen many deals and proof-of-concept projects since April 2009. Top 500 Indian companies are absolutely serious about DLP," Singh says.
However, that's just the beginning. "Today, Indian organizations are in a wait-and-watch mode for its peers to install DLP solutions. Many companies will contemplate DLP adoption only after it has matured as an industry-wide practice," Gupta explains.
DLP: More than just a product
DLP is not just another point product for information security; rather, it has to be an enterprise-wide data protection strategy. Mere technology solutions may not address actual data loss issues. Hence, a comprehensive policy that addresses the particular company and nature of business is essential for a successful DLP deployment. "An organization is headed for trouble if it does not have a DLP strategy. DLP is all about a holistic approach to determine your valuable data, its location and its leak prevention," asserts Nandita Jain Mahajan, the chief privacy and information security officer of IBM India/South Asia and IBM Daksh.
An organization typically has sensitive data about employees, customers, intellectual property and other confidential topics. Identification and classification of such critical data is the first step of DLP deployment. As Gupta explains, an organisation primarily has three types of data: data at rest (data in databases, storage, archives, etc), data in motion (data moving through the network) and data in use (data in desktops or endpoints used every day by employees). The DLP solution has to be effective on all these data types.
Vishal Salvi, the chief information security officer of HDFC Bank, provides an alternate approach in which an organisation can classify data as structured data (stored in applications) and unstructured data (stored on users' desktops). Classification of data calls for data flow analysis (DFA) of the organisation. Murli Nambiar, the vice president and head of information security for Reliance Capital Group, recently handled a successful DLP solution deployment from Websense. "Data flow analysis helps you identify critical data, who generates the data, its location and where it goes," Menon says.
After identifying critical data, the next step is to secure it. Based on the classification of data and DFA, the organisation should formulate a policy that defines critical data as well as each entity's role, responsibility and access rights. The policy should also detail the IT team's role and the security of the data as it travels through various channels. "Sensitivity of the data will determine severity of its loss. A user's profile will drive the level of monitoring. Both these parameters play a very important role when formulating a DLP strategy," Mahajan explains.
There are three major channels through which information is transferred within or outside the organisation: email, Web tools (blogs, social networking sites, IM) and endpoint devices (USB drives, laptops and mobiles). The DLP solution must check data leakage from these channels.
The step-by-step approach is currently more popular. However, there is an alternate methodology for data protection strategy. For example, Reliance Capital pairs a document rights management solution from Seclore with its DLP implementation. This allows Reliance Capital to enforce and assign rights such as view, print, copy, etc., on critical data. Only authorised users have access to this data.
At HDFC Bank, Salvi is also considering a DRM solution to complement the bank's DLP solution from Symantec. According to Salvi, although DRM and DLP are different tools, both address the single aim of information protection. "While DRM focuses on information control through access rights, DLP identifies and monitors the information. In an ideal world, one may not need DLP with a successful DRM implementation. But as that is not possible, DLP is also required. Both complement each other," Salvi says.
DLP solutions available in the market
All major security vendors like Symantec Corp., Websense, Trend Micro Inc. and McAfee Inc. offer DLP solutions in India. These solutions allow organisations to discover, monitor, protect and manage information and are primarily available in two areas -- network and endpoint. Network DLP solutions mainly have two clients -- Web and email. This prevents data from being leaked at the network level.
On the other hand, endpoint DLP solutions place a client on devices like laptops and USB drives to block data from being copied or transferred in an unauthorised manner. According to Singh, there is demand for both solutions. Gupta says he feels many well-known players in the encryption space will gradually evolve beyond encryption and start offering DLP solutions.
Common mistakes and best practices
Like other IT implementations, DLP should also be in close alignment with business imperatives. "The biggest challenge in a DLP implementation is the business knowledge. Also, how do you identify business stakeholders who can take decisions on what is right and wrong?" Salvi asks.
It's a tough call to classify data as sensitive or nonsensitive. "It's easier to classify new data or data which is created now. However, it's a very tedious task if the company has legacy data for 10 or 15 years," Gupta says.
Also, such implementations that affect all levels of employees need strong support from senior management. User awareness is another critical element of DLP implementation. As Nambiar says, "Users have to be made aware of the organisation's stand on any data misuse and its repercussions."
During DLP implementation, enterprises often want to protect all the information, which is not really practical, Singh says. "Organisations should start with the most confidential data. Then it should move gradually to protect other information," he explains.