Results of a recent TechTarget survey show that data protection technology and procedures are a key concern to many U.K. information security professionals. While respondents indicated interest in improving data protection efforts, in many cases a lack of extra budget and know-how stand in the way of properly securing data.
The survey, which queried approximately 150 U.K.-based information security professionals in late 2009, solicited answers about presumed security spending plans in 2010.
Survey respondents identified data protection as the area of focus that would receive the most time and money in 2010. This spending would largely precede other security technology categories, such as threat management, identity and access management and application security.
The increased interest in data protection this year may be a result of added compliance pressure: 70% of respondents indicated compliance is the biggest reason to protect data. Perhaps the largest compliance pressure point in the U.K. is the Data Protection Act, which as of April 6, grants the Information Commissioner's Office the power to fine noncompliant companies.
So far it's unclear exactly how and to what extent the ICO will impose fines on non-compliant organisations, but experts agree that while it will continue to drive data protection efforts, there will be other data protection drivers as well. "Obviously compliance is a big [driver]," said Jericho Forum member Paul Simmonds, "But there's a bigger business issue here."
Simmonds believes data protection procedures need to be beefed up as a result of sensitive data too often leaving companies' perimeters. Collaboration is becoming more common among companies, according to Simmonds, so it's vital to ensure that collaborative partners only see the data intended for them.
"Data is not just sitting on your servers anymore. If people think this [data protection] is just about endpoints and laptops, they're missing the point," Simmonds said. "This is about taking a holistic view on how your data travels outside your organisation."
For this reason, Simmonds argued that point products, such as data leakage prevention (DLP), are not necessarily the way to go about data protection. "It's just not delivering," he said of DLP, adding that "it's flawed." He said that DLP products can prevent the leaking of standardized data like credit card data; it's not as easy to tune systems for non-standard data that does not use a universal pattern. Without that pattern, according to Simmonds, DLP becomes "horribly complicated."
Stuart Brameld of Nebulas, however, disagrees. He predicts a trend toward gateway products that include integrated DLP. "I think there's going to be a big uptake in that, as opposed to people buying full-blown DLP solutions." Brameld believes this trend will be a result of organisations shying away from complex process and deployment-intensive DLP technologies.
Ian Kilpatrick, chairman of value-added distributor WickHill Group plc, said he doesn't believe that a true data loss prevention product exists, and that selling the concept of "DLP" is disingenuous on the part of vendors because no single product can deliver on the promise to prevent data leaks. True data loss prevention, he noted, includes not only DLP but also a range of technologies such as encryption and antimalware working together.
This may come as reassuring news for those organisations that cannot afford to purchase a full-blown DLP product. According to the survey, budgets are largely set to remain flat during the remainder of 2010. Nearly half of respondents (45%) said their budgets for laptop or drive encryption would remain flat, 43% said DLP spending would remain unchanged, and 54% indicated their organisations would not devote any extra pounds to database encryption.
While the interest in data protection technology and the struggle to allocate extra money toward it seem to come in conflict, there are some ways to get around this divide. Brameld once again mentioned consolidated, integrated security products as the way to go.
"I think people in the past were looking to provide things like firewall, DLP and Web filtering functionality using best-of-breed products on separate pieces of hardware," Brameld said. "There seems to be more of an acceptance that these functionalities can now run on the same piece of hardware."
Simmonds said he recommends looking for the root causes of data protection issues. "At the end of the day, for most corporations, this isn't about data leakage prevention; it's about controlled data leakage," he said, explaining that some data is meant to be put outside the network perimeter. The challenge for organisations is to control which data stays in and which is allowed out. Unfortunately, however, Simmonds does not believe that any implementation yet exists that can do this necessity justice.
Kilpatrick agreed that organisations need to reevaluate what needs to be done to protect sensitive data. He cited two-factor authentication and encryption as two good places to start.
"Just think about some of the easy stuff," Kilpatrick said. "Slowly protect the bits that are at highest risk, and work your way through to the rest. Don't just say I'm going to protect all the data inside and outside the network when 80% is of low value and isn't worth the value or expense of trying to protect it."
The bottom line, according to Brameld, is that organisations need to figure out how to protect different types of data leaving the business perimeter. "You need to target the biggest priority to start with," he said, "otherwise you'll just have people getting into a big maze of complexity."