There is a huge amount of hype in the industry regarding data loss prevention. Naturally, the IT industry is focused on data in an electronic format; however, this does not take into account paper and other physical forms of information, writes Rob Swainson, managing director of Blue Cube Security.
Key issues to consider include:
• Identification of the data you need to protect
• Classification of which data is sensitive, commercially confidential or even top secret. Without this classification, decisions about what is permitted to be done with that data cannot be made
• Any binding regulations or legislation, and which data they apply to
• Identification of channels or media that are legitimately used by the business
• Identification of who has access to the information and for what purpose
• Classification of risk: if the data were to be lost or stolen, what would be the impact on the business?
• How this information can be used to augment information security policies and enforce a policy for the protection of data
• Are you focusing on data leaving the organisation, or where it goes internally?
A significant problem with implementing data loss prevention is that few organisations can legitimately claim to be able to classify all the data that resides within their business, and where it is stored. A good starting point is to identify the most sensitive data and build from there.
In terms of solutions to the problem, there is no silver bullet. However, once you have a grasp on what you are trying to protect, there are some good data leakage management products (sometimes referred to as extrusion prevention) available. The most useful are those that adopt a holistic approach and allow you to apply policy to data or content and respond according to either the content or the action being taken with that piece of data.
The IT security industry has focused on the encryption of data as the first cornerstone of data loss prevention. This is complemented by systems to monitor and control USB devices and removable media, e-mail/web filtering and encryption technologies. Systems for device encryption and port control should be considered as enforcement points rather than the solution to the problem.
Products that enable integration with third-party solutions will provide the strongest protection; one example is the Workshare Protect Network from Workshare. Such integration allows organisations to use best-of-breed technologies and take advantage of existing investment in security technologies. A 'one size fits all' approach will never work, since the components of the system will invariably be weaker in certain areas and will almost certainly mean a higher price tag.
Overall, technology can only address the issue of data loss prevention once the key issues of data classification and assessment of risk have been identified. However, once you know what you are trying to protect, then appropriate products are available, as are independent consultants to guide you through the selection process and implementation.
This was first published in December 2008