Data loss prevention doesn't come in a pill

It's not hard to see why data loss prevention is flavour of the year amongst security professionals. But the panic to find a quick fix is unlikely to result in much improvement.

The mere fact that a "DLP market" has suddenly emerged with products claiming to solve the problem underlines our tendency, when put under pressure, to install another bit of software rather than take time to do a proper analysis.

For instance, when that Nationwide laptop went missing a couple of years ago, the company was rightly pilloried for allowing unencrypted customer data to walk out of the company. But few asked why an employee felt it necessary (or permissible) to copy the whole customer file in the first place. It appears there was no policy in place covering such an action; nobody thought it mattered.

Take also the notorious case of the lost CDs at HMRC, where someone decided it was OK to copy 25m records, complete with bank details, and put them unencrypted into the post. Again, encryption would have boosted security but it hardly answers much broader questions – why send bank details when they had not been requested? Why not use the Government's own secure network to send the data? Why not use a secure courier? Again it seems the policy was vague or non-existent, and it was not enforced anyway.

Then in January, we heard that an MoD laptop had gone missing, with records on 600,000 people who had applied to join the British armed forces over the last decade. The data was, again, unencrypted but, again, that's not the whole point. Why does anyone need all that data? Are there no controls? Is there no policy, and is it not enforced?

Which brings us back to the so-called DLP market. What kind of single product is going to stop the combination of ignorance, carelessness, stupidity and incompetence that the above three examples demonstrate?

That wise industry-watcher, Philippe Courtot of Qualys, observed recently that many companies have a "pill mentality" when it comes to security – if they have a problem, they think they can take a pill (or install a product) and that will make everything better.

But don't count on anything with a DLP label to wash your blues away. As Paul Simmonds, currently head of security at ICI, says: "The canned demos of DLP products always show how to stop Social Security numbers (for the US) or credit card numbers, both of which have a fixed format that is easy to spot." In other words, the products are unlikely to block more subtle company secrets or information.
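To make that point concrete, here is an added example (written for this edit, not code from the article, from any vendor, or from the people quoted) of the fixed-format matching a canned DLP demo relies on: a regex plus Luhn check for card numbers and a format check for US Social Security numbers, run over a handful of constructed sample documents. The file names, the document text and the project name "Nightjar" are invented for the illustration. The card and SSN rules fire with no configuration at all, while the board minutes describing an acquisition pass straight through until someone has written the policy that names "Project Nightjar" as confidential.

```python
"""Pattern-based content inspection of the kind DLP demos show, and its blind spot."""
import re
from typing import Dict, List, Tuple

# Constructed sample documents for this illustration only (not real customer data).
SAMPLE_DOCS: Dict[str, str] = {
    "expense_report.txt": "Paid on corporate card 4111 1111 1111 1111, expiry 09/27.",
    "hr_note.txt": "Candidate SSN 078-05-1120 checked against the I-9 form.",
    "board_minutes.txt": ("Project Nightjar: board agreed to bid 14.20 per share "
                          "for Acme Ltd. Strictly not for circulation."),
    "invoice.txt": "Order number 4111111111111112 dispatched 12 March.",
}

# 13 to 16 digits, optionally separated by spaces or hyphens (candidate card numbers)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN in AAA-GG-SSSS form, excluding the never-issued ranges
# (area 000, 666 or 9xx; group 00; serial 0000)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str, confidential_terms: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return (rule, matched_text) pairs for one document.

    The fixed-format rules need no policy input. The free-text rule can only
    flag terms that a human has already decided are confidential.
    """
    hits: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card_number", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    lowered = text.lower()
    for term in confidential_terms:   # hypothetical policy-supplied list
        if term.lower() in lowered:
            hits.append(("confidential_term", term))
    return hits


def scan_all(docs: Dict[str, str],
             confidential_terms: Tuple[str, ...] = ()) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every document and map its name to the rules that fired."""
    return {name: scan(text, confidential_terms) for name, text in docs.items()}


if __name__ == "__main__":
    # With no policy input: card and SSN are caught, the Luhn-failing order
    # number is correctly ignored, and the acquisition plan is not flagged at all.
    for name, hits in scan_all(SAMPLE_DOCS).items():
        print(f"{name}: {hits or 'nothing flagged'}")
    # Only once someone has written the rule does the tool see the real secret.
    print(scan_all(SAMPLE_DOCS, ("Project Nightjar",))["board_minutes.txt"])
```

The Luhn check matters in practice: without it, every 16-digit order or tracking number becomes a false positive and the gateway drowns in alerts. The confidential-term list is where the article's argument lands: the tool can enforce it efficiently, but someone has to do the classification work first and decide that the document is secret.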

If a company is serious about data leakage, it needs to take a much broader view and tackle the basics first. John Pironti, chief information risk strategist at Getronics, says the "painful and non-fun things" – asset inventory, process mapping, data classification – need to be endured to enable companies to get a picture of where data sits, and how it moves around.

Once they've gone through that process, companies can take a proper risk-based approach to protecting what they have. That will almost certainly involve encrypting data, using some DLP products, and drawing on the wealth of new features in many email systems to stop secrets leaving via the mail gateway.

The companies may use endpoint solutions to restrict the use of USB ports on laptops, and new discovery tools to help them root out forgotten repositories of sensitive data. In the near future, they may even be able to apply tagging techniques to documents and data to help automate the classification process.

But in the end, technology cannot do it all. People have to use their brains and their judgment to determine what should be protected, what should be allowed and how information should move around. Technology can help define policy and it can also help enforce it much more effectively than any army of officials.

But it won't create or decide the policy for you.

