Corporate networks have increasingly grown porous due to the advancements in Web and mobility technologies. As a result, chief information security officers have to ensure a strong Chinese wall defense, without compromising on the flexibility of business operations. This fundamental requirement has prompted Infrastructure Development Finance Company Limited (IDFC), a leading infrastructure finance company, to invest in data loss prevention (DLP) software.
IDFC, an ISO 27001 certified company, has more than 500 employees, and fairly mature information security policies and controls. Although the company has strong network security, role based identity and access management, and security infrastructure hygiene, the information flow across and outside the organization has emerged as a critical issue. “What people do with the information they possess, how and who they transmit it to, are major concerns for us,” says Uma Ramani, the vice president for information technology (IT) at IDFC. Although the company has blocked USB, access to personal emails, and chat URLs, the employees have access to blackberry devices. “Despite the controls, we realized that there is still scope for free flow of information, which can be misused. Hence, we felt the need for DLP software which could provide us with monitoring capabilities,” says Ramani.
Although IDFC has started to evaluate DLP software available in the market, it refrained from naming specific vendor solutions. Describing the critical requirement for DLP software, V C Kumanan, senior director for IT at IDFC explains, “We are clear about implementing a DLP software that provides complete transparency on what’s happening with our information, without hindering flexibility of business functioning.”
Beyond a level, you cannot impede business flexibility with security controls as IT is primarily a business enabler at the end of the day. Hence IDFC wants to move from an open environment to a relatively blocked environment in a progressive manner. “We first want to start monitoring, observe the information flow, understand who is sharing what with whom, and then start progressively locking stuff or putting controls,” says Ramani.
Implementing the DLP software can be really taxing for a huge corporate group like IDFC, which comprises around 10 companies. “It is not just about implementing the DLP software and monitoring, the more important concerns are who will monitor and what policies are required for it,” observes Ramani. IDFC feels that business support for DLP software implementation is critical as the IT department may not be able to understand the significance of confidential information of a specific business unit. Accordingly, IDFC has already started talking with its key departments about the DLP initiative, but it is yet to convince all of them.
In 2011, as part of the DLP software deployment process, IDFC plans to classify its information. This will be sorted on the lines of data at rest, in motion and, in use, and then into categories like sensitive, confidential, public, and private.