One reason there has been debate over data loss prevention (DLP) is that data gets into so many places and is so hard to track.
In a recent presentation by network security firm CNS, it was demonstrated to me that an average document can be replicated 30 to 40 times, with copies stored as it is sent around. So if this is representative of typical data creation and retention, it is no surprise that data loss has remained one of the main headaches for IT managers in recent years.
DLP can help with this problem, but where do you place the DLP? Do you place it at the endpoint or at a gateway within the perimeter, or even in the cloud? Is this even workable when personal mobile devices access and create data with or without the knowledge of the IT department?
Victor Limongelli, CEO of Guidance Software, said that the huge increase in devices over the past few years is a major cause of this problem. “Thirty years ago there were no computers, no tablets and no smartphones. Now there is no perimeter with the cloud and virtual environments and data ends up in various spots and situations and breaches make the newspapers,” he said.
“Now a new laptop comes into the enterprise and IT does not know about it and on the next day, there is data on the device and incidents happen. There is no visibility. In ten years people will be saying ‘we cannot believe what we did’. We cannot stop losing data but we can get better control.”
Kevin Dowd, director of security assessment at CNS, admitted that on a large network it is almost impossible to control all data access points and there are so many instances and images made of data that it is hard to control.
Dowd said: “People are realising what sensitive data is and are relying on good applications and becoming very certain about centralised data. This is a huge problem that will only get worse but ‘data modelling’ is a step forward. Stopping stuff getting out is the biggest challenge, as stopping stuff getting in (with intrusion prevention and anti-virus) is pretty easy.”
A recent campaign from LogLogic saw it put the spotlight on IT data management (ITDM) as an enterprise initiative. It said that this was ‘key to addressing the three cornerstones of the modern, intelligence-driven enterprise: dedicated security threat management; comprehensive data for compliance; and enterprise-wide operational intelligence’.
It said that ITDM expands beyond traditional security information and event management (SIEM) to help enterprises provide forensic information to aid in security threat identification and management and corporate compliance, while helping them make intelligence-based decisions based on the growing mass of IT-based information available to them.
Guy Churchward, CEO of LogLogic, said: “It is common knowledge that over 30 per cent of enterprise data today is IT data, or data about the enterprise's information technology. Complicating matters, that information is scattered across multiple locations, both on-premise and in the cloud. It is difficult to access because of multiple, incompatible interfaces, and it is difficult to correlate without greater context.”
Research by Forrester found that there is no efficient way for IT departments to gather and analyse disparate data from across the enterprise. Bill Roth, chief marketing officer at LogLogic, told SC Magazine that it believed that SIEM will expand beyond borders but it was trying to put borders around it.
He said: “In that IT data, some is audit, some are log files and it is all important to the company, but there are two levels and people are not using it to its full advantage to bring things together.
“In terms of data being everywhere, we find technologies are used for collection, storage and retrieval, but also for reporting. Data collection is important, so why spend time pulling files or setting agents to pull data together when there are a variety of things you need to collect?
“We say add the resources together to add some structure to make it easy to search and find data and establish a semantic structure. Unless you are tracking information, there is no way to understand the scope of the damage or the problems that are related.”
Churchward admitted that organisations have data in too many places, particularly with the advent of virtual environments and the cloud. “You need to pull data into a centralised place for reporting with central management. For a CISO it is hard to make decisions quickly as they are taking data and turning it into something,” he said.
Chris Jenkins, security business manager at Dimension Data, said that what companies such as Guidance Software and NetWitness (now part of RSA) are saying is that the forensics of tracking data makes sense.
He said: “You have to make data security high profile within an organisation, show what you are doing with the data and start being open to what you have, where it resides and who is allowed access to the network.
“What per cent of your data is critical and what is outsourced and if it is lost, what is the cost to the business and loss of reputation? It is difficult but what security do you put in place to protect yourself?”
A Dimension Data survey from earlier this year found that by educating staff, 80 per cent of businesses had reduced data security issues, proving that buying more technology is not always the answer, but having control over security best practices may be.
Jenkins said that rather than writing new DLP policies every time something goes wrong, companies need to make DLP part of the solution and understand best practices.
He said: “It is hard to configure but if it is deployed in steps, you can do risk assessment. There is no simple solution and from an Information Commissioner's perspective, a lost laptop without encryption is not best practice.
“You deal with the issue and you will have a level of DLP in place, but the key thing is education and, with massive investment to train and support of technology, to train employees in data security.”
The fact is that there is data everywhere and there is probably no simple solution to the problem of keeping track of it. It is up to businesses to understand their own risk and assess that depending on their circumstances. While technology solutions will help, perhaps this is a problem that policy can manage best.