Data loss prevention - stopping the leak

20 Mar 2015

In today's globally connected world, data enters and leaves cyberspace at speeds baffling to the human mind. A mere 45 years ago, Apollo 11 landed on the moon and, since this historic event, advances in the world of cyberspace have raced ahead to unprecedented levels.

Mohsien Hassim

Enterprises today receive millions of email messages and data files daily, containing sensitive data including the records of customers, business partners, shareholders, staff members, and more. With the advent of cloud technology, an organisation's fear of losing data is amplified if its critical data is hosted outside by a third party and not within its total control.

It is a fact that, in today's complex business world, data is seen as the new currency and can be attributed with a monetary value. However, the damage that data loss can do to an inadequately secured enterprise extends far beyond pecuniary matters, and can include reputation loss, regulatory consequences, a decrease in customer confidence, trust issues, a drop in market share, and the development of trade barriers.

A company that holds the sensitive data of customers, business partners and regulators needs to come to terms of with the responsibility of securing this information. Unfortunately, businesses constantly fall victim to massive data loss, and high-profile data leakages involving sensitive personal and corporate data continue to appear, but are often not publicised - especially in South Africa.

This is something that will change when the Protection of Personal Information (PoPI) Act, which highlights the importance of management and control over data, comes into full operation, meaning that organisations need to take measures to understand the sensitive data they hold, how it is controlled, and how to prevent it from being leaked or compromised.

Leakage and damage

In order to do this, it is important to understand what data loss really is. Data loss can be divided into two overlapping categories: leakage and damage. Leakage occurs when sensitive data is no longer under the organisation's control (such as a loss of confidentiality due to for hacking or identity theft). Damage, or the disappearance of data, occurs when the correct data copy is no longer available to the organisation, resulting in a compromise of integrity or availability.

Data is generally found is three modes: at rest; in motion; and in use. Data at rest includes data that resides in files systems, distributed desktops and data stores/databases; data in use refers to data that being used in end-point devices like mobile devices, USB drives and other end-point devices; and data in motion denotes data that moves through the network to the outside world via email, instant messaging, peer-to-peer (P2P), FTP, or other communication mechanisms. As the digital world evolves and technologies converge, the types of solutions used to move data will become more complex, requiring different treatment of data management.

Data Loss Prevention (DLP) is a strategy to ensure that end-users do not send sensitive or critical information outside of the corporate network. This type of technology requires proper planning and, even more importantly, precise implementation. DLP is a complex issue with no single effective solution; in essence, each organisation has its own challenges, business needs and risk-mitigation strategies. This requires a continuous assessment of DLP requirements on an ongoing basis.

Correct management and use of data is critical

It is imperative that organisations realise that their greatest assets are their people. Unfortunately, people are also a weakness in the system. Creating awareness around the correct management and use of data is a critical element in mitigating risks around data loss. Security awareness training should be mandatory for all staff (including management), thereby establishing a common baseline of security knowledge and removing the 'I didn't know' mindset.

DLP focuses on the three pillars of data security: monitor; protect; and discover. When selecting a DLP solution, it should not interrupt business activities and should operate without deteriorating system or employee performance. DLP products generally come with built-in policies that are already compliant with the relevant compliance standards, like PCI, HIPPA, SOX and so on, but alignment between the organisation's needs and these policies is required.

The key element for a successful implementation of a DLP strategy and subsequent implementation project is to identity the data that needs protection. Adopting a blanket approach across the entire organisation will not work, as the outcome will in a large number of false positives being generated.

Key steps to be adhered to in a DLP strategy roll-out must include:

Data identification - where all confidential and restricted data across the entire organisation is recognised and categorised into the three data classes;

Policy definition - which will help protect the sensitive data identified. Every policy must consist of some rules, such as to protect credit card numbers, personally identifiable information (PII), and identity numbers. The DLP policies at this stage should only be defined and not applied;

Identify information flows and data business owners - an organisation can identify its business information flow by preparing relevant questionnaires to identify and extract all the useful information. It is imperative to identity the business owners of the data as this forms an important step in the planning strategy of DLP. Preparing a list of notification recipients in the case of the loss of sensitive data is crucial; and

Deployment scenarios - deployment follows the three categories (modes) of data, and requires strong technical and deep project management skills for success.

The multitude of DLP products in the marketplace makes it difficult for an organisation to make its choice. These guidelines should assist in this selection process:

DLP is a business requirement not an IT issue, the PoPI Act is clear on this, so check whether there is a business need for a DLP product or service;

The identification of sensitive data or restricted data is a critical element in the DLP exercise. With proper data identification, unwanted false positives will be generated resulting in a waste of time and money. This is an important element of the DLP strategy;

The DLP product must support the data formats of the environment;

The fine-tuning of DLP policies will be required in the DLP operations;

Regular updating of risk profiles and documentation will be required during the DLP exercise as DLP incidents are reported - this is the 'feedback loop' of the exercise; and

Buy-in from senior and top management is a key requirement, and something that will be supported by the PoPI Act, so employ an executive sponsor.

DLP can offer great benefits to an organisation as with greater insight into, and thus control over, its sensitive data. Data management policies can be revised and the ability to manage the risks that relate to data - a key asset - is significantly improved. After all, data is the new currency.