The Truth About DLP

Where business is done: Inside the Wedbush Securities offices

Since HMRC – the UK’s tax collection authority – mislaid disks containing the details of 25 million UK citizens in 2007, businesses and public sector organizations have been on notice to improve their measures to stop data loss. In April 2010, the UK data protection authority, the Information Commissioner’s Office, increased its maximum fine for a data breach to £500,000 ($800,000), in order to tackle the rising problem of the loss of sensitive data.

Although some breaches, such as the one suffered recently by Sony’s PlayStation Network, are the result of foul play, the level of accidental data losses from both commercial and public sector organizations remains worryingly high. Verizon’s “2011 Data Breach Investigations Report”, compiled in collaboration with the US Secret Service, and published in April this year, identified 760 breaches – the highest number since the research began in 2004.

More Breaches, Less Data

The Verizon report does, however, identify a more positive trend: the number of records lost per breach is falling (this, of course, does not include data from the massive breaches thus far in 2011). The number of breaches caused by outsiders, including hackers and criminal gangs, increased sharply over 2010, and the number of data breaches attributed to insiders fell to just 16%.

The survey identified three reasons for these trends: a significant increase in the number of malicious, outsider attacks; a trend for more of the data losses to affect smaller organizations, which are more numerous, but which also hold smaller sets of records; and improvements in data loss prevention (DLP) technologies.

"When an organization develops its information architecture, it should do that in a way that minimizes the risk of data loss"
Steve Jones, Capgemini

Because DLP technology is mostly being used by larger organizations, its uptake has further skewed the percentage of reported data losses toward those affecting smaller bodies with fewer records, which are less likely to deploy DLP.

Smaller organizations cannot, however, escape all of the pressures that are forcing their larger peers to deploy data loss prevention technology. According to Gartner, the industry research firm, the use of “content-aware DLP” is being driven by four factors: regulatory compliance; risk management; the need to protect intellectual property; and “evidentiary support”, or the need to be able to answer queries in civil or criminal law cases.

DLP Catalysts

There is another, higher-level trend that is prompting organizations to look again at DLP, suggests Steve Jones, global head of master data management at Capgemini, the IT consultants. Growing data volumes are making it harder for organizations to police the transmission and use of their data through policies alone. “There is more and more information available, and it is easier to store… so there is more information that can leak”, he warns.

Extensive marketing efforts on behalf of security vendors have also accelerated the adoption of data loss prevention technologies.

"Security is largely automated and hidden from the user, so it’s not something they have to think about every time they need to do something"
Keith Lester, British Waterways

With the larger anti-malware and general IT security companies – such as Symantec and Sophos – as well as specialists such as Websense and even network hardware vendor Cisco, which is active in DLP, firms are better able to buy the technology as part of a suite of applications from a single vendor.

A Marketing Tool

But there is also a danger that DLP could be over-hyped, with disparate technologies – including network traffic monitoring, access and identity management, and encryption – all being labeled as ‘DLP’. Gartner, for example, describes DLP as a “hot market”.

“Terms related to DLP get overused in marketing messages. Vendors reference any capability that can address the loss of data with DLP-related terminology”, warns Paul Proctor, a vice president at Gartner and role service director for risk management.

He adds that Gartner only considers a product to be offering content-aware DLP if the technology is able to look at the data itself. By no means can all products labeled as DLP do this today.

The participation of the larger vendors is, nevertheless, evidence of the growing maturity of the DLP market. Three or four years ago, DLP was largely confined to specific, niche solutions of varying effectiveness.

"Terms related to DLP get overused in marketing messages"
Paul Proctor, Gartner

“DLP, being a fairly new technology, is still fairly immature”, says Mattias Tornyi, director of IT at Wedbush Securities, a Los Angeles-based financial investment bank and brokerage.

“There are a lot of loopholes and a number of ways an employee could circumvent the system. But the market is maturing and there are more solutions available to monitor [activity].”

But Tornyi stresses that DLP is just one layer in the firm’s security technology, along with conventional perimeter security measures, policies, and education. “DLP is one of those things you can enforce through policies. Making sure employees follow those policies is more of a technology solution”, he suggests.

Part of the Furniture

It is this enforcement of policy that is prompting security vendors to roll DLP capabilities into their general-purpose security products. According to Richard Turner, CEO of web and email security vendor Clearswift, preventing data loss is now a mainstream activity for security vendors. “Most information loss today happens over the web or email channels, and most attacks are over the web”, he says. “The biggest risk is at the end point, which is a web browser or email.”

As Gartner suggests, though, DLP is evolving into more than a variation on a set of perimeter protection measures. Content-aware DLP requires CISOs to move from thinking about securing a device, or an application, to thinking about securing specific pieces of data. This, in turn, needs both more granular tools, and a more mature approach to enterprise data management. “When an organization develops its information architecture, it should do that in a way that minimizes the risk of data loss”, says Capgemini’s Steve Jones.

Building data loss prevention into an overall information management plan can also help organizations reduce their risks – and their compliance costs – by restricting access to, or the archiving of, sensitive data (See box: British Waterways).

"DLP is one of those things you can enforce through policies. Making sure employees follow these policies is more of a technology solution"
Mattias Tornyi, Wedbush Securities

To do so effectively, organizations need to develop a deeper understanding of the data they gather and hold – and its sensitivity – says Mike Gabriel, director of the data protection practice at security consultants Integralis.

“The perimeter model, which was effective in the mainframe era, and even extended into the PC era, no longer holds as we enter the cloud [computing] age”, he says. “There is no perimeter that works, because data moves so much.” Instead, encryption and access management tools that understand users’ roles and locations will be needed to protect specific pieces of data.

Facing Reality

The difficulty for enterprises, however, lies in applying such technologies to ever-larger volumes of sensitive data. According to Sean Sutton, a specialist in data loss prevention in the security practice at Deloitte, an approach based on education and policy alone will struggle to scale up to handle data growth, so organizations need to deploy technology.

The technology itself, nonetheless, still needs to develop to the point where it is effective, and cheap enough, to deploy across the enterprise. For now, then, a blend of policy and the selective use of DLP technology is more practical.

“If you deploy data loss prevention around the perimeter, at least you have a better idea of what is leaving your organization”, Sutton says. “Organizations have a better ability to monitor what is leaving, and so can take a more focused, risk-based approach. But it may be that only some parts of a business need those more granular DLP technologies, and that addresses the scalability issue.”

British Waterways

British Waterways is responsible for the canal and river network in Britain, looking after a 2,200-mile network used by 13 million people each year. British Waterways also issues licenses for 40,000 boats and moorings, generating an income of $37 million (£23m).

This licensing role means that the organization is handling both sensitive personal data – such as boat-owners’ identities – and the credit card and banking data it needs to process payments.

Boat owners still complete license applications using paper forms, and British Waterways uses scanning technology to convert the paper forms to computer records, and a PDF-based workflow to manage documents.

From a data protection standpoint, however, this raises a number of issues. Scanning in whole forms and storing them electronically is efficient, but it could place license holders’ data at risk by increasing the number of employees who can view it. It would also require British Waterways to treat the entire application form as sensitive data.

To reduce this risk, British Waterways has a multi-step approach to data loss prevention. Firstly, when the scanning system, supplied by vendor Kofax, captures a license form, it recognizes personal details such as addresses, and financial information.

This data is then extracted for separate processing, and redacted – or blanked out – from the electronic facsimile of the forms.
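To make concrete what "content-aware" means in Gartner's sense (the product has to look at the data itself, not just its shape) and how the extract-and-redact step described above works, here is an added example; it is not code from the article, Kofax or British Waterways. The form text, the field formats and the UK sort-code pattern are constructed assumptions, and it covers card and bank details only, not addresses.

```python
import re
from dataclasses import dataclass

# Constructed text of a scanned licence form, not real customer data.
# 4111 1111 1111 1111 is a common test card number (passes Luhn); the
# "Reference" line has the shape of a card number but fails Luhn.
SAMPLE_FORM = """Boat licence application
Card number: 4111 1111 1111 1111
Sort code / account: 12-34-56 12345678
Reference: 1234 5678 9012 3456
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, separators allowed
BANK_RE = re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b")  # assumed UK sort code + account number

@dataclass
class Finding:
    kind: str    # "card" or "bank"
    value: str   # extracted for the payments team's separate, restricted workflow
    start: int
    end: int

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real card number from a digit run that merely looks like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> list[Finding]:
    """Content-aware pass: validate the data itself, not just its shape."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # the look-alike "Reference" number is left alone
            found.append(Finding("card", digits, m.start(), m.end()))
    for m in BANK_RE.finditer(text):
        found.append(Finding("bank", m.group(), m.start(), m.end()))
    return sorted(found, key=lambda f: f.start)

def redact(text: str) -> tuple[str, list[Finding]]:
    """Return the redacted facsimile for storage plus the extracted values."""
    findings = classify(text)
    out = text
    for f in reversed(findings):  # right-to-left so earlier offsets stay valid
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out, findings
```

Calling `redact(SAMPLE_FORM)` yields a facsimile in which only the validated card and bank details are blanked, while the two extracted values go to the separate processing path.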

“We are very proactive in removing sensitive information from customer documents as they are processed, and before they are stored”, says project manager Keith Lester.

“The software is clever enough so that, with our own forms, bank or credit card information is redacted before the forms are processed…that is converted to a PDF that also shows only the redacted image.”

A very small team of staff at British Waterways is responsible for keying in credit card details to a commercial credit card system and for setting up direct debits (recurring transactions) from banks.

Document security procedures go hand in hand with strict policies governing other use of confidential data. Data protection policies are documented, with non-compliance viewed as a disciplinary offense.

Emails with sensitive data are encrypted, as are communications with other organizations or institutions. Staff laptops are also encrypted. “Our regulations for information security and data protection are part of our employment terms”, says Lester.

However, by automating security measures – such as redacting sensitive data – and encrypting laptop hard drives by default, the organization aims to cut down on human error too. “Security is largely automated and hidden from the user, so it’s not something they have to think about every time they need to do something”, he says.
