A Mandate to Plug Leaks

20 April 2010 10:11 am, Ashwani Mishra

Is Data Loss Prevention (DLP) really a CIO’s need and responsibility? Or is it a vendor-promoted theme to cash in on corporate fear? We conduct a reality check.

According to the findings, released late last year, of a UK-based identity theft database provider, Lucid Intelligence, incidents of personal data being stolen and sold online have soared by 230 percent since 2007.

The spurt in data leakage incidents is all the more alarming given that protection of intellectual property, including employee data and customer records, is all the more critical in the current economic scenario. Survey results have revealed that a vast majority of businesses have taken at least some action towards preventing confidential information from leaking.

The need for protection from security breaches has fuelled the demand for a new breed of security tools, many of which fall under the category of software popularly known as Data Loss Prevention (DLP) software. DLP software monitors data that is in use, moving on the network and in storage, in order to prevent its unauthorised use or transmission.
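To make the definition concrete, the following added example (not from the article or any vendor product) sketches the core of a data-in-motion DLP check: content is inspected for classified data, here PCI card numbers validated with the Luhn checksum and an explicit "CONFIDENTIAL" handling label, and a policy decides whether a transfer to an external domain is allowed. The rule set, the internal domain name and the sample messages are constructed assumptions.

```python
import re

# Candidate 13-16 digit runs with optional space/dash separators (constructed rule).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum: keeps plain 16-digit numbers (order ids etc.) from being flagged as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(content):
    """Return the set of data classes found in the content."""
    classes = set()
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            classes.add("PCI")
    if re.search(r"\bCONFIDENTIAL\b", content):   # handling label from the classification policy
        classes.add("CONFIDENTIAL")
    return classes

# Policy: which classes may not leave the organisation (constructed example policy).
POLICY = {"PCI": "block", "CONFIDENTIAL": "block"}
INTERNAL_DOMAIN = "example.internal"   # assumed internal mail domain

def decide(content, recipient_domain):
    """Allow or block one outbound transfer based on its data classes and destination."""
    classes = classify(content)
    if recipient_domain == INTERNAL_DOMAIN or not classes:
        return "allow"
    return "block" if any(POLICY.get(c) == "block" for c in classes) else "allow"

def scan_messages(messages):
    """Scan (id, recipient_domain, body) tuples and return (id, decision, classes) for auditing."""
    return [(mid, decide(body, dom), sorted(classify(body))) for mid, dom, body in messages]

# Constructed sample traffic, as an audit log would see it.
SAMPLE = [
    ("m1", "mail.example", "Card on file: 4111 1111 1111 1111, exp 12/27"),
    ("m2", "mail.example", "Invoice total 4111111111111112"),
    ("m3", "example.internal", "CONFIDENTIAL: Q3 customer list attached"),
    ("m4", "mail.example", "CONFIDENTIAL: Q3 customer list attached"),
]
```

Every decision is returned with the classes that drove it, so blocked transfers can be reviewed rather than silently dropped; the Luhn step is what separates a real card number (m1) from a look-alike number (m2).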

However, there has been a lot of debate lately on whether enterprises really need a DLP solution or whether it is just another solution drummed up by the marketing machinery of security providers.

Also, should it be the CIO who decides whether to go in for a solution? And, once the need for such a solution is well established, how does one pick the right product as every vendor is claiming that their products are the best?

Fixing responsibility
“As the primary custodian of data and information, it's the CIO who should decide on the choice of deploying a new DLP solution or using existing solutions,” says Amol Vidwans, former CIO of Mahindra Holidays & Resorts India Limited (Club Mahindra).

He adds that though many vendors claim to have the best solution, it is the CIO who needs to study and understand the solutions before shortlisting one that is in line with the organisation’s security and business needs.

Nazir Husain, CISO and VP, Information Security and Technology of US-based Emdeon Business Services, a provider of revenue and payment cycle solutions, has a different opinion on the question of who should initiate the purchase of a DLP solution. He says that only if DLP is mandated by the manager charged with the responsibility of data segregation, should the CIO concern himself with its purchase.

“A CIO or IT head in general is usually not the person who is going to be held responsible for breaches related to leakage of business information. This responsibility usually resides with the legal, corporate communications or finance departments. In my opinion one of these departments would be the decision makers to drive a CIO to prioritise a DLP implementation or at least define the need for one,” says Husain.

Others in the industry opine that the big issue here is not about who should be responsible for getting a DLP solution. Getting business users to buy the concept that data is crucial to an organisation is key.

The bigger picture
According to Aaron Goldwater, CEO of Canadian software provider, Jurat Software, some of the security vendors sell solutions to users at a price much lower than the competition, but these are usually second grade ones and so the purpose is defeated. “There have been instances where extremely crucial data is not adequately protected or encrypted using such solutions,” he says. He points out that a DLP only works if the company knows where its data is. “Many major global corporations have no idea where their data resides,” he says.

Take a recent example of how organisations are often clueless about the location of their data and about who has access to it. The Swiss unit of the global banking giant HSBC revealed last month that details of 24,000 bank customers had been leaked in a major security breach. According to an online statement, Alexandre Zeller, Chief Executive of HSBC Private Bank (Switzerland), admitted that the theft was carried out by an employee of the IT department about three years ago and that the case first came to light only in December last year.

A DLP report released by research firm Gartner mentioned that enterprises should plan a thorough data loss prevention strategy before talking to vendors. A proper strategy is essential for the technology to be effective, the analyst firm warns. Without a strategy in place, vendors are likely to sway discussions to specific aspects of DLP, it said.

The right approach
Today DLP is defined by what a particular solution does. In most cases, the data leak prevention process of the organisation is defined on the basis of the functionality and characteristics of the DLP agent used.

Adopting a policy based on the features of a product is not the right way to go, many security practitioners feel. “Ideally it should be the other way around; we must initially identify the data leak vectors and then fix them,” says Visveshwar Subramaniam, Consultant, Information Security at Baker Tilly MKM, UAE. He notes that the majority of the gaps identified would be fixed with the help of a DLP agent; however, there would be gaps which have to be fixed using other controls. “The CIO is definitely the person with the authority to put in place all the controls,” he says.

But merely having processes in place does not guarantee the success of a DLP plan. The process needs to be coupled with the right IT tools.

Companies can go gung-ho about data classification and handling guidelines, but most companies today interact with third-party vendors where the controls might not be as tight as they are internally. “The right approach to prevent data loss is to have appropriate policies and procedures with regards to data classification and handling as well as tools to enforce them,” says Chetan Sansare, Consultant at Bangalore-based information risk management provider Aujas Networks.

The many incidents of lost devices and data breaches make it clear that DLP is very crucial for most businesses. Nonetheless, there is also a lot of vendor-promoted hype surrounding DLP.

Vendor hype or real?
Daniel Ihonvbere, President/CEO at Tech Prognosis, a US-based provider of virtual CTO/CIO services for small businesses, says that having a good DLP strategy is all about identifying, monitoring and protecting data in use, in motion and at rest. This, he believes, is a huge undertaking because it requires the definition of appropriate use of corporate information (policy creation); the discovery of what needs protection (data discovery); integration with existing systems (tasks such as encryption); and the administration of the process. “As this exercise leads to many changes in IT operations, management has to either commit extra staff (which is almost impossible in small to medium enterprises), or hire DLP vendors to come in and manage the process,” Ihonvbere says.

“So while DLP is important due to regulatory demands (HIPAA, PCI, IT audit etc.), the vendors hype it because of the huge financial outlay involved,” he says.

The insider threat may be a serious one, but is it as big as the vendors make it out to be? It appears that some vendors have been playing up the security threat in order to promote the sale of security products like DLP. Nevertheless, it is true that in a business environment where firing employees at short notice is becoming the norm, employees in return would be more inclined towards short-term gains, which may include compromising organisational data.

“There will never be a DLP solution that will detect when an insider is seeking profit by leveraging authorised access to information,” says Norbert Nolin, Senior Manager, Information Security at Starwood Hotels & Resorts Worldwide.

The bottom line is fairly simple: even if vendors stress one technology or product, it is the CIO's role to see the whole picture.

ashwani.mishra@9dot9.in

rahul.mani@9dot9.in
