CBW, p.43 / Preventing data leaks takes more than just software
You hear from all sides how important it is to prevent data leakage from an organization. Management is expected to arrange for adequate security of employees’ personal information, business data and secrets, bank secrets, etc. And suddenly, an entrepreneur comes to see them with a magic tool for data leakage prevention (DLP), trying to persuade them that “there will be no more data leakage.”
During a recession, organization management faces a very difficult task: decreasing production costs to such an extent that their products stay competitive in the market. Usually, that means decreasing all costs that are not currently unavoidable. And in the area of information security, it is difficult to justify costs for a large DLP solution. Why should management invest any money in the DLP project?
The core problem of preventing data leaks might seem, at first glance, an easy issue. Nevertheless, at the very beginning we realize that companies’ data is processed on paper as well as in electronic form, and it is not exceptional for a company to use hundreds of applications.
Each such application is managed by administrators who are, generally, in charge of a large number of servers. Unfortunately, if the administrator fails to set an application’s security configuration, this might not immediately appear to be a big issue. Data leaks may occur several months later, as well.
Users tend to be pushed by their bosses to deliver exceptional performance, which usually requires a workflow adjustment. Such adjustments of procedures are made ad hoc and do not always correspond to best practice regarding security. As a result, users often cause data leaks while acting in good faith in what they believe is the organization’s best interest. And the organization does not detect the data leak unless they “look at the right spot.”
DLP project in organization
Often, DLP is presented as the application of a particular technology worth millions of Czech crowns, after the implementation of which everybody can get a good night’s sleep. However, it is rarely mentioned that the investment in the tool alone is not enough.
Launching a DLP project and leak detection is a never-ending project that is in constant development due to changes in the technologies and processes involved. The lifecycle of the DLP project could be divided into the following phases:
Identification: Identifying all data types we want to protect, and describing the way they are being processed. Without this phase, any investment of time and money in the DLP project is useless.
Assessment of current state: Every system has many configuration options for security parameters. Setting the available security parameters is one of the cheapest ways to “get more bang for the buck” in the DLP project.
User training: Users are generally the greatest risk factor and must be trained to perform their duties in a secure way.
Identification of requests for a DLP tool: Based on the assessment of the current state, inadequately covered areas can be identified where we might decide to implement additional controls. This is the right time to decide which DLP tool best meets the company’s requirements.
Tool implementation: The selected DLP tool and additional controls are implemented.
Monitoring: The efficiency of the implemented controls is monitored. This phase is often underestimated. An insufficient number of specialists to evaluate the detected events results in nobody being informed about the possible data leak, even though an expensive DLP tool has been purchased.
Determining your organization’s current state
You might be astonished by all that can be discovered by an internal audit of the following areas:
- data leaving the company in e-mails,
- data stored on USB discs,
- configuration of laptops (such as for WiFi and Bluetooth) and its possible use to penetrate the internal network,
- data security in mobile telephones and PDAs (e.g., in e-mail),
- security configuration of important applications.
As an absolute extreme, there is an example of an organization that had no data about the external firewall users and had no logging activated. Therefore, it was impossible to find out which firewall users were authorized, who the potential attacker was, and whether the whole internal computer network, with its very insufficiently secured applications, had already been compromised.
Level of DLP project implementation
The DLP project can have an extensive scope of dozens or even up to hundreds of applications; it might require cooperation from a large number of people as well as significant investments. On such a large scale, the optimum level of DLP implementation needs to be found by focusing on only the most critical areas.
Priorities for inclusion of a system in the DLP scope can be based, for example, on the following parameters:
- classification of data processed by the application,
- volume of classified information,
- number of application users,
- number of application interfaces,
- implementation and maintenance costs of security settings,
- costs of the implemented DLP solutions.
Obviously, given the character of the issue, preventing every data leak is practically impossible, even with the implementation of any tool. We always have to bear in mind that there are some weaker spots in the system. However, a suitable selection of priorities could significantly reduce the volume of data leakage as well as its frequency.
Author: Vladimír Sekerka is an information security consultant at Asseco Central Europe