Subscribe

Data loss prevention - stopping the leak

By Mohsien Hassim, security services business unit manager, Datacentrix


Johannesburg, 16 Mar 2015

In today's globally connected world, data enters and leaves cyber space at speeds baffling to the human mind. A mere 45 years ago, Apollo 11 landed on the moon, and since this historic event, advances in the world of cyber space have raced ahead to unprecedented levels.

Enterprises today receive millions of e-mail messages and data files daily, containing sensitive data including the records of customers, business partners, shareholders, staff members, and more. With the advent of cloud technology, an organisation's fear of losing data is amplified if its critical data is hosted outside by a third party, and not within its total control.

It is a fact that, in today's complex business world, data is seen as the new currency and can be attributed with a monetary value. However, the damage that data loss can do to an inadequately secured enterprise extends far beyond pecuniary matters, and can include reputation loss, regulatory consequences, a decrease in customer confidence, trust issues, a drop in market share, and the development of trade barriers, says Mohsien Hassim, security services business unit manager, Datacentrix.

A company that holds the sensitive data of customers, business partners, and regulators needs to come to terms of with the responsibility of securing this information. Unfortunately, businesses constantly fall victim to massive data loss, and high-profile data leakages involving sensitive personal and corporate data continue to appear, but are often not publicised, especially in South Africa. This is something that will change when the Protection of Personal Information (POPI) Act, which highlights the importance of management and control over data, comes into full operation, meaning that organisations need to take measures to understand the sensitive data they hold, how it is controlled, and how to prevent it from being leaked or compromised.

In order to do this, it is important to understand what data loss really is. Data loss can be divided into two overlapping categories - leakage and damage. Leakage occurs when sensitive data is no longer under the organisation's control (such as a loss of confidentiality due to for hacking or identity theft). Damage, or the disappearance of data, occurs when the correct data copy is no longer available to the organisation, resulting in a compromise of integrity or availability.

Data is generally found in three modes: at rest; in motion; and in use. Data at rest includes data that resides in files systems, distributed desktops and data stores/databases; data in use refers to data that's being used in endpoint devices, like mobile devices, USB drives and other endpoint devices; and data in motion denotes data that moves through the network to the outside world via e-mail, instant messaging, peer-to-peer (P2P), FTP, or other communication mechanisms. As the digital world evolves and technologies converge, the types of solutions used to move data will become more complex, requiring different treatment of data management.

Data loss prevention (DLP) is a strategy to ensure end-users do not send sensitive or critical information outside of the corporate network. This type of technology requires proper planning and, even more importantly, precise implementation. DLP is a complex issue with no single effective solution; in essence, each organisation has its own challenges, business needs and risks mitigation strategies. This requires a continuous assessment of DLP requirements on an ongoing basis.

It is imperative that organisations realise that their greatest assets are their people. Unfortunately, people are also a weakness in the system. Creating awareness around the correct management and use of data is a critical element in mitigating risks around data loss. Security awareness training should be mandatory for all staff (including management), thereby establishing a common baseline of security knowledge and removing the "I did not know" mindset.

DLP focuses on the three pillars of data security: monitor; protect; and discover. When selecting a DLP solution, it should not interrupt business activities and should operate without deteriorating system or employee performance. DLP products generally come with built-in policies that are already compliant with the relevant compliance standards, like PCI, HIPPA, SOX and so on, but alignment between the organisation's needs and these policies is required.

The key element for a successful DLP strategy and subsequent implementation project is to identify the data that needs protection. Adopting a "blanket" approach across the entire organisation will not work, as the outcome will result in a large number of false positives being generated.

Key steps to be adhered to in a DLP strategy roll-out must include:

* Data identification - where all confidential and restricted data across the entire organisation is recognised and categorised into the three data classes.
* Policy definition - which will help protect the sensitive data identified. Every policy must consist of some rules, such as to protect credit card numbers, personally identifiable information (PII), and identity numbers. The DLP policies at this stage should only be defined and not applied.
* Identify information flows and data business owners - an organisation can identify its business information flow by preparing relevant questionnaires to identify and extract all the useful information. It is imperative to identify the business owners of the data as this forms an important step in the planning strategy of DLP. Preparing a list of notification recipients in the case of the loss of sensitive data is crucial.
* Deployment scenarios - deployment follows the three categories (modes) of data, and requires strong technical and deep project management skills for success.

The multitude of DLP products in the marketplace makes it difficult for an organisation to make its choice. These guidelines should assist in this selection process:

* DLP is a business requirement, not an IT issue. The POPI Act is clear on this, so check whether there is a business need for a DLP product or service.
* The identification of sensitive data or restricted data is a critical element in the DLP exercise. Without proper data identification, unwanted false positives will be generated, resulting in a waste of time and money. This is an important element of the DLP strategy.
* The DLP product must support the data formats of the environment.
* The fine-tuning of DLP policies will be required in the DLP operations.
* Regular updating of risk profiles and documentation will be required during the DLP exercise as DLP incidents are reported - this is the "feedback loop" of the exercise.
* Buy-in from senior and top management is a key requirement, and something that will be supported by the POPI Act, so employ an executive sponsor.

DLP can offer great benefits to an organisation, as with greater insight into, and thus control over, its sensitive data, data management policies can be revised and the ability to manage the risks that relate to data - a key asset - is significantly improved. After all... data is the new currency.

Datacentrix provides end-to-end security solutions for the monitoring, assessment and defence of its clients' information assets to achieve complete confidentiality, data integrity and information availability, including data loss prevention (DLP) and encryption, vulnerability monitoring, endpoint security and content filtering.

Share

Datacentrix

Ranked by Empowerdex as South Africa's most empowered JSE-listed ICT services company, Datacentrix provides integrated ICT solutions and services across the full information value chain to enterprise organisations. Its philosophy is to drive customers' business strategies through the use of technology. With an established reputation as an innovative solutions integrator, Datacentrix prides itself on its customer-centric approach, consistently high service delivery levels, and strong vendor and customer partnerships.

For more information, please visit www.datacentrix.co.za.

Editorial contacts

Nicola Read
PR Connections
(083) 269 2227
datacentrix@pr.co.za