Being in the data loss prevention (DLP) market while it has evolved has let me watch as requirements have changed over time. Initial DLP products were aimed at solving the problem of acceptable use and specifically looked at what employees were sending out of the organization's network. A couple of years ago, DLP solutions started monitoring channels of communications to detect loss of private data such as Social Security and credit card numbers and identifying how the loss occurred. Data privacy quickly became the predominant reason for deploying DLP, since it became possible to quantify the major effect of data loss: namely, the company becomes headline news, such as the recent breach at the Pentagon.
However, the promise of DLP must be greater than this simplistic goal. The goal of data loss prevention is not only to protect private information that should never be disclosed but also to protect other types of information such as trade secrets and intellectual property (IP) that could have an impact on the business if they were to get into the wrong hands. As vendors and organizations seek to extend the benefits of DLP to detect information with a high business value and prevent it from leaving the network, a number of challenges arise. We can categorize these as follows:
1. The inability of business stakeholders to quantify the impact of information loss. The negative impact of the leakage of private data is easy to understand, and security professionals know what steps to take to prevent such loss. But if other confidential company data were lost, what impact would that have on the company?
2. The inability of information security to define effective DLP policies as they relate to information with a high business impact. Information security, though responsible for safeguarding company secrets, typically has no idea what those secrets are. Nor does information security know who it is protecting secrets from or, conversely, who should have access to these secrets.
These two issues are tightly woven together. The first issue is a dollars-and-cents issue. Enterprises invest money in order to make money or save money. How many organizations have been put out of business as a result of losing IP? Cisco was a notable example; its source code was stolen, but did that really affect its bottom line? In fact, the counterargument to investing in information security typically sounds like this: "I'd love to protect my company's important business information, but the cost of determining what information is important and who should get access to it is so prohibitively high that the economics are not viable."
DLP has been stuck at this point. If you knew what information to protect, then DLP solutions could protect it. But if you, the information security professional, do not know what information to protect, what can you do?
What is needed is a DLP solution that reduces the cost of identifying transmissions that contain information that could result in a material loss. A major problem today is that identifying this information is a non-starter for the information security teams. It requires tedious and time-consuming interactions with business-information owners to create a baseline of the organization's partners, what information they should see, and when they should see it. By the time a map of business-critical information is created it is out of date, as the company has added, changed, and dropped partners.
A second problem is that the information-security professionals often do not work with the operational teams and do not know what information has a high value, which set of users are allowed to handle it, and when transmission of this information constitutes a violation of security policy.
To address this gap, DLP solutions need baseline information-flow models that security professionals can use as a starting point to build effective policies. Information security can also use these models to validate security policies for other infrastructure elements such as firewalls, Active Directory credentials, VPN access control, and more. For a DLP solution to be effective, it needs to be able to digest all historic information flows and build a baseline of content classifications and communication parameters. Security professionals can use this baseline to build hypotheses about what effective DLP policies should be.
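A minimal sketch of such a baseline, added here as an illustration and not taken from any DLP product: it assumes each historic flow has already been reduced to a sender group, a destination domain, and a content class, and that a flow seen at least five times counts as normal business. All names, the threshold, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of historic flows: (sender_group, destination_domain, content_class).
HISTORIC_FLOWS = (
    [("engineering", "fab-partner.example", "cad-drawing")] * 40
    + [("engineering", "corp.example", "source-code")] * 120
    + [("finance", "auditor.example", "financial-report")] * 12
    + [("legal", "outside-counsel.example", "contract")] * 9
    + [("engineering", "webmail.example", "source-code")] * 1  # one-off, below threshold
)

def build_baseline(flows, min_count=5):
    """Map each content class to the (group, destination) pairs seen at least min_count times."""
    baseline = defaultdict(set)
    for (group, dest, cls), n in Counter(flows).items():
        if n >= min_count:  # assumed threshold for "established" business flow
            baseline[cls].add((group, dest))
    return dict(baseline)

def classify_flow(baseline, group, dest, cls):
    """Compare one new transmission with the baseline and name how it deviates."""
    pairs = baseline.get(cls)
    if pairs is None:
        return "unknown-content-class"
    if (group, dest) in pairs:
        return "matches-baseline"
    if dest not in {d for _, d in pairs}:
        return "new-destination"
    return "new-sender-group"

def draft_policies(baseline):
    """Turn the baseline into candidate rules for information owners to confirm or reject."""
    return sorted(
        f"allow {cls}: {group} -> {dest}"
        for cls, pairs in baseline.items()
        for group, dest in pairs
    )

if __name__ == "__main__":
    baseline = build_baseline(HISTORIC_FLOWS)
    for rule in draft_policies(baseline):
        print(rule)
    print(classify_flow(baseline, "engineering", "webmail.example", "source-code"))
```

The draft rules are hypotheses for the business owners to review, which replaces the open-ended question "what should we protect?" with a short list of observed flows to accept or reject.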
DLP as we know it today has achieved its goal, namely protecting known data from disclosure. The future of DLP is bright, but reaching it requires a change in philosophy. It is not enough to protect known information; information security professionals need a solution that lets them determine what information MUST be protected, even when they do not know what that information is.
Ratinder Paul Singh Ahuja is CTO of Reconnex.