InformationWeek Analytics: Data Loss Prevention

Security pros continue the shift from protecting systems to protecting data, and it's about time. Technologies like data loss prevention purport to help. Here's what you need to know about this emerging discipline.

Randy George

July 1, 2009


New communication channels make it ridiculously easy for employees to lose corporate data. Security professionals understand this and realize that a paradigm shift is under way, from endpoint and network protection toward safeguarding information itself.

But as we discuss in our InformationWeek Analytics Report, "Risk Intolerant: Defense In Depth And The Rise Of Data Loss Prevention," the trick for IT is keeping multiple constituencies happy. Your knowledge workers want access to their data at any time, on the platform of their choice, using their preferred sets of tools and applications. The CEO wants to ensure your organization won't be the next data loss poster child, without impacting productivity. Auditors want proof that sensitive data is accessed only by authorized users. And the CIO wants some aspirin, because it's shaping up to be another trying budget season. The CFO? Just show her the ROI.

Emerging systems for data loss prevention (DLP) can help meet all these mandates.

Technology To The Rescue
In our report, we discuss challenges early DLP adopters face, informed by our ongoing InformationWeek Data Loss Prevention Rolling Review. We also map out a battle plan, complete with tools, technologies, and best practices that can keep information assets from slipping through your fingers.

Perhaps the biggest roadblock right now is gaining funding. DLP products are expensive, but then, so is a data loss incident. Fortunately for security groups, helping ensure regulatory compliance is something DLP vendors are continually focusing on. And as we learned in our InformationWeek Analytics Executive Security Priorities Survey of 326 business technology professionals, when asked about factors that most influence the direction of corporate information security programs, IT directors and executives alike ranked industry and government compliance at No. 1.

Our take: Aggressive growth industries all share one thing in common--a catalyst. Remember when oil hit $140 in the summer of 2008, or when the price of gas shot past the magic $4-per-gallon barrier? The ensuing outrage sparked a renewed call for conservation and alternative-energy development. In the case of DLP, the catalyst is clearly the outrageously complex and ever-changing regulatory environment in which we all participate. Funding follows regs. And it's not just public companies, healthcare providers, and retailers that need to worry about strict data privacy regulations. Increasingly, the small pizzeria owner in Boston and the city librarian in San Francisco also need to pay attention to state-driven data privacy laws.

More often than not, according to our survey on data loss prevention, the need to facilitate and prove compliance with data privacy or other industry regulations is a catalyst for purchasing an enterprise DLP package, along with risk avoidance. Just 11% of respondents say the penalties associated with noncompliance don't justify the cost of purchasing DLP, while 14% believe they aren't subject to any regulations.

chart: Mandates And Regulations Count: What top factors are driving, or would drive, your interest in data loss prevention?

Once funding is secured, the next challenge enterprises face is matching a broad, and oftentimes vague, set of regulatory requirements to specific DLP features, products, and suites. One pertinent example is the new Massachusetts Data Privacy Law. Known to lawyers as 201 CMR 17.00, this relatively new reg is widely believed to be the most far-reaching state-mandated privacy law in the country.

While the legislation is a victory for consumer-protection advocates, it's an absolute nightmare for IT. Why? The regulations were conceived by legislators who largely have no idea how difficult and costly it is to execute on the myriad vague requirements set forth in the bill--and probably wouldn't care if they did. The enforcement date of CMR 17.00 has been pushed back twice; it's now slated to take effect on Jan. 1, 2010. These delays resulted from push-back from private-sector entities confused about how to approach compliance, and concerned about the cost.

Despite the outcry, we expect more states to adopt similar laws. There's also discussion of a national privacy bill. Legislators are clearly hearing loud and clear from constituents that identity theft and credit card fraud are huge issues that need to be addressed. They're tired of companies that they perceive as playing fast and loose with their personal information.

Stop That Data!
As expected, when we asked what, exactly, our poll respondents are most concerned about protecting, the overwhelming majority cited the type of information you can be fined for losing, including consumer credit card and Social Security numbers. We also asked respondents to rank a list of seven DLP product capabilities from most to least important. Given that e-mail is of the greatest concern as a leakage vector, we weren't surprised to see content security, defined as the ability to scan e-mail and attachments for content that violates policy and take action as necessary, ranked No. 1.

Does this mean that data centers worldwide will begin to implement National Security Agency-like wiretaps of all corporate communications? Of course not, but to the degree that technology allows organizations to manage their exposure to leaks and minimize the risk of lawsuit, you can bet that the insurance policy that is network DLP will continue to gain popularity.

The top questions then become: What's the best way to cost-justify DLP in a tight budget season? And what's the best way to implement such protection at the e-mail gateway so as not to interrupt operations with thousands of false positives?
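As an added illustration (not code from the article or from any DLP product), here is the kind of content-security check a gateway applies to e-mail bodies: it flags candidate card numbers and Social Security numbers in constructed sample messages, then uses a Luhn check and the SSA's issuance rules to discard look-alike serial and part numbers, which is one of the simplest ways to cut the false-positive flood the author worries about.

```python
import re

# Constructed sample messages (not from the article) standing in for e-mail bodies.
SAMPLE_MESSAGES = {
    "invoice": "Card on file 4111 1111 1111 1111, auth ref 4111111111111111.",
    "ticket": "Serial 1234567812345678 replaced under warranty; closing ticket.",
    "hr": "Employee SSN 078-05-1120 must be corrected in the benefits portal.",
    "parts": "Part code 000-12-3456 is back-ordered until Friday.",
    "clean": "Lunch at noon? Room 4B is booked for the project review.",
}

# Candidate patterns: a 13-19 digit run with optional space/dash separators,
# and the 3-2-4 Social Security number layout.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 if n < 5 else n * 2 - 9  # 2n - 9 == digit sum of 2n
        total += n
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues: area 000/666/9xx, zero group or serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_message(text: str) -> list:
    """Return (kind, normalized value) findings that survive validation."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and ("PAN", digits) not in findings:
            findings.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", m.group(0)))
    return findings


def scan_all(messages: dict) -> dict:
    """Map message id -> findings; a policy engine would quarantine non-empty ones."""
    return {mid: scan_message(body) for mid, body in messages.items()}
```

Only the invoice and HR messages produce findings; the warranty serial and the part code match the raw patterns but fail validation, so they never reach the help desk as false positives.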

We cover ways to minimize help desk calls in our full report. In terms of ROI, data discovery--the ability to crawl data sources, including file shares, e-mail databases, and endpoint hard disks, for information deemed vital for corporate and customer security--is a windfall for IT shops with stringent security needs, lots of e-discovery requests, and strict compliance requirements.

However you make the budget case, enterprises that lay the groundwork now for increased government intervention will be ahead of the game. Our strategy for tackling DLP, developed while working on our InformationWeek Rolling Review of DLP systems (four tested, two to go), can help.

Get the full-length Analytics Report at: dataprotection.informationweek.com

We've found that successful DLP programs have a few common traits: They cut across a wide range of disciplines. They enjoy support from the very top of the organization. And they employ not just technology but firm usage policies and procedures that are enforceable, understandable, and accepted by all parties. A multitiered approach to protecting key data and systems ties together a number of big-picture technologies, which we'll also discuss in depth.

Randy George has 13 years of experience in enterprise IT as a senior-level systems analyst and network engineer.

chart: The Compliance Effect: How does compliance affect your decision to buy or consider a comprehensive data loss prevention product?
