JOHANNESBURG – June 01, 2011 – The regulatory environment means that monitoring the information leaving your organisation is as vital as protecting it from external attacks. E-mail is one of the most likely routes by which data may leak, maliciously or more often accidentally.
A successful Data Leak Prevention (DLP) system deals with the issue of e-mail by policy, in a way that integrates with the systems a business has in place to address governance, risk and compliance rather than through a series of standalone tools.
According to Mark Edwards, director of product and services at technology solutions and people resources integrator, Intuate Group, security is a holistic issue.
“It’s not your network you need to protect, it’s the information inside that network and that means guarding against data leaks as well as network intrusions. E-mail has become a critical business tool, but it is also the easiest way for information to escape from the confines of a business,” he says.
In a recent eMedia survey, commissioned by Mimecast, 94 percent of IT managers said that their organisations have no solution for preventing data leakage through e-mail, which represents a problem in an increasingly punitive regulatory environment, where leaks can incur fines as well as damaging an organisation’s reputation and business relationships.
“Turning e-mail from a risk to a source of business value needs more than point security solutions; it requires an integrated approach that implements policies for governance, risk and compliance. Used correctly, an e-mail DLP solution can correct honest mistakes, safeguard evidence in cases of malicious action, educate users in policy and best practice and help improve procedures that impact productivity and encourage inappropriate sharing of information,” says Edwards.
Information security is, however, a complex problem that can’t be addressed by technology alone, but a successful technical solution can help by enforcing policy, supporting business processes flexibly and making it easier to manage staff without damaging productivity or adding complexity.
The emphasis in many traditional security systems has been on blocking external threats that might get into the network, but in today’s environment that’s only half the story.
Organisations need to stop the information in the network from getting out to the outside world, whether by accident, ignorance or malice.
“Sending attachments can reveal information employees didn’t realise was in the file, from names of internal servers and printers, to the original version of an image in the thumbnail preview; as well as who opened, saved and edited a document, what a file was previously called and who it has been e-mailed to,” he says.
As well as making sure data leaks are blocked, being able to track who is trying to send unsuitable information by e-mail is a valuable tool for understanding where productivity and employee satisfaction can be improved by revising tools and procedures.
“DLP may appear to be just another buzzword, but it’s actually a mix of well-understood security techniques and tools. The underlying components of DLP solutions aren’t new, and have been around in various forms within the information security industry for years. What we now call DLP brings together these technologies and adds a specialised policy engine. While the features aren’t new, what has changed is the attitude of companies, along with an improved understanding of the threat and the environment,” says Edwards.
DLP solutions can be classified as: solutions that provide host-based protection, solutions that offer network-based protection, products that are designed around DLP and products that solve other problems but have DLP features.
Host-based DLP solutions run on desktop PCs and servers and aim to prevent unauthorised copying of data. Using these tools, data cannot be transferred to USB sticks or burned to a CD-ROM – and even if data escapes through the boundaries it’s protected by strong encryption.
Encryption is an important part of the host-based DLP story, as it helps reduce the risk of data leaks through stolen laptops or mislaid USB memory devices. Without the correct keys, encrypted data is useless, and attempts to retrieve the information stored in files are uneconomic.
Network-based DLP solutions sit in the network and monitor traffic looking for protected data – preventing the transmission of unauthorised data into the wider network. Often used to implement regulatory compliance, network-based DLP systems are typically installed at network boundaries and build on familiar firewall platforms and techniques.
Policy-enforcement rules monitor network packet content and ensure that protected information only routes between authorised recipients and systems.
Products designed around DLP focus purely on the technology of DLP and often implement strict rules that are hard to manage in the context of a modern flexible business.
Edwards says that the result is an island of protected data, where as soon as information leaves the boundaries of the DLP environment it becomes unprotected and unmonitored – putting the business as much at risk as if it had no DLP solution at all. Integration is a key issue, and standalone DLP systems can be hard to combine with other security systems, increasing the complexity and reducing the effectiveness of any overall information-centric security policy.
“The result should be a holistic solution that avoids having to bring all policies down to the lowest common denominator of what one point solution can support. One can increase governance by catching internal e-mail leaving the organisation, or reduce operational risk by removing credit card numbers from messages – with the added bonus of increasing regulatory compliance,” he says.
While it’s still necessary to manage the integration of specific solutions to minimise overall risk, this is much easier to do with business-focused services or solutions than dozens of technology-focused enablers. Solutions also need to consider business continuity – and any implementation needs to cover all aspects of security and document management in order to maintain governance, risk management and compliance policies.
“The data protection problem, however, goes beyond what can be achieved with technology alone; policy, processes and people management are all key,” concludes Edwards.
ABOUT INTUATE GROUP:
The Intuate Group is a privately owned, broad-based IT company that focuses on providing professional integrated technology and people resources solutions. Its services include project management, IT strategy and consulting, the supply and implementation of best-of-breed IT solutions, business intelligence, managing and supporting IT infrastructure – specifically storage and server consolidation – as well as the provision of resources. The company’s offering is based on four pillars – project management, managed services, product solutions and people solutions. For more information, please visit www.intuategroup.com
Intuate Group, Mark Edwards, (011) 302-1200, firstname.lastname@example.org