
Tuesday, July 6, 2010

Data Loss Prevention : The search for a Silver Bullet

Deployment of a comprehensive DLP solution should be a risk mitigation measure that emerges from a systematic risk assessment based on business and security objectives. The reality is that it is resorted to mostly as a remedial measure in the aftermath of a particularly nasty incident. Sometimes a DLP comes about when business does well and security gets an opportunity to push through a big security investment. One does not see too many instances of DLP implementation from pure selling either, despite aggressive selling from DLP solution providers. The practical experience is consistent across industry sectors, and the essence is that while data loss concerns are mostly real, remedial measures are mostly reactive and almost always ineffective.

Management wakes up to data loss threats almost always after significant data which is important to management has been lost, or a major incident has resulted from an instance of data loss. While the lost data itself may not have been very important in the perception of management, the incident may have caused grave concerns which are unacceptable to management from a strategic perspective. On the other hand, the Information Security function/department is typically engaged with more immediate concerns, and when it does become alive to the threat of data loss, it gets entangled with a silver bullet DLP solution. However, DLPs cost big, and in the absence of a sensitised and informed environment, the idea of a full blown DLP solution does not find much favour. So security has to wait for a bad incident or a good revenue year!

Management wants DLP to do mail filtering with a view to analysing content and preventing undesirable mail from going out. For some reason, management believes that mail is the most potent and viable medium through which data can be leaked. Many operational departments, including IT and sometimes even Information Security, concur with this thought. As a result, the DLP that gets deployed with such a mindset ends up doing email/content filtering. It's a different matter that even the full blown DLP solution eventually ends up with similarly restricted usage; more on this later.

When a DLP is eventually deployed, we expect a miracle solution, and we could not be further from the truth. It has a steep learning curve and a long gestation period, including setting up policies with contextual content which does not come from business very easily. Once we have it deployed, it detects more nuisance than data loss, and tweaking it to reduce false positives takes forever. Unintentional data loss gets detected, while planned data theft can be one step ahead of the policies set up in the DLP to detect it.

A deeper analysis of data loss leads to the understanding that there could be several data leakage avenues beyond email. Mass storage devices are a big concern. They are either not disabled, or if disabled (through group policy or endpoint solutions), a lot of exceptions are provided with no expiry and no tracking through exception management. Also, there are a lot of holy cows with admin privileges who are then free to work around such disabling. As one can easily guess, the big boys, comprising senior management, IT administrators, marketing & sales stars etc., are all exempted. Admin rights provisioning itself is another big culprit. It not only lets the person enable use of mass storage, if disabled; it also permits a whole lot of policy reversals: silencing the endpoint agent, initiating P2P traffic, enabling execution of exe files, downloading software etc. And of course there is no tracking of these exceptions, as these are not treated as exceptions in the first place. All IT guys, security folks, and everyone in management who is anyone worth mentioning has admin rights in a typical dysfunctional (security-wise) organisation. Indiscriminate dissemination of information to all and sundry is also a common causal factor for potential data loss. The golden principle of need to know is rarely followed, resulting in a lot of information being possessed by a lot of people well beyond their business requirement and role privilege. Uncontrolled internet access is again a big hole, contributing a very efficient means of massive data loss. With no logging, no control on uploading files and no monitoring of access, it is often the most used and least known about.

None of the above threats require a white elephant DLP to be treated. Many of them require strong management intent and an effective security drive to be implemented with telling effect. For example, revoking admin rights and disabling USB mass storage go a long way towards preventing data loss from an office environment. Controlling and logging internet access and disallowing data upload are not as challenging as deploying a DLP, but they provide much more effective data loss prevention capability. And need to know is a culture issue which can be enabled through sound technology measures, such as making efficient and easily accessible shared space available and popularising it through crafty programs.

Data loss is a critical issue for today's information/data driven business; this is vindicated by the increasing number of data loss related incidents and the increasing cost of those incidents to corporations. Implementing a comprehensive and effective DLP program may be a long term solution, but there is a lot that can be done before that, and a lot needs to be done with the DLP itself to make it useful.
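The post argues that disabling USB mass storage, revoking admin rights and tracking exceptions with an expiry do more than a DLP appliance. The following is an added example, not from the post or its author, of how a security team could verify those three controls on a Windows endpoint. It assumes the USBSTOR driver start value and the local Administrators group are the controls in use, and that approved exceptions are kept in a CSV (the path, the column names and the `Expires` format are assumptions). It is read-only: it reports findings, it changes nothing.

```powershell
# Added example (not from the post): audit a Windows endpoint for the three
# controls the post names -- USB mass storage disabled, admin rights revoked,
# and admin exceptions tracked with an expiry. Read-only; it reports only.
# Assumption: approved exceptions live in a CSV with columns Account (in the
# same "COMPUTER\name" form Get-LocalGroupMember returns) and Expires (yyyy-MM-dd).
param(
    [string]$ExceptionFile = "C:\Security\admin-exceptions.csv"  # hypothetical path
)

$findings = @()

# 1. USB mass storage: a Start value of 4 means the USBSTOR driver is disabled.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
if ($null -eq $usbstor -or $usbstor.Start -ne 4) {
    $findings += "USB mass storage driver is enabled (USBSTOR Start=$($usbstor.Start))"
}

# 2. Admin rights: every member of the local Administrators group must have a
#    recorded exception, and that exception must not have expired (the post's
#    complaint is exceptions granted with no expiry and no tracking).
$approved = @{}
if (Test-Path $ExceptionFile) {
    Import-Csv $ExceptionFile | ForEach-Object {
        $approved[$_.Account.ToLower()] =
            [datetime]::ParseExact($_.Expires, 'yyyy-MM-dd', $null)
    }
} else {
    $findings += "No exception register found at $ExceptionFile"
}

Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $name = $_.Name.ToLower()
    if (-not $approved.ContainsKey($name)) {
        $findings += "Admin right with no recorded exception: $($_.Name)"
    } elseif ($approved[$name] -lt (Get-Date)) {
        $findings += "Admin exception expired on $($approved[$name].ToString('yyyy-MM-dd')): $($_.Name)"
    }
}

# 3. Report. A non-zero exit code lets a scheduled task or log collector flag
#    the machine for follow-up.
if ($findings.Count -eq 0) {
    Write-Output "OK: USB storage disabled and all admin rights have a live exception"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it from an elevated PowerShell session on the endpoint, or push it through a scheduled task and collect the output centrally; the point is that the exception register, not the script, is the control, and the script merely makes a missing or expired entry visible.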

Deepak Rout, CISO, Uninor
