In spite of the big headlines about external hacks or insider attacks leading to data loss, it is true that most of the corporate data that gets exposed is through messaging systems. Employees accidentally sending out confidential information through email, instant messaging or simply forgetting to use the proper encryption.
Adoption of full spectrum Data Loss Prevention (DLP) technologies has been historically low however, due to complex or costly vendors. Realizing that most of the lost data occurs around messaging, many gateway device providers ‘have begun preaching that the DLP capabilities in their security appliances can provide a much simpler approach to the same problem.’
All the while the debate rages on the extent of cover that is needed, writes Matt Hines for Inforworld.com, who sheds light on the case for ‘DLP lite’ tools and full DLP. For DLP Lite, the main argument is that most companies have neither the time nor the money required to set up and run a functioning end-to-end DLP system.
Most companies can protect themselves simply by relying on their messaging gateway and using end-point control tools that block unauthorized data transfer to USB and portable devices. This simple approach can prevent 90% of accidental data loss, without requiring the huge sums of money needed for a full system.
Though perhaps the biggest argument against a full end to end DLP system is the huge effort that traditional DLP tools require in creating the policies necessary around data usage. This plays into the hands of the messaging gateway vendors who maintain that people get scared of software that takes a long time to build policies – implementation as a separate infrastructure is incorrect and unnecessary.
On the other hand, while email protection can be effective in addressing the low-hanging fruit full data protections requires covering the end point, the network and discovery as well. Many of the larger players predictably argue that data loss is not just an email problem, but encompasses data problems across the whole IT infrastructure. For example, Rich Mogull, an analyst with Securosis argues that “one of the biggest drivers of DLP is content discovery. You need that knowledge of your data in motion, at rest, and in use, and in consistent policy enforcement across all of that.”
As systems integrate further and large organizations incorporate access for supply chains and external users, it is becoming obvious that the problem of DLP cannot be covered simply at the messaging gateway level. The increasing level of integration means that data is more exposed than ever, so necessarily requires greater protection.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”