Does DLP Mean ‘Discipline’s Loss Prevention’?

The recent “Cost of a Data Breach” study by the Ponemon Institute, published this year for five leading Western economies (the US, Germany, the UK, France, and Australia), confirmed that the damage to enterprises across the globe from data breaches continues to grow.

The same trend is also occurring in the SMB market. According to the Symantec 2010 Global SMB Information Protection Survey, SMB organisations rank data loss as the top security threat to their business. This is hardly surprising when you consider that the average annual cost of a cyber attack to an SMB was found to be almost 190,000 US dollars.

Three main factors have shaped and strengthened this alarming trend. The first one is consumerisation of corporate IT – the ubiquitous proliferation of high-end consumer technologies such as smartphones, tablet computers, and Web 2.0 software into the corporate IT environment. Undoubtedly, social media and peer-to-peer networking, instant messaging, blogging, and webmail have proved to be highly-effective instruments in the modern Internet-centric economy and are already indispensable for internal corporate use.

From the information security standpoint, however, all these communication tools create new data leakage pathways that neither conventional network security nor anti-virus solutions can control. The depth of the industry’s concern about the misuse of social media in corporate IT became clear in May 2010, when ISACA, a leading IT standards promotion association, released a special white paper, “Social Media: Business Benefits and Security, Governance and Assurance Perspectives”, with recommendations to organisations on how to secure the use of social media in their IT systems.

But social media is not the only cause for concern: peer-to-peer (P2P) technologies are no less dangerous for businesses. Early in 2010, the Federal Trade Commission uncovered widespread data breaches due to inappropriate use of P2P file sharing in almost 100 U.S. organizations.

Secondly, over the last ten years external threats to corporate IT security have strategically shifted from targeting the IT infrastructure to hunting the data, or, to be more precise, valuable data. The cybercrime industry has become well organised and commercialised, with a current annual turnover of around 1 trillion US dollars. Modern cyber-threats commonly target endpoint computers because they are less protected than servers yet store a vast amount of sensitive private and corporate information.

External attacks are becoming increasingly sophisticated: cutting-edge software and network technologies are combined with the power of social engineering to infect endpoint computers with commercial malware. A single careless click on a link in a spam email is enough for a corporate computer to be infected with a small program that sniffs out data of the required types buffered in its RAM, hides and stores the captured information, and later sends it through available communication utilities to a destination on the Internet.

Finally, the third factor behind data breaches, the one inherent to humans – and therefore the most dangerous – remains insider behavior. Misconduct and negligence are an essential phase of most endpoint data leak scenarios. Despite all corporate regulations and policies, special training, administrative sanctions and penalties, human nature will not change: even loyal employees will continue to make accidental mistakes, curious ones will do something they are not supposed to, and malicious insiders will deliberately hunt for high-value information.

This is why the data communications and storage security discipline on corporate computers must be enforced by something that does not depend on human nature – an automatic tool which will transparently allow all user actions in the scope of their job functions while blocking any accidental or deliberate attempts to do something outside of the preset bounds.

This is exactly what endpoint data leak prevention (DLP) solutions are aimed at.

Their main function is to precisely implement the principle of “least privilege” when granting user rights for data transfer and storage operations, and to enforce the established data protection discipline right at the employee’s computer. As a result, endpoint DLP solutions pre-emptively eliminate all data leak scenarios that stem from users holding communication privileges beyond the scope of their duties. From the risk management perspective, this immediately reduces the risk of sensitive information flowing uncontrolled from corporate computers, whether through simple negligence or malicious intent.

The ability to analyse the content of allowed communications and filter out unauthorised data is another feature of DLP solutions that significantly increases their effectiveness as a tool for enforcing security discipline on corporate endpoints.

Advanced endpoint DLP solutions not only block restricted operations and data but also keep detailed records of them and – if necessary – shadow copies in a central database available for security compliance auditing and incident investigations. Besides its primary purpose – to trace back, identify and penalise negligent or malicious insiders – this feature creates a strong implicit stimulus for employees not to breach the rules of established data security policies.
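The three mechanisms described above (a per-role least-privilege allow-list for transfer channels, content filtering of the communications that are allowed, and a central audit record with shadow copies of blocked payloads) can be sketched as a small policy engine. This is an added illustration, not DeviceLock's or any product's code; the roles, channels, destinations and the card-number pattern are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed per-role policy: channel -> destinations allowed for that job
# function ("*" = any destination). Channels absent for a role are blocked.
POLICY = {
    "accountant": {"email": {"corp.example"}},
    "sales": {"email": {"corp.example", "partner.example"}, "usb": {"*"}},
}

# Content rule applied only to transfers the policy already allows:
# a constructed pattern for 16-digit payment card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


@dataclass
class Transfer:
    user: str
    role: str
    channel: str
    destination: str  # mail domain or removable-device id
    payload: str


AUDIT_LOG = []      # central record of every decision, allowed or blocked
SHADOW_STORE = {}   # shadow copies of blocked payloads, keyed by log entry id


def evaluate(t: Transfer) -> str:
    """Return 'allow' or 'block' for one endpoint transfer and log the decision."""
    channels = POLICY.get(t.role, {})
    if t.channel not in channels:
        verdict, why = "block", f"{t.channel} is outside {t.role} duties"
    elif not ({"*", t.destination} & channels[t.channel]):
        verdict, why = "block", f"{t.destination} not permitted via {t.channel}"
    elif CARD_RE.search(t.payload):
        verdict, why = "block", "content filter: payment card number"
    else:
        verdict, why = "allow", "within least-privilege policy"
    entry_id = len(AUDIT_LOG) + 1
    AUDIT_LOG.append({"id": entry_id, "user": t.user, "channel": t.channel,
                      "destination": t.destination, "verdict": verdict, "reason": why})
    if verdict == "block":
        SHADOW_STORE[entry_id] = t.payload  # retained for incident investigation
    return verdict


if __name__ == "__main__":
    evaluate(Transfer("bob", "sales", "email", "partner.example", "card 4111 1111 1111 1111"))
    print(AUDIT_LOG[-1]["reason"], "| shadow copies:", len(SHADOW_STORE))
```

Note that the content filter runs only after the channel and destination checks pass, so the allow-list, not the pattern list, is the primary control.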

Because every one of them knows that their endpoint communications and data transfers are monitored and logged, the perception of “being watched” develops a self-controlled layer of subconscious discipline enforcement – an internal mind-resident “DLP agent”, which often protects corporate data more reliably than the most sophisticated technologies.

The inward self-control adds a sizeable – although intangible – quantum to the DLP discipline aggregate and doubles its performance. Notably, the reliability of a DLP system is also increased because the internal “DLP agent” remains on duty all the time and serves as a virtual backup for the system component when it is temporarily down or in maintenance.

Naturally, in the field of information security the leak of data and the loss of discipline are so intrinsically interrelated in terms of context, processes, and impact that a solution that neutralises one of them consequently mitigates the other.

It might look like just a play on words, but it is fully meaningful to spell the “DLP” acronym out as “Discipline’s Loss Prevention” and to recommend that CSOs and CISOs carefully consider the discipline and self-discipline aspects of DLP solutions at all phases of a DLP project. On top of everything else, this will also help them manage the expectations of executive management and end users, as well as realistically evaluate and properly interpret the project results.


Alexei Lesnykh is responsible for international business development and product strategy at DeviceLock. With over 10 years of experience in the infosecurity industry, he has been helping Russian software startups grow their businesses globally since the mid-to-late 1990s. Before joining DeviceLock in 2006, Alexei was an independent analyst, developing product and business strategies for several international high-tech companies, as well as evaluating various investment opportunities for Russian and international venture funds. He holds an M.S. degree in computer science from the Moscow Institute of Electronic Technology (MIET) in Zelenograd, Moscow, Russia.