Data-Loss Prevention Software Takes Security Up A Notch

Vendors offer more options for protecting data throughout its travels. We'll put their claims to the test.

Randy George, Director, IT Operations, Boston Red Sox

January 22, 2009

7 Min Read
Dark Reading logo in a gray background | Dark Reading

Not long ago, CIOs faced an uphill battle trying to convince their organizations of the need for enterprise spam protection. Today you'd be hard-pressed to find even a small organization that hasn't implemented some sort of integrated spam/virus protection strategy.

Antivirus protection is crucial, but the growing list of very public data leaks and their often-expensive aftermath show that stopping external attacks isn't the last word in protecting valuable information. The need for more safeguards has spawned a new class of protection, dubbed data-loss prevention, or DLP.

Granted, only a small percentage of businesses have to worry about safeguarding millions of records containing credit card data. But every organization holds confidential data of some sort that must be protected--whether it's a spreadsheet with payroll data or the design for a top-secret weapon being built by a defense contractor. Therefore, all organizations have significant motivation to protect key digital assets.

End-To-End Awareness
However, if the need for safer data is clear, the definition of DLP isn't. What constitutes DLP? Any piece of backup software, disk encryption software, firewall, network access control appliance, virus scanner, security event and incident management appliance, network behavior analysis appliance--you name it--can be loosely defined as a product that facilitates DLP.

For the purposes of this Rolling Review, we will define enterprise DLP offerings as those that take a holistic, multitiered approach to stopping data loss, including the ability to apply policies and quarantine information as it rests on a PC (data in use), as it rests on network file systems (data at rest), and as it traverses the LAN or leaves the corporate boundary via some communication protocol (data in motion).

Locking down access to USB ports or preventing files from being printed or screen-captured isn't enough anymore; organizations require true content awareness across all channels of communication and across all systems.

DIG DEEPER

Risk Meets Reality

Build a comprehensive vulnerability management program that works.

Download this InformationWeek Report

>> See all our Reports <<

Forward-thinking firewall vendors like Palo Alto Networks are beginning to package DLP capabilities in their appliances, but generally speaking, you can't ask your Cisco PIX or Check Point firewalls to examine the content of a spreadsheet being sent via FTP to a business partner to determine if a business rule is being broken.

In an environment where IT is expected to beef up security while users demand increasingly liberal usage policies, how are IT managers supposed to ensure data integrity? Clearly, most corporate IT departments are in no position to implement strict usage policies. Implementing DLP at the endpoint only is the most practical approach. Most organizations, however, live in a big house with many open windows, so an increasing number of organizations are turning to vendors that offer protection and awareness of data as it moves through the network as well.

Prices for DLP run the gamut, ranging from around $30 per seat for endpoint encryption products to six figures and beyond for end-to-end systems.



(click image for larger view)

Illustration by Jupiter Images

Time To Break Into The IT Budget
Data breach horror stories, regulatory pressure, and more options have created a hot market for DLP. This in turn has led to market churn as large players acquire the original thought leaders in the DLP arena. So it's not surprising that many organizations are sitting on the sidelines waiting to see how things shake out. Others are very interested in DLP but have unanswered questions. And for every company sitting on the sidelines, another has been forced to make the investment because of strict security or regulatory requirements. This Rolling Review will help organizations get unbiased information about the state of DLP as well as their options.

Each of the vendors in this Rolling Review claims to have (or soon will have) the ability to protect data at rest, in use, and in motion. Code Green, McAfee, RSA, Safend, Symantec, and Vericept have made commitments to participate in the testing, and at press time we were waiting on final approval from Websense to round out our group of participants.

To test enterprise DLP products, we'll unleash chaos on the fictional legal firm we built for our virtual desktop infrastructure Rolling Review, Bits and Bytes Legal Services. This fictional legal startup has a staff of about 100 in four offices across the country and shares high volumes of data on a variety of pipes. Using a combination of proprietary intellectual property and private customer information, we'll simulate various attacks to see how well each product can detect, report, and remediate each one.

It's impossible to protect your data with 100% certainty, of course, but in reality, DLP is often about making your security capabilities just strong enough to send hackers on to the next potential victim. Simulations will test how well the vendor can protect against data loss on handheld devices and PCs, prevent intellectual property leaks via IM, or prevent data leaks via e-mail, FTP, USB thumb drives, prohibited printing, and screen capture.

The Essentials

THREE MUST-HAVES
FOR EFFECTIVE DLP

1. Communication Lockdown Your data can be pickpocketed from any number of communication modes. Make sure your DLP system has an answer for each contingency and can protect you both at the endpoint and in the network cloud.

2. Data Discovery Done Well Your solution's data discovery capabilities must be robust enough to crawl all file systems, devices, and structured databases necessary to reveal points of exposure.

3. Reporting Look for capabilities that connect a potential data breach to a violation of a regulation, industry standard, or custom business rule.

Measuring the ROI of a large security investment in today's budget-strapped environment is critical, so we'll pay particular attention to the reporting capabilities of each product.

While some of the marketing hype tries to portray internal employees as evil security threats, our investigations and interviews with DLP vendors reveal this isn't the case. More often than not, a data leak that originates internally is the result of an accident or a broken business process. Unfortunately, accidental data leaks are just as damaging as intentional ones, so products also will be evaluated on whether they can determine if a leak broke an internal business rule or government regulation, such as PCI or HIPAA.

We'll also play close attention to how easy it is to deploy and manage, because few companies can stomach adding staff or a boondoggle of a professional services engagement tacked onto the final bill.

When deploying DLP, one of the biggest challenges that organizations encounter is knowing where all their confidential data resides. Given how important data discovery capabilities are to DLP tools, we'll closely scrutinize each vendor's ability to accurately classify where critical data resides. As a result, each vendor must have a methodology for detecting, for example, files or databases that contain unencrypted Social Security numbers or credit card numbers.

At the conclusion of this Rolling Review, we'll report our big-picture findings, with an emphasis on pointing out any gotchas that system administrators will encounter as they deploy these leading solutions, or others, in real-world implementations.

Rolling Review: DATA-LOSS PREVENTION

Business value An ounce of loss prevention can be worth thousands of dollars of remediation and lost corporate reputation. We'll test DLP options' ability to detect, report, and remediate trouble on handheld devices and PCs.

Rolling Review participants: McAfee, RSA, Safend, Symantec, and Vericept

About the Author

Randy George

Director, IT Operations, Boston Red Sox

Randy George has covered a wide range of network infrastructure and information security topics in his 4 years as a regular InformationWeek and Network Computing contributor. He has 13 years of experience in enterprise IT, and has spent the last 8 years working as a senior-level systems analyst and network engineer in the professional sports industry. Randy holds various professional certifications from Microsoft, Cisco and Check Point, a BS in computer engineering from Wentworth Institute of Technology and an MBA from the University of Massachusetts Isenberg School of Management.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights