Data Loss Prevention – The People & Technology | Optiv
October 28, 2013
Data Loss Prevention (DLP) as a competency has received its share of bad press. While the concept of a magic bullet solution to keep an organization’s data safe from nefarious threat actors is noble at face value, we must consider the context of the objectives that are expected and remain mindful of the three primary drivers of a solid information security solution: people, process and technology. Without all three components, the solution is likely doomed before the ink dries on the purchase order. Unfortunately, the tendency seems to focus on only the pieces that can be quantified easily for a CFO or financial comptroller.
In this blog series, I will focus on the overlapping areas of the primary drivers of people, process and technology to provide insight on things that can be accomplished to position a DLP solution for the greatest chance of success.
Consider a traditional Venn diagram with components labeled people, process and technology.
Take a look at the current state of overlap between these three areas, and rhetorically ask yourself if the DLP solution that you have considered or already purchased addresses the overlapped areas and to what degree.
Let us begin with the overlap between technology and people. (We’ll cover the other overlaps in future posts.)
The overlap between technology and people is one of situational awareness, education and technical aptitude to deliver on the value proposition claimed by the DLP solution. Situational awareness is only possible through a well-defined and relatively static rule set or the expertise to understand the ramifications of a specific practice or action on the organization’s security program.
The latter can be accomplished through out-of-the-box educational programs. However, education is often limited to the attendance of the DLP administrator at the DLP vendor-specific training course. While it is important for your DLP administrator to be up to speed in the specific product, true education goes beyond this, reaches into the core of the organization’s culture, rips out the specific use cases and applies a risk lens to determine the proper course of action. Finally, technical aptitude assumes that the staff responsible for the DLP solution is in a position to apply their talents in a manner that allows the DLP solution to be realized. In other words, not taking on so much water that stabilization is the only clear objective.
So how can your organization leverage the overlap between the technology and the people?
In my experience, I would begin with an exercise of data classification. On the surface, many people would suggest that data classification seems simple. We are informed that a Social Security Number is bad to expose to the public. But what does that really mean? As you consider data classification matrices, are you considering both content and context? Does a random number such as 123-45-6789 mean anything? Sure it looks like an SSN, but without context, it is useless.
Therefore, when considering business rules and what it is that the organization is trying to protect, perhaps it is more effective to combine simple pattern matching with some additional piece of information (i.e. name) to truly make the information personally identifiable instead of making a blanket statement that SSN is taboo.
Another suggestion is to educate on practical digital hygiene. I cannot count the number of times I have run across a homebrew Microsoft Access database with a timestamp of 2001 or 2002 chock full of legitimate personally identifiable information. Employees and data custodians must work with their applicable legal and privacy teams to set expectations and scan workstations for stale data and purge it if it is no longer needed.
In short, a good rule of thumb is as follows: the data that you are storing locally must have more value to you (as an individual) than value to the organization. If it does not, it should be in a centralized area, such as a shared network folder or controlled website.
Finally, among my big wish list for application software providers is to help educate data custodians and users of data about potential sensitive data constructs. For example, if I misspell a word in a Microsoft Word document, I get immediate feedback from the application in the form of a red squiggly line. We all appreciate this functionality (at least most of the time). Why is it that applications cannot implement a regular expression utility that identifies data that matches sensitive data field patterns, such as social security numbers and credit card information and places a squiggly under it as well? It doesn’t seem that difficult to implement.
These are just a couple proposed ideas and are not intended to be exhaustive in nature. This is where you, the reader of this blog post come in.
What ideas do you have to produce a solid overlap between people and technology? Where am I wrong? Hit me up and let’s all make a better mousetrap. Stay tuned for the next episode when I tackle the overlap between people and process.