Data security is not one-size-fits-all.
For example, if the threat scenario is an attack on your customer self-service Web application, obfuscating or encrypting fields in database tables is not an effective security countermeasure; you need a network DLP solution to prevent leaks of clear-text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable. On the other hand, if the threat scenario is sales representatives working in stores in shopping malls, using unmanaged PCs and leaking customer data, you need an agent DLP solution.
How do you decide which DLP solution is right for your business?
Data security is the task of ensuring the confidentiality and privacy, integrity and availability of the data you use to run your business. It includes DLP, DRP, data retention and backup, but the essence of data security is its approach: data security employs a direct, data-centric approach, as opposed to traditional IT security, which focuses on protecting networks and systems, or risk and compliance management, which focuses on assuring processes and compliance with regulation.
The confidentiality and privacy component of data security is well addressed by DLP (data loss prevention) technologies. DLP products are roughly divided into two kinds: agent DLP products from companies like Verdasys and McAfee, and network DLP products from companies like Fidelis Security Systems and Symantec (formerly Vontu). At the beginning of 2009, Websense introduced an integrated agent and network DLP product, and I’m expecting that McAfee will release their integration with Reconnex sometime in H1 2010. It’s a bit too early to say if the integrated approach to DLP is the best of both worlds or the worst of both worlds, but that’s material for another discussion.
The question is not which DLP solution you should choose, but how DLP technology and data security practice fit into your business.
Consider that data loss prevention is a subset of the wider discipline of GRC – governance, risk and compliance.
Data loss prevention is a highly effective supplement to patch management, server hardening, rights management and permissions. Being data-centric (as opposed to network-centric), a DLP data security countermeasure mitigates multiple threat vectors: trusted insiders, malicious outsiders, or business partners with access to line-of-business applications.
But TANSTAAFL: there ain’t no such thing as a free lunch. Data security comes at a price because, unlike servers, your data is everywhere. The price is that if you want to protect your company’s valuable data, you must be able to identify your data threat scenarios and value your data with a financial price tag. With a valuation, you will be able to justify the investment and implement the right data security in an effective way.
Before valuing the data, you must first identify your key threat scenarios, or use cases; in any company there are no more than 3-5. A threat scenario is basically a verbal description of the threat, the data being attacked, the vulnerabilities that the threat exploits, and the countermeasures that mitigate those vulnerabilities.
Here is a typical threat scenario:
Customer data loss
a) The asset is credit card data.
b) The company installs a Web-based reseller application that enables a reseller to take orders and enter them into the system. The software developer who wrote the Web application is not strong on software security and doesn’t encrypt the payment card transactions sent to the company’s ERP system. The vulnerability is transmission of payment card numbers in clear text to other system interfaces. The threat is an attacker who may be able to capture the clear-text payment card numbers by copying temporary files or sniffing data on the network (see the case of Hannaford supermarkets).
c) The data security countermeasures are:
   - Monitor for credit cards in clear text in the DMZ and on the network segment before the VPN.
   - Perform a software security assessment of the reseller application and require encryption of all credit card transactions sent to external system interfaces (for example the ERP system and the payment processor).
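The first countermeasure in scenario c), monitoring for clear-text credit cards on the DMZ segment, is the kind of content check a network DLP sensor performs. The following is an added example, not code from the post or from any DLP product named in it: it scans captured payloads for 13 to 19 digit runs (with optional space or dash separators), keeps only candidates that pass the Luhn check, and reports them masked so the monitoring log itself does not become a second leak. The sample records are constructed for the example; the source names and field names are assumptions.

```python
import re
from dataclasses import dataclass

# Candidate primary account number (PAN): 13-19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out most
    digit runs (order ids, phone numbers) that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_text_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN found in clear text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN and suffix), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    source: str       # where the payload was captured (assumed sensor label)
    masked_pan: str   # never log the full PAN


def scan_traffic(records: list[tuple[str, str]]) -> list[Finding]:
    """Run the clear-text PAN check over (source, payload) records."""
    findings = []
    for source, payload in records:
        for pan in find_clear_text_pans(payload):
            findings.append(Finding(source, mask_pan(pan)))
    return findings


# Constructed sample captures: reseller app -> ERP traffic and a temp-file dump.
SAMPLE_RECORDS = [
    ("dmz-http", "POST /erp/orders pan=4111 1111 1111 1111&exp=1212&amt=49.90"),
    ("dmz-http", "GET /reseller/orders?id=1234567812345678&phone=0123456789"),
    ("dmz-http", "POST /erp/orders token=tok_assumed_example&amt=12.00"),
    ("tmp-file", "DEBUG order dump: card 5500-0000-0000-0004 exp 0913"),
]

if __name__ == "__main__":
    for f in scan_traffic(SAMPLE_RECORDS):
        print(f"[{f.source}] clear-text PAN detected: {f.masked_pan}")
```

The second and third records produce no finding: the 16-digit order id fails the Luhn check and the tokenized transaction carries no PAN at all, which is exactly the state the second countermeasure (encrypting or tokenizing transactions to the ERP and payment processor) is meant to reach. A Luhn check still admits some non-card numbers, so a production sensor would add BIN ranges, context keywords and data fingerprints on top of this pattern.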