A few years ago I did some work for an Israeli startup called nLayers that did discovery of applications, servers and devices. They were later acquired by EMC. I thought it was a brilliant idea at the time, since large IT organizations don’t really know what assets they have in their IT portfolio.
Therefore, it should be no surprise to anyone that a similar situation exists with data: large companies don’t really know what data assets they have, where they are stored, when they are used and how they move around.
This has given rise to a relatively new concept called “Data Discovery”.
Symantec has one of those cute 4 step risk management processes for data loss prevention – discover, monitor, protect and manage. Security vendors have a predilection for this sort of a 4 step cycle, often presented on a circular chart but sometimes in a box or on a line.
Why is data discovery the first step in an endless 4 step wash-cycle that seems designed to maximize product subscription revenues for companies like Checkpoint and Symantec, rather than to minimize data security risk for organizations like the British NHS?
Data discovery may be a good idea for the vendor but it may be a very bad idea for the customer.
It appears that the rationale for starting with data discovery is primarily related to sales quota, although it has product potential as well. So here are 3 reasons to start with data discovery in a data loss prevention project, none of which has anything to do with minimizing value at risk.
Reason no 1) If you can’t dazzle them with brilliance, baffle them with bullshit
For a big organization, data discovery is a herculean task. Once you get into a data discovery project, you won’t have enough time left to discover that the monitor and protect steps don’t work. This is a good strategy for vendors with weak content-analysis and prevention capabilities, like Symantec.
Reason no 2) You will discover the mother lode
This is a wet-dream for any salesman: get the customer to pay you for discovering all of the possible opportunities to sell them product. Oh yes – you need endpoint DLP, and then 500 network DLP appliances for all the branch offices and then new backup and data storage management software. It’s a brilliant sales strategy. I’m sorry I didn’t think of it.
Reason no 3) Find a smoking gun
Data discovery may discover a smoking gun that will help the vendor scare the management into buying their solution. The only problem with this strategy is that after a nuclear Korea, soon-to-be nuclear Iran, Bin Laden, 9/11, Iraq II, Lebanon II, Operation Cast Lead and Afghanistan – people do not buy into security FUD tactics.
So – why IS data discovery a good thing for data loss prevention?
I’m not sure.
a) If the data never leaks, who cares whether it’s on someone’s workstation or not? If you can be PCI-DSS 1.x compliant, you are good to go. PCI DSS doesn’t require data discovery: it mandates not storing sensitive authentication data (full track data, CVV, PIN) after authorization and protecting any primary account number you do store. And the vast majority of merchants worldwide self-assess anyhow, with no on-site audit.
b) If you discover (for the sake of argument) credit card data in plain text in a number of legacy applications, are you capable of reengineering the business process and the software applications? I want an honest answer here….
c) You did data discovery and found a passel of sensitive data on workstations. Now what? Write policies? Punish people? Install Verdasys endpoint DLP with encryption on demand to mitigate the problem, because you can’t reengineer the business process?
Personally, I think monitoring at the endpoints or at the network edge (depending on the business and network situation) for one asset, the one asset that the CEO lives and dies for, is more effective than all the data discovery Symantec will ever do.
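To make “monitor for one asset” concrete, here is an added example, not code from the original post and not any vendor’s product: a minimal content monitor for a single asset class, payment card numbers, of the kind you would run on outbound mail, proxy logs or endpoint file writes. It extracts candidate digit runs, validates them with the Luhn check so that phone numbers and order IDs don’t fire, and reports only a masked form of the match so the monitor itself doesn’t become a second copy of the data. The sample lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the cheap filter that rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits (the PCI-permitted display form)."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (raw match, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.group(0), mask(digits)))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Monitor loop over a stream of lines; yields (line number, masked PAN)."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for _raw, masked in find_pans(line):
            alerts.append((n, masked))
    return alerts


# Constructed sample traffic: two real PAN-shaped values (the well-known
# 4111... and 5555... test numbers), a phone number and an order ID that
# look similar but fail Luhn.
SAMPLE_LINES = [
    "To: partner@example.com Subject: refund, card 4111 1111 1111 1111 exp 12/29",
    "call me back at 0044 7700 900123 after lunch",
    "order id 1234567890123456 shipped to warehouse 7",
    "SELECT * FROM orders WHERE pan='5555555555554444'",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: possible PAN {masked}")
```

Two points a practitioner should note: the Luhn check only cuts false positives, it cannot distinguish a live card from a test number, so a production monitor would also check the issuer prefix ranges; and the matcher takes the leftmost longest digit run, so a PAN glued to other digits without a separator would be missed, which is exactly the kind of edge case that decides whether “monitor one asset” works in your environment.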
But, if you’ve been paying attention, the discover, monitor, protect and manage wash-cycle doesn’t include quantifying and valuing your assets and putting data loss prevention into a business context: your business context.
And without business context, security products are worth about as much as Bounce in your washer. They smell nice and make the clothes fluffy, but not much more.