When I was a solid state physics grad student at Bar Ilan, I had two advisors – Prof. Nathan Aviezer and Prof. Moshe Kaveh (who is now the President of the university). Aviezer was fond of saying that he only does simple things. I was calculating the electrical conductivity of aluminum at low temperatures and, due to singularities of the 2OPW approximation of the Fermi surface, it was anything but simple. Still – doing simple things is a life lesson that I’ve tried, but not always succeeded, to keep.
So – how do we make data loss prevention (DLP) simple, or at least a lot simpler than it is today?
DLP is too complex today
The trend in DLP (data loss prevention – preventing unauthorised network transfer of digital assets from inside the network) is towards complex regulatory, technical and procedural solutions. The DLP solutions I’m seeing in the market (like Websense Data Security Suite, Verdasys Digital Guardian or Fidelis Security Systems XPS Extrusion Prevention system) are complex products with a lot of functionality. Companies like McAfee, Websense and Symantec are trying to make the solutions even more complex by combining end-point and network DLP technologies. Verdasys and Fidelis have stayed true to their original approaches of agent DLP (point of use, as Verdasys calls it) and network DLP (extrusion prevention, as Fidelis calls it). McAfee are hard at work integrating Reconnex and their Onigma-based agent DLP technology, and I certainly wish them success, but I’m not sure that the market really needs an integrated agent DLP / network DLP solution – I’ll be writing about why I think integrated agent DLP/network DLP is a really bad idea in another post.
McAfee and Websense owe a good deal of their DLP solution success stories to their reseller channels, which are able to cross-sell/up-sell a content filtering or endpoint security solution to include another product – namely DLP.
However – a distribution channel does not make the solution simpler and attempts to equate agent DLP with anti-virus are doomed to failure – imagine that an organization would have to write and maintain their own AV signatures and you get a picture of where agent DLP products are today.
A good reseller makes it simpler for DLP vendors to sell DLP but it doesn’t make it simpler for the customer to implement DLP (data loss prevention).
The 64Gig question is how to Escape the Hamster Wheel of Pain
So – it seems to me that we need to take a step back and make DLP simpler and more cost-effective, and not just conceptually simpler during the pre-sales process. The install, deploy and prevent, lather, rinse and wash cycle is guaranteed to grant you grief, not data threat mitigation.
Here are 3 simple and cost-effective data security countermeasures (note that 2 out of 3 are people-based).
- Speak softly – monitor for data leakage using network DLP and a set of default best practice policies like alert on Microsoft Office files that are posted to public blogs
- Carry a big stick – write a one-page acceptable usage procedure (AUP) and explain to employees (at all levels) that if they violate the AUP they will be fired without compensation.
- Make data protection awareness training a mission for management, not for the HR or security departments. Every manager from the CEO down must be capable of delivering 1:1 training to their direct reports, and selected managers should personally deliver a 2-3 hour short course on data security awareness. The impact of the CEO delivering courses on data security will be far greater than the impact of a 7-figure DLP solution implemented by PwC.
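To make the first countermeasure concrete, here is an added example (my own illustration, not code from any of the DLP products named above) of what a default "alert on Microsoft Office files posted to public blogs" network DLP policy boils down to. It assumes the network sensor has already reassembled HTTP uploads into records with source IP, method, host, filename and the first bytes of the payload; the watchlist of public blog hosts and the sample uploads are constructed for the example. Office files are recognised both by extension and by their magic bytes, so a renamed spreadsheet is still caught.

```python
"""Toy network-DLP policy: alert on Microsoft Office files POSTed to public blog hosts."""
from dataclasses import dataclass

# Constructed watchlist of public blogging/publishing hosts (an assumption for the example;
# a real policy would ship with a maintained list).
PUBLIC_BLOG_HOSTS = {"wordpress.com", "blogger.com", "medium.com", "tumblr.com"}

# File extensions used by legacy and Office Open XML documents.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Magic bytes: legacy binary Office files are OLE2 compound documents,
# OOXML files (.docx/.xlsx/.pptx) are ZIP containers holding [Content_Types].xml.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class HttpUpload:
    """One reassembled HTTP request as a network sensor would hand it to the policy engine."""
    src_ip: str
    method: str
    host: str
    filename: str
    payload: bytes  # leading bytes of the uploaded body


def is_public_blog(host: str) -> bool:
    """True if host is a watchlisted blog domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PUBLIC_BLOG_HOSTS)


def looks_like_office(filename: str, payload: bytes) -> bool:
    """Classify by content first (magic bytes), then fall back to the file extension."""
    if payload.startswith(OLE2_MAGIC):
        return True
    if payload.startswith(ZIP_MAGIC) and b"[Content_Types].xml" in payload:
        return True
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return ext in OFFICE_EXTENSIONS


def evaluate(uploads) -> list:
    """Apply the policy to a batch of uploads and return one alert string per hit."""
    alerts = []
    for u in uploads:
        if u.method.upper() != "POST":
            continue
        if not is_public_blog(u.host):
            continue
        if not looks_like_office(u.filename, u.payload):
            continue
        alerts.append(f"{u.src_ip} posted Office file '{u.filename}' to {u.host}")
    return alerts


# Constructed sample traffic for the example.
SAMPLE_UPLOADS = [
    # OOXML spreadsheet going to a public blog: should alert
    HttpUpload("10.0.0.12", "POST", "myteam.wordpress.com", "q3-forecast.xlsx",
               ZIP_MAGIC + b"\x14\x00\x06\x00[Content_Types].xml..."),
    # a photo to the same blog: not an Office file, no alert
    HttpUpload("10.0.0.12", "POST", "myteam.wordpress.com", "holiday.jpg", b"\xff\xd8\xff\xe0"),
    # legacy .doc renamed to .txt: caught by the OLE2 magic bytes
    HttpUpload("10.0.0.33", "POST", "blogger.com", "notes.txt", OLE2_MAGIC + b"\x00" * 8),
    # same spreadsheet to an internal host: outside the policy's scope, no alert
    HttpUpload("10.0.0.33", "POST", "intranet.example.com", "q3-forecast.xlsx", ZIP_MAGIC),
    # a plain page fetch: not an upload
    HttpUpload("10.0.0.40", "GET", "medium.com", "index.html", b"<html>"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_UPLOADS):
        print("ALERT:", line)
```

The point of "speak softly" is that this policy only raises an alert for a person to look at; it does not block the request, so a false positive costs an analyst a minute rather than costing a user a working day.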
Speak Softly and carry a big stick – (Roosevelt described his style of foreign policy as “the exercise of intelligent forethought and of decisive action sufficiently far in advance of any likely crisis.”)