This article presents a systematic method for selecting and cost-justifying data security technology to protect  intellectual property theft and abuse.

The original presentation was given at the October 2, 2009 DLP-Expert Russia meeting in Istra (just outside of Moscow)

Click here to download the presentation

In a complex global environment, pharma do not have control of computer platforms that local sites use – yet there is an expectation that file and information sharing should be easy yet there are three areas where current systems break down:

1. People forget what files had been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA)  a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture, that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong completive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

1. Is your information asset protection spending driven by regulation?
2. Are Gartner white papers your main input for purchasing decisions?
3. Does the information security group work without security win/loss scores?
4. Does your chief security officer meet three to five vendors each day?
5. Is your purchasing cycle for a new product longer than six months?
6. Is your team short on head count, and not implementing new technologies?
7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Now let’s look at three steps for developing a business justification for spending on information security.

1. Choose a business unit strategy

• Take a break from the daily firefighting and choose a competitive strategy for infosec operations. Is it low-cost? Is it single-vendor? Is it Linux desktops?
• Start by implementing a consistent set of activities, for example, standardizing on diskless thin clients, remote desktops and Windows Terminal services.
• Then think how activities can reinforce each other, such as installing personal firewall software that reports on intrusion attempts to a central server so that you can plan your response to future attacks.
• The most productive strategy identifies sets of activities that optimize your efforts. Perhaps you have a flat spaghetti network of servers and workstations. Segment the network into virtual LANs, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth. Performance and security will improve, and you’ll be able to monitor content effectively. You’ll spend less time firefighting and more time thinking how to optimize the operation.

2. Add business value and measure your results

There are widely practiced models and metrics that work for all kinds of business units. For instance, if you want to evaluate cash flow, then measure cash flow from operations or free cash flow (FCF), which is cash from operations minus capital expenditures. FCF omits the cost of debt, but it is an objective indicator that can be measured every day.

• Set up indicators and publish them once a week on the company intranet for everyone to see. Start with three indicators: the number of network anomalies your intrusion-detection system found that week, the current patch cycle time and how much overtime the team worked.
• Do continuous security audits. Purchase a tool for network auditing and run it once a week on a different part of the network. The guys over in the warehouse stopped doing full physical counts once a year 15 years ago. They count a little bit of inventory every day with bar-code terminals. Have a consultant help you set it up and run audit yourself.
• Run security awareness programs. Make training hours an indicator.
• Build a threat model and maintain a database of assets, threats and vulnerabilities. Start today. Check out the SANS Institute for tools.

3. Drive the message home

Send out your CTO to install your company’s products himself, follow customers back to their offices, observe howthey do the install and take notes. Update the threat model with the CTO’s findings. He’ll sign your next purchase request for software security tools in a flash. Trust me.

1. Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
2. We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
3. Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that requires a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who could care less, and buyin from a CEO who is scrappling for survival with the board during the biggest financial crisis in 80 years?

I posted this question  on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing;  I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.

Darian Stultz reminds us that people are the weakest link and brings some insights into organizational politics.

Both psychology and technology are equally important. From a technology perspective, vendors tend to promise the world, but people install, configure and operate the security technology.

Systems are vulnerable to incorrect configurations, mis-cabling, or open unnecessary  open ports. The best training for employees may not be sufficient to handle all possible configuration scenarios and use of external/internal experts can mitigate these risks through discovery, and a remediation plan. This costs money. External Auditing is more costly, but provides a politically neutral assessment because the auditor is more likely to report findings. For the manager who hired the auditor, an external audit can be stressful since the auditor wants future business from upper management, and is likely to prove his worth by high-lighting even small issues.

From a psychology perspective – prevention of security events is not a sign of weakness, but of resolute strength. Yes, prevention costs money. The larger the scope of the business, the more opportunities there are for security risks. The optimum (utopian) way to handle security is for the CEO to support fully efforts to secure the business from internal and external security threats. The sell from middle management is easier with full buy-in. Most companies I have worked for or consulted for have a “middle ground” where a security department exists, but was an afterthought of the business. Therefore they jockey for human resources, and funding for projects to secure vulnerabilities.

Michael Seese agrees that people are key to understanding security vulnerabilities

Just as Willie Sutton said that he robbed banks because “that’s where the money is,” attackers will go after end users because that’s where the valuable information is.

As security technologies continue to improve, attackers will focus on the weakest link: our people. The quick and cynical explanation is that people are more easily prone to being fooled by a scam or to become lax in following procedures than technology solutions.

People have emotions egos. They want to help, if they can, when asked. They don’t want to be yelled at. They trust. They get busy and they get stressed out. In some cases, they get greedy. But oftentimes, they simply don’t realize the value of what, to them, seems to be a trivial piece of information.

Gabriel Bar-Giora feels that psychology  is more important than the technology side of security but stresses the need for an integrated management approach

A company must integrate both aspects, getting managements to define and implement security policy, translated into budget and manpower and regulations, then – and only then – the product pieces will start falling into place – VA, DLP, DRP, HA etc.

Joe Peck is director of product management at Code Green  Networks and brings a perspective of a vendor selling DLP solutions in a tough economy  and competitive market space.

Most companies did not allocate 2009 budget for a DLP project. That’s neither a technology or a psychological constraint. It’s an issue  of having  budget for new requirements. Some customers have been able to use budget for email encryption or content filtering use it to purchase our data loss prevention solution. As awareness of information protection grows, I expect more companies to allocate 2010 budget explicitly for DLP.

The market is still pretty early. Many customers don’t know yet what DLP really is and how it fits into their security portfolio so there is a need for educating IT on the need for data-centric security as opposed to traditional system or network-centric security.

DLP is hot and the marketing hype has resulted in many vendors slapping a DLP label on their product and providing incomplete or even irrelevant solutions (e.g. device control solutions with no data inspection capability or email and web gateway solutions that can do keyword matches but will generate a false positive flood when an employee shops at Amazon).

Even with knowledgeable customers, some folks prefer not to be early adopters, they want to be a technology follower as a way of reducing risk. That has both a technology and psychological aspect to it.

Finally – data security crosses organizational boundaries – it’s not just the network security team. It often involves Legal, Compliance/Audit, the data owners, and the IT group. That slows down the evaluation, justification and purchasing process significantly. DLP is not a standalone IT solution.

John Martin, a security practice leader at IBM NZ reminds us that people are not machines, they need technology safeguards.

People cannot be trusted to make the right decision 100% of the time? Given the current economic recession, more cases of fraud emerge every day. Techniques such as DLP, can make up for the the human factor or re-enforce what is on the spur of the moment conveniently forgotten. Understanding the psychology assists us to appreciate the appropriate technological solution(s) from a risk management perspective and during the justification – business case.

Kyle Quest who works for Vericept reminds us that  human behavior is the main driving force behind most things in life, not just security, but he is pessimistic about a company’s ability to utilize security technology effectively.

Look at the GFC for example, Alan Greenspan thought that companies would follow logic and wouldn’t engage in risky financial activities… The results were not forecasted and have affected the entire world.

There is one key reason for data loss events: the checkbox mentality. “Need to have a firewall.. check that… now we safe”. Obviously, this is an oversimplification… This checkbox mentality creates an illusion of security. It all starts from the top. Executives don’t really care about data security. They’ll either ignore the issues or do just enough to get a piece of paper that says that they are secure. As a result, even when money is spent on the data security technology, customers don’t get anything useful ROI.

Data security is not even on the third place when it comes to running a business (yes, there are exceptions, but I’m talking about the majority of customers. The security process in the enterprises is broken. Marcus Ranum does a great job talking about this subject in his “Anatomy of Security Disasters“

Jerry Bell is a Technology strategist at IBM and believe that without the psychology in place, you cannot deliver the technology.

Done right, controls mitigate weakness, whether they are technological or people controls. No technology or “management support of security” platitude is going to reduce risk on it’s own. By definition, security is about making trade-offs that the organization must make based on their risk profile. The risk management part of managing a company starts with the CEO. Good CEO’s hire CIO/CSO’s that they trust to ensure that the business in soundly controlled. Other CEO’s hire CIO’s to simply keep the wheels from falling off the car.

If security is not a business priority after a presentation of the risks and possible securit ycountermeaures, there isn’t a lot to do. Keep good records of the discussions and risk assessments presented to use as defense to keep the job after a security breach happens.

Sadly, most companies don’t find religion around security (or disasater recovery) until bad things happen.

Richard Ryan – an independent security consultant notes that regardless of technology, the entire organization needs to have a culture of security.

It takes everyone working together to create a secure organization and then its only secure as its weakest link, which can be people, technology, or a combination of both.  The psychologies of some people are geared to take advantage of someone else’s weaknesses. For some reason, their desire to have more than someone else takes over, and the scheming starts, flaws are found, and security is breached.

Nicholas Key is an independent security consultant from the UK wishes that people could assured secure.

People are the first line of defence in security policy and normally overlooked. Although there is assurance and certification of security technology like C2 and Common Criteria, there is no facility which gives assurance that ‘our people’ have a first-class level of security awareness.

DineshBareja has yet to see a client who says – please go out and raise the awareness factor in my organization.

Usually the implementing team cobbles together a bunch of sad slides that are passed off as awareness programs for the purpose of compliance with the certification program. The will to spend on professionally designed programs which will be really effective is (sadly) very weak, and organizations are losing out on their security investment.

Outside the chemical and pharmaceutical industries, the cost of litigation far exceeds the benefits of patent protection. (See “Patent Failure, How judges, bureaucrats and lawyers put innovators at risk”, Bessen and Maurer, Princeton University Press, 2008 pages 130-156, “The cost of dispute”)

There are also many classes of assets not protected by patents: new products in R&D phases, manufacturing process recipes, internal financials and  information such as board of directors.This data  is typically shared by many people in the company as well as with outsiders: customers, ontractors and researchers. Typically protected by NDA (non-disclosure agreements),  a company can sue a person who leaks information, seeking damages. Even though the direct legal costs are high, the business costs of litigation for the company can be much higher, not to mention that you first you have to apprehend the discloser.  Information leaks require managers and researchers to spend their time producing documents, testifying, strategizing with lawyers and appearing in court.

In this respect – Data Loss Prevention (DLP) technologies are an ideal tool to monitor for abuse or theft of IP over the network by an employee or outside contractor/business partner. The ability to detect the information leak and produce the forensics not only mitigates the risk but also provides the data you will need if you do have a violation and have to go to court.

The reason that DLP is perfectly suited for the IP abuse monitoring role  stems from the fact that DLP is a data-centric security control, independent of users and rights management.  From this perspective – it doesn’t really matter if you implement a network DLP solution (like Fidelis Security Systems or Websense) or an agent DLP solution (like McAfee and Verdasys).  Like they say at Nike – Just do it!

Read more on data loss prevention solutions and by all means drop me a line and tell me what you think.

Data security is not one-size fits all.

For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure;  you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable.  On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data; you need an agent DLP solution.

How do you decide what is the DLP solution for your business?

Data security is the task of ensuring confidentiality and privacy, integrity and availability of the data you use to run your business.  It includes DLP, DRP, data retention and backup but the essence  of data security is it’s approach:  data security employs a direct data-centric approach as opposed to traditional IT security which focuses on protecting networks and systems or risk and compliance management which focuses on assuring processes and compliance to regulation.

The confidentiality and privacy component of data security is well-addressed by DLP (data loss prevention) technologies. Roughly divided into two kinds of products – there are agent DLP products from companies like Verdasys and McAfee and network DLP products from companies like Fidelis Security Systems and Symantec (formerly Vontu). At the beginning of 2009 – Websense introduced an integrated agent and network DLP product, and I’m expecting that Mcafee will release their integration with Reconnex sometime in H1 2010. It’s a bit too early to say if the integrated approach to DLP is the best of both worlds or the worst of both worlds – but that’s material for another discussion.

The question is not at all what DLP solution you should choose, but how DLP technology and data security practice fits into your business.
Consider that data loss prevention is a subset of the wider discipline of GRC – governance, risk and compliance.

Data loss prevention is a highly effective supplement to  patch management, server hardening, rights management and permissions. Being data-centric (as opposed to network-centric), a DLP data security countermeasure  mitigates multiple threat vectors from trusted insiders, malicious outsiders or business partners with access to line of business applications.

But TANSTAFFL – there is no free lunch.  Data security comes at a price because unlike servers, your data is everywhere. The price is that if you want to protect your company’s valuable data, you must be able to identify your data threat scenarios and valuate your data with a financial price tag.  With valuation – you will be able to justify an investment, and implement the right data security in an effective way.

Before valuating the data, you must first identify your key threat scenarios or use cases – in any company, there are no more than 3-5.  A threat scenario will be basically a verbal description of the threat, the data being attacked, the vulnerabilities that the threat exploits and the countemeasures that mitigate the vulnerabilities.

Here is a typical threat scenario:

Customer data loss
a)The asset is credit card data.
b)The company installs a Web-based reseller application that enables a reseller to take orders and enter them into the system. The software developer who wrote the Web application is not strong on software security and doesn’t encrypt the payment card transactions sent to the company’s ERP system. The vulnerability is transmission of payment cards in clear text to other system interfaces. The threat is an attacker that may be able to capture the clear-text payment cards by copying temporary files or sniffing data on the network (see the case of Hannaford supermarkets)

c)The data security countermeasures are:
Monitor for credit cards in clear text in the DMZ and on the network segment before the VPN.
Perform a software security assessment of the reseller application and require encryption of all credit transactions sent to external system interfaces (for example the ERP system and the payment processor).

One of my pet peeves with security vendors like Symantec, Vontu, Websense and Checkpoint is marketing collateral that totally disregards the basics of security – it’s like they hired an English major straight out of school and told them to start writing. Sensitive assets, confidential assets, proprietary assets – you can make a total mishmash as long as you mention compliance, SOX and HIPPA at least 3 times in the article.

Since the business situation, corporate culture and IT infrastructure of every company is different, we believe that it is incorrect to choose security countermeasures on the basis of product features – especially when vendors provide pseudo-risk-management justification for their offering – read Andrew Jaquith on the hamster wheel of pain

We submit that selection of security countermeasures requires measuring their effectiveness against a particular threat. Read  more about this revolutionary idea on Preventing intellectual property abuse and you’ll see exactly how to choose a security product using a practical threat model – visit Practical Threat Analysis and download the free software.