For information that has not been classified, or that does not reside in known information stores, a DLP solution can be employed. As the DLP solution detects critical content, that content can be properly classified, moved to the appropriate information store and brought under enterprise DRM policy and governance.
The last element of any information and data protection program is to employ encryption on all high-risk devices in the enterprise, which typically means laptops and mobile devices. It is important to identify every type of information in the enterprise that may not be subject to the DRM solution, or that by its nature is not detectable by the DLP solution at some point in its life cycle.
Those are the areas that require traditional encryption solutions. An example of this type of information is data received in batch transmissions from customers for processing or analysis, which enters the environment unencrypted because the customer prefers it that way. Once that data is on your organization's systems, your organization may be responsible for it unless specific language in a legal agreement states otherwise. As this data passes through an organization, the source data is often unclassified and only the output of the processing or analysis is classified. This makes encryption an obvious requirement for every place this data might end up. A combination of full disk and volume encryption on laptops, file servers and mobile devices will provide maximum protection for this type of information.
Used in combination with good user awareness and training and with appropriate policy and process, these solutions form a well thought out approach to reducing the risk of information and data leakage, resulting in a set of reasonable controls against these risk areas.
In summary there are several things that drive the need for protecting information and data in addition to infrastructure:
- The change in mentality and motives of hackers and cyber criminals.
- The realization that it is the information and not just the infrastructure that needs to be protected.
- The increase in a technologically savvy workforce that uses every conceivable tool and utility to bolster its productivity and connectivity to others at work, at home or on the road.
- The intentional breakdown of enterprise perimeters and the increased collaboration between partners, customers and suppliers.
- The ever increasing regulatory pressure to manage the information and data that exists within an organization.
Achieving a reasonable level of information and data protection requires that the following are in place within an organization:
- A work force that understands the importance of the various types of information and data in the enterprise;
- Consequences for the individual and the organization for the misuse of this information;
- Understanding all of the information egress vectors that exist in a given enterprise;
- Developing the proper controls to address the information egress vectors that have been identified; and
- Implementing the proper technology solutions to monitor and enforce those controls over time.
The basic elements of a data leakage prevention program consist of:
- A data classification policy
- A user training and awareness program
- Inclusion of security in general and data leakage/protection of critical information in employee policy acknowledgements and as individual performance objectives
- A mature identity infrastructure
- A Digital Rights Management (DRM) Solution
- A Data Leakage Prevention (DLP) Solution
- Encryption on targeted devices based on risk
- A mature incident response capability
Many organizations already have at least some of these elements in place at some level of functionality. Based on an organization's risk tolerance, consideration should be given to adding the missing elements to any long-term security strategy.
Jason Stradley is a senior security consultant for BT, providing executive-level strategic security and business consulting to Fortune 500 clients. He can be reached at firstname.lastname@example.org or by phone at (630) 525-1834.