www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 June 2008  

Lead

Data leakage prevention

Data Leakage Prevention (DLP) has become a major area of concern for organizations across the globe, as M&A activity has birthed mega companies with more diverse workforces and greater employee turnover, increasing the risk of insider theft.

By Abhinav Singh

Recent times have seen an increase in the incidence of internal threats to organizations in every industry, while externally, hackers have changed their focus from attacking IT infrastructure to attacking an organization's data. Enterprise data has become the main attraction for hackers looking for monetary gain by stealing business-sensitive corporate information. To address the threat of data loss, organizations in every industry are adopting DLP solutions that help them prevent the loss of confidential enterprise data wherever it is stored or used. DLP solutions discover and protect sensitive data stored on file shares, Web servers, databases, laptops and other data repositories; monitor and prevent confidential data from being sent via e-mail, Web mail, instant messaging or other Internet communications; and stop it from being copied to USB drives, CD/DVDs or other removable media.

A beginning has been made: HDFC Bank and Wipro Technologies are using some elements of a DLP solution from Symantec. Additionally, Websense is running ten pilot projects for its DLP solution in India.

Fear of data leakage

Although the market for DLP is in a nascent stage and no proper estimates are available for the Indian DLP market, a lot of interest has been generated around this market. Surendra Singh, Regional Director India and SAARC, Websense said, “We have observed that customers are becoming paranoid about their data security and they are looking towards a comprehensive solution in safeguarding their organization against data losses and security breaches. We at Websense believe that let employees in an organization do whatever they want in the office premises but data should be protected at all times.” These days a large number of hackers are also moving towards acquiring data. Singh added, “Hackers and criminals have been able to acquire money from banks by hacking their passwords. They have also been able to acquire online bank loans by stealing customer’s social security numbers in the United States. DLP is mostly happening in the United States and Europe and the Indian market is new to this concept but it is an important development to watch out for.”

"Employees are sharing critical and sensitive company data through USB drives, through e-mail and FTP etc"

- Vishal Dhupar
Managing Director, Symantec India

"We have observed that customers are becoming paranoid about data security"

- Surendra Singh
Regional Director India and SAARC, Websense

A proper framework

Although the market is nascent, concerns about DLP exist even in India. Recently, during a seminar organized by Websense, CIOs paid close attention to the discussion of DLP. It was observed that security threats in a ‘connected world’ were bound to penetrate companies with ease and that there has been a rise in the incidence of data theft, both internal and external. There have also been accidental instances of data leakage and cases where it was the handiwork of a company’s own employees. It was emphasized during the discussion that, in order to be foolproof, a proper security culture had to be instilled and that employees should be trained in the basics of data security. The gathering agreed that such a step could play an important role in preventing instances of data leakage. Vishal Salvi, Senior Vice President and Chief Information Security Officer, Information Security Group, HDFC Bank said, “In a bank access controls for each and every transaction are required and need to be monitored regularly. Access to the Internet needs to be restricted to employees in order to make the organization more secure.”

Many organizations are also of the opinion that they should frame security policies that restrict their workforce from using the company’s IT infrastructure for personal use. Within organizations, employees have access to internal information and are accessing it through personal devices such as personal notebooks and PDAs. Many emphasized the need to subject their employees to physical checks on entry and exit. Satish Das, Chief Security Officer, Cognizant Technology Solutions, said, “End-point security has been a key issue and a challenge as more and more personal devices carried by employees are intruding into the workplace. There should be an alert mechanism in place in an organization to assess the level of data leakage that happens at any point. Thousands of employees in an organization have access to e-mail and there is always a risk as they can forward sensitive company-related information to outsiders.”

Concern about insider threats

In India, the recent trend in the DLP market has shown that organizations are increasingly interested in employee computer activity and are often more concerned about sensitive information leaving their premises than about people getting viruses through e-mail or using the Internet inappropriately. Firms have realized that it is absolutely crucial for organizations to avoid the malicious or inadvertent disclosure of sensitive data, such as personally identifiable or personal health information of employees and customers, intellectual property, trade secrets, marketing plans, legal documents, and other private information. The build out of a digital business to encompass outsourcers, partners, and offshore centers, combined with the motivation of increasingly sophisticated hackers and identity thieves, puts more sensitive information at greater risk than ever before.

There have also been concerns that traditional content security products no longer suffice and specialized solutions aimed at DLP should be implemented. In the past, protecting personal data like personally identifiable information (PII) and personal health information (PHI) had been key but today the protection of Intellectual Property (IP), trade secrets and other confidential data is at least an equal priority. With this development, data fingerprinting is no longer sufficient, and the market is seeking additional analysis capabilities.

Vishal Dhupar, Managing Director, Symantec India, highlighted the fact that there was movement in the workforce and said, “Employees are sharing critical and sensitive company data through USB drives, through e-mails or through the File Transfer Protocol (FTP) and the like. Controls should be in place to map and get a singular view as to what is happening to company data and systems, which are accessing this data. All this should be done with a holistic approach so that a comprehensive data protection policy can be framed. We help companies identify their areas of information risk and define the policies to mitigate those risks.”

Effective deployment of DLP

DLP technologies should be deployed on both the network and the desktop. To defend successfully against data and information leakage, DLP products must reside on the desktops of those who have access to highly sensitive information and monitor file transfers to and from peripherals such as USB drives; copying and pasting of information across applications; and the use of output channels such as printing and faxing. Context, in addition to content, is also critical for analysis and classification, and capturing full context requires a desktop agent. Network monitoring fills the gaps for users who pose less risk of information leaks and in partner/outsourcer environments where one cannot feasibly deploy a desktop agent. The network is also the more practical point for actions such as archiving and encryption, as these require interfacing with other IT systems.

DLP solutions possess the seeds of technology that can address more than just security challenges. They already perform certain functions, such as selective encryption and archiving, that extend their value beyond pure 'leak prevention' to broader secure information management. DLP can play a major role in information governance and life-cycle management by performing real-time classification of information as it is created or received and then applying policies, such as submitting the content to data archives, document management systems, collaboration environments like SharePoint, and ERM (E-Resource Management). As DLP expands its ability to classify data and apply broad policies beyond blocking, it will climb up the IT importance ladder.

Comprehensive policy a must

"Due to the mobile workforce there has been an increase in remote log-ins and employees are accessing corporate data remotely which calls for a comprehensive policy for data protection"

- Mahesh Gupta
Business Development Manager – Network Security Cisco, India & SAARC

Organizations have long felt the need to define a comprehensive security policy around data to counter data breaches. Data breaches are costly in financial terms, and also come at a price to the business’ reputation and customer confidence. Dhupar explains, “For any organization there should be a comprehensive policy towards DLP by which they can identify their areas of information risk and define the policies to mitigate those risks and implement, automate and monitor controls around those policies. The policy will also help define and provide a real-time mechanism to aggregate, correlate and analyze the behavior of different systems and applications in an organization.”

According to a recent IT Policy Compliance Group report, business losses for a reputed organization can be significant if a breach is reported. Benchmarks reveal that a business experiencing a publicly reported data loss can expect to see an 8% decline in customers and revenue, an 8% decline in the price per share for publicly traded firms, and additional expenses averaging $100 per lost customer record for firms that publicly disclose data losses and thefts.

Mahesh Gupta, Business Development Manager – Network Security, Cisco, India & SAARC, said, “Due to the mobile workforce there has been an increase in the remote log-ins and employees are accessing corporate data remotely which calls for a comprehensive policy for data protection. A proper data risk assessment activity has to be ensured that the corporate data in an organization is well protected and that it adheres to the security policies of that organization.” Organizations also need to define a comprehensive policy, classify data, and attach a sensitivity tag to crucial data in order to protect it. Gupta added, “Unless an organization understands what information is critical to it, closer risk assessment of security threats cannot be properly gauged and the change in application behavior will not be ascertained properly.”

A beginning has been made towards raising concerns about data protection. With an increase in digitization of data and the growth in the mobile workforce accessing sensitive data, DLP calls for much more attention both from vendors and organizations.

abhinav.singh@expressindia.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.