DLP remains high on the list of cybersecurity policies

Data loss prevention (DLP) has been a part of Internet security almost as long as the Internet has existed. Sometimes, though, it seems like old hat, a not very cool older uncle that is irrelevant in the face of other, sexier security solutions. But as recent high-profile events have shown, it still needs to be the focus for most organizations.

A breach at the giant retailer Target in late 2013 allowed attackers to steal millions of the company’s client credit card records. In the end, Target will pay hundreds of millions of dollars to banks to reissue credit cards, to upgrade its payment terminals, and to cover other costs. More damaging in the long run could be loss of customer confidence, something that has already cost the company’s chief executive his job.

Home Depot recently reported a similar breach, the cost of which is still unknown. Numerous less prominent breaches happen each year, and government agencies and organizations are by no means spared. Verizon, in its “2014 Data Breach Investigations Report,” ranked the public sector second on the list of industries with confirmed data losses in 2013, behind finance and ahead of retail.

The National Security Agency/Edward Snowden affair in 2013 is probably the biggest example of data loss from government, certainly since WikiLeaks. But there have been smaller though still significant breaches since then, such as an August 2014 breach of HealthCare.gov.

The reasons for government data loss are numerous, with Verizon tagging the catchall of “miscellaneous error” as the leader of all losses at 34 percent, followed by insider misuse at 24 percent and criminal malware at 21 percent. Attacks and threats have become more targeted in the past few years. In its “2014 Internet Security Threat Report,” Symantec said public administration has one of the highest risks of being targeted by spear phishing, at 3 to 1.

A number of products from companies such as Symantec are supposed to protect against data loss, but an effective solution requires several things to work in combination.

The SANS Institute, which publishes a list of 20 “Critical Security Controls,” says DLP is a comprehensive approach that covers people, processes and systems that identify and protect data in use (i.e., at the endpoint), in motion across the network and at rest in storage systems.

“DLP controls are based on policy, and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance,” the SANS report states.

In a recent survey of government organizations, SANS found that a majority had already adopted its controls as a basis for their security. Many agencies have also formally adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework, published in February 2014, which makes DLP one of its core concepts.

Two essential technologies are needed for any comprehensive DLP solution:

  • Data loss or leakage products and software that help monitor, manage and protect data by classifying it and matching access to it with user authorizations. These tools can also restrict such things as copying, printing or e-mailing of the data.
  • Encryption that prevents intercepted or stolen data from being read by users who aren’t authorized to have it.

A survey by the 1105 Public Sector Media Group found that agencies are also looking for other solutions to go along with DLP, including content filtering to control what content people can access, especially when delivering that content via the web, and content management that combines anti-virus, anti-spyware, anti-spam, web filtering, and information protection and control.

To be effective, respondents said, a DLP solution must look at all types of traffic, including e-mail, web traffic, file transfers and instant messaging. That same survey, however, pointed to the problems organizations have with deploying DLP. Only 18 percent of respondents said their organizations had already invested in DLP, while others said they were thinking of it.

But the changing information technology landscape may be forcing the issue. As agencies and other organizations push more of their data into the cloud, and as more uncertain environments such as bring-your-own-device (BYOD) programs proliferate, agencies will increasingly have to look to DLP as part of their underlying strategy for deploying these technologies.