By Adi Ruppin,
Data leakage incidents have become
increasingly visible in recent months, with the likes of the colossal WikiLeaks
incident, public posting of TSA screening manuals and many other events of the
same nature. Why is this? It is in no small part due to the fact that sharing
of data and collaboration has become a must in today’s increasingly mobile and
global world. The challenge is that some documents have to be shared and some
must be kept confined within the organization’s boundaries. Today’s various data loss prevention (DLP)
and content security solutions do not address these requirements of this more
complex world in which we live.
Let’s further define the problem;
organizations need to make sure documents are easily accessible by their
authorized recipients and yet do not leak out and get into the wrong hands. In
a single organization, there might be some documents designated for viewing
only by human resources, others for finance and legal, and still others for
partners only. The collaboration needs
of these various parties bar an organization from the option of indiscriminately
blocking all documents from leaving the company or encrypting them on a hard
drive. These are not viable DLP
strategies. Most organizations’ goals
include protecting documents throughout their lifecycles, wherever they may
reside. Perhaps DLP should stand for “data lifecycle protection,” which is the
real holy grail for which enterprises are searching.
Neil MacDonald, a vice president and fellow
at Gartner, recently wrote that data lifecycle protection is a more
accurate term for describing the real problem in data leakage. He said:
Data protection is the process of identifying and
understanding where and how sensitive information is created, consumed,
processed, moved, shared, stored and retired and protecting it throughout this
There are a myriad of security controls and policy
enforcement points that map to this process: full drive encryption, file/folder
encryption, content monitoring and filtering at email and web security
gateways, application-level encryption, end-user activity monitoring, sensitive
data discovery tools, digital rights management, … and, yes, sure (why not?) –
even an IPS or AV scanner that is programmed to look for sensitive data.
might also add to this list the ability of the data owner to deny or assign
permissions for copying, printing and forwarding files, as well as the
visibility to track documents and determine who views them.
Generation DLP and DRM Fail to Solve the Problem
Traditional DLP can only look at documents
and decide whether they can go out or not. It’s a binary process. However,
today’s world is not a binary one. And neither are most businesses. Even worse,
it is exceedingly hard for any IT professional to define a policy that accurately
describes the enterprise requirements, without generating an unreasonable
amount of “false positives”. As a
result, many DLP deployments fail or never get started seriously.
Finally, there’s the question of what happens
to the data once it is distributed. A DLP solution obviously does not
address this issue. But once data has left an organization, nothing prevents
the recipients from forwarding it to unauthorized users or saving it onto their
thumb drives. This is why the term data lifecycle protection is so important,
and is the only comprehensive solution to the problem of information leakage.
Let’s also take a quick look at legacy
digital rights management (DRM) solutions. There is a great deal of confusion
in the market about DLP, DRM and other forms of data security. Legacy DRM,
which makes sense architecturally, embeds security within the documents as they
move around, but still has serious drawbacks. First and foremost, like DLP,
it’s mostly built for protecting data inside an
organization and is difficult to use in the context of external sharing and
collaboration. Second, it’s cumbersome to deploy and use.
Critical Concern For Executives
In a recent survey of C-level executives and IT professionals
in pharmaceutical, healthcare, semiconductor, software, insurance and IT
organizations, many respondents pointed to document security as a top concern, yet
the actions these decision makers reported taking to combat leaks were mainly
flawed or incomplete.
Sixty-five percent of those who responded to
the survey reported that they share sensitive data, and more than 50 percent
said they do so on a regular basis. That
need to collaborate seemed to weigh heavily on their minds. Among the respondents to the survey:
- Ninety-six percent said they are concerned or extremely concerned
about data getting into the wrong hands.
- One in three admitted to having had at least one incident when
- Eighty-five percent said these leaks had not occurred due to
- Eighty-three percent ranked document and intellectual property
security as veryimportant, ahead of anti-virus and network security.
- Only 12 percent reported use of DLP or DRM.
Of course, current approaches to DRM and DLP,
at least under its “data loss prevention” definition, would not solve the root
problem at the core of executives’ valid concerns about data leaks. To get document security right, it will take
a new paradigm that retains the effective elements of DLP, DRM and other
technologies to come up with the new DLP
that solves the rights problem: document lifecycle protection.
Adi Ruppin is vice president
of marketing for WatchDox (www.WatchDox.com), a software-as-a-service (SaaS)
solution that enables the confidential sharing of important or sensitive
documents in an easy and secure way.
Only registered users can write comments.
Please login or register.