Jun 18 2009

Plugging Leaks

Data leak prevention technology inspects outbound content to keep sensitive data from escaping the network.

An employee sends an unencrypted e-mail that contains sensitive information. Another downloads private data onto a USB storage device that he later loses. Yet another has a notebook stolen from his home. These are but three examples of a growing problem that data leak prevention technology seeks to address.

Although DLP technology is still emerging, large security manufacturers that recognize its promise have made a spate of acquisitions. WebSense and McAfee kicked off the buying spree in late 2006, acquiring PortAuthority and Onigma, respectively. More recently, RSA, the security division of EMC, landed Tablus; Trend Micro grabbed up Provilla; and Symantec acquired Vontu.

The manufacturers have integrated these DLP products to varying degrees with their larger security suites. Although the technical approach of DLP products varies, the technology is evolving into a network appliance that monitors all outbound communications, inspects them for sensitive data and enforces data policies.

Meanwhile, client-side technology applies policies to removable storage devices and media. The most advanced DLP suites from companies such as Symantec and WebSense can discover, analyze and classify such data, using techniques such as data fingerprinting, lexical analysis, partial document matching and statistical analysis.

Once set, policies can be applied to data as it flows through and out of the organization (data in motion) and also as it is stored (data at rest) and manipulated in-house (data in use).
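As an added illustration (not code from the article or from any vendor it names), here is a minimal Python sketch of two of the techniques listed above, data fingerprinting with partial document matching and lexical analysis, applied to outbound messages; the protected document, the patterns and the 20 percent threshold are constructed for the example.

```python
import hashlib
import re

# Constructed sample of a protected internal document (hypothetical text,
# not from the article); the policy stores only its fingerprints.
PROTECTED_DOC = (
    "Lake Forest payroll summary for fiscal year. Employee salary bands "
    "are confidential and must not leave the finance department. "
    "Contact the city treasurer for approved disclosures only."
)

# Lexical analysis: shapes of data that are sensitive whatever document
# they came from (US SSN and 16-digit card-style numbers).
LEXICAL_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def fingerprint(text, n=5):
    """Data fingerprinting: hash every window of n words, so a document is
    kept as a set of digests rather than as its verbatim content."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + n]).encode()).hexdigest()
        for i in range(len(words) - n + 1)
    }


def inspect_outbound(message, protected_fp, n=5, threshold=0.2):
    """Return the findings a DLP gateway would raise for one outbound message.

    'lexical' lists pattern hits; 'match_ratio' is the share of the
    protected document's fingerprints found in the message (partial
    document matching), so an excerpt triggers without a full copy."""
    lexical = sorted(name for name, rx in LEXICAL_RULES.items()
                     if rx.search(message))
    if protected_fp:
        ratio = len(fingerprint(message, n) & protected_fp) / len(protected_fp)
    else:
        ratio = 0.0
    return {
        "lexical": lexical,
        "match_ratio": round(ratio, 3),
        "block": bool(lexical) or ratio >= threshold,
    }
```

A short quote of the protected text stays under the threshold while a whole paragraph is blocked, which is the trade-off a real policy tunes per document class.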

At least that’s the premise of DLP technology. Today, the reality is more modest: Organizations across levels of government have specific risks they must address before fully engaging in discovery and the creation of multiple policies.

USB Approval

The city of Lake Forest, Ill., is a case in point. “We had unauthorized USB devices all over the place,” says Joe Gabanski, network administrator for the city. With 350 end users and approximately 500 end points to consider, Gabanski and his IT staff needed a way to keep track of devices coming into the network and what information was leaving on them each night.

“We didn’t want to prohibit USB storage devices altogether. The good thing about them is that they’re cheap, they hold lots of data, and they’re convenient for end users,” Gabanski says. “From a security standpoint, the trouble is that they’re cheap, they hold lots of data, and they’re convenient for end users.”

Lake Forest compromised by deploying Lumension Security’s Sanctuary Device Control on PCs and notebooks. This software automates the oversight of USB devices by monitoring and controlling the peripheral devices that can connect to each end point, while enforcing data use policies managed by a central server. IT must now approve USB devices that connect to a system. In other words, removable storage is welcomed, while portable music players are not.

Next, Sanctuary applies policies when users add or remove devices. Data must be encrypted and access is password-protected. “Once a device is approved, that doesn’t mean it escapes our notice. Sanctuary’s logging features show us exactly what data is transferred to and from the device,” Gabanski says. “This ensures that removable storage media is limited to appropriate city business only.”

While Lake Forest intends to adopt additional DLP features in the future, such as e-mail encryption, IT started small and addressed its most immediate concern. Sanctuary Device Control is priced at $25 per user, with volume discounts available.

“The step-by-step approach makes sense,” says Jon Oltsik, senior analyst for information security for the Enterprise Strategy Group in Milford, Mass. DLP tools currently available are good at making sure that organizations aren’t releasing sensitive data openly. What they do less well is analyze volumes of data stored in disparate applications. “When it comes to determining exactly what data is floating around the enterprise, classifying it, and then figuring out who is using it and for what purposes, the technology has a long way to go,” he says.