Aug 03 2011

Plugging the Leaks

With broader use of DLP, agencies make the move toward complete network protection.

As well-publicized leaks continue to compromise networks, privacy and classified information, data loss prevention has become serious business for agencies.

IT teams find that taking a step-by-step approach helps tackle ever-changing cyberthreats and meet government compliance goals and regulations. That's certainly true for Dan Galik, chief information security officer at the Health and Human Services Department.

"No one can go it alone in this area," he says. "The challenges are so complex, and everybody needs help."

Galik is part of the HHS team that created the department's Computer Security Incident Response Center (CSIRC), which serves all component agencies from a facility located on the Centers for Disease Control and Prevention's Atlanta campus.

When the center began overhauling the department's security infrastructure, HHS bought a number of products: HP Tipping Point for intrusion protection and Websense for web filtering and malware detection, as well as incident management and network monitoring tools.

Despite these efforts, full DLP remains in the future, says Galik. "Each of those things are new technology, and you can absorb only so much technology at once," he says.

Organizations that have experienced a data loss in the past year

No. 2: Where securing all fixed and mobile endpoints ranks among organizations' 2011 security priorities

SOURCE: "Understanding Security Complexity in 21st Century IT Environments" (Check Point Software Technologies–Ponemon Institute survey of 2,426 IT practitioners, February 2011)

What makes DLP different from other security applications, says Eric Ouellet, research vice president at Gartner, is that it's content-aware. DLP products look at the data leaving an agency's network and can find sensitive or confidential information, whether it's in an e-mail, on a USB drive or notebook computer, or at some other location. Then, DLP can take action, such as quarantining data, encrypting it (with the help of an encryption tool), or blocking data and notifying the sender of the breach. DLP tools can also help classify data and monitor and report on its movements. They can protect data wherever it is, even if the file type changes, Ouellet says.

Micro and Macro Approaches

The U.S. Mint started using DLP earlier this year, says Goutam Kundu, the agency's CIO. The Mint implemented the tools to comply with White House mandates and to make sure that personally identifiable information processed by the agency is protected. Kundu found that a thorough pilot and a prototyping phase were key to success in rolling out DLP.

"Our approach has been client-based," he says. "We use an agent with pop-up warnings." This not only protects data but also helps users become more aware of security, he says.

Another approach to DLP focuses on the gateways of an organization's network. "If you want to deploy with no impact on users, the perimeter approach is great," Ouellet says. That means that DLP will monitor only activities related to what's leaving the network. This approach also eliminates the need to train users or install software on their machines. But for monitoring USB drives, CD drives or copy and paste functions, for example, a client-based approach is necessary to keep an eye on local data.

One major value that DLP brings is in educating users about potentially risky behavior, Ouellet adds. "DLP can be used for training individuals based on their daily actions," he says.

For example, DLP can be a reminder or a help tool each time a user tries to post on Facebook or share a file externally. The software can bring up notifications if a user tries to do something against policy, or can ask for a justification to be entered before the user completes the action.
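The two ideas the article has described so far, content-aware inspection of data leaving the network (quarantine, block, notify) and the difference between a perimeter deployment, which only sees network egress, and a client agent, which also sees USB, CD and clipboard activity and can prompt the user for a justification, can be shown together in a small policy engine. The following is an added illustration written for this page, not code from any DLP product mentioned in the article. The detectors (an SSN pattern, a Luhn-validated card-number pattern and a hypothetical "CONFIDENTIAL" label), the channel names, the severity-to-action mapping and the sample events are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# --- Content detectors (constructed for this example; a real product ships far richer ones) ---
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits with optional separators
MARK_RE = re.compile(r"\bCONFIDENTIAL\b")            # hypothetical classification label


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects digit runs that merely look like card numbers (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(s: str) -> str:
    """Keep only the last four characters, so a user notification never re-exposes the secret."""
    return "*" * (len(s) - 4) + s[-4:]


@dataclass
class Finding:
    kind: str
    severity: str   # "high" or "medium"
    excerpt: str    # masked, safe to display


def scan(text: str) -> list:
    """Content-aware inspection: what sensitive data is in this outbound content?"""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "high", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = "".join(ch for ch in m.group() if ch.isdigit())
        if luhn_ok(digits):
            findings.append(Finding("card", "high", mask(digits)))
    if MARK_RE.search(text):
        findings.append(Finding("marked_confidential", "medium", "CONFIDENTIAL"))
    return findings


# --- Deployment modes: what each approach can observe (assumed channel names) ---
GATEWAY_VISIBLE = {"email", "web_upload"}                       # perimeter DLP: network egress only
ENDPOINT_VISIBLE = GATEWAY_VISIBLE | {"usb", "cd", "clipboard"}  # agent adds local channels


@dataclass
class Decision:
    action: str                    # allow | justify | block | not_monitored
    findings: list = field(default_factory=list)
    message: str = ""


def decide(channel: str, text: str, mode: str = "endpoint") -> Decision:
    """Map findings to an action; high severity blocks and notifies, medium asks for a justification."""
    visible = ENDPOINT_VISIBLE if mode == "endpoint" else GATEWAY_VISIBLE
    if channel not in visible:
        return Decision("not_monitored", message=f"{mode} deployment cannot see channel '{channel}'")
    findings = scan(text)
    if not findings:
        return Decision("allow", findings)
    if any(f.severity == "high" for f in findings):
        what = ", ".join(f"{f.kind} ({f.excerpt})" for f in findings)
        return Decision("block", findings, f"Blocked: sensitive data detected on {channel}: {what}")
    return Decision("justify", findings, "Enter a justification before this content leaves the network")


if __name__ == "__main__":
    # Constructed sample events, not real traffic: (channel, content, deployment mode)
    EVENTS = [
        ("email", "Attaching the claim form, SSN 123-45-6789", "gateway"),
        ("usb", "card on file: 4111 1111 1111 1111", "gateway"),
        ("usb", "card on file: 4111 1111 1111 1111", "endpoint"),
        ("web_upload", "Draft budget - CONFIDENTIAL - do not distribute", "endpoint"),
        ("email", "Lunch at noon?", "gateway"),
    ]
    for channel, text, mode in EVENTS:
        d = decide(channel, text, mode)
        print(f"[{mode:8}] {channel:10} -> {d.action:13} {d.message}")
```

Running the script shows the trade-off Ouellet describes: the same card number on a USB drive is invisible to the gateway deployment but blocked by the endpoint agent, while a label-only finding produces the justification prompt rather than a hard block. Excerpts in notifications are masked so that the warning itself does not become another leak.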

Many data loss episodes are "oops" moments, Ouellet says, rather than malicious or intentional breaches. "Lots of times, people are rushed to finish something, and they send e-mail or share files inappropriately" without meaning to, he says.

From All Sides

At the Department of the Navy, HP has begun an initial analysis of DLP products for the Navy Marine Corps Intranet, but the service doesn't yet have formal requirements or funding in place for the tools. Part of the service's information assurance drive over the past few years included a focus on data at rest. It deployed a Symantec encryption product for full-disk encryption for hard drives, plus removable storage encryption for notebooks and desktops.

To learn DLP tips and also why NASA is planning to adopt DLP, go to fedtechmagazine.com/

The Navy has taken other security steps with device control, deploying a McAfee host-based security system suite. These applications monitor and detect known cyberthreats and monitor external drives connecting to workstations, including the type of device, to ensure they are authorized.

Security in Numbers

HHS' Galik recommends a team approach to security in today's environment. Working with other component organizations, along with the Homeland Security Department and intelligence community experts, was essential to CSIRC's success, and has helped HHS on its path to total security and loss prevention.

"Being able to rapidly respond and talk through what we're seeing is definitely a team effort," Galik says. "Partnerships are the only way we'll be successful in the never-ending battle of computer security."

Photo: Randall Scott