By Ellen Messmer
Though data-loss prevention gear is proving a boon for corporate security, its "see all, know all" style of content monitoring can cast a harsh glare on business practices and legal issues that end up putting IT staff on the spot.
DLP content-monitoring equipment often gets rave reviews from security managers deploying it because it can give them a view they never had before into their organization's daily business communications. It may present the big picture, zeroing in on where sensitive data slipped out and who did the deed. But chief security officers with months of DLP experience caution all this newfound knowledge can be disruptive, spotlighting internal data-management practices that incite concern about possible regulatory violations.
"You move from ignorance to compliance jeopardy," acknowledged Tony Spinelli, senior vice president of information security at credit information services firm Equifax, describing one impact that deploying DLP -- in this case, the Symantec Vontu equipment -- made at his firm. "A lot of regulations say when you know what's leaving your network, you have to disclose that."
Spinelli, who spoke on a panel at last month's RSA Conference in the US on the topic, said in spite of the initial disruption caused by finding out about internal business data practices that had to be fixed, Equifax is now so accustomed to DLP content-monitoring that it's now considered just part of the security "hygiene," he said.
DLP also has played a role in bringing together the human resources, legal and security groups at Equifax to coordinate content-monitoring policy, he added.
Two other security managers who joined Spinelli at the RSA panel to discuss DLP also cited its disruptive influence.
"How do you look at your data, know your data and understand what you have? We never had tools to tell us what was happening and we relied on anecdotal evidence or audits to find out," said Patrick Lefemine, chief information security officer at US-based Lincoln Financial Group, another Vontu user.
Lefemine acknowledged the initial piloted use of DLP "scared the hell" out of both management and IT staff, especially the time it spotted the CEO's salary, Social Security Number and home address being inadvertently transmitted. "That got us the funding for this project," he added.
Lefemine said one of the toughest realizations imparted by the hard wisdom of DLP was the need to stop the sharing of even a single unencrypted Social Security Number with business partners -- a demand pressed by Lincoln Financial Group's audit department after it discovered how powerful DLP was in monitoring content.
The third panel speaker, Rhonda MacLean, global information security officer at Barclays Bank, said use of the Vontu DLP highlighted the difficulty of conforming to the many cross-border data-flow regulations of Europe and elsewhere.
"The problem has gotten more complex," she said, noting Barclays Bank operates in 67 countries. "One incident could [set in motion] regulation dominoes." Though DLP can shed more light than you might like on corporate data practices, she commented, it does offer "a source for truth for data" so that needed changes can be made.
MacLean said one drawback Barclays has noticed in its DLP installation is that it's "CPU-intensive" and might impact some real-time communications. But she also noted DLP's broader capabilities are only beginning to be explored as a tool to monitor how business partners, such as outsourcing firms or call centers, treat sensitive data that's shared. "You have to be able to put in your own castle walls with your business partners," she said.
The range of host- and network-based content-monitoring products (also sometimes called "data-leak prevention" or "data-loss protection") is growing.
MedStar Health, which operates hospitals in the Washington, DC area, two years ago almost deployed the solution gear in its Maryland data center area to make sure that no patient healthcare data covered under the federal Health Insurance Portability and Accountability Act would leak.
But according to Ron Baklarz, the former director of information systems there (and now Amtrak's chief information systems officer), DLP turned out to be a general education tool about what people were doing. Sometimes that meant finding out that employees were doing things online that had to be stopped, such as downloading pornography.
Getting the attention of legal staff or others on the business side wasn't always easy in terms of DLP, said Baklarz, but probably the best approach he found was to set them up with a log-in to the console so they could see what was going on. "You need to partner with them on compliance," said Baklarz, noting the business people need to be active participants in data monitoring, not leaving it to the IT department.
"People once used to think what you don't know won't hurt you, but what you don't know will hurt you,' said Baklarz, adding he found DLP so important, he plans to bring it into Amtrak for use there, too.