By Khoo Boo Leong | Jun 25, 2009

Data loss prevention or DLP as we know it today is poised to embrace a broader, more strategic scope as organizations tap content analysis capabilities to address not only security concerns but also knowledge management (KM) and information governance needs.
“DLP is the next step in identity and access management (IAM) and we’re starting to hear terms like content-aware IAM which combines IAM and DLP,” said Gijo Mathew, vice-president of Data and Resource Protection Security Strategy at CA. “Unfortunately, the global view of DLP is basic and limited because the term DLP only describes one use case but not the technology’s potential for broader prevention of data misuse and abuse.”
Up till now, DLP has been predominantly a security-driven initiative entrenched in the security professionals’ world. When defining sensitive corporate data, these professionals readily include obvious information like employee social security and ID or customer credit card numbers.
But to business managers, less tangible information like intellectual property or sales and marketing intelligence is as important, if not more so. “Such information is much harder to find and analyze,” said Mathew. “As a result, the security professionals have mainly stuck to basic DLP [on employee or customer data].”
Beyond basics
“Yet, many organizations are moving beyond this basic level or what I’d call Phase 1 DLP to look at other types of information and a broader set of risks,” he added. “When you read about the cost of a breach to an organization, most of those studies are really only done around loss of customer or credit card information.”
Since breach notification laws in the US require any breach of personal information to be made public, research groups can easily quantify the cost of a breach as well as how much the company spends on remediation of a breach.
For example, according to the 2008 Ponemon Institute’s annual study on data breach costs, the average cost of a data breach increased from US$182 in 2006 to $197 in 2007 to $202 in 2008. The average total cost per reporting company per breach has grown from $6.3 million in 2007 to more than $6.6 million in 2008. Costs come in the form of lost business, legal ramifications, and rectification measures.
Even then, Mathew sees a bigger issue. “I would argue that losing competitive information or intellectual property costs more to the organization than losing customer data. The problem is that companies do not have to disclose intellectual property losses so it’s harder to get the metrics.”
To understand Mathew’s point on how DLP will evolve, businesses need to look at it as complete protection across different technologies from a data- or information-centric perspective.
“As an industry we call ourselves information security specialists but in reality, we don’t really secure information but we secure the infrastructure around the information,” he explained. “For the longest time, we’ve been trying to get closer to the data. We start with firewalls, then IAM programs, then better access management to get to the data.
“Now, with DLP, we can push policies down but with an understanding of what people are doing with data. We can make better decisions about roles and access privileges in the organization.”
Content analysis
But what is really exciting lies at the crux of DLP technology – the ability to do content analysis – which has uses beyond security. “I should be able to tag or index the content, retain it or manage it,” said Mathew. “Content analysis is the common link among DLP, information governance and knowledge management (KM) technologies. If my action is encryption, it is a security thing; tag for retention, it’s governance; store to repository, it’s KM.”
So, an organization may scan all repositories of information for security reasons but the same technique and tool can be used to push critical business information such as strategic plans and legal documents to knowledge management. All these hinge on the content analysis capability.
“If we can exploit this, we should be able to scan information or a piece of data once and determine the security implications, the knowledge requirements and the management requirements,” said Mathew.
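The scan-once idea described above, sketched as an added example that is not from the article or from CA's products: one content-analysis pass labels a document, and the labels drive security, governance and KM actions. The patterns, keyword lists, label names and action names are all assumptions made for illustration.

```python
import re

# Illustrative detectors; patterns, keywords and action names are assumptions.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = {
    "legal": ("privileged and confidential", "settlement agreement"),
    "strategy": ("strategic plan", "competitive analysis"),
}
# A single label can drive actions in more than one domain.
ACTIONS = {
    "card_number": [("security", "encrypt")],
    "ssn": [("security", "encrypt")],
    "legal": [("governance", "tag_for_retention")],
    "strategy": [("security", "encrypt"), ("km", "store_to_repository")],
}

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def analyze(text):
    """Scan the text once and return the set of content labels found."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("card_number")
    if SSN_RE.search(text):
        labels.add("ssn")
    lowered = text.lower()
    for label, phrases in KEYWORDS.items():
        if any(p in lowered for p in phrases):
            labels.add(label)
    return labels

def decide(text):
    """Turn one analysis pass into actions grouped by domain."""
    plan = {}
    for label in analyze(text):
        for domain, action in ACTIONS[label]:
            plan.setdefault(domain, set()).add(action)
    return plan

# Constructed sample documents (not real data).
CARD_DOC = "Billing note: card 4111 1111 1111 1111 kept on file."
PLAN_DOC = "DRAFT Strategic Plan 2010. Privileged and confidential."
if __name__ == "__main__":
    print(decide(CARD_DOC), decide(PLAN_DOC))
```

The Luhn check is what keeps order references and other long digit runs from being labelled as card numbers, the usual source of false positives in pattern-only scanning.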
Three layers
CA’s overall security architecture promotes the holistic approach to realize this vision. Its products and services span three major layers: Governance, control and audit. At the governance layer, it offers a Role & Compliance Manager, an acquired Eurekify product to help manage users’ roles and identities. That flows into application and infrastructure controls like OS and web access control as well as information controls where its DLP technologies come in.
“Our governance capability should be able to tell us what you can or cannot do [leading to policies in the control layer],” Mathew said. “Then, we can audit all the controls through a centralized layer. The feedback loop between control and audit technologies gives us deeper intelligence integration amongst all our products.
“For example, I could change attributes of the users and based on their changed identities, I change their application and infrastructure access which in turn change their access to data. Then, based on feedback from the audit, we can drive smarter processes and governance of the infrastructure.”
Three modes
From a DLP operations perspective, the technology manages three different data modes: data in motion, which is data traversing the network or in messaging servers; data at rest in repositories; and data at the end point on the laptop or desktop PC.
“At the end-point, we support Windows,” said Mathew. “For data at rest, we support any system that the DLP can map to, including SharePoint servers. For data in motion, I can look at any email, web or file transfer protocol. Organizations can implement one or more of these DLP modes depending on whether their priority is PCI compliance or email vulnerability.
“What we want people to do is think strategically then act tactically. People should be looking at what the DLP phase 2 issues are going to be.”