Friday, July 13, 2007

Data security and leakage prevention landscape

I've been focusing purely on this data security game for 2 months now (hence my lack of blog posts in June) so I thought it would be a good time to take a snapshot of my views. I didn't think it was appropriate to do it after a month because it was still too early for me to have an informed view of the marketplace and what the issues really are. At the 2 month mark, I've seen quite a few customers and am now able to understand what the typical use cases are, the varied approaches and attempts at solving the issue and how much demand there is in the market for solutions.

A few high level views I have of this space are as follows:
  • It's the Wild West - Everyone tries to solve the issue in different ways. This includes organisations trying to prevent data leakage and vendors trying to solve the issue with their solutions. The reason is because it's a very new area and everyone's just coming to grips with the enormity of the task at hand. As a result, there's many a vendor who claims to solve the data leakage problem, but most are point solutions and any organisation wanting to make a decent attempt at tackling the issue will either need to come up with a holistic approach and plug the gaps with the point solutions or purchase a product that does most of what is required and decide if they want to spend money on plugging whatever holes remain. This concept and landscape is nothing new of course. Every new type of issue exhibits this early stage characteristic and as maturity of the marketplace sets in, you inevitably see consolidation and more holistic and complete approaches. The most recent example is obviously the Identity and Access Management industry. Just look at how the large vendors built their product suites. Needless to say, I'm in the camp that says the most holistic approach is the way to go. Don't buy point solutions because a year or 2 from now, you'll find that the next version of the 10 different products you just bought will overlap like crazy and upon further analysis, you realise you only needed to spend half as much...and that's not including the integration costs you had to bear by trying to tie all the disparate products together.
  • Deja vu - Agents vs Agentless. Sounds frighteningly familiar. Identity and Access Management vendors had many a debate about the 2 approaches and which was actually better. Before that, it was the Systems Management bunch. It's the age old architectural and management simplicity vs visibility on the targets. In this case, it's the argument between having a network appliance watching network traffic between nodes and at the network perimeter and deploying agents at all relevant endpoints. If you monitor the network, you don't need to install anything on the endpoints. Problem is, you lose complete visibility once machines are no longer on the network. You are also blind to anything users do that doesn't involve the network (consider leakage via USB devices or CD burns). In the modern IT environment, there are too many mobile users that aren't on the network most of the time to ignore this as an issue. In trying to gain ease of deployment and management of the IT infrastructure, you lose security at the endpoint. On the other hand, placing agents on the endpoints means that your systems management and software distribution/asset management costs go up. There are more moving parts and it's yet another thing for the operations team to worry about. That is offset by the fact that you have visibility of your users regardless of whether they are on the network and whether they perform network operations. In this scenario, you are almost always protected (I'll explain the "almost" in the next point). I know which approach I'd rather take. In case I need to spell it out, consider that the concept that there is a perimeter around your organisation. It just isn't true anymore. You need to open up the network to do business. So just monitoring the network won't cut it. You need to place a virtual perimeter around your data to prevent it from going where it should not. This means you need agents.
  • It is almost impossible to stop someone If they REALLY want to steal something - It's simple. Take a picture. No agent will be able to stop that. Until the day where each monitor has a sensor that can sense when an image capturing device (e.g. a camera) is being used and feed it back to the operating system, this cannot be fully stopped. You can however, slow down the speed at which thieves can get at the data. They may still get what they need, but it'll take them quite a bit longer and by then, you have a good chance of catching them because any solution worth buying will be able to tell that someone is doing a lot of things they shouldn't be doing. For example, for someone to realise that there is a way around the system, they would have had to either have lots of inside information (in which case the problem is not technical, but social) or have tried many things on the system to figure out where the gaps are. All the attempts should be noticed and relevant administrators notified. What this does is buy you time to catch a thief. 1 out of 10 may still get away with it, but you've stopped the other 9.
  • It's an educational process - Most employees want to do the right thing. Problem is, most don't have time to read the 1000 page corporate data security policy. Putting measures in place can at least alert managers when employees do things they should not be doing or tell the users themselves. How many times have you emailed something to your home email account because it was the easiest way to get it there to work on it? Most people may think this is ok, but any experiences security professional will tell you that doing such a thing is probably a policy breach of some sort. If you just tell the users that are doing the wrong things that they should not be doing them, they'll usually stop. After all, who wants to get into trouble? Because of the lack of user education, many data leakage incidents are accidental. They don't know any better.
  • At the forefront of everyone’s mind – Almost everyone is at least thinking about data leakage and what they can do to address the issue (see my notes from Infosecurity Europe 2007 days 1, 2 and 3). This does not mean organisations have the budgets to implement anything yet. There are still many that are stuck in the 90s and busy playing with firewalls and anti-virus/spyware products and have not moved on to other activities because of budgetary constraints. That being said. even these organisations are thinking about data leakage. The media obviously has a lot to do with this sentiment in the market thanks to constant reports of major incidents in all sorts of institutions (TK Maxx anyone?) and the fines being dished out to the organisations due to their lack of appropriate measures. It’s a real issue. Organisations will inevitably have to address it one way or another. This is also not just limited to large companies anymore. We have the PCI data standards to thank for that. Compound this with the fact that people are also thinking about identity theft (not always caused by data leakage, but data leakage usually leads to identity theft) and everyone has a real compelling reason to act.
  • Not just about compliance – Sure this is a driver, but it’s not always the compelling reason. In fact, compliance as a justification for data leakage solutions is less common than most might think. Actually, I worry when a company wants to protect data simply because they have to be compliant (a good security department should not be driven only by compliance). More commonly, it’s about knowing what’s going on and just plain old good security best practice. Of course, there are those that use compliance as the official reason, but often that’s for budgetary reasons rather than any actual real business or technical reason.
  • A good leakage prevention solution enables business – Why has security always been so hard to justify when it comes to asking management for a budget? Because it’s not easy to show return on investment (ROI). Security is also seen as annoying. After all, it just stops people from doing work right? That’s exactly what a draconian security environment does. Productivity suffers because things are just difficult to do due to security measures put in place. With data leakage prevention, the ROI is a little easier. I’m not saying it’s easy, but it’s much more effective when you go to management and say “if we don’t protect our data, we get fined millions if a single piece of information gets out.” Also, wouldn’t it be nice if you could let people do slightly risky things to be more productive as long as there’s accountability? Traditional measures take an all or nothing approach. The main reason being the inability to track fined grained activities. Yes, it sounds like authorisation/entitlement management. Why? Because that’s exactly what it is, but using a data centric view instead of an identity centric one. If only you could monitor, control and react (if required) to all user activities when dealing with data. Controls could be loosened slightly.
So what issues are there to consider? How can these issues be addressed? How does one go about the journey down this path? That’s material for another day.

No comments: