Data Loss Prevention – What’s the Problem?

In the last few weeks I have talked with several customers about their data loss prevention initiatives. It seems that most of the programs are focused on inadvertent data loss. These are issues such as employees sending spreadsheets containing PII to their Gmail account so they can be productive at home (a VPN is such a hassle). Another example is even more basic: sending email containing PII in the clear to business associates.
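To make the two scenarios above concrete, here is the kind of content-inspection rule a DLP gateway applies to outbound mail. This is an added example written for this post, not code from Redspin or from any of the DLP products mentioned; the message layout, the domain lists, the bulk threshold and the allow/encrypt/block policy are all assumptions chosen for illustration, and the three sample messages are constructed.

```python
"""Minimal outbound-mail DLP check (added example, not a vendor's or Redspin's code).

Assumptions (constructed for this example, not taken from the post):
 - a message is a dict with 'from', 'to', 'subject', 'body', 'attachments'
 - attachments are (filename, extracted_text) tuples; a real gateway would
   parse xlsx/docx/pdf first, here the text is already extracted
 - INTERNAL_DOMAINS / PERSONAL_WEBMAIL / BULK_THRESHOLD encode a hypothetical policy
"""
import re

INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
BULK_THRESHOLD = 10  # this many PII hits leaving the org is treated as a bulk export

# US SSN: area not 000/666/9xx, group not 00, serial not 0000 (cuts obvious false positives)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn-checked below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (ticket and order numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII indicators in one text blob (subject, body or attachment text)."""
    ssns = SSN_RE.findall(text)
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": len(ssns), "card": len(cards)}


def evaluate(msg: dict) -> dict:
    """Classify one outbound message and return the verdict with its evidence."""
    domain = lambda addr: addr.split("@")[-1].lower()
    external = [a for a in msg["to"] if domain(a) not in INTERNAL_DOMAINS]
    webmail = [a for a in external if domain(a) in PERSONAL_WEBMAIL]

    parts = [msg.get("subject", ""), msg.get("body", "")]
    parts += [text for _name, text in msg.get("attachments", [])]
    hits = {"ssn": 0, "card": 0}
    for part in parts:
        found = find_pii(part)
        hits["ssn"] += found["ssn"]
        hits["card"] += found["card"]
    total = hits["ssn"] + hits["card"]

    if total == 0 or not external:
        verdict = "allow"      # no PII, or PII staying inside the organisation
    elif webmail or total >= BULK_THRESHOLD:
        verdict = "block"      # personal webmail, or a bulk export of PII
    else:
        verdict = "encrypt"    # business partner: route via encrypted delivery and log it
    return {"verdict": verdict, "hits": hits, "external": external, "webmail": webmail}


# Constructed sample traffic, not real mail: the two scenarios from the post plus a benign one.
SAMPLE_MESSAGES = [
    {"from": "analyst@example.com", "to": ["analyst.home@gmail.com"],
     "subject": "take-home work", "body": "see attached",
     "attachments": [("customers.csv", "name,ssn\nAda,123-45-6789\nBob,456-78-9012\n")]},
    {"from": "billing@example.com", "to": ["ap@partner.example.net"],
     "subject": "card on file", "body": "card 4111 1111 1111 1111 exp 12/29",
     "attachments": []},
    {"from": "it@example.com", "to": ["alice@example.com"],
     "subject": "order", "body": "ticket 4111 1111 1111 1112",
     "attachments": []},
]


def run_samples() -> list:
    """Verdicts for the constructed messages, in order."""
    return [evaluate(m)["verdict"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{msg['from']} -> {msg['to']}: {verdict}")
```

The spreadsheet bound for Gmail is blocked, the card number sent in the clear to a partner is diverted to encrypted delivery rather than blocked, and the internal ticket number passes because it fails the Luhn check. Note what the rule does not do: it says nothing about who the sender really is, which is exactly the gap with credential-stealing attackers raised later in the post.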

What I have heard from customers is that they are deploying DLP systems from companies like Symantec (Vontu), EMC/RSA (Tablus) and Intel/McAfee (Reconnex) to solve these problems. It strikes me that these systems are expensive, both to acquire and to operate, and heavyweight solutions to a problem that might be better addressed through additional investment in security awareness training.

The other issue I have is that most of these systems seem to have been deployed for compliance purposes, in the hope that they will satisfy some regulatory criterion (look at the money we are spending, we must be addressing the problem). Yet, most often, not enough planning is done around the supporting workflow and security processes. As a result, these systems tend to address a fairly narrow information protection requirement and lack integration with other security systems and processes. One has to wonder why DLP isn't more tightly integrated with rights management systems, SIEM, identity and access management systems, even GRC.

But the real problem, as I see it, is that the DLP vendor community hasn't addressed the most important areas. While the number of incidents associated with inadvertent PII loss is high, their dollar value isn't that significant. The bigger problem is malicious insiders and skilled attack teams (which look like malicious insiders, since they compromise users and steal credentials). The volume of incidents in this space is low, but the dollar impact is very high. Addressing it requires an investment in security processes and skilled people, not just content-inspection tooling.

About Redspin – http://www.redspin.com

Redspin delivers the highest quality Information Security Assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in areas such as healthcare, financial services and hotels, casinos and resorts as well as retailers and technology providers. Some of the largest communications providers and commercial banks rely upon Redspin to provide an effective technical solution tailored to their business context, allowing them to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios.
