Three Pillars of Internal Data Security
Data Loss Prevention (DLP), Information Rights Management (IRM) and Data Classification are three interlinked aspects of data security. Many implementations fail for reasons that have nothing to do with the technology: the technologies are tools that support a process, not the process itself, and that distinction is often not understood.
In my experience, dealing with these technologies, their vendors and their end users has given me an insightful perspective on how and why attempts to introduce what I term a “secure data workflow” fail, and I would like to share this in a series of articles. Before I explain how and why the process fails, I would like to define, in simple terms, what each of these technologies is and what its primary objective is.
DATA LOSS PREVENTION (DLP)
Data Loss/Leakage Prevention is a term used to describe many different types of solution. Endpoint DLP, Network DLP, Mobile DLP and Email DLP are all terms, and to a degree gimmicks, used to market the different solutions available.
However, the primary objective of a DLP solution should be ensuring that end users are not able to transfer, without authorisation, data that is sensitive to the organisation, or in many cases any data at all. DLP, in my opinion, must therefore be broken down into two categories of transfer.
Transfers to physical storage devices, usually governed by what is referred to as Device Control, are perhaps the most basic and necessary form of DLP that organisations should have. Device Control reduces the ability of large amounts of data to leave the organisation on unsanctioned USB sticks, writable DVDs, mobile phones and even memory cards.
This drastically reduces the surface area for “data loss”, since individuals either use such devices to abuse data for monetary or business benefit, or lose and misplace them, and both can cause significant harm to corporations. I feel that this is the first step of DLP that has to be taken.
The second aspect of DLP is what is known as Content Aware DLP. This is the “smarter” section of DLP. Content Aware DLP uses technology to implement data loss policies that block or monitor data which is contraband or sensitive to the organisation. This could be personal data, financial data, intellectual property, business plans and much more. Content Aware technology can be applied to applications, devices, file transfer tools and even email gateways. The objective of this form of DLP is to inspect content and, based on policy, decide whether it is suitable to leave the endpoint.
DATA CLASSIFICATION
Data Classification started off as a digital enhancement to an age-old process: stamping physical documents with a classification level so that the way those documents are handled can be defined. However, data classification in the digital world has more power and value.
Data classification now provides a platform on which users, IT administrators and security staff can assign a tangible value to data. What that value means differs from organisation to organisation, but in essence it gives users the ability to get involved in the process of securing the data by deciding what is important.
Be it manual or automatic classification, Data Classification now provides a platform for inclusive data security that involves the people who understand the data: its creators, the end users. Data Classification gives security teams and end users a common language. It is now a basic tool even in the protection of personal data.
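As an added example that is not part of the original article: a small Python model of the content-aware inspection described under DLP above (inspect content, then block, monitor or allow based on policy), driven by automatic classification as described here (the label a document earns from what it contains, combined with the label its creator chose, where automation can raise a label but never lower one). The detector patterns, the four-level label scheme, the egress channels, the policy table and the sample documents are all assumptions made for this example.

```python
"""Added example, not from the original article: content-aware inspection
driven by automatic classification.  Detectors, labels, channels, policy
thresholds and sample documents are all assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed classification scheme, least to most sensitive.
LABELS = ["Public", "Internal", "Confidential", "Restricted"]


@dataclass
class Finding:
    detector: str
    label: str      # the minimum label this finding implies
    excerpt: str    # redacted form, safe to write to a log


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so arbitrary 13-16 digit numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _card(m: re.Match) -> Finding | None:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not 13 <= len(digits) <= 16 or not luhn_valid(digits):
        return None
    return Finding("credit_card", "Restricted", "*" * (len(digits) - 4) + digits[-4:])


def _email(m: re.Match) -> Finding | None:
    user, domain = m.group(0).split("@", 1)
    return Finding("email_address", "Confidential", user[0] + "***@" + domain)


def _stamp(m: re.Match) -> Finding | None:
    # A label the creator already stamped into the document (manual classification).
    return Finding("classification_stamp", m.group(1).capitalize(), m.group(0))


# Assumed detectors: (pattern, handler that validates the match and assigns a label).
DETECTORS = [
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), _card),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), _email),
    (re.compile(r"CLASSIFICATION:\s*(Public|Internal|Confidential|Restricted)", re.I), _stamp),
]


def scan(text: str) -> list[Finding]:
    findings = []
    for pattern, handler in DETECTORS:
        for m in pattern.finditer(text):
            f = handler(m)
            if f is not None:
                findings.append(f)
    return findings


def label_for(findings: list[Finding], creator_label: str = "Public") -> str:
    """Highest of the creator's own label and every label the content implies."""
    level = LABELS.index(creator_label)
    for f in findings:
        level = max(level, LABELS.index(f.label))
    return LABELS[level]


def classify(text: str, creator_label: str = "Public") -> str:
    return label_for(scan(text), creator_label)


# Assumed egress policy: highest label allowed through the channel, and the action above it.
POLICY = {
    "usb_removable": ("Public", "block"),
    "email_external": ("Internal", "block"),
    "cloud_sync": ("Confidential", "monitor"),
}


def decide(label: str, channel: str) -> str:
    ceiling, action_above = POLICY[channel]
    return "allow" if LABELS.index(label) <= LABELS.index(ceiling) else action_above


def inspect_document(text: str, channel: str, creator_label: str = "Public") -> dict:
    """One content-aware decision for a document about to leave via `channel`."""
    findings = scan(text)
    label = label_for(findings, creator_label)
    return {
        "label": label,
        "action": decide(label, channel),
        "findings": [(f.detector, f.excerpt) for f in findings],
    }


if __name__ == "__main__":
    # Constructed sample documents: (text, egress channel, label chosen by the creator).
    samples = [
        ("Lunch menu for Friday attached.", "email_external", "Public"),
        ("Order ref 1234 5678 9012 3456 shipped.", "email_external", "Public"),  # fails Luhn
        ("Card 4111 1111 1111 1111 on file for jane.doe@example.com", "usb_removable", "Public"),
        ("CLASSIFICATION: Restricted\nMerger term sheet", "cloud_sync", "Internal"),
    ]
    for text, channel, creator in samples:
        print(channel, inspect_document(text, channel, creator))
```

The Luhn check is what keeps the order reference in the second sample from being treated as a card number, and the stamp detector is how a creator's manual choice and the automatic result end up in the same decision; in production the detector table would be far larger, but the shape (validate, label, compare against a per-channel ceiling) is the same.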
INFORMATION RIGHTS MANAGEMENT (IRM)
Information Rights Management (IRM) was born out of a need to protect the crown jewels of the organisation. It is, ideally, a technology used to encrypt data and to control how, what, when, why and where the data can be used, and in what form.
IRM, as a technology, brings the ability to differentiate between the very important and the not so important data. Like airport security checks, IRM brings a slight inconvenience when you implement this type of security, but it is worth it to protect the crown jewels of the organisation; it is perhaps not effective if applied to every type of data that data classification covers.
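As an added example, not from the original article: a Python model of the IRM idea above, in which the usage policy (who may do what, until when) travels with the encrypted content, is cryptographically bound to it, and is checked by a key-holding service before the content is released, so that editing the policy or opening the file outside its terms fails. The service secret SERVER_KEY, the HMAC-SHA256 counter-mode keystream used in place of a real cipher such as AES-GCM, and the principals, grants and sample document are all assumptions made for this example.

```python
"""Added example, not from the original article: an IRM-style envelope whose
usage policy is bound to the encrypted content and enforced by the key holder.
SERVER_KEY, the HMAC-SHA256 counter-mode keystream (a stand-in for a real
cipher such as AES-GCM), and the principals and document are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import time

# Assumption: the IRM service's secret. Clients never hold it, so they cannot
# derive a content key without the service first evaluating the policy.
SERVER_KEY = hashlib.sha256(b"example irm service secret").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stand-in cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _content_key(doc_id: str) -> bytes:
    # Per-document key derived from the service secret; it is never stored in the envelope.
    return hmac.new(SERVER_KEY, b"content-key|" + doc_id.encode(), hashlib.sha256).digest()


def _tag(doc_id: str, policy_json: bytes, nonce: bytes, ciphertext: bytes) -> str:
    # Length-prefixed MAC over every field, so policy and ciphertext cannot be edited or swapped.
    mac = hmac.new(SERVER_KEY, b"envelope-tag", hashlib.sha256)
    for part in (doc_id.encode(), policy_json, nonce, ciphertext):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.hexdigest()


def protect(doc_id: str, plaintext: bytes, policy: dict) -> dict:
    """Encrypt and bind a policy of the form {"grants": {principal: [actions]}, "expires": unix_time}."""
    policy_json = json.dumps(policy, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = _xor(plaintext, _keystream(_content_key(doc_id), nonce, len(plaintext)))
    return {
        "doc_id": doc_id,
        "policy": policy_json.decode(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": _tag(doc_id, policy_json, nonce, ciphertext),
    }


def open_protected(envelope: dict, principal: str, action: str, now: float | None = None) -> bytes:
    """Service-side check: integrity first, then who/what/when, only then release the content."""
    now = time.time() if now is None else now
    policy_json = envelope["policy"].encode()
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    expected = _tag(envelope["doc_id"], policy_json, nonce, ciphertext)
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope or policy has been tampered with")
    policy = json.loads(policy_json)
    if now > policy["expires"]:
        raise PermissionError("policy expired")
    if action not in policy["grants"].get(principal, []):
        raise PermissionError(f"{principal} is not allowed to {action}")
    return _xor(ciphertext, _keystream(_content_key(envelope["doc_id"]), nonce, len(ciphertext)))


def try_open(envelope: dict, principal: str, action: str, now: float | None = None) -> tuple[str, bytes | None]:
    """Verdict form of open_protected: ('ok', plaintext) or (reason, None)."""
    try:
        return "ok", open_protected(envelope, principal, action, now)
    except PermissionError as exc:
        return f"denied: {exc}", None
    except ValueError as exc:
        return f"rejected: {exc}", None


if __name__ == "__main__":
    # Constructed sample: a board deck two people may view, one may print, until a fixed time.
    policy = {"grants": {"alice": ["view", "print"], "bob": ["view"]}, "expires": 2_000_000_000}
    env = protect("board-deck-2024", b"Merger target: Example Corp", policy)
    for who, what, when in [("alice", "print", 1_700_000_000), ("bob", "print", 1_700_000_000),
                            ("alice", "view", 2_100_000_000)]:
        print(who, what, try_open(env, who, what, when)[0])
    # Bob edits the policy in his copy to grant himself print: the tag no longer verifies.
    forged = dict(env, policy=env["policy"].replace('"bob": ["view"]', '"bob": ["view", "print"]'))
    print("bob with forged grant:", try_open(forged, "bob", "print", 1_700_000_000)[0])
```

The point the model makes is that the policy is not advisory metadata next to the file: it is MACed together with the ciphertext under a key only the service holds, so a holder of the file can neither decrypt it locally nor quietly widen the grants, which is the difference between IRM and a classification label alone. The inconvenience the article mentions is visible too: every open is a round trip to the service.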
Now that we understand the basics of these 3 technologies, why do you think organisations fail to implement them?