Real-world DLP: people are a problem

In this week's Security Levity, the second part of my interview with Abhilash V. Sonwane, vice president of product management at Cyberoam. Abhilash has extensive experience building data-loss-prevention solutions that help organizations keep their sensitive data confidential. I'm sure you'll agree that he brings some thoughtful insights into real-world data loss prevention (DLP).  

Abhilash, give us a sense of where you see the main threats to an organization's confidential data?

In a word: endpoints. We can't simply rely on keeping data locked up in secure data centers. Users need to work with data on their desktops, laptops and smartphones. They want to transfer it using tools they have available, such as email and USB-key sneakernet.

  So what should organizations think about when data is outside the relative safety of the data center?

Firstly, how long does data stay on users' endpoints? Confidential or potentially embarrassing data might sit on endpoints indefinitely, out of reach of data security administrators.

Second, who has access to this data? Data security is compromised by users routinely placing data within a shared folder, and giving rights to all network users. Finally, how and when is the data modified, deleted or transferred? Lack of tracking can lead to loss of critical data.  

I'm guessing you're going to tell me that there's a software solution to these problems?

An endpoint data security solution that protects the organization's endpoints from data leakage through identity- and group-based policy controls, encryption, shadow copies, logging, reporting and archiving... yes. I'd argue that it's an immediate need for all organizations. It enables organizations to limit insider access to trusted devices and applications when sharing data.

  But surely, DLP software can't protect against a really determined insider, intent on stealing a company's secrets. Or can it?

Well, there are always limits to technology, but the main threat isn't deliberate information theft, but accidental leakage. Employees are often unaware that their actions are unsafe, leading to data loss. That's often because businesses don't properly communicate corporate security policies to new employees. Even with existing employees, you should periodically re-communicate security policies so that employees take them to heart.

  Wait, are you saying training is an adequate substitute for DLP software?

[Laughs] Well, if you can implement perfect training, and your employees never make mistakes, then be my guest. For everything else, there's DLP!

Look, data security is only as good as the user. Organizations with the best security practices implement clearly defined data security guidelines. While they may educate users on safe data security practices, user endpoints are still vulnerable to error and theft. Security guidelines can only effectively protect data in the presence of a strong end point data security solution that overrides the threat posed by end-user behavior.   So, in summary, people are a problem?
Tight access controls over data centers give a false sense of security to organizations. With valuable data lying at employee endpoints -- in most cases without the knowledge of data 'caretakers' -- risky actions by employees caused by lethargy, ignorance and errors lead to data vulnerabilities.

Coupled with easy availability of removable storage devices and data sharing applications, the result is often silent data loss.

 
When he's not interviewing DLP experts, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider. MORE...

 
Disclosure
: Cyberoam, a division of Elitecore Technologies, has been a partner of Commtouch since 2007, when the company licensed the Commtouch RPD anti-spam engine as part of its identity-based UTM appliance.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon