More companies are finding that despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware technologies and most organizations implement it as a standard desktop endpoint and gateway security. The technology works using a combination of document 'fingerprinting', key words, and policies defined around what is allowed and what is not. The technology has matured to support endpoints and email data leakage risks as well as social networking risks. However, even with a mature technology and rigorous implementation, organizations often can find their data protection is ineffective.
IT departments are able to quickly implement a data protection technology, but struggle with effectiveness. They are unable to bridge the gap between implementation and effectiveness, and end up with large numbers of data leakage 'incidents', which usually turn out to be false positives. In many cases, organizations end up operating DLP tools in ‘audit only’ mode which completely defeats the tools’ purpose.
This gap is usually due to the approach taken to data protection and not to the organization itself. Most organizations identify data protection as a risk and IT/IS department choose a vendor for implementation. The vendor usually 'scans' the file stores for 'important' files and policies are created to safeguard those files deemed important. While this approach seems simple enough, it is the root of the problem. IT organizations are basing policies on their own interpretation, rather than on what is important or appropriate for the business.
Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming the data leakage. Another challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.
The first step is a data classification policy that clearly establishes how to classify data within the organization; the users should be made aware of how the classification policy applies. Next, the data flow within business processes should be understood to identify the type and nature of data, its classification and authorized data movement of 'important' data across organizational boundaries. Also, the important files, templates and data base structures that were identified during this exercise should be 'fingerprinted'. The policies should then be configured and applied based on the authorized movement of data.
Taking these two steps will help improve data protection technology effectiveness because it incorporates business rules for data. However, it still is a point-in-time exercise that does not address the fluid business data environment. To sustain the data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization. If a data governance framework does not exist, a similar structure can be created. An additional benefit of this approach is close integration with data governance when such a framework is actually created.
The governance function should be responsible at a high level for both the strategic and operational management of data protection. At a strategic level, the function should look at how data flows and is managed and its impact on data protection technology employed. At an operational level, the function should look at how data protection incidents are managed, false positives reduced, user awareness on classification and protection improved. Many organizations also employ active data protection with the use of data/digital/information rights management tools which require users to 'protect' based on allowed rights, time limits and expiry dates. Though the above approach remains the same for these technologies too, organizations have to spend more efforts on user awareness as their cooperation defines the success or failure of the technology.
Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.
