The phrase data protection conjures up all kinds of TLAs like DLP (Data Leakage Prevention) or DRM/IRM (Digital/Information Rights Management) or the newest DAM (Database Access Monitoring). What will annoy the reader more is that I am referring to all the above three letter acronyms and much more. I am referring to data protection as a state of mind rather than technology! Let me make myself clearer.
Data protection consists of three simple things, preventing undesirable disclosure, preventing unauthorized changes and ensuring availability when required (yup, and no points for guessing that I am referring to the classic 'C','I','A' triad - Confidentiality, Integrity, Availability). This sounds simple, but try adding a couple of qualification criteria like ensuring only 'authorized' people have access to data or to changing it in an 'approved' manner and see the effect.
What will really get your goat is that while 'C' and 'I' have always been important, the erstwhile misfit and much ignored 'A' of the triad has assumed enormous significance, enough to put organizations in significant legal discomfiture. In most countries, with regulators (and even industry groups) ganging up and clamping down on how organizations treat data usage (general terminology for collect, use, transmit and store or otherwise), it is becoming important for organizations to figure out ways to safeguard themselves.
Organizations are quick to point out that they have security controls based on ISO27001 and have implemented automated DLP (Data Leakage Protection) tools to prevent data leakage. Unfortunately the problem continues to fester with symptoms such as large number of positive & false positive leakage incidents, DLP perpetually stuck in monitoring mode, uncertainty surrounding the protection of the management team from legal hassles by the various three letter acronyms.
Technology is great at solving problems, but one must realize that the problems they solve are usually of automation, agility or enforcement. In its current avatar, technology is not mature enough to learn, bridge, and solve business problems on its own. It is precisely this problem that comes back to bite organizations. It is important to ensure that the technology works effectively when a whole host of background activities and processes have to be in place and run efficiently.
For a start, the organization needs to put a data classification & handling policy and guideline that helps its users identify, categorize and then manage classified data appropriately. The guideline should help the user community to identify if any law or regulation protects the data and if there are certain precautions that need to be taken while handling such data.
The organization then needs to identify an appropriate strategy for selecting, implementing and sustaining technology solutions for data protection along with the right set of 'rules', logging and reports. Last but not the least, the organizations have to implement technology and processes to enforce the policies, identify potential violations, and help in investigation and closure of the findings.
While the solution has been covered in a simple single paragraph above, the devil is in the implementation details. The classification policy is easy to create, but ensuring its implementation is tough. Employees have to be taught the why, what and how behind the classification policy and measures should be taken to ensure that they will actually follow the rules. Selecting the right technology can be a challenge too as in many organizations, it is hardly about the technology but mostly about minor features and use cases that disguise good old financial logic.
Today the market is full of DLP players with barely any differentiation in their offerings. The critical technological decision though is determining the correct mix of DLP/IRM that is needed and whether a technology like DAM makes sense. The implementation can be the stuff of nightmares too, where all those fancy features promised by the technology vendors come to a naught for arcane reasons like users did not have managers assigned in the Active Directory!
The rules require a deep understanding of the business processes and the data that they process and move. Don't get that right and an organization can be sifting through tens of thousands of incidents a day; DLP rules are a combination of trigger (keyword, regular expression, fingerprint), logic (and, or, else) and actions (allow, quarantine, encrypt, block, etc.). DRM and DAM rules just add additional layers of complexity.
While the idea is simply to help organizations make better decisions by bringing to light the various facets of data protection, maybe practicing meditation will help tide over the taxing time of getting the data protection strategy and practice right. Alternatively, you could give me a call!
Practice Head – IRAS, Aujas