
Following on from the themes raised in his article (opposite), Derek Brink kindly offered to put some questions to a pair of data protection experts – Uzi Yair, CEO of GTB Technologies, and Christopher Bolin, CTO at McAfee, Inc. – to get some vendor perspective on what they think the issues are and how the security industry is addressing the thorny issue of protecting sensitive data.
Derek Brink is VP and Research Director for IT Security at Aberdeen Group. Before joining Aberdeen, Derek was RSA Security’s VP of Strategy and Corporate Development, and was earlier the product line director for RSA SecurID. Prior to RSA, his experience includes roles at Gradient Technologies, Transarc Corporation, Sun Microsystems and Hewlett-Packard.
Uzi Yair is CEO of GTB Technologies, a Newport Beach, California-based company that designs, develops and markets information leaks prevention systems. He has over 20 years’ experience leading startup software companies to success. Before GTB, Yair was CEO of Proxyconn Inc., Redwood Software, Magic Software Enterprises and Liant Software Corp.
Christopher Bolin is the Chief Technology Officer and Executive Vice President of Product Development for McAfee, Inc. In this role, he is responsible for the worldwide development of all McAfee products, reporting directly to CEO and President David DeWalt. With more than 10 years’ experience at McAfee, Bolin has been instrumental in driving international growth.
DB. In the past, organizations tended to keep sensitive data in one location, and tightly controlled access to that location. Today, they are trying to balance the need to provide ever-broader access to information with the need to protect the data wherever it is – at rest, in motion or in use. In your view is this an accurate description of the change in perspective, and if so what approaches do you see companies taking to address this balance?
CB. Yes, the perspective has changed. Today, employees are more mobile. They work in the office. They work from home. And they work while on the road. As the volume of electronic data increases, employees demand greater access to maintain productivity. These demands challenge information security to provide ready access to data while ensuring that confidential enterprise data is protected.
Therefore, securing access is not enough. This is because there is no visibility or control on confidential data after it has been accessed and downloaded onto the laptop or desktop. Will the employee email it to an unauthorized recipient? Will the employee print a hard copy? Will the employee copy it onto a USB? Protections must be in place to ensure that data is protected on the laptop itself. Organizations realize this gap exists. Today, the market is clearly moving towards data loss prevention solutions because security teams need visibility and control over the mobile workforce. This is because employees conduct business on their laptops regardless of whether they are connected to the corporate network or not. All data loss originates on the host. It may leave over a network, but it can also leave via USB keys, laptop hard drives, printouts, CDs, iPods, etc. To completely cover both managed and unmanaged machines, a combination of host and network inspection is essential to effectively implement data loss technology to match the intent of the business.
UY. Corporations are in the midst of an information explosion. The Brookings Institute estimates that 80 percent of intellectual property is no longer represented as tangible products, but as intangible assets like source code, R&D strategies and engineering diagrams. Sensitive data is no longer controlled under lock and key in datacenters or file cabinets. Sensitive data is everywhere. It’s downloaded to USB storage devices. Outsourcing partners in India email it to their branch offices in China. Employees at headquarters send it out of the datacenter over webmail to work from home.
New data protection strategies are necessary and 100 percent accurate protection from data leakage is the goal. Companies turn to GTB Data Loss Prevention (DLP) products to protect sensitive data in real-time. Because of its unprecedented speed and accuracy, GTB allows you to encrypt, redact, block, quarantine or simply report where sensitive data goes to protect your business.
DB. In your businesses, to what extent do you see companies motivated to protect sensitive data to be in compliance with internal policies, versus to be in compliance with external (industry or government) regulations?
UY. It’s bigger than compliance; it’s the anxiety of finding your company in the right-hand column of the Wall Street Journal for a data breach. Companies want to do the right thing when it comes to protecting the data that keeps them in business. But, the underlying fear that pushes many enterprises to go above and beyond compliance requirements is their desire to keep security problems off the front page. Why? Because the damage of a headlining security breach causes real business pain and compromises a company’s brand and reputation while negatively impacting shareholder value. All this negative exposure adds up quickly and instead of a $300,000 fine, the company in the headline can pay hundreds of millions of dollars in fines and negative exposure, like headline-maker TJ Maxx, which is now paying $125 million in fines for exposing over 40 million customers to potential identity theft.
CB. Until recently, companies were more motivated by the external pressures of regulatory compliance. This was especially the case for those in highly regulated industries such as financial services, healthcare, and others. With looming compliance deadlines and executive mandates, companies were motivated to avoid fines, penalties, and interruptions to daily business as a result of noncompliance. The prospect of increased costs for more frequent security audits was also a deterrent for the ‘wait and do nothing’ approach. Also, mandatory disclosure laws, such as California SB1386 and other equivalent state privacy laws, drive data protection requirements.
With recent news stories about Boeing losing 320,000 files to a disgruntled employee downloading to USB and TJX compromising information on 45.7 million credit and debit cards, companies realize that a single public data breach can prove devastating. A recent study published by a large European analyst firm found that 69 percent of companies believe that a data breach will significantly damage their brand. 30 percent believe that it can put them out of business. Companies are highly motivated to meet internal data protection policies to protect against the risks of financial loss, brand damage, and lost consumer trust. Increasingly, more companies realize that protecting intellectual property is essential to maintain competitive advantage. They realize that protecting personal customer data is important to maintain consumer confidence and to retain customers.
DB. Many companies have deployed one or several point solutions for data protection where specific needs exist. When (if at all) do you expect to see these ‘islands of protection’ begin to be connected or replaced by an integrated, enterprise-wide view of protecting sensitive data, as part of an overall information security strategy?
UY. Protecting sensitive data is not a ‘nice to have’ feature – it is a critical need. Out of this necessity, a number of young, aggressive companies have filled the data protection void missing from the big security vendors. There is no doubt that the market will force holistic solution offerings that protect data through its entire lifecycle through consolidation.
All of this will take time. Until then, it is fortunate that many data protection technologies – DRM, DLP and encryption products – already work together to protect data throughout the entire data lifecycle. GTB, for example, works with encryption gateways out-of-the-box. As an industry, we should have more interoperable demos to prove that vendors do truly integrate. Industry analysts could host these demonstrations – too often they have the power to influence buyers without ever having to deploy, test or integrate a single product in the real world.
CB. The process of integrating data protection in an overall security strategy has started. Many analysts support this market direction. Moreover, many of our customers have expressed their desire to leverage their current security investment by protecting their data within the context of a security risk management platform.
For example, McAfee Data Loss Prevention integrates with ePolicy Orchestrator utilizing a single agent and a common management console. This console manages virtually all the solutions in McAfee’s security portfolio. This approach allows customers to realize a number of cost savings and efficiencies. This includes ease of management for the security risk management portfolio. Decreasing the number of management consoles reduces training costs and IT resource requirements. Savings also result from consolidating network infrastructure requirements. And overall, economies of scale are reached in dealing with fewer vendors and support teams.
DB. Our research shows that companies are deploying more enabling technologies to protect their sensitive information – what evidence have you seen that indicates they are generating the expected results (e.g. fewer breaches, achievement of compliance, reduced cost) from these investments?
UY. Companies deploying DLP products witness fewer breaches and better compliance daily. The first time a breach is stopped there is a palpable sigh of relief that the investment made just saved the business. Each breach thwarted literally pays for the entire investment in the product and then some.
The majority of enterprises are currently in the analysis phase, meaning enterprises are just beginning to see where they are leaking sensitive data, where it is going and why it is being transmitted or downloaded. This will give birth to the prevention phase, where the most accurate DLP products will stop breaches in real-time. Performance and accuracy will be the key in building confidence. I predict that very soon, instead of reading about breaches in the headlines, more brave companies will be talking about the breach they thwarted because GTB protected the data in real-time.
CB. Based on customer reports, implementing technologies to protect confidential data has provided tremendous value. For example, Partner Communications Company Ltd (Orange) – listed on the NASDAQ, London Stock Exchange and Tel Aviv Stock Exchange – deployed McAfee Data Loss Prevention to support its Sarbanes-Oxley compliance efforts. According to Orange: “At the same time, it automates a number of our processes that are currently performed manually [to save time and costs] and now improves our protection from potential data loss.”
Visibility by itself has proven invaluable to enterprises. Visibility provides insight into data transfer patterns and broken business processes that threaten enterprise data. This allows the security team to take corrective action before results become devastating. Control is also essential in protecting sensitive data. The result is fewer data loss events. Enforcement reduces risk by stopping daily data loss activities, most of which result from accidental misuse by employees. Enforcement also protects data from being exposed unnecessarily and ensures that only authorized personnel can use this data. Customers are also using data loss technologies, including the visibility and control aspects, to demonstrate compliance. By using technology to protect data and to automate many of their processes, companies can gradually reduce compliance resource requirements.
DB. Some say that the biggest gap in data protection involves not technology, but the human factor – a lack of awareness and accountability at the individual user level. To what extent do you see companies combining deployment of data protection technologies with awareness training for security and compliance?
CB. There are several steps companies must take to improve security and demonstrate compliance. They must start with a written security policy. They should use training as the primary way to inform the employees about the policy. Training in most cases is a major component companies use to demonstrate compliance. Companies use technology investments to enforce the policies and to reinforce training. Many solutions can be used to educate employees by automatically alerting them, and potentially their manager, with a customized message when the employees commit a policy violation. These messages can remind employees about the company’s security policy. Also, it can refer them to the company handbook.
Companies today realize that technology and training are both needed as part of an effective security and compliance plan, so they are moving in that direction.
UY. When it comes to the human factor, the old adage ‘rules are made to be broken’ applies. This is an example of the Pareto principle (the 80/20 rule) at work: 80 percent of security breaches come from 20 percent of the end-users who break compliance rules to get their job done. While end users are often forgiven for not understanding compliance policies, it is entirely unacceptable to leave the business exposed to innocent end-user mistakes that damage brand and destroy customer trust. This is one area where technology can help tremendously.
Despite rule-bending end-users, GTB can protect sensitive data without slowing down the business or frustrating employees trying to do their job. Because of its unprecedented speed and accuracy, GTB allows you to encrypt, redact, block, quarantine or simply report where sensitive data goes to protect your business and enforce policy decisions in under a nanosecond – and it’s often cheaper than training.
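The enforcement actions Yair lists (encrypt, redact, block, quarantine, report) and the customized policy-violation notice to the employee that Bolin describes in his answer above can be shown together in one small policy engine. The following is an added example written for this page, not GTB's or McAfee's code: it detects payment card numbers with a Luhn check (so order numbers that merely look like cards are not flagged) and registered confidential text via hashed word n-grams, then picks an action by channel and destination. The corporate domain, card numbers, registered document and handbook reference are constructed assumptions.

```python
"""Toy DLP policy engine (hypothetical example, not a vendor's product code).

Scans one outbound transfer for sensitive content, applies one of the actions
named in the interview (encrypt, redact, block, quarantine, report) and builds
the customized employee notice. All sample data below is constructed.
"""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain
SHINGLE = 5                       # words per fingerprinted phrase
# Candidate payment-card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects order IDs and phone numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Card-number strings (as written in the text) that pass the Luhn check."""
    return [m.group() for m in CARD_RE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group()))]


def redact_cards(text: str) -> str:
    """Mask every Luhn-valid card number down to its last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "**** **** **** " + digits[-4:] if luhn_valid(digits) else m.group()
    return CARD_RE.sub(mask, text)


def shingles(text: str) -> set[str]:
    """Hashed word n-grams: a partial-document fingerprint that survives reformatting."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(len(words) - SHINGLE + 1)}


@dataclass
class Message:
    sender: str
    recipient: str   # mail address, or a device name for usb/print channels
    channel: str     # "email", "webmail", "usb" or "print"
    body: str


@dataclass
class Decision:
    action: str                          # allow/report/encrypt/redact/quarantine/block
    reasons: list[str] = field(default_factory=list)
    body: str = ""                       # body as it may leave, possibly redacted
    notice: str = ""                     # customized message shown to the employee


def evaluate(msg: Message, registered: set[str]) -> Decision:
    """Apply the policy table to one transfer and return the enforcement decision."""
    reasons = []
    if find_card_numbers(msg.body):
        reasons.append("payment card numbers")
    if shingles(msg.body) & registered:
        reasons.append("text from a registered confidential document")
    if not reasons:
        return Decision("allow", body=msg.body)

    external = msg.channel != "email" or not msg.recipient.endswith("@" + INTERNAL_DOMAIN)
    body = msg.body
    if "text from a registered confidential document" in reasons:
        action = "block" if external else "report"       # IP never leaves; internal use is logged
    elif msg.channel in ("usb", "print"):
        action = "quarantine"                            # hold media copies/print jobs for review
    elif external:
        action, body = "redact", redact_cards(msg.body)  # external mail goes out masked
    else:
        action = "encrypt"                               # internal mail is routed via an encryption gateway
    notice = (f"{msg.sender}: your {msg.channel} transfer to {msg.recipient} contained "
              f"{' and '.join(reasons)}; policy action taken: {action}. "
              "See the employee handbook, section 'Handling sensitive data'.")
    return Decision(action, reasons, body, notice)


# Constructed sample data: one registered document and four outbound transfers.
REGISTERED = shingles("Project Falcon will launch in Q3 with a new pricing model "
                      "targeting enterprise customers in Europe.")
SAMPLES = [
    Message("alice@example.com", "vendor@partner.net", "email",
            "Card on file is 4111 1111 1111 1111, please charge the deposit."),
    Message("bob@example.com", "USB-DISK-7", "usb",
            "Q2 refunds: 4111-1111-1111-1111 and 5500 0000 0000 0004."),
    Message("carol@example.com", "press@news.example", "webmail",
            "FYI: Project Falcon will launch in Q3 with a new pricing model."),
    Message("dave@example.com", "erin@example.com", "email",
            "Order 1234 5678 9012 3456 shipped today."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        d = evaluate(m, REGISTERED)
        print(f"{d.action:10} {m.sender} -> {m.recipient}: {d.notice or 'no violation'}")
```

Two design points follow the interview's own emphasis: the Luhn check and the fingerprint matching are what keep accuracy high enough that blocking does not frustrate employees doing legitimate work, and the same `evaluate` function can sit at both a host agent (USB and print channels) and a network gateway (mail and webmail), which is the host-plus-network coverage Bolin argues for.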
Best-in-class decrease e-mail data loss
While many organizations report increased incidence of malware infections and data loss from e-mail, best-in-class companies have successfully decreased the incidence of both and have reduced the cost associated with remediating e-mail attacks, according to a recent Aberdeen Group report.
63% of best-in-class have decreased the total cost associated with recovery and remediation from e-mail attacks
84% of best-in-class report decreasing the number of incidents of viruses and Trojans
71% of best-in-class report a decrease in the number of data loss incidents associated with e-mail