Protecting Your Digital Assets: Data Loss Prevention - The Challenges of Data Control in the Extended Enterprise

12/09/2008 - 00:33

John Karabin, Regional Vice President, Security Solutions, Verizon Business 

In today’s successful businesses, information is everywhere. Business is global – the biggest opportunities are found in global markets. Business can therefore not be confined; it takes place on desktops, within devices, along networks and around the world. Data and information must span systems, countries, languages, and borders. Supply chains need to be connected and optimised across the globe to meet customer and market demands.

This is the extended enterprise – and organisations are working to harness the potential of global time zones and new service models to improve customer service and relationships, increase business resilience and enhance overall productivity.

Yet in the extended enterprise environment, data protection is more important than ever. No one needs to be convinced that data must be protected against loss, theft or leakage. However, in the extended enterprise, IT as a function becomes increasingly complex, and this can have a profound effect on security. With increasingly complex networks, one has to ask whether it is possible, or more to the point feasible in a business sense, to protect all files. Is it actually necessary to secure all files, or just the most business-critical data? How do you know which data is business-critical? And most fundamentally, do the traditional recognised boundaries of the enterprise still exist, and if not, how can firms effectively protect their assets and prevent data loss?

Is the complexity of the extended enterprise jeopardising your security?

There are ultimately a number of different ways in which businesses can improve their security environment to effectively reduce the risk of data loss or leakage. All information security professionals strive to accurately assess the value of the information assets they own. This value can, and of course does, rapidly change – but unexpected information disclosure is guaranteed to lead to a downturn.

However, keeping data safely throughout the extended enterprise is not a trivial task. Not only is there an increasing risk to the business from malware and other forms of electronic attack, the intrinsically complex nature of the extended enterprise can also bring about security concerns.

In terms of general attacks, there are several threat vectors that could allow information to be inadvertently disclosed, and not all of them involve malicious behaviour. A simple configuration error could cause data to be exchanged through an unencrypted channel, or potentially even sent to the wrong recipient. In the Verizon Business 2008 Data Breach Investigations Report, 62 per cent of breaches were found to result from significant errors, such as poor decisions, misconfigurations, omissions or process breakdowns.[1]

As such, protecting against data loss is more than just protecting against data theft. It requires comprehensive monitoring capabilities that are able to provide situational awareness on where data is located, be it at rest, in transit, or even in use.

A few years ago, a fringe market appeared in response to a growing awareness of the limitations of defensive capability. It didn’t concentrate so much on attacks moving into the corporate network, but rather on data being moved out. Intrusion Detection System (IDS) technology, which had introduced pattern matching to the masses, was already well known and quickly became a logical first step in detecting data theft. Detection of intellectual property in transit had become a reality.

However, the limitations of pattern matching quite quickly became clear. Detecting the code name of a highly protected project in outbound mail is easy; detecting documents based on, but not copied from, intellectual property was quite another challenge. Several other techniques were thus developed and quickly implemented, such as cyclical hashing and statistical analysis.
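To make the contrast concrete, here is an added Python example (not code from the article or from Verizon Business) that runs both checks over constructed sample documents: a code-name signature of the kind an IDS would match, and a shingle-based fingerprint in which every five-word window of a protected document is hashed, a simplified stand-in for the cyclical hashing the article mentions rather than any vendor's scheme. The document names, the code name "Bluefin" and the 25 per cent alert threshold are all assumptions made for the illustration. The same matcher serves for files found at rest as for mail in transit; only the source of the text changes.

```python
import hashlib
import re

# Constructed sample documents (assumed for illustration; not from the article).
PROTECTED_DOC = (
    "Project Bluefin design notes. The turbine housing uses a titanium alloy "
    "with a revised cooling channel layout to reduce thermal stress at the "
    "seal interface. Tolerances on the channel bore are held to 0.02 mm."
)
# Derived document: the code name is gone, but two sentences were copied verbatim.
DERIVED_DOC = (
    "Summary for the supplier: the turbine housing uses a titanium alloy "
    "with a revised cooling channel layout to reduce thermal stress at the "
    "seal interface. Please quote for 500 units."
)
# Unrelated document: shares only ordinary vocabulary with the protected one.
UNRELATED_DOC = (
    "Quarterly update: the cafeteria menu changes next week and the parking "
    "layout will be revised to reduce congestion at the main entrance."
)
CODE_NAMES = ["Bluefin"]  # assumed project code name


def pattern_match(text, code_names=CODE_NAMES):
    """IDS-style signature check: True if any protected code name appears as a word."""
    return any(
        re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE)
        for name in code_names
    )


def _tokens(text):
    # Normalise case and punctuation so trivial edits do not defeat the match.
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=5):
    """Hash every k-word window of the text. Production systems keep only a
    sampled subset of these hashes to bound index size; all are kept here so
    the coverage scores below are exact."""
    words = _tokens(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }


def fingerprint_match(protected_fp, candidate_text, k=5, threshold=0.25):
    """Return (coverage, hit): the fraction of the protected document's windows
    present in the candidate, and whether that crosses the alert threshold."""
    if not protected_fp:
        return 0.0, False
    shared = len(protected_fp & fingerprint(candidate_text, k))
    coverage = shared / len(protected_fp)
    return coverage, coverage >= threshold


PROTECTED_FP = fingerprint(PROTECTED_DOC)


def inspect_outbound(text):
    """Combine both checks as a DLP sensor would for one outbound message
    or one file found at rest."""
    coverage, fp_hit = fingerprint_match(PROTECTED_FP, text)
    return {
        "codename_hit": pattern_match(text),
        "fingerprint_coverage": round(coverage, 3),
        "fingerprint_hit": fp_hit,
    }


if __name__ == "__main__":
    for label, doc in [("protected", PROTECTED_DOC),
                       ("derived", DERIVED_DOC),
                       ("unrelated", UNRELATED_DOC)]:
        print(label, inspect_outbound(doc))
```

The derived document never mentions the code name, so the signature check passes it, yet 17 of the protected document's 32 five-word windows survive in it and the fingerprint check flags it; the unrelated document shares no window at all. Tokenising before hashing is what makes the fingerprint tolerant of case and punctuation changes, while a different choice of window size trades sensitivity to small copied fragments against false positives on common phrases.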

One solution was to focus on identifying concentrations of data in places where it didn’t belong, or even on monitoring users’ actions while data was visible to them. This required detection of data both at rest and in use, and called for much more complex techniques to assess data presence, such as end-user agents or even rights management applications using unique, hardened clients.

However firms have to face up to a fundamental problem: the traditional recognised boundaries of the enterprise don’t actually exist any more. The successful extended enterprise will inevitably be based upon a large-scale unbounded network that acts as part of an orchestration of networked communities, where the traditional restraints and boundaries do not apply. In this ‘cloud-based’ approach, users will act as network nodes and traditional views about security must change.

So given the new way of working, how can firms effectively protect their assets and prevent data loss? Managing risk at an increasingly complex and increasingly porous network level now implies almost impossible cost and danger. The journey from simple hardware-based security towards a multi-layered approach can lead to an unsustainable solution set comprising: hardware- and domain-based technologies; firewall rules relying on known IP addresses; increasingly complex rules through defined ports; signature-based detection of malware; and the use of encryption for some categories of data, at best to protect data at rest.

Other methodologies ratchet up the complexity. For example, there is the overlay of heuristics for pattern matching to provide additional intelligence in fending off zero day attacks. Then there is the overlay of traffic assessment and log management and assorted decode-based analyses that probe deeper into packets and move from hosts to end points.

But because the new extended enterprise is multi-layered and has added complexity, such overlaid solutions introduce latency as well as being more difficult to manage effectively. There has to be a better way of working.

Effective and manageable data loss prevention

If the traditional borders and boundaries approach to security is no longer sustainable, then what models should firms adopt? Even though the transition to user-based security is under way, it should never be forgotten that the primary task is to focus on the most important thing that needs protection: the data itself.

And in doing so the industry has created a buzzword: Data Loss Prevention (DLP). But what exactly is DLP? How did it evolve and how can it be implemented within the extended enterprise?

DLP encompasses data leak prevention, data monitoring and information content protection. Driven by compliance and breach notification regulations, organisations started deploying major pilot projects to see how data loss could be minimised. Not surprisingly services industries, healthcare and insurance were amongst the first to deploy, closely followed by virtually all industries that are heavily dependent on their established intellectual property base. For these organisations in particular, any theft or even inadvertent disclosure of data would significantly impact their bottom line.

Today, the DLP market consists of two main segments: the first deals with database audit and protection, the second with data monitoring. The former was conceived on the principle that data should be protected at its origin. By checking access and identifying requests that are “out of place”, a compromise can be detected early. These tools are deployed to monitor access in front of, or even inside, the database application. They look, for example, at when data was changed and how the actual content changed. By taking all of these factors into account, a picture of normal behaviour can be obtained, and anything unusual can be flagged. Some see it as an advanced form of database auditing.
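As an added illustration of the database-audit approach (example code written for this page, not a product's or the article's own), the Python below learns a per-account picture of normal behaviour from constructed audit records, then flags requests that are out of place on three of the dimensions the article names: which tables and statement types an account uses, when it is active, and how much data a request touches. The log format, the account names and the z-score cut-off are assumptions; a production tool would also baseline per statement type and track content changes, which this example does not.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed database audit records (assumed format, not from the article):
# "<ISO timestamp> <db user> <statement> <table> <rows touched>".
AUDIT_LOG = [
    "2008-09-01T09:12:04 app_billing SELECT invoices 40",
    "2008-09-01T10:03:11 app_billing SELECT invoices 55",
    "2008-09-01T11:47:52 app_billing UPDATE invoices 3",
    "2008-09-01T14:20:09 app_billing SELECT invoices 48",
    "2008-09-02T09:30:41 app_billing SELECT invoices 52",
    "2008-09-02T15:05:17 app_billing UPDATE invoices 2",
    "2008-09-02T16:11:00 app_billing SELECT invoices 45",
    "2008-09-03T10:22:36 app_billing SELECT invoices 50",
]


def parse(line):
    ts, user, stmt, table, rows = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "stmt": stmt, "table": table, "rows": int(rows)}


def build_baseline(lines):
    """Learn, per account, which statement/table pairs occur, at which hours,
    and how many rows a request normally touches: the picture of normal
    behaviour against which new requests are judged."""
    base = defaultdict(lambda: {"pairs": set(), "hours": set(), "rows": []})
    for e in map(parse, lines):
        b = base[e["user"]]
        b["pairs"].add((e["stmt"], e["table"]))
        b["hours"].add(e["ts"].hour)
        b["rows"].append(e["rows"])
    for b in base.values():
        b["mean"] = mean(b["rows"])
        b["stdev"] = pstdev(b["rows"])
    return dict(base)


def flag(line, baseline, z=3.0):
    """Return the reasons a request looks out of place (empty list = normal)."""
    e = parse(line)
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown user"]
    reasons = []
    if (e["stmt"], e["table"]) not in b["pairs"]:
        reasons.append(f"unseen access: {e['stmt']} on {e['table']}")
    if e["ts"].hour not in b["hours"]:
        reasons.append(f"off-hours activity at {e['ts'].hour:02d}:00")
    # Row-count outlier as a z-score against the account's history; with no
    # variance in the history, any increase over the mean counts as an outlier.
    deviation = e["rows"] - b["mean"]
    if (b["stdev"] and deviation / b["stdev"] > z) or (not b["stdev"] and deviation > 0):
        reasons.append(f"row count {e['rows']} far above baseline mean {b['mean']:.0f}")
    return reasons


def review(lines, baseline):
    """Run an audit stream through the baseline and return only flagged entries."""
    flagged = []
    for line in lines:
        reasons = flag(line, baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


BASELINE = build_baseline(AUDIT_LOG)

# Constructed new-day traffic: one routine request, one bulk read of a table this
# account has never touched at 02:41, and one request from an unknown account.
NEW_TRAFFIC = [
    "2008-09-04T10:15:00 app_billing SELECT invoices 47",
    "2008-09-04T02:41:13 app_billing SELECT customers 250000",
    "2008-09-04T10:16:30 contractor7 SELECT invoices 5",
]

if __name__ == "__main__":
    for line, reasons in review(NEW_TRAFFIC, BASELINE):
        print(line, "->", "; ".join(reasons))
```

The routine request passes every check; the bulk read trips all three, which is the signature of a dump rather than a misfiled query; the unknown account is flagged on identity alone. Which of these warrant a page to an on-call analyst rather than a log entry is exactly the incident-response decision the article returns to in its conclusion.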

Data monitoring can be categorised into two different approaches. One aims to prevent the loss of data by tagging it, essentially adding a signature that remains with the documents wherever they go, and uses custom clients to prevent unauthorised reading or tampering. However, this approach has an inherent weakness in that it relies on employees to assign appropriate rights and privileges to documents when they are created.

The other approach focuses on the principle of monitoring the data streams. Modern DLP solutions allow an organisation to index data, scan endpoints and servers for its presence, and then apply deep inspection rules to gain a comprehensive view of its location within the enterprise. These tools have adjusted to meet detection needs on many channels, including e-mail, Blackberry devices and more recent business applications such as enterprise instant messaging.

Get a policy; categorise; classify; act

Given DLP’s relative immaturity, many organisations are not quite sure how to proceed with its implementation. Before data can be protected it has to be categorised and classified. There are a number of challenges, not least of which is the fact that most of the data firms hold is unstructured, together with the sheer scale of the data they have to manage and ultimately protect. Not only do firms have to contend with information that they generate and store themselves, but they also have to take into account what comes in from the vast, thriving and self-replicating reservoir of information contained in cloud-based Internet communities.

So before protection begins, firms need to consider what type of data they need to run their business; how to make it easily understandable to both users and tools; and how to identify different data elements, no matter where in the organisation they are stored. The latter could involve a manual discovery process, using interviews and workshops with employee representatives, or, where possible, an automated process that scans file servers and desktops to see where data is located.

The truth is that it is a hard task to implement a DLP strategy successfully, but not an impossible one. The most important consideration is to reflect upon the current situation of the organisation before rushing into a project, and to have a clear objective in sight. Without a clear goal, or even a coherent data protection policy, projects can become costly failures with little impact on the overall level of data protection.

There are basic places to start: first of all, companies need to establish a DLP policy and then data encryption at the host. Next come the management of encryption keys and the management of access at the network level, with encryption at the endpoints covering disks, devices and USB media, through to document and mail encryption.

Organisations also need to design their data protection policy. Once the various data classification levels are known and understood, policy has to be developed to mark how that data should be handled. This policy, which defines expected user behaviour, can then be used to define a technical enforcement and detection architecture.

Developing this type of policy, and perhaps even more importantly, making sure users understand it, is one of the most difficult issues to resolve. The problem is not one of information security per se, but rather one of understanding business needs. Business owners need to be involved in data classification, and executive management also has to clearly articulate an organisation’s appetite for risk. What’s more, this needs to be an ongoing effort. But most importantly of all, DLP and data protection must be carefully integrated into any incident response process. If it is not, it will be a swift return to the early days of IDS deployments: policy violations will be carefully logged, but no-one will be listening.

Conclusion

The end goal for any organisation is, of course, data protection, and this requires an effective and swift response to any incident. Depending on the individual business’ requirements, this may require 24/7 follow-up of alerts generated by the solution, and fine tuning to incorporate changing business requirements. This is especially important in the new extended enterprise where new business relations are often born in the field, and are not always directed from the top of the organisation. Transactions will be flagged as exceptions by any DLP tool that enforces the data protection policy, and will need to be validated by the business.

Safeguarding critical business data requires a holistic approach encompassing consultancy, technology and monitoring services. Choosing the right partner can be project critical. Organisations should look for a partner that is vendor-neutral and able to provide a total solution, complementing DLP technology with expertise and processes in information security.

At the end of the day, information security is about reducing risk and protecting a business’ most critical assets. Implementing DLP technology alone will not address the full spectrum of risks created by the extended enterprise. However, it certainly helps to reduce both a company’s and its customers’ overall risk exposure by enabling the accurate positioning of overall security posture. DLP has a crucial role to play in protecting and controlling data flow, an absolutely critical part of security risk management.



[1] 2008 Data Breach Investigations Report, a study conducted by the Verizon Business RISK team. The report draws on over 500 forensic engagements handled by the team over a four-year period.