At last! I have some time to write another post, my first since October last year. I apologize. (BTW: I converted my business survival book into the Kindle format and it turned out to be a HUGE mission to convert more than 430 pages (Letter/A4 size) with so many tables… BUT the “fat lady can sing now”!)
In my previous blog post I discussed a method to calculate profit erosion due to intellectual property (IP) theft – as more and more companies experience IP data leakage. A business owner should be able to calculate the current and potential negative financial impact on his/her company. Today I would like to discuss Data Leakage Prevention (DLP) software as a possible countermeasure (solution) to IP theft.
Since IP is created today by using computer tools (i.e. IP is created first in a logical format), it does make sense to start protecting your data against data leakage at the logical level. In order to do exactly that, we believe that there is only one robust countermeasure to protect IP today, namely Data Leakage Prevention (DLP) software.
Although it does require diligent administration from Business Management and specifically the IT department, it would place your company in a position to obtain fairly reasonable assurance that data leakage in logical form would either be prevented or detected. It would, however, depend on the risk appetite of an owner and his/her management when it comes to a final decision whether or not to implement Data Leakage Prevention, as well as which service provider’s software solution to select.
Coupled with proper processes (policies, procedures and standards), data classification, data ownership allocation as well as security conscious personnel, a business should be in a position to ensure the confidentiality of their (as well as Partners’) IP as well as the long-term prosperity and profitability of the company.
We, however, want to stress that we don’t believe that normal “management” controls (e.g. policies) would be able to prevent and detect IP theft at an acceptable level. If you are serious about IP data protection, a technical control like Data Leakage Prevention software (in addition to policies) should be implemented.
By selecting a true Data Leakage Prevention software solution, you would be able to protect information at the binary level, thus utilizing a solution that has knowledge of the data, as opposed to recognizing folders, files and/or devices (as is the case with other solutions which are device-oriented). A further consideration is to eliminate the user as a potential cause for security violations (as is the case with permission-based operating systems and applications). True Data Leakage Prevention software would provide a company with comprehensive protection of data against unauthorized use and distribution by authorised users, according to policy, fully, across all channels, with detailed auditing of all transactions indefinitely.
Simply defined, Data Leakage Prevention is the tracking, identification and protection of confidential/sensitive information during:
- Storage (data at rest).
- Use (data in use).
- Movement (data in motion).
The benefits of Data Leakage Prevention software, as an integral part of the total security infrastructure, are exponentially more than the sub components of the existing IT infrastructure, as Data Leakage Prevention software provides protection capabilities in an area where no other IT component can or does. Data Leakage Prevention software is a business imperative for companies with their own IP, ensuring longevity and long-term prosperity for the company.
A true Data Leakage Prevention software solution can literally lock down specific data elements (e.g. a confidential company document) on the majority of IT platforms and in different applications and allows for extremely granular customization, such as setting policy/defining rules per data element to determine:
- Who may/may not access a classified folder/file/document?
- Who may/may not modify/amend a classified document?
- Who may/may not print a classified document?
- Who may/may not email a classified document as email content/email attachment?
- Which devices are permitted/not permitted to ‘receive’ classified data, such as printers, USB, external devices?
- Which applications may/may not be engaged with classified data?
- Who may access classified data from a remote location?
- Whether data may be transported in unencrypted format?
- Allow/prevent the activation of the clipboard (copy and paste) in order to create derivatives of a classified document.
- Ensuring that the classification label is not ‘lost’ when a file is renamed or its file extension is changed.
- Real-time notification of attempted violations.
- Retrospective analysis of user activities pertaining to classified data.
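To make the per-data-element rules above concrete, here is an added sketch (not code from this post or from any DLP vendor) of a policy engine that attaches the classification label to the content rather than the file name, so a rename does not drop the label, and records every decision for later review. All class, user and device names are hypothetical, and the exact SHA-256 match used to recognize content is a simplifying assumption.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Policy:
    allowed: dict                              # action -> users permitted for this label
    devices: set = field(default_factory=set)  # devices permitted to receive the data
    clipboard: bool = False                    # may copy/paste create derivatives?

class DlpEngine:
    def __init__(self):
        self.labels = {}    # content fingerprint -> classification label
        self.policies = {}  # label -> Policy
        self.audit = []     # every decision, kept for retrospective analysis

    @staticmethod
    def fingerprint(content: bytes) -> str:
        # Assumption: exact-match hash; it only recognizes byte-identical copies.
        return hashlib.sha256(content).hexdigest()

    def classify(self, content: bytes, label: str) -> None:
        self.labels[self.fingerprint(content)] = label

    def decide(self, user, action, filename, content, device=None):
        # The label is looked up by content, so the file name is irrelevant.
        label = self.labels.get(self.fingerprint(content))
        if label is None:
            verdict = "allow"                  # unclassified data is outside policy
        else:
            p = self.policies[label]
            if action == "clipboard":
                ok = p.clipboard
            else:
                ok = user in p.allowed.get(action, set())
                if action == "copy_to_device":
                    ok = ok and device in p.devices
            verdict = "allow" if ok else "block"
        self.audit.append((user, action, filename, device, label, verdict))
        return verdict

def demo():
    engine = DlpEngine()
    plan = b"Constructed sample: strategic plan text"   # constructed input
    engine.policies["confidential"] = Policy(
        allowed={"read": {"alice", "bob"}, "print": {"alice"},
                 "copy_to_device": {"alice"}},
        devices={"printer-hq"})
    engine.classify(plan, "confidential")
    return engine, [
        engine.decide("bob", "read", "plan.docx", plan),
        engine.decide("bob", "print", "plan.docx", plan),
        engine.decide("bob", "email", "holiday.jpg", plan),  # renamed copy
        engine.decide("alice", "copy_to_device", "plan.docx", plan, device="usb-1"),
        engine.decide("alice", "clipboard", "plan.docx", plan),
        engine.decide("bob", "email", "menu.txt", b"lunch menu"),
    ]
```

The audit list is what supports the real-time notification and retrospective analysis items: each blocked attempt is recorded with the user, action, file name, device and label.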
Data Leakage Prevention software can address all concerns regarding logical risks. Although it cannot protect physical IP once it is printed (e.g. a strategic plan), it can provide information on the users who have printed the document over a period of time (which can be used for further investigation).
In a case where a disgruntled employee has resigned, for example, a history of actions can be retrieved to determine if any irregularities occurred in the past or not.
We believe that a company can prevent IP leakage to a certain extent. Over-investment in preventive controls would result in inefficiency. In order to conduct business, personnel need access to certain IP – either in “soft” copy or “hard” copy. As a result, detective controls should compensate for the lack of a “total approach” in preventive controls. Detective controls should enable your business to detect current and past actions of users – for use in possible disciplinary as well as legal action. Data Leakage Prevention software can assist a company to do exactly that.
We believe that certain companies require a robust Data Leakage Prevention software solution that:
Any one of the above in isolation would be ineffective. It should be “business as usual”, but with the peace of mind that your company’s core asset is fully protected from abuse in any form or shape.
Finally, a business should also classify data and allocate ownership of data to specific users. One of the Data Leakage Prevention software providers, Perimetrix, assists their clients in doing exactly this – in addition to implementing Data Leakage Prevention software. Without proper data classification, Data Leakage Prevention software cannot be implemented.
If you have any questions on Data Leakage Prevention software, you are welcome to contact us at firstname.lastname@example.org
Michiel Jonker, CISA