Thursday, March 27, 2008

What strategies to follow after you have implemented a DLP solution

If you deployed a DLP strategy, you have probably deployed it in your high risk areas, and if you have become somewhat mature in your current DLP deployment, the next is how to grow the deployment so that you can secure more areas. As you are becoming more successful, your management, or clients within business groups who is not currently enjoying the protection a DLP solution can give, will ask you to protect their areas as well.

So, the question becomes, how do you grow both horizontally and vertically? You can grow horizontally by putting in place in place more monitors, but you will quickly find yourself in a situation where your current rules/policies does not meet the needs of the additional areas where you are now scanning, or maybe the business model you deployed for the corporate roll out does not meet the needs of the business unit you are now supporting in addition to the corporate roll out.

Do you invest in data in motion along with data at rest? Do you invest in end point protection? How about managing different departments ranging from your HR department, to your credit card processing department to your research and development arm. For each one of these, different business problems arise, and different solutions must be put in place. For HR, your main concern is probably the loss or disclosure of personnel data, from your sales organization, customer PII, and from your R&D department, loss of your future bread and butter.

So the discussion becomes the one of head count, and centralized versus de-centralized. Which model is right, and how to ensure comparable results between them? It is a discussion which will be had in many organizations in the upcoming years. Many IT security shops will have the idea that you should have a centralized approach. This will become increasingly difficult for several reasons. One, only the users/business owners in the respective areas will have an understanding of what is valuable, and needs protection, and what doesn’t. Then you have the issue around different IT departments controlling collaboration and messaging. Each one is important for securing your information. I think the right answer is a mix between centralized/decentralized, where information security runs the majority of the tools, but the business owners and IT collaborates on how to identify IP and business secrets, and create and manage policies dependent on roles.

There is one undeniable fact. The amount of information is growing, in fact according to IDC, it is growing by 60% a year, with new regulatory requirements means that IT will have to invest more in managing the information for disclosure, protection and retention.

Demand for storage capacity has grown by 60% per year and shows no signs of slowing down, according to research company IDC. New disclosure laws, which require more data to be preserved and retrievable, also are making storage management a bigger job. http://www.networkworld.com/news/2008/032108-storage-revolution-jobs.html

Thursday, March 13, 2008

New concerns regarding health care information misuse. In an article from MSNBC: http://www.msnbc.msn.com/id/23392229/ they highlight the impact an impostor can have on your health when your information is abused.

This should bring attention to the need for medical facilities, and anyone keeping medical information, to be prepared to ensure the accuracy and integrity of the information, as well as protecting it from loss.

A shift from paper based information management to electronic management, enables greater efficiencies of information management, including sharing of information, but also enables loss of information at a much greater level than anytime before in history.

Organizations which have not moved to encrypted storage for sensitive information should do so as soon as possible, and improved authentication and authorization models must be put in place where they are lacking.

Systems must be put in place that ensures that the identity used is that of the person receiving health care, and that only the information needed is available to personnel who provides care, or otherwise handles the information.

According to FTC, 3% of identity theft victims have had someone else use their medical benefits. With identity theft growing, and medical care becoming more expensive, leaving more out, and the move towards electronic health information management, we are poised for the perfect storm.

Monday, March 10, 2008

Information loss prevention and operational risk management

An operational risk framework which would take input across the organization, which also manages exceptions to policy would be a huge benefit to overall risk management. As business users demand web 2.0 applications, easy to use cell phones with dual use capabilities (read using as email client for work purposes and view video and listen to music for personal use), and exceptions given to systems regarding patch level and security reviews.

Roll up operational risk summaries would be the only way to measure the aggregate operational risk in the organization. This married with information flow views, which outlines what objects access what information would make the risk decisions easier to make. If you knew who had access to what information where and when on what device, it would be easy to see what the true risk was, and if a request for an exception came in, it would be easy to determine if the additional risk was substantial, or minimal. It would be also easy to envision a self service model , where the user would be allowed to accept some risk, but if the risk moved above a threshold, a manager or security operator would have to grant it. Each business leader could then set an acceptable threshold within the organization, and its policy would then flow down to the individual users.
It has been a busy few days, and for information loss prevention, a few areas are worthy a highlight. iPhone 2.0 is still questioned if it meets the regulatory requirements for data protection: http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9067319&intsrc=hm_list. Furthermore, here is a link to an article discussing how BlackBerry servers are ripe for the hacking. Yet another concern for IT security personnel who needs to protect sensitive information on all devices serviced by the organization: http://techworld.com/security/news/index.cfm?newsID=11663&pagtype=samechan.

Sunday, March 09, 2008

Information control

Maybe I should rename the blog from information protection, as it is just as much about information control. DLP products along with DRM products, firewalls and other security controls are mere solutions in place to control the flow of information. It is put in place to prevent flow of information to systems or personnel who should not have this information, and allow the flow to systems or personnel who should have access.

DLP tries to identify the type of content, and based on rules, apply various protection mechanisms to the information. In some areas, context is also evaluated. However one area which DLP has not fully gone into is the area of mapping social graphs to ensure that information does not flow from a highly trusted source to a trusted albeit less trusted than the first source downward in the hierarchy towards an untrusted source.

Clear areas of such downward flow can be stopped by reducing the access to broad access groups, however human nature is such that obstacles to sharing information usually is overcome, especially if it is easier to circumvent the control than it is to obey it.

Willful loss of information can only happen if technology, processes and people (the majority) is aligned. The processes much be such that they enable secure sharing to the proper objects, and people must buy into the idea that the value of protecting certain types of information is higher than the cost of loss caused by reducing sharing.

This can seem contrary to many, as we want to communicate, and we will fail in most of our
endeavors if we do not collaborate, at least within the group we belong. The problem is of course that most people belong to many groups, based on work, ideology, hobbies, neighbourhoods, etc. This means that just looking at the objects who have, had, or can access the information is not enough. You also need to look at who these objects are connected to, and who they are in turn connected to. You need to map out objects that form hubs versus spokes (power law distribution), and where these again lead to.

One trick used to track such information is to use a 1x1 pixel, to see who receives certain information. This is however not included in most information as it traverses networks, storage areas, end points, data bases, applications etc. Only when you can marry a map of all objects, and their interrelatedness, and where the information actually moves to and from can you truly understand the risks and or possibilities the organization have in sharing information within and across boundaries.

Today's DLP solutions create classifications in varying degrees, and and some store the result set in a data base, others persist the information within the meta data of the document. Either directly within the document, or in an alternate stream. These can of course be stripped off, and until DRM becomes pervasive, it will not solve this issue either. Actually DRM has another problem, in that if information is presented on a screen, it can be copied and the controls are stripped off as a consequence. However DRM will increase the effort necessary to improperly distribute information to objects who should not have access.

In order to support better protection, identity management is another dimension that must be solved. I will not go much into depth in this posting, other than just saying that roles based identity management is hard, and identity management between organizations are even harder, and is a contributor to the problem.

Wednesday, March 05, 2008

According to a survey by Pursuant, http://www.pursuantresearch.com/, 32% of surveyed government IT personnel do not think they will become compliant with requirements such as HSPD-12, FIPS 201, and FISMA. This article: http://www.informationweek.com/news/showArticle.jhtml?articleID=206901345 states that government IT personnel believes national security trumps privacy

Sunday, March 02, 2008

Confluence of HIPAA security audits and increasing attacks from the Internet creates pressure on health care organizations to protect their patient information: http://www.networkworld.com/news/2008/022708-healthcare-cyberattacks.html

The four important questions to ask for any custodian of sensitive information should be:

What information exists on my systems
Where is it located
Who has access
How is it protected

I believe the only way to find out what information exists, cataloguing and classification is a necessity. To find out where it is, the repositories containing information must be scanned, and content then classified based on this scan. To ensure that only users who need access, has access, entitlement management is key. The information that is classified should then be protected.

This cannot be achieved with technology alone. People, Process and Technology all go hand in hand to solve this problem.
Selection Criteria for an ILP solution

Here are the high level selection criteria I would use for selecting a DLP solution

· Accuracy (I would be willing to trade speed for accuracy if needed)
· Speed (can all high risk areas be scanned efficiently without a high bandwidth cost)
· Scalability (can all high risk areas be scanned efficiently)
· Remediation capabilities (if a scanning solution is deployed without proper remediation, it leaves the organization with a much higher risk than prior to scanning)
· Upfront cost of application
· Upfront cost of services needed to deploy application
· Cost of ownership
o How many headcount are needed to manage incidents and systems
o What is the annual support cost
o What is the total life time cost of the application (3 years)
· Risk reduction provided by application
o How is it measured
o Will result set stand up in court (can I prove due diligence when using these tools)
o Can new regulatory requirements or new corporate policy be set up within a standard framework
o Does the reporting meet the following needs
§ Overall risk reduction
§ Specific risk reduction for business unit/regulatory compliance/regional compliance
§ Can ROI be demonstrated
§ Are executive reports easy to understand
§ Can executive reports be rolled into a CIO scorecard
§ Does the reports for the operations team allow for improving efficiency of team and rules (this drives TCO)