Alex Tosheff does not consider himself a deeply religious man, but when it comes to sensitive data, he follows one critical commandment.
“One of my IT risk mantras is, ‘Thou shall know thy data and thou shall know where thy data lives,’” says Tosheff, 41, the newly appointed chief information security officer at Bill Me Later, a fast growing company that offers customers an innovative way to make payments via the web.
Maryland-based Bill Me Later, a seven-year-old company projected to have brought in more than $100 million in revenue last year, deals in two types of data.
The first – and the most important to the company – is its customer information, which includes any identifying records. The second is its intellectual property, namely the so-called secret sauce that allows Bill Me Later to extend credit to internet shoppers in real time, with nothing more needed than a customer’s birth date and the last four digits of their Social Security number.
To protect these precious digital assets, Tosheff and his IT department have turned to data loss prevention (DLP) as part of the company’s overall security portfolio. “We have best practices in place, but this was to get more defense-in-depth,” he says. “We hold our customer information sacred.”
DLP is a technology already well known in the industry – just ask any visitor to the past two RSA Conferences in San Francisco which solution was being hawked as a must-buy.
But while its hype is sky high, DLP deployment is still limited in scope, largely reserved to the big financials and manufacturers. Reticence remains, despite the fact that IT security bellwethers Symantec, McAfee and Trend Micro validated the market when they scooped up three DLP pure-plays – Vontu, Onigma and Provilla, respectively – in recent years.
Roughly $1 billion has been spent acquiring DLP vendors. So why does hesitation remain to adopt this technology?
Well-documented deployment challenges aside, DLP is a widely misunderstood technology that has created a plethora of user confusion, says Rich Mogull, founder of Arizona-based IT security consultancy Securosis, and a former Gartner analyst.
The technology was originally marketed as an alarm that sounded whenever sensitive information left an organization’s boundaries, he says. While it still offers such capabilities, DLP has morphed into something more strategic, allowing companies to not only detect sensitive data, but also to apply some way to fix the problem, he says.
“Real DLP isn’t about leak prevention,” Mogull says. “It’s about content protection. You’re using it to reduce overall risk. You’re not using it to stop every hack attack or every malicious employee.”
As organizations shift their priority away from the perimeter and on to the data itself – all the while valuing risk and IT governance more than ever before – DLP may turn out to be the most important security innovation in a long while.
But it still has some growing up to do.
Data, data, data
Increasingly, companies are grasping the importance of securing their data because, in the end, that is what cyberattackers are after. Traditional perimeter defenses, such as firewalls and anti-malware, are effective in stopping certain threats that could cripple a network, but they do little to protect the core assets of a corporation.
Enter technologies such as encryption and DLP.
“Now, organizations realize their business success is based on digital assets, which if they don’t protect, it will cause irreparable shareholder harm,” says Faizel Lakhani, vice president of products at Mountain View, Calif.-based Reconnex, the firm that makes DLP solutions used by Bill Me Later. “Companies are realizing that they are so knowledge- and information-dependent that they have to put safeguards in to protect that data far sooner.”
While most organizations are becoming keenly aware of this, it is the organizations that have been embarrassed over breaches that seem motivated to take the first steps. Take the recent Hannaford Bros. grocery chain breach, in which hackers used packet sniffers to lift some 4.2 million credit card numbers from a private network over which data traversed from point-of-sale system to card processor.
As a result of this incident, Hannaford just announced it would implement a leading-edge solution to encrypt this traffic – a move not even required by Payment Card Industry guidelines.
“The data, at this point, is where the value is,” says Dan Geer, chief scientist at DLP provider Verdasys, based in Waltham, Mass., and author of the book, Economics and Strategies of Data Security.
Geer, in his book, estimates that the value of data rises about one percent each week, compared to the Dow Jones Industrial Average, which increases an average of one-seventh of a percent each week. This leads Geer to one of two possible conclusions.
“Either the Dow Jones is being swamped by the growth of data, and that means data is valueless, or the percentage of wealth that is data is rising,” Geer says, adding that he sides with the latter. “Data is so much all over the place that nobody knows where it really is.”
Geer attributes the rise in data value to two factors: Information assets are becoming more important in making a company run and they can be stored in massive allotments for minimal cost. They say data should be part of a company’s balance sheet.
“The future is data rich,” Geer says. “We need to start treating it like wealth, because it is.”
A challenged, maturing technology
Vontu, founded in 2001, was among the first companies to offer products that addressed data loss.
The Vontus and Vericepts of the world developed network-based solutions that were designed to serve as sniffers that flagged certain traffic leaving the network, Mogull says.
As the DLP market matured, vendors began developing mechanisms for discovering and protecting stored data, says Paul Proctor, distinguished analyst at Stamford, Conn.-based Gartner.
The most recent market shift has placed the focus on creating endpoint-based offerings so organizations can monitor activity happening on individual workstations and laptops, often before data exits the organization, Proctor says. For example, the product would send an alert to IT if an employee saved some confidential company financials onto their hard drive.
Meanwhile, many of the original DLP players are now trying to create suites that address data wherever it may live – on the network, on the endpoint or at rest, experts say.
There are also a growing number of companies offering DLP as a feature, meaning that extrusion prevention technology is integrated into some other component, such as an endpoint control or email gateway. Vendors in this space include Cisco’s IronPort and SecureWave.
Despite its growth and evolution, the DLP market only earned about $75 million in revenue last year, Proctor says. “Adoption rates have been much lower than we originally predicted,” he says.
The market has been plagued by clunky deployments – particularly across distributed endpoints – fueled by high costs, integration problems, false positives, manageability headaches, and companies’ failure to plan in advance the introduction of this type of technology into the corporate infrastructure, analysts say.
“You have to spend the time to define sensitive data,” Proctor says. “It’s tough. This is the part where a lot of people got burned. They got the impression, based on vendor promises, that the product will help them get a handle on their data, and that’s probably the least mature part of this entire industry. These products tell you where the data exists, but you usually have to change business processes to solve them.”
Others simply have not bought into the technology or have yet to see the need for it. Mogull, for example, can understand this viewpoint. “There is no compelling need to do this,” he says. “It’s not like you’re going out of business if you don’t do this.”
Michael Hamilton, chief information security officer for the city of Seattle, says he is a bit of a curmudgeon when it comes to warming up to the latest gizmos offered for the IT security marketplace. He says that following best practices and turning to a solution that maps traffic patterns, for example, could prove just as helpful as DLP.
But, Rob Israel, chief information officer of John C. Lincoln Health Network, made up of two hospitals in the Phoenix area, says, the health care system is steering clear of DLP deployments, at least for now.
He adds that protecting data is more important than ever, especially given compliance mandates, such as the Health Insurance Portability and Accountability Act (HIPAA).
His organization contracts with Scottsdale, Ariz.-based Lumension Security to ensure that end-users are unable to save anything to their local hard drives or removable media devices without permission. In addition, John C. Lincoln deploys an email encryption program that scans outgoing messages for confidential information.
“I think it’s something we probably haven’t gotten to,” he says. “Health care is probably way behind the security curve in many ways. We wanted to enforce our internal walls first and get better control on what’s going on in our network.”
Hamilton admits DLP has its benefits, especially for those companies which deal in intellectual property. “DLP is pretty good at detecting rank and file and error of omission for the uneducated user on your network who is trying to poach something,” he says.
In the case of governments, where there is little intellectual property to protect and sensitive documents are publicly available under federal law, DLP is unnecessary, Hamilton says. Plus, if an attacker is truly bent on getting to an organization’s data, with a bit of ingenuity and perseverence they will succeed.
“If I was very determined and had access to your network, I’m going to steal it, and this thing is not going to stop me,” Hamilton says. “All of this technology is really not going to do anything to stop the really well-resourced and well-educated attacker who is serious enough to know what technical controls you are going to have in place and then will work around those obstacles.”
The future of DLP
Content awareness. Those two words are what will separate DLP of yesteryear from DLP in three to five years, experts say. It is the ability to look inside a file and identify confidential information that will define the technology going forward.
With that awareness comes the opportunity for businesses to invoke actionable change – to analyze the data, redefine policies, apply security controls and measure success. Combined, this will help reduce overall IT risk, agree both experts and end-users.
“If you think about where we could be going with information-centric security, DLP is at the heart of it,” Mogull says.
Greg Allender, director of global information security at Cincinnati-based Convergys, provider of human resources and billing services, and a Verdays customer, says DLP acts as an analytical tool, providing visibility for the IT department.
“It allows you to get more granular with the data at its point of use and track how that data is being accessed and distributed throughout the organization,” he says. “It helps analyze how to make business processes more efficient.”
At Bill Me Later, where corporate executives place a high premium on retaining customer trust, DLP made perfect sense, Tosheff says.
“We needed something that allowed us to get up to speed very quickly,” he says. The Reconnex solution reduces the insider threat risk by monitoring for potentially sensitive communications leaving channels, such as email, instant messenger or FTP.
But what especially drew Tosheff to the DLP offering was its ability to offer pre-built mappings into regulatory requirements and governance frameworks, as well as its case management capabilities, which enable him and his IT staff to track a data incident throughout its lifecycle. This is useful in case a forensic investigation is required.
Tosheff credits a smooth deployment so far with his staff spending six months to classify data prior to installing DLP.
“You can start defining your data regimes in terms of structured and unstructured, so you can define those clearly. By doing that, you can start pre-tuning the DLP as it comes into play,” Tosheff explains. “You want to be able to validate your assumptions, and the way you go about validating assumptions is through measurement.”
Most enterprises today know little about where any of their data lives, never mind those records that – if they got out – could result in a front-page headline. But this mindset is changing. It has to change. And DLP products will be a big part of it.
“I have the visibility into the data in my environment that I just didn’t have before,” Tosheff says. “I have it mapped in the context of regulatory, legal and Bill Me Later-specific requirements. We can see things as narrowly focused as someone cutting a paragraph out of a Word document and pasting it into an instant message or email.”
Agree to disagree
The true value of DLP, according to Gartner, will eventually prove to be its ability to help companies create and enforce more robust business practices concerning the handling and transmission of confidential data.
“That vision I painted of content awareness, that is what the promise of this is, from an enterprise-wide perspective,” Proctor says. “The technology is just not mature enough right now for companies to realize that vision.”
For Tosheff, that vision is already here.
“I would say this company is extremely forward-looking,” he says. “The company understands that investing in its customers is one of the big things it can do to keep going.”