Raise Consciousness—Not Frustrations—With DLP

by Willy Leichter
Director, Product & Solutions Marketing
Axway

I want to be the voice of the realist here, because there’s a lot of hype around DLP, yet DLP implementation projects have often failed because it can be such a complex, daunting undertaking.

As numerous bleeding-edge companies pilot DLP projects, they find it can be an enormous challenge. When you consider all the possible ways information can leak, most organizations resemble Swiss cheese. How do you plug up all those holes?

That question leads to a couple of dilemmas. One, if you lock things down well, you shut down the business, an effect worse than the problem you’re trying to solve. Two, the business-unit owner is supposed to own the information, but since IT is usually running the DLP products, IT is put in the position of being the bad guys who force the business-unit owner to confront issues they do not want to confront.

To keep this from being too overwhelming, I recommend a couple of basic starting points that will maximize your DLP effectiveness while minimizing your frustrations.

First, instead of trying to boil the ocean, look for established best practices and the information that is most critical for your organization to protect. This doesn’t mean everything that might need protecting, just the information at the very top of the list. And often, that’s regulated information. Healthcare data is obvious. But PCI compliance, credit card numbers, social security numbers—those are the things that, more and more, you need to be concerned about. In a vast orchard of data, this is low-hanging fruit!

Second, protect the obvious egress point: email. There are pretty straightforward steps that almost all organizations should be taking to prevent well-intentioned employees from sending sensitive information—often by accident—into the clear, specifically credit card, social security, and healthcare numbers. This is relatively easy and it addresses the most common way people accidentally send information.

Third, think of DLP in the broader case. Trying to thwart someone intent on stealing is much more challenging than preventing mistakes. Focus first on preventing well-intentioned employees from making stupid mistakes, like accidentally copying files that can cause liability, or setting up rogue FTP servers.

Many organizations put limits on the size of the files their employees can transmit, but they don’t tell the employee what to do if they need to send something larger. This leads to a lot of well-intentioned employees coming up with ways to send large files and get their jobs done. A lot of serious incidents have happened this way—employees copying CDs and DVDs, employees sending things over Yahoo accounts to their own computers, employees sending discs via snail mail. IT must not ignore the “What do we do if we don’t allow them to use email to send big files?” question. IT must provide mechanisms that allow employees to reliably send large files rather than just block those files and say no.

It’s important that you raise awareness within the organization that you’re taking steps regarding these issues. If you’re filtering stuff, you should raise alerts and make people aware why you’re taking these steps. Nine times out of ten, once you start content filtering, the incident rate drops dramatically, because employees don’t want an alert and they don’t want to be flagged by IT. They want to comply. These practices tend to train the group better than actual training. And what better proof of an initiative’s success than consciousness being so fundamentally raised that, after a time, the ongoing need for the initiative becomes largely moot?
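The practices above (filter the obvious regulated identifiers at the email egress point, provide a sanctioned path for large files instead of a bare "no", and tell the sender why a message was held) can be shown in a few dozen lines. The following is an added illustration written for this page, not Axway code or any product's filter; the size limit, the large-file service URL, the sample message and the `Verdict` structure are assumptions made for the example. Card numbers are detected by a digit-run regex plus a Luhn checksum so that order numbers and timestamps do not trigger alerts; SSNs use the standard 3-2-4 layout with the well-known invalid area/group/serial exclusions.

```python
"""
Minimal email-egress DLP filter (added example, not Axway's product code).

Implements the three practices from the article above:
  1. scan outbound mail for the regulated identifiers the text names
     (credit card numbers, US social security numbers),
  2. reject oversized attachments but tell the sender what to do instead,
  3. return an explanatory alert rather than a silent block.
All thresholds, names and the large-file URL are assumptions for the example.
"""
import re
from dataclasses import dataclass, field

# Assumed policy values (not from the article).
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024                 # 10 MiB
LARGE_FILE_SERVICE = "https://transfer.example.internal"  # placeholder URL

# Candidate 13-19 digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the usual 3-2-4 layout, excluding never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return normalised (digits-only) card-number candidates that pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped tokens found in the text."""
    return SSN_RE.findall(text)


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    user_message: str = ""


def check_outbound(body: str, attachments: dict[str, int]) -> Verdict:
    """
    body: message text; attachments: {filename: size_in_bytes}.
    Returns a verdict that explains itself to the sender.
    """
    reasons = []
    cards = find_card_numbers(body)
    if cards:
        reasons.append(f"{len(cards)} credit card number(s) in message body")
    ssns = find_ssns(body)
    if ssns:
        reasons.append(f"{len(ssns)} social security number(s) in message body")
    big = [name for name, size in attachments.items() if size > MAX_ATTACHMENT_BYTES]
    if big:
        reasons.append(f"attachment(s) over size limit: {', '.join(big)}")

    if not reasons:
        return Verdict(True)

    # Explain the hold and point at the sanctioned alternative, so the sender
    # is not pushed toward webmail, burned discs or a rogue FTP server.
    msg = "Message held by the outbound content filter: " + "; ".join(reasons) + ". "
    if cards or ssns:
        msg += "Remove the regulated numbers or send them over the encrypted channel. "
    if big:
        limit_mib = MAX_ATTACHMENT_BYTES // (1024 * 1024)
        msg += f"For files larger than {limit_mib} MiB use {LARGE_FILE_SERVICE}."
    return Verdict(False, reasons, msg.strip())


if __name__ == "__main__":
    # Constructed sample: the public Visa test number 4111 1111 1111 1111
    # (Luhn-valid), a made-up SSN, and an order number that must NOT alert.
    sample = "Hi, card 4111 1111 1111 1111 exp 12/25, SSN 123-45-6789, order 20090915001."
    print(check_outbound(sample, {"report.pdf": 200_000, "video.mov": 50_000_000}))
```

The point of the `user_message` field is the article's last recommendation: the sender learns what was caught and where the supported large-file path is, which trains behaviour without IT having to play the bad guy. The Luhn check is what keeps the false-positive rate low enough that people take the alerts seriously.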

PCI is Not Enough

by Paul French
VP, Product & Solutions Marketing
Axway

If you Google “Heartland Payment Systems CEO auditor,” you’ll find a recent interview with said CEO, Robert Carr. Heartland is a credit card processor, and they recently got dinged because a whole lot of credit card numbers got stolen. And the CEO’s position was that the company was PCI compliant, they did everything right and the auditors were the ones who screwed up. Now, he wasn’t completely passing the buck (maybe a little bit) but he was trying to make the point to all who would hear it, and that’s this: PCI is not enough.

And I completely agree. PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported, but it’s not enough to treat it like a box of soap (e.g., “Big Name Bank—Now with PCI compliance!”).

There was a time in the recent past when that was enough to get you off the hook. But that’s not going to help Heartland. It didn’t help a company called Hannaford Brothers, which had a data leak problem and was also PCI compliant.

It’s important to actually think about compliance as a modular effort. You have a certain set of tools and policies that evolve to satisfy the external regulatory bodies you’re forced to comply with. And that’s great. But it’s absolutely critical to go above and beyond the call of compliance so that legislative, regulatory, customer, partner and contractual requirements aren’t summarily forced upon you. Everyone will believe that you have what’s necessary to be secure, and rightly so.

You shouldn’t buy one solution that only addresses PCI any more than you should buy one car that only takes you to the office, one car that only takes you to the grocery store, one car that only takes you to the theater, and one car that only takes you to the football game. You should buy one car that takes you everywhere you need to go, and you should buy a comprehensive data security and compliance solution that will account for all the different needs of all the different venues, jurisdictions and industries that you participate in.
