DLP: Plugging Costly Data Leaks Creates Big Opportunities

By Frank Ohlhorst  |  Print this article Print

Data loss prevention (DLP) is becoming one of the most important security technologies in the market today. Companies are embracing DLP to protect proprietary data and meet compliance needs, creating ample opportunity for solution providers willing to jump into the most sensitive part of the security market. DLP is a tremendous opportunity for security resellers.

An analysis by the Association Press found that more than 800 million data records were exposed or compromised in 2008. The data loss prevention opportunities are growing and the market for this technology is expected to top $2 billion by 2012. Resellers of data loss prevention (DLP) are finding a golden opportunity, but digging for that gold is not without some risks.

Few security technologies have become as contrived and misunderstood as DLP, which can affect all aspects of the data processing end of a business. It all comes down to protecting data and preventing data from falling into the wrong hands–both intentionally or unintentionally. Yet, the complexity of today’s solutions can leave items unprotected and solution providers liable if something goes amiss.

A complete DLP solution has multiple components, including protection for DIM (data in motion), DAR (data at rest), and data housed on end points. DIM, mostly email and attachments, proves to be the source for most company DLP violations. The problem is exacerbated by innocent mistakes, such as misaddressed email, improper file attachments or sending confidential information to a home office to work on over a weekend. Those examples show that the road to hell is indeed paved by good intentions.

DAR can be found in many places, ranging from server drives, to optical storage to SAN or NAS technologies. Further complicating protecting DAR is that the data is not static, and users must have access to the data to perform their duties. The trick here is to protect the data and not encumber the user with strict policies, which can result in incomplete data and a high number of false positives (incorrectly flagged as violations). DAR leaks can occur through other channels, ranging from lost or stolen backup tapes to improper FTP or VPN access.

Protecting data at the end point can be an unsolvable problem, there are many ways that data can escape from an endpoint – ranging from the inane, such as printed reports to the calculated, where a cell phone camera is used to photograph computer screens. Add to that the low cost of small USB storage devices and the prevalence of PCs with CD-R burners, it becomes very clear how DLP at the end point can be a nightmare.

Companies can take a preventative approach to protecting data at the endpoint, but if someone wants the data bad enough, there is probably no stopping them. Does that mean end points should be ignored when it comes to DLP? Not necessarily, but companies will have accept the fact that as long as humans have access to the data, that data can be compromised. For DLP, the real benefit comes from spending in areas where a positive effect can be guaranteed – in this case, that is the gateway of the network.

Vendors such as Cisco, Check Point, Websense, Purewire, McAfee, Symantec, RSA, Barracuda, Palo-Alto networks, and Fortinet are all offering some form of DLP technology. Most of those are relying on enhancing exisiting products or a combination of software and services to meet DLP needs. While vendors such as Palisade Systems, Finjan and Fidelis are taking a more specialized approach to solving DLP nightmares using dedicated appliances.

Palisade tackles the DLP problem with the PacketSure Network Appliance. A device specifically equipped to protect private information for both "data at rest" and "data in motion." PacketSure goes one step further by controlling the type of traffic that occurs on the network, by monitoring TCP/IP or UDP traffic to perform deep packet inspection of network traffic (passively or inline).

It blocks traffic by protocol at the edge of the network and contains a default set of more than 140 signature-based rules that can be customized. Administrators can create custom rules using keyword matching or extended regular expressions to manage specific traffic. When PacketSure finds content that matches a rule, it takes the action specified by the rule - log, block, or allow.

The device includes Web filtering, which is used to block access to unauthorized sites. Web filtering can successfully prevent users from accidently visiting "phising sites" or other sites that may house malicious content. Palisade offers the PacketSure Network Appliance in many configurations to size the appliance appropriately for the subject network. The company offers add-ons, which enhance the appliances capabilities, such as File System Discovery, healthcare and financial information matching, email content analysis, content matching and credit card matching – all of which make the appliance a good DLP foundation for both broad and vertical markets.

Palisade’s claim to fame is the products plug and play simplicity and wizard driven administration console. Integrators should be able to deploy the device in a matter of minutes and create a basic rule set to protect data. Beyond the basics, some expertise will be needed to fully realize the devices protection potential and that may be best left to a data security professional. In other words, it’s easy to get started with PacketSure, but you will need some professional help to fully plug all DLP holes.

Finjan treats DLP as a smaller part of a larger security solution in the FInjan Secure Web Gateway appliance, which is available in many different sizes to handle small to large networking needs. The Finjan Secure Web Gateway uses active real-time content inspection to prevent data leakage. All HTTP/HTTPS communication is inspected and deep analysis is used to detect and prevention confidential data from leaving the network.

When configured properly, the appliance prevents both intentional (as a result of malicious activity) and unintentional data leakage. Where Finjan differs from the other DLP appliance plays is that the company does not offer a standalone DLP appliance, DLP is offered as an option on the company’s premier security appliance, the Secure Web Gateway. In some cases, that means buyers will be paying for much more than they need in the DLP battle. But, realistically, those same buyers could probably use the additional security offered and perhaps turn a DLP deployment into a replacement of legacy security products.

Finjan helps to make that argument by offering a great deal of flexibility with the Secure Web Gateway – administrators can turn specific features on and off, deploy security features in stages or even disable un-needed functions. Regardless of what path an integrator chooses, Finjan Web Secure Gateway is just a few mouse clicks away from becoming a company’s primary security appliance, with fully integrated DLP capabilities.

The Extrusion Prevention System 5.3 appliance from Fidelis Security Systems takes aim at DLP from a different front. The device is specifically engineered to analyze communications with social networking sites, such as Facebook, LinkedIn, MySpace, Plaxo, Twitter, Orkut, Friendster, hi5, Ning and Badoo – as well as providing traditional DLP protection.

The company uses analyzer technology to understand what communications is transpiring on those sites. For example, Facebook has a chat function and an e-mail box – the appliance can be configured to monitor or block those capabilities – eliminating perhaps another avenue for data leakage to occur. What’s more, The Fidelis DLP can be configured to restrict the use of add-on social networking applications or designate some parts of social networking sites off-limits.

Of course, social networking is only part of the problem, Extrusion Prevention System 5.3 also does the expected deep packet inspection and traffic analysis found on other DLP devices. The product uses administrator defined policies to prevent DLP and has the capability to monitor activity for later analysis.

The three products mentioned here all take a different approach to achieving DLP, yet each strives to meet the same goal. To better understand the implications, one must first grasp the business benefits offered by DLP.

Why Use DLP? The technologies helps users:  

  • manage and share sensitive information
  • meet compliance requirements
  • protect brand image and reputation
  • automate policy enforcement
  • reduce risk to sensitive information

Regardless of the solution chosen, if one strives to meet the above bullet points, DLP can only be a benefit to any organization, while paving the way for more advanced security capabilities and future compliance requirements.

Frank Ohlhorst Frank J. Ohlhorst is the Executive Technology Editor for eWeek Channel Insider and brings with him over 20 years of experience in the Information Technology field.He began his career as a network administrator and applications program in the private sector for two years before joining a computer consulting firm as a programmer analyst. In 1988 Frank founded a computer consulting company, which specialized in network design, implementation, and support, along with custom accounting applications developed in a variety of programming languages.In 1991, Frank took a position with the United States Department of Energy as a Network Manager for multiple DOE Area Offices with locations at Brookhaven National Laboratory (BNL), Princeton Plasma Physics Laboratory (PPL), Argonne National Laboratory (ANL), FermiLAB and the Ames Area Office (AMESAO). Frank's duties included managing the site networks, associated staff and the inter-network links between the area offices. He also served at the Computer Security Officer (CSO) for multiple DOE sites. Frank joined CMP Technology's Channel group in 1999 as a Technical Editor assigned to the CRN Test Center, within a year, Frank became the Senior Technical Editor, and was responsible for designing product testing methodologies, assigning product reviews, roundups and bakeoffs to the CRN Test Center staff.In 2003, Frank was named Technology Editor of CRN. In that capacity, he ensured that CRN maintained a clearer focus on technology and increased the integration of the Test Center's review content into both CRN's print and web properties. He also contributed to Netseminar's, hosted sessions at CMP's Xchange Channel trade shows and helped to develop new methods of content delivery, Such as CRN-TV.In September of 2004, Frank became the Director of the CRN Test Center and was charged with increasing the Test Center's contributions to CMP's Channel Web online presence and CMP's latest monthly publication, Digital Connect, a magazine geared towards the home integrator. He also continued to contribute to CMP's Netseminar series, Xchange events, industry conferences and CRN-TV.In January of 2007, CMP Launched CRNtech, a monthly publication focused on technology for the channel, with a mailed audience of 70,000 qualified readers. Frank was instrumental in the development and design of CRNTech and was the editorial director of the publication as well as its primary contributor. He also maintained the edit calendar, and hosted quarterly CRNTech Live events.In June 2007, Frank was named Senior Technology Analyst and became responsible for the technical focus and edit calendars of all the Channel Group's publications, including CRN, CRNTech, and VARBusiness, along with the Channel Group's specialized publications Solutions Inc., Government VAR, TechBuilder and various custom publications. Frank joined Ziff Davis Enterprise in September of 2007 and focuses on creating editorial content geared towards the purveyors of Information Technology products and services. Frank writes comparative reviews, channel analysis pieces and participates in many of Ziff Davis Enterprise's tradeshows and webinars. He has received several awards for his writing and editing, including back to back best review of the year awards, and a president's award for CRN-TV. Frank speaks at many industry conferences, is a contributor to several IT Books, holds several records for online hits and has several industry certifications, including Novell's CNE, Microsoft's MCP.Frank can be reached at frank.ohlhorst@ziffdavisenterprise.com