Q&A: Preventing Data Loss

A closer look at the components and best practices for success with your data loss prevention project.

• By James E. Powell
• 04/14/2009

Data loss prevention covers a wide range of approaches, technologies, and pitfalls. IT has a wide variety of options to choose from, but building a comprehensive strategy is key. To learn more about the components and best practices for IT DLP project success, we spoke with John Carione, senior product marketing manager for LiveCycle Security Solutions at Adobe.

Enterprise Strategies: The term data loss prevention can be interpreted in many ways -- protecting data from unauthorized access, keeping it backed up and always available online, preventing media failure (so bits can always be read), and so on. What do you mean when you use the term?

John Carione: As you mention, data loss prevention (DLP) can really be broken down into two main categories: data loss stemming from availability issues such as backup/recovery and redundancy, or data loss that occurs from a violation of corporate security policy, such as a violation of regulatory compliance or IP protection. Adobe focuses on building solutions that solve the latter piece of the puzzle.

What are some of the data loss prevention approaches IT typically takes? What are the pros and cons of each approach?

There are many different approaches to solving the data loss prevention problem, but I’ll focus on enforcing corporate security policy. On the one hand, there is the DLP market segment that does a great job of classifying information and parsing it into raw buckets of information. These buckets often break down into what is considered high-business-impact and low-business-impact data. They also provide some rudimentary enforcement mechanisms such as the ability to block e-mails, route information to an encryption gateway, or quarantine sensitive data at rest.

The prime benefit of this approach is that the organization quickly begins to understand where the greatest risk resides and how sensitive information is moving inside the enterprise. On the other hand, this set of technologies does not provide robust, persistent enforcement mechanisms natively, which allow the information to be protected both inside and outside the firewall. This means that once the information leaves the organization, it is no longer protected.

Rights management is a second approach that offers strong information enforcement. Rights management products are very good at enforcing policies via encryption. This assures that information stays protected wherever it goes. It also maintains the policy dictated by the business regardless of where the information travels. The policy maintains a log of who should have access, what actions the recipients should be able to take, and provides a robust audit system to provide transparency into those actions.

For example, if a user sends a sensitive M&A document outside the organization to an internal consultant, the information stays protected if that consultant decides to forward it along either maliciously or accidentally. It is that next level of protection that can be surgically applied to the information that DLP products deem sensitive.

The real win for organizations is learning to use both of these technologies in concert to provide seamless automated discovery and persistent protection of only the most important and sensitive information inside the enterprise.

How does digital signature technology, which you’re involved with, fit into this picture?

Although DLP and rights management technologies help provide context and confidentiality for the information, digital signature technology can bolster the protection to include authenticity and integrity. Authenticity is the assurance that the information has come from the intended author of the document, while integrity helps prove that the information hasn’t been changed or altered in transit.

You’ve talked about preventing internal data loss. What about the increased vulnerabilities that arise when you have to share data outside the organization, such as with consultants or partners?

I think this really plays into the strengths of rights management. Because it is a client-server model, you can set up groups of users external to your organization that can be invited (via e-mail) to be part of a secure collaboration environment. Enforcement policies then dictate the particular access and user rights such as printing, copying, or editing based on their identity in a directory system. If a third party outside the firewall leaves the information on a USB stick in a cab, loses their laptop in an airport, or maliciously uploads the document to an Internet portal, the organization can be assured the information is still protected based on that same control policy. If there is a suspicion that information is being compromised, a company can also revoke access to a previously vetted individual or group altogether, at any time.

What role do regulations and/or compliance play in the methods IT uses to prevent data loss?

Regulations do not usually dictate the specific type of enforcement technology required to prove compliance. Regulatory bodies typically leave it up to an organization to decide the best method based on its business drivers, but organizations typically choose technologies that help answer the most pressing questions auditors will likely pose. This includes the “who, what, when, and where” questions regarding the assets under compliance -- so the more transparent the system, the better. It’s also been proven time and again that it is less expensive to be proactive in protecting sensitive information, regardless of whether there is a regulation in place or not.

In these uncertain economic times, how can IT justify proposing additional security projects?

Data breach will not subside just because we are going through a difficult economic period. Based on statistics, we know that the costs of data loss to a company are immense. This is typically due to fines, penalties, loss of brand recognition, and loss of competitive advantage. Regardless of the economic conditions, the ROI is clear to ensure sensitive files are not leaked. However, there are collateral benefits in implementing information-centric technologies like rights management. These technologies can also bolster efficiency and productivity along with providing security protection.

For instance, rights management also provides automated version control for documents to ensure users are always working with the most up-to-date information. This saves countless hours of rework and can even lead to, for example, fewer design errors in a lab or in the field with technicians. If an organization is working on an RFP with multiple bidders, retracting a sensitive bid package after the business has been won can limit exposure to disgruntled bidders who may retain access to sensitive proprietary information. My advice to IT would be to weave in some of the non-security value propositions that often come as a bonus with these types of technologies.

What are the biggest impediments to preventing data loss or the biggest problems IT makes in their security projects?

I think in many cases it is the failure to build a business case from the top down and then secure a firm commitment to security and compliance from the line of business down to IT to make it work. Also getting executive level buy-in and dictating the appropriate levels of mandatory education and training go a long way to ensure projects are successful.

What best practices can you suggest IT follow to overcome these problems?

Best practices around DLP involve making sure that your business objectives are driving your security strategy and technology decisions. For example, if you need to provide a secure collaboration environment for your partners or customers to gain critical product feedback on a major release, that should be considered a tier-one project. Also, remember that people and processes are just as important as technology, so education and training are critical to success. Make sure governance objectives from executives are vetted through compliance and legal departments and are understood by IT.

I’d venture to say that most IT professionals associate Adobe with graphics products such as Photoshop. What products or services does Adobe offer to secure data?

Adobe LiveCycle ES has two solutions components that focus on securing data: LiveCycle Rights Management and LiveCycle Digital Signatures. LiveCycle Rights Management ES provides persistent protection for PDF, Microsoft Office (including Word, PowerPoint, and Excel), and CAD formats (including CATIA, Lattice XVL, and PTC PRO/Engineer files). LiveCycle Digital Signatures ES provides high-assurance, PKI-based digital signatures for certification workflows. Adobe also provides products like Adobe Acrobat Connect Pro that provide a secure collaboration environment through a Web interface.