01 Aug, 2009
B2B in Canberra Magazine (August): Advice Column with Arun
Data loss prevention (DLP) refers to a range of hardware and software technologies, and the processes around them, that attempt to detect and prevent unauthorised leaks of information from within an organisation, often by inspecting content for keywords or patterns that indicate it is likely to be sensitive. DLP solutions are generally grouped into three categories, according to where they examine data:
Data in transit: network-based solutions that inspect data as it is sent from within the organisation to external networks (eg. via email)
Data at rest: solutions that scan data held in repositories within the organisation (eg. file servers)
Endpoint-based: software installed on company desktops, laptops and mobile devices, which can also control what is copied to portable media
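The keyword inspection mentioned above is the simplest form of content scanning. As an added illustration (not code from the column or from any DLP product), the Python below shows the kind of check a DLP engine applies to an outgoing email (data in transit) or a file on a share (data at rest). It goes one step beyond plain keyword matching: candidate payment card numbers are found by pattern, then validated with the Luhn checksum that real card numbers satisfy, which cuts down false positives on order numbers and other long digit strings. The keyword list, the test card numbers and the sample messages are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative keyword list (assumed for this example, not from the article).
SENSITIVE_KEYWORDS = ("confidential", "internal only", "commercial-in-confidence")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Payment card numbers carry a Luhn check digit, so a 16-digit string
    that fails this test is very unlikely to be a real card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits so a finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    kind: str    # "card_number" or "keyword"
    value: str   # masked card number or the matched keyword


def scan_text(text: str) -> list[Finding]:
    """Inspect one message or file body and return what a DLP engine would flag."""
    findings: list[Finding] = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                       # drop pattern-only false positives
            findings.append(Finding("card_number", mask_pan(digits)))
    lowered = text.lower()
    for kw in SENSITIVE_KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    return findings


def should_block(text: str) -> bool:
    """Policy for this example: block anything carrying a validated card number."""
    return any(f.kind == "card_number" for f in scan_text(text))


# Constructed sample content, one item per DLP category from the article.
SAMPLES = {
    "outgoing email":  "Hi, the customer's card is 4111-1111-1111-1111, please process.",
    "file on share":   "CONFIDENTIAL: Q3 pricing. Order ref 4111 1111 1111 1112.",
    "usb copy":        "Contact the office on 6260 8878 for details.",
}

if __name__ == "__main__":
    for channel, body in SAMPLES.items():
        verdict = "BLOCK" if should_block(body) else "allow"
        print(f"{channel:15} {verdict:5} {scan_text(body)}")
```

Note that the second sample contains a 16-digit string that looks like a card number but fails the checksum; a keyword-only or pattern-only scanner would treat it the same as the first sample, which is exactly the kind of false positive that makes naive DLP rules noisy in practice.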
Whether caused by deliberate or inadvertent behaviour of employees or external parties, unauthorised data disclosure can have numerous implications for an organisation. The most obvious are reputational damage and financial loss, whether through legal action or through loss of market advantage when information reaches competitors. For example, in January 2007 TJX Companies Inc. (a large US-based apparel and fashion retailer) disclosed a compromise in which over 45 million payment card numbers belonging to its customers were leaked. The resulting class action ended with the company paying a settlement of US $200 million. Beyond the significant risk of identity theft to its customers, TJX sustained substantial damage to its brand, and its share price fell significantly.
While DLP solutions can reduce the risk of these scenarios being realised, the technology is still at a relatively early stage of development and should not be considered a panacea for unauthorised data leaks. As with any technology, effective policies and processes must be in place so that the controls form part of a defence-in-depth strategy rather than standing alone.
Nevertheless, DLP solutions are likely to gain prominence in future, given that the Australian Law Reform Commission has recently recommended changes to privacy law that would require organisations to notify affected individuals of unauthorised leaks of their personal data. If enacted, this would mean that leaks of customer information likely to result in real harm to a person would have to be reported, potentially exposing the organisation to significant negative publicity.
DLP may offer organisations a way of reducing the likelihood of such an event. Australian businesses would therefore be well advised to monitor developments in DLP technology and to consider whether its benefits justify the up-front implementation costs.
Arun Raghu is a consultant and researcher at stratsec. For your small business information security needs, contact stratsec.
T: 6260 8878 E: info@stratsec.net W: www.stratsec.net.