As enterprise security hones its focus on data loss prevention (DLP), the networking team must be a part of the conversation on how best to implement safety measures such as deep-packet inspection (DPI).
According to Rich Mogull, principal and founder of security consulting practice Securosis Inc., there are three points at which data leakage can occur, all of which must be kept in mind when developing a DLP strategy:
- Data in motion -- what's going across the enterprise network, such as corporate email, webmail, forums, blogs and IM.
- Data at rest -- stored not just in the data center but on laptops, desktops, USB keys, and even PIM information in mobile devices.
- Data in use -- documents in use, where formerly protected data can be printed or simply copied and pasted into an insecure format.
Data in motion is the segment most likely to concern networking professionals, Mogull said, and it's also one of the first places to start securing with DLP.
That's because the data leakage occurs as information is sent across the network, and the best places to detect its release are at network choke points. Without having at least some coordination with networking, not all of those choke points will necessarily be discovered.
Fortunately, given some research and open channels of communication with other departments – including legal, compliance, network security, and auditing – DPI won't change the day-to-day networking job, Mogull said.
"It's a minor adjustment, another box or bump in the wire," he said. "What you want to do is do your research."
Over the past few years, viruses and black hat hackers have taken a back seat to internal threats: 28% of surveyed networking decision makers recently responded that data leakage was the primary threat, compared with only 14% who marked external threats as their biggest concern, according to a recent SearchNetworking survey.
"[DLP is] definitely a growing area," Mogull said. Last year, it was only a $70 million market, but it's one that enterprises are starting to pay more attention to as rising risks and regulations make it impossible to look the other way, he said.
The need for strong DLP is most keenly felt in industries such as healthcare, finance and education, which have a myriad of compliance rules, but it's spreading to other fields, like manufacturing, where data leakage can potentially destroy a competitive advantage.
"It's becoming more horizontal," said Keith Crosley, director of market development for ProofPoint, which provides tools to detect and prevent data leakage. "This remains a huge area of risk, and a large number of companies experience theft of customer information."
Crosley offered some questions companies should ask themselves when considering DLP:
- When is it OK to send information outside the enterprise via email? When is it not?
- What types of information are prohibited in the email (and other messaging) system(s)? Transactional data? Customer data? Intellectual property documents? Internal memos?
- What types of procedures will be necessary to discourage risky behavior and enforce established policies? Punishment? Termination?
- What is our process for reviewing and revising policies in the event that changes occur or policies fail to work as expected?
Crosley also suggested contacting various DLP vendors and asking for help conducting an audit, which can often be a free service and is invaluable in establishing whether or not an enterprise should move forward with deep-packet inspection to stop data leakage.
Ultimately, however, the decision needs to be made based on independent analysis, which means taking a look at how real the dangers are and how much damage will be done if data does leak out. Although advanced DLP techniques are spreading and may well be standard someday, employee education may be the most effective answer for many companies. This is advice DLP vendors are unlikely to offer.
"You definitely want to do a little bit of research before you go to the vendors," Mogull said.