19 May 2010

Is Information Protection Even Possible?

December 17, 2009 by Danny Lieberman, Security Expert and Founder of Software Associates

A few months ago I saw an article in ComputerWeekly that asked: Is data loss prevention possible?
“Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occurring is through a couple of fundamental controls, namely 1. Reduce and limit access to data 2. Control the “copy-ability” of data…”
I think a more relevant question is "Is information protection possible?"
The author correctly identifies that it is easier to access data (and leak it) than to modify or delete it. However, the notion that data is out of control in the corporate world is an over-reaction and does a disservice to most businesses.
Companies already manage access and control "copy-ability". This is not new, nor is it effective against the threat of a major data loss event.
Organizations from SMEs up to the Global 2000 run Microsoft networks based on Active Directory, with planned (if not always well executed) group policies and permissions management.
Controlling access and copy-ability in the service of business objectives is precisely what these systems are for.
If you need finer-grained copy protection, there are dozens of endpoint security products, from Check Point, McAfee and Symantec to ControlGuard.
If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don't think DRM is effective for enterprise information protection.
DRM changes the user experience and depends on user behavior, it can be broken or bypassed, and because of those constraints DRM systems are difficult to deploy at scale.
However, permissions and rights management and, more recently, removable device management have not prevented major data loss events like Heartland or Hannaford.
The reason is that once rights are granted, the user is trusted and can move the data anywhere he or she wants.
We need information protection, not copy protection, delivered in a way and at a cost that fits the business.
Information protection is possible by taking a value-based approach that integrates with the business operation.
Analyze your business requirements and threat scenarios, and only then consider data loss prevention solutions like enterprise information protection from Verdasys, agent DLP from McAfee or a gateway DLP solution from Fidelis Security.
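The "value-based approach" above can be made concrete as a small threat model: put a value on each data asset, estimate the annual expected loss from each threat scenario, and then rank candidate controls (device control, gateway DLP, DRM) by how much expected loss they remove per unit of cost. The following Python script is an added illustration of that ranking step; it is not code from the original post or from any vendor named in it, and every asset, threat, probability, cost and mitigation figure in it is constructed for the example.

```python
"""Value-based selection of data-loss controls: rank candidate countermeasures
by annual risk reduction per unit of cost instead of by feature list.
All asset names, threat scenarios and numbers below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business value in currency units (constructed)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset the threat acts on
    probability: float      # expected occurrences per year
    damage: float           # fraction of asset value lost per occurrence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float             # annual cost of running the control
    mitigation: dict        # threat name -> fraction of that threat's loss removed


def expected_loss(threat, assets):
    """Annualised loss expectancy of one threat: value x probability x damage."""
    return assets[threat.asset].value * threat.probability * threat.damage


def residual_risk(threats, assets, controls=()):
    """Total annual expected loss after applying the given controls.
    Independent controls on the same threat combine multiplicatively."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for c in controls:
            factor *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += expected_loss(t, assets) * factor
    return total


def rank_controls(threats, assets, controls):
    """Return (name, risk_reduction, reduction_per_cost_unit), best first."""
    baseline = residual_risk(threats, assets)
    rows = []
    for c in controls:
        reduction = baseline - residual_risk(threats, assets, [c])
        rows.append((c.name, reduction, reduction / c.cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def select_within_budget(threats, assets, controls, budget):
    """Greedy pick: take controls in order of standalone cost-effectiveness
    while they still fit the budget (ignores overlap between controls)."""
    by_name = {c.name: c for c in controls}
    chosen, spent = [], 0.0
    for name, _, _ in rank_controls(threats, assets, controls):
        c = by_name[name]
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen


# Constructed sample inventory: two assets, three leak scenarios, three controls
ASSETS = {a.name: a for a in [Asset("cardholder data", 5_000_000),
                              Asset("HR records", 500_000)]}
THREATS = [
    Threat("insider copies cardholder data to USB", "cardholder data", 0.2, 0.5),
    Threat("malware exfiltrates cardholder data", "cardholder data", 0.1, 0.8),
    Threat("HR records emailed outside by mistake", "HR records", 0.3, 0.2),
]
CONTROLS = [
    Countermeasure("removable device control", 50_000,
                   {"insider copies cardholder data to USB": 0.7}),
    Countermeasure("gateway DLP", 150_000,
                   {"malware exfiltrates cardholder data": 0.6,
                    "HR records emailed outside by mistake": 0.8}),
    Countermeasure("DRM on HR records", 120_000,
                   {"HR records emailed outside by mistake": 0.9}),
]

if __name__ == "__main__":
    print(f"baseline annual expected loss: {residual_risk(THREATS, ASSETS):,.0f}")
    for name, reduction, ratio in rank_controls(THREATS, ASSETS, CONTROLS):
        print(f"{name:26s} reduction {reduction:>9,.0f}  per cost unit {ratio:.2f}")
    picked = select_within_budget(THREATS, ASSETS, CONTROLS, budget=200_000)
    print("chosen:", [c.name for c in picked],
          f"residual {residual_risk(THREATS, ASSETS, picked):,.0f}")
```

With the constructed figures, the cheap removable-device control removes far more expected loss per unit of cost than DRM on the HR records, which is the point of doing the analysis before buying: the ranking comes from the business value at risk, not from the product category. The greedy selection is deliberately simple; a real exercise would also recompute marginal reductions after each pick, since two controls covering the same scenario overlap.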

Source: http://alturl.com/ccah