Why do security people have a job? You CISSPs should know this: it’s to keep data confidential, maintain data integrity, and keep data available (CIA). Period. If your work assignments don’t fall into these three categories, then they are not security related.
So it amazes me that Data Loss Prevention isn’t being adopted quickly by every government agency that has data security as a priority. IDS/IPS, firewalls, AV, and web security all have their place, as do things like properly patching, certifying and accrediting hardware. But none of these technologies provide agencies with WHAT THEY NEED MOST: a data-centric view of their network, and the ability to see how agency data moves through its business processes.
The biggest crime today against US companies and government agencies is data theft. Arguably, data loss caused by legitimate users is an even bigger problem. It’s easy to find examples of government agencies that have suffered serious data breaches due to accidental or non-malicious misuse. Many of the security people at the top lost their jobs. And they should have. An event that happens once should be a lesson learned. If, after a breach, no compensating controls are planned and implemented, then the person responsible is negligent and/or incompetent.
What No IPS or Firewall Can Do.
IDS and firewalls control access into and out of the network, but this protection is network based, and it is pretty good at stopping attacks from the outside.
In today’s data-centric environments, that is not enough. A hardened firewall or properly tuned IPS cannot protect against a known user accidentally emailing sensitive data. It can’t stop data that should have been encrypted before going out. It can’t stop transmission of sensitive data to open chat, peer-to-peer, or webmail sites. Firewalls are no protection for sensitive data going to the websites or IP addresses of our enemies.
It can’t do these things because, while firewalls and IPS are protocol and packet smart, THEY ARE DATA DUMB. Firewalls and IPS can’t determine where sensitive data resides on the network. Firewalls provide no way of categorizing sensitive data. IPS doesn’t see where data is coming from, where it is going, what the data is, or how it’s being sent. A good DLP architecture protects against exactly this.
At the core level, DLP looks at suspicious data and provides a way to identify, monitor, and protect that data. But DLP is even more valuable at a higher level of abstraction: it surfaces the underlying business problems that cause sensitive data to be misused.
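To make the “data dumb” versus “data smart” distinction concrete, here is an added example (not code from the original post or from any DLP product) of the core DLP decision: classify the content of an outbound message, then decide based on who is sending it, where it is going, and over which channel. The PII patterns, the `@agency.example` domain, the channel list, and the sample events are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Content classifiers for two kinds of PII: US SSNs and payment card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, spaces/dashes allowed
UNCONTROLLED = {"webmail", "chat", "p2p"}           # constructed policy: channels with no controls
INTERNAL_DOMAIN = "@agency.example"                  # constructed placeholder domain

def luhn_ok(digits: str) -> bool:
    """Mod-10 check: separates real card numbers from random digit runs (cuts false positives)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit counting from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

@dataclass
class Event:
    sender: str
    destination: str
    channel: str      # email, webmail, chat, p2p ...
    body: str

@dataclass
class Verdict:
    action: str                      # allow, alert or block
    findings: list = field(default_factory=list)

def inspect(ev: Event) -> Verdict:
    """Identify sensitive content first; only then look at source, destination and channel."""
    findings = [("SSN", m.group()) for m in SSN_RE.finditer(ev.body)]
    for m in CARD_RE.finditer(ev.body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("CARD", m.group()))
    if not findings:
        return Verdict("allow")                       # no sensitive data: nothing to enforce
    if ev.channel in UNCONTROLLED or not ev.destination.endswith(INTERNAL_DOMAIN):
        return Verdict("block", findings)             # PII leaving by an uncontrolled path
    return Verdict("alert", findings)                 # internal PII transfer: monitor, don't stop

# Constructed sample events: an internal case file, a webmail leak, and a benign chat.
SAMPLE_EVENTS = [
    Event("alice@agency.example", "bob@agency.example", "email", "Case file: applicant SSN 123-45-6789 attached."),
    Event("alice@agency.example", "friend@webmail.example", "webmail", "fyi card on file 4111 1111 1111 1111"),
    Event("carol@agency.example", "dave@agency.example", "chat", "order ref 1234 5678 9012 3456, no card data"),
]

def run_all() -> list:
    return [inspect(ev).action for ev in SAMPLE_EVENTS]   # returns ['alert', 'block', 'allow']
```

The third event shows why content classification needs more than a regex: the 16-digit order reference fails the Luhn check, so the chat is allowed rather than blocked on a false positive.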
It only takes one email, one chat session, or one peer-to-peer data exchange to lose data.
Remember, it’s not just about PII! Depending on your agency, a person’s or company’s financial future could depend upon the proper security of your data. At some agencies, data protection is literally a matter of life and death.