The past three years have flown by and I cannot believe where we are now when it comes to Data Loss Prevention (DLP).
First a bit of background – I am the Principal Consultant for security at Insentra. I have been working as a Symantec consultant for ten years of which six have been at Insentra. My goal has always been to be a subject matter expert in security with a particular prowess across the suite of Symantec technologies. Most of my project work consists of Symantec Data Loss Prevention and Symantec Endpoint Protection implementations across Australia and New Zealand. I also work with an exciting array of other technologies such as encryption, two factor authentication, identity management, data classification and tagging.
Three years ago I started to investigate DLP even though at the time there wasn’t a lot of ‘opportunity’ or ‘interest’; I knew in the future it would be a high growth area so I pursued the Symantec Data Loss Prevention certification. The certification was challenging given the size of the Symantec DLP solution and its flexibility. When I received my certification I was pleased with my success. But that was just the beginning…
Slowly DLP opportunities started rolling in. Small ones with around 100 users and only a few detection technologies deployed. I found these to be the most valuable projects as they provided a solid foundation on which to build a DLP practice and provided a deeper understanding of the complexity organizations face when managing and protecting their data.
WHAT PEOPLE FORGET
Over the past three years the projects have grown in complexity and size. The last project completed was to build a DLP infrastructure to scan 28TB of data for a financial services organization. It consisted of twenty-six servers and was focused on first finding existing Payment Card Industry (PCI) data on both file shares and in Exchange, and then to continually monitor for PCI violations on endpoints. One of the important things that people seem to forget is how many millions of files and tens or hundreds of thousands of folders exist in 28TB of data. The DLP servers were integrated with optical character recognition (OCR) servers giving the system the ability to do scan image files as well as text files. Correctly sizing an infrastructure like this is paramount to get the best bang for your customer’s buck.
From a technology perspective the solutions are becoming more powerful and complex. DLP is moving beyond “data loss prevention”. It is a platform that can be used to find, classify, tag and encrypt data. The sky is the limit for consultants who want to do a lot of reading and travelling!
For those of us who are techies, we love technology because of the cool stuff it can do and how it can solve business problems. However, unless there is a customer who recognises they have a problem and wants to buy what you are doing you do not get paid. What I want to focus on next is the “why” of DLP. Why are our customers wanting our services?
WHY DEPLOY DLP
In my experience, there are four key reasons that our customers want to deploy a DLP solution:
PCI Compliance
The most common reason Insentra is engaged to assist customers with DLP is for PCI compliance[1]. The PCI standard is there to protect payment card information such as credit card numbers, CCV numbers and magnetic stripe information.
The majority of companies we have assisted are financial services companies. However, the scope of the PCI standard covers all merchants who use payment cards. PCI compliance can be a challenge because credit card numbers (CCNs) can contaminate data repositories. There may be CCNs in email stores, file stores, databases and backups. Below is a sample of questions that must be addressed when doing an DLP for PCI project:
- How do you find CCNs in the environment?
- What strategy do you use to remove the CCNs?
- How do you prevent the re-contamination of the environment with PCI data?
In organizations with thousands of users and terabytes of storage, PCI compliance requires people who understand data and a tool to identify and manage incidents.
General Data Protection Regulation (GDPR)
GDPR was approved by the General Council in April 2016 and came into effect this May (2018), with the intent to protect personal information for people who live in the European Union (EU). Under the GDPR, Companies must protect all information that can be used to identify a person such as name, address, phone number, social media posts and IP address.
Furthermore, the scope of GDPR is global. If a company is found guilty of violating the GDPR regulation they could be fined a maximum of 4% of their annual global turnover or 20 million Euros[2].
Under the regulation EU residents have the following rights:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
Who cares? The regulations are for the EU, right? Wrong! These regulations affect businesses globally. Therefore, if you are outside of the EU but have EU citizen data, your organization is also bound by GDPR.
Australian Prudential Regulation Authority (APRA)
APRA covers deposit taking organizations such as banks, credit unions and insurance companies[3].
Some of the smaller financial services industry clients we have worked with have been subject to APRA audits which discovered the lack of a DLP capability. As a result, I was engaged to:
- Assist the business identify data repositories
- Identify data owners
- Deploy a DLP infrastructure
- Develop an incident response strategy
It is not uncommon to include PCI discovery with this piece of work like this.
Notifiable Data Breaches Scheme
The Notifiable Data Breaches scheme is Australian legislation driving more companies to adopt a data loss prevention strategy[4]. The scheme came into effect 22 February 2018 and mandates Australian organizations with obligations under the Australian Privacy Act 1988, to notify a person if there is a breach of their personal information where that breach is likely to result in serious harm. This includes organizations such as:
- Australian Government agencies
- Businesses and not-for-profit organizations with an annual turnover of $3 million or more
- Credit reporting bodies
- Health service providers
- Tax File Number recipients
When a breach occurs, the organization must act. When an eligible (serious) breach has occurred, the breach must be investigated to determine the severity and must promptly notify any individuals at risk of serious harm as well as notify the Privacy Commissioner in accordance with the notification requirements.
According to zdnet.com, 31 notifications were made to the Office of the Australian Information Commissioner (OAIC) in the first month since the scheme has been in operation. How many of these events could have been prevented if the organizations had personnel trained in the prevention of data loss and a tool such as Symantec Data Loss Prevention?
SUMMARY
I have provided a quick summary about why I got involved with data loss prevention and the drivers that are causing the opportunities to grow. As a DLP consultant, I am assisting my customers protect their most important asset, their information. I would encourage anyone who enjoys working with business processes as much as they enjoy working with technology to investigate a career in data loss prevention. This is just early days and the opportunities are endless.
