Security Watch | Matt Hines

November 19, 2007

Process leads to information leakage

With security vendors pushing complex technologies such as data leakage prevention (DLP) and network access control (NAC) as elixirs for organizations' information security headaches, a recent study aimed at examining enterprises' intellectual property usage policies points to a glaring lack of planning.

The study -- prepared by Enterprise Strategy Group and sponsored by Reconnex, a provider of DLP appliances -- finds that while companies seem more willing than ever to allow people to access their proprietary data, many organizations may be failing to identify and protect the very assets they're so worried about losing.

Vendors and analysts tell us that enterprises are snapping up security products -- including the many flavors of DLP, and there are many -- aimed specifically at blocking the theft of intellectual property and sensitive information such as customer data.

However, of the hundred-odd North American IT security pros that ESG recently interviewed -- who worked for companies ranging from 1,000 to more than 20,000 employees -- 46 percent admitted that they have no standard policies and procedures for classifying data as IP across their entire organization.

That comes despite the fact that 66 percent said that their organizations share a moderate to substantial amount of information with business partners.

How does an organization protect information when it doesn't know where that information is -- while at the same time granting other people access to it?

Furthermore, while those interviewed said that their employers plan to share more IP with their partners in the next several years, few have plans to expand their process for reviewing how the information is exchanged and protected.

ESG found that:

- Only 41 percent of respondents worked at organizations that have a formal process to determine which IP can be shared.
- Only 42 percent indicated that their organizations review their IP access and usage policies more than once per year.
- While 64 percent were confident that their employer's security department is aware of all business partners who have access to IP, only 54 percent were confident that their organizations knew the specific IP that their business partners can access.

"The way that these companies classify, monitor and manage access is still pretty messy; they need to put some better processes and safeguards in place or they're going to get burned," said Jon Oltsik, the ESG analyst who authored the study.

"It's almost a little surprising how much data they are sharing and how aggressive their plans are to do more, especially among the larger end users," he said. "They can't stop the business train from moving down the tracks, but it's surprising how poorly some of these companies are managing security; they need better policies in place and better management of access controls."

One of the biggest procedural issues contributing to the problem is that so many different people within a typical organization are involved in defining just what information constitutes IP. From legal departments and business managers (51 percent) to IT (46 percent), the network of people needed to make an official determination often leads to a failure of process, Oltsik said.

So, it would seem that companies could probably do themselves a huge favor merely by retooling their IP classification, usage and access enforcement policies.

Part of those efforts, Oltsik said, could involve the employment of some form of DLP.

While only 17 percent of respondents said their organizations currently use network-based DLP appliances, companies like Reconnex claim that their filtering devices can help locate, catalogue and protect IP "across an organization."

Other companies promise similar results using security gateways or endpoint-based filtering software, the so-called DLP agent approach.

Analysts like Oltsik seem to believe that network-based and agent-based products will eventually converge into a single product set. The DLP space has recently been swept up in consolidation among the many startups pitching each type of product, and some, like Reconnex and Vontu -- acquired by Symantec -- claim to offer both.

It certainly seems likely that companies like Symantec, McAfee and IBM, among others, will soon offer both pieces in unison as part of larger security offerings.

Among the dozens of DLP tool providers that remain independent, Reconnex appears to be seen as interesting because its approach involves a heavy element of data classification in addition to its filtering capabilities.

Whether that makes the company a long-term bet as a standalone, or merely another DLP acquisition target, is not immediately clear.

Regardless of all the vendor hype, it is clear that companies will continue to find themselves at the crossroads of two major and seemingly unavoidable trends: the demand to allow greater access to valuable information, and a rising number of attacks aimed specifically at stealing that same data.

"With the data-sharing, that horse is out of the barn; certainly some companies will slow down to bolster security, but my expectation is that business will trump security concerns and people will live with the risk if they can drive productivity," Oltsik said. "Regulations will help convince some people to do a better job, but this is an issue of broken business processes at its center."

Posted by Matt Hines on November 19, 2007 11:01 AM
