Why reinvent when you can leverage existing investments in data security?
When it comes to data security, where would you bet your money? DLP?
Since the onset of ‘digital’, data security has become a priority. Companies across the world, especially in the European Union, have always approached this issue in a very studiously. For others, it has largely been a matter of regulatory compliance.
Data security practitioners, such as CISOs and CIOs, it has always to touchy subject: would it be a question of ripping and replacing existing IT infrastructure? Who would want to reinvent the expensive wheel? Fortunately, Data Loss Prevention (DLP) solutions came to the rescue.
Sitting at the periphery, DLP monitors all data traffic, identifies and, if necessary, blocks files that are not supposed to exit the network. To the CISO, this seemed cool – a single data security solution that promised compliance. Today, DLP has become an almost ubiquitous solution across enterprises of all hues and sizes protecting intentional and unintentional data breaches. Well, that’s how CISOs love to think.
So what’s wrong?
If DLP solutions were the answer to data loss risks, why do we have so many data breaches? There are reports by analysts and data security practitioners who state that DLP may not be the ultimate solution. Well, maybe not in its current form. The problem with such solutions is based on the ‘Content’ paradigm. Such solutions function based on content and hence, more of than not, tend to impediment legit operational requirements.
A content-based DLP solution would not have a deep perspective, such as purpose or context, of a transaction. Content-based DLP solutions typically scan content to discern data sensitivity based on keywords. However, this could lead to further complications such as ‘false positives’ and ‘false negatives’ maybe even leading to permitted data being blocked and unauthorized data passing through the security filter. This, needless to say, leads to user frustration.
Context above content
So is there a way for the CISO to retain his investments in data security, yet raise the security standards? There is. It is called context-aware DLP. Such software has the ability to discern the context of the data flow (to and from) and the user.
Let’s consider the example of an aeronautical engineering company. All aircraft component documents, such as CAD drawings and technical specification document, would be stored in a repository, such as the content server, with each document tagged and classified. The document classification is linked to the relevant engineer. This ensures that only authorized engineers and personnel get access to the documents and are allowed to read or edit it as per policy.
Unfortunately, the internal classification does not encompass exported files. Content-based DLP solutions, based on key words, cannot discern the ‘need to share’ and hence, may block files from being legally shared. Hence, some of these documents which have to be shared with external OEMs may not pass through the security filter.
However, a context-aware solution, integrated with the content server, would be aware of the internal classification and would take the necessary action – i.e. tag it with metadata, such as a classification label, allowing the DLP solution at the end point to either block the file or transfer it.
It’s always about integrated contextual awareness
Integration is a fundamental prerequisite. Context-aware solutions have to be integrated with applications housing sensitive company data. Many companies typically use ERP systems that are the repository of all IP and business-specific data. Context-aware solutions best fit within the ERP, consequently closing security gaps.
Are you an SAP user? Are you aware of the documents that exit your system? SECUDE’s HALOCORE® is a unique solution for controlling and protecting intellectual property and personal data that are exported from SAP. HALOCORE® not only meets GDPR requirements, but shuts the door to security breaches. Read about the solution here.
Comments are closed.