It's the Information, Stupid

Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.


While the organizational and people oriented elements just described are critical to the success of any program to protect data and information from abuse and improper disclosure, those elements alone are not sufficient to provide the fullest possible level of protection.

To this point we have discussed the need for a data classification policy in an organization and the need to have the proper structure, incentives and capabilities around user awareness, training and incident response to educate the community with regard to that policy on an ongoing basis.

To properly monitor and enforce those policies, there needs to be a sound implementation of appropriate technology solutions to provide the "teeth" for the policies and processes established around the protection of data and information in the enterprise.

There are several technical elements that make a good information and data protection framework. These elements include:

  • Mature Identity Infrastructure
  • Digital or Enterprise Rights Management
  • Data Leakage Prevention
  • Encryption

Identity infrastructure is the base on which the majority of the other tools and solution types are dependent to properly operate. Without proper identity there can be no consistent assignment of rights and privileges to information resources across the enterprise. Most organizations have many moving parts in their identity infrastructures. Invariably some parts are either missing or not working up to their full potential. Without a viable identity infrastructure, many of the tools specifically designed for monitoring and protecting information and data will have only limited success at best; at worst they could possibly be seen as a failure. Once there is a solid identity infrastructure in place with a granular set of user attributes, additional solutions can be deployed for the protection of data and information.

The DRM/DLP Conundrum

Digital Rights Management (DRM) solutions encrypt content at a document level making use of access and authorization criteria from identity infrastructure to prevent the misuse, modification, loss or theft of intellectual property and sensitive information.

In contrast Data Leakage Prevention (DLP) solutions monitor for content on networks and endpoints based on defined criteria such as tags in documents, key word searches and so forth. As content is scanned and the criteria of the search parameters are met, rules are triggered. In less sophisticated solutions, these triggered rules result in some type of alert, typically an email to an administrator who makes decisions and inquiries based on established response procedures. In more sophisticated solutions, content can actually be interdicted or quarantined by the solution based on a rule set.

At first blush, DRM and DLP appear to be competing and mutually exclusive solutions that take different approaches to solving the same issue. There have been equal amounts of controversy and confusion in the market place regarding these types of solutions, which in many ways has slowed the maturity of the solution sets and their mainstream acceptance in the market place.

Both of these solution sets have their pros and cons and some vendors attempt to convince potential customers that their solutions will solve all of their problems in the area of information and data leakage. The fact of the matter is that the majority of these solutions, when deployed as a single solution, provide only partial protection against loss or disclosure of data or information. Other vendors make the caveat that their solutions only provide protection against the inadvertent or accidental loss or disclosure of data or information. These solutions make no specific claim to guard against deliberate loss or disclosure of data and information.

It is important that security practitioners not be lulled into a false sense of security if one of these solutions is deployed and advertised within an organization as the "Silver Bullet" of information and data protection.

These two seemingly competing technologies have some striking similarities to another set of technologies that came to the forefront of the security industry a few years ago. In the early part of the decade, Intrusion Detection Systems (IDS) started to mature and move towards mainstream acceptance and adoption by the security community at large. Not long after that Intrusion Prevention Systems (IPS) were introduced and presented by many as the logical evolution of IDS. Not long after the introduction of IPS, there were proclamations by many information security pundits that IDS was dead, long live IPS! The evolution of the technology has for the most part played out and in the final analysis there is a place in the enterprise for both technologies.

Recently, although on a somewhat smaller scale, a similar proclamation was made regarding DLP technology solutions. Once DLP and DRM technologies are examined, it becomes apparent that there is a place in any enterprise that requires comprehensive monitoring and enforcement of its data classification policies to protect its data and information from improper use.

Going back to the analogy that was drawn between these technologies and the IDS/IPS technologies, it became apparent that you use IPS technologies where you knew what you wanted to block and were very certain that only specific inappropriate traffic was going to be affected. In areas where that certainty was not there, it became apparent that you use IDS technologies to monitor, alert, respond and institute change in the environment to eliminate unwanted traffic as it was identified.

Similarly, the same approach can be used with regard to DRM and DLP technologies being deployed in the enterprise. A DRM solution can be deployed for information that has been properly classified and is resident in known information stores. Once subject to an enterprise policy of a DRM solution, that information is protected during its lifecycle and can be retired at the proper time based on an organization's retention policy, or when there is suspicion of inappropriate use of that information.

For information that has not been classified and/or is not residing in known information stores, a DLP solution can be employed. As critical content is detected by the DLP solution it can then be properly classified, moved to the appropriate information store and become subject to enterprise DRM policy and governance.
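The division of labor described above (DRM for classified content in known stores, DLP for everything else, with alert-only rules beside quarantine rules) can be sketched as a small rule evaluator. This is an added example, not code from the article or from any vendor product; the store name, rule set, labels and sample documents are constructed assumptions.

```python
import re
from dataclasses import dataclass

KNOWN_STORES = {"records-vault"}  # assumed name of a DRM-governed repository

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str  # keyword, data pattern or embedded tag to look for
    label: str    # classification assigned when the rule triggers
    action: str   # "alert" = notify an administrator, "quarantine" = interdict

# Constructed rule set; a real one is derived from the data classification policy.
RULES = [
    Rule("payment-card", r"\b(?:\d{4}[ -]?){3}\d{4}\b", "restricted", "quarantine"),
    Rule("codename", r"\bproject\s+falcon\b", "confidential", "alert"),
    Rule("embedded-tag", r"\[classification:\s*restricted\]", "restricted", "quarantine"),
]
ACTION_RANK = {"alert": 1, "quarantine": 2}
LABEL_RANK = {"confidential": 1, "restricted": 2}

def evaluate(doc: dict) -> dict:
    """Decide which control handles one document and what it does."""
    # Classified content in a known store is already under DRM policy.
    if doc.get("label") and doc.get("store") in KNOWN_STORES:
        return {"handled_by": "DRM", "action": "none",
                "label": doc["label"], "rules": [], "next_step": None}
    hits = [r for r in RULES if re.search(r.pattern, doc["text"], re.IGNORECASE)]
    if not hits:
        return {"handled_by": "DLP", "action": "none",
                "label": None, "rules": [], "next_step": None}
    # The most restrictive triggered rule decides both action and label.
    return {"handled_by": "DLP",
            "action": max((r.action for r in hits), key=ACTION_RANK.get),
            "label": max((r.label for r in hits), key=LABEL_RANK.get),
            "rules": [r.name for r in hits],
            "next_step": "classify, move to a known store, apply DRM policy"}

# Constructed sample documents (the card number is a well-known test value).
SAMPLE_DOCS = [
    {"id": "a", "text": "Q3 board minutes", "label": "confidential", "store": "records-vault"},
    {"id": "b", "text": "Notes on Project Falcon pricing", "store": "laptop-17"},
    {"id": "c", "text": "Customer batch: 4111 1111 1111 1111, ref Project Falcon"},
    {"id": "d", "text": "Lunch menu for Friday"},
]

def scan_all(docs):
    return {d["id"]: evaluate(d) for d in docs}

if __name__ == "__main__":
    for doc_id, decision in scan_all(SAMPLE_DOCS).items():
        print(doc_id, decision)
```
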

The last element of any information and data protection program is to employ encryption on any and all high-risk devices in the enterprise. This typically means laptops and mobile devices. It is important to identify all types of information that exist in the enterprise that may not be subject to the DRM solution or, by their nature, may not be detectable by the DLP solution at some point in their life cycle.

Those are the areas that require traditional encryption solutions. Examples of this type of information might be data that is received in batch transmissions from customers for processing or analysis that enters the environment in an unencrypted format due to customer preference. Once that data is on your organization's systems, your organization may be responsible for it unless specific language in a legal agreement states the opposite. As this data is passed through an organization, the source data is often unclassified and only the output of the processing or analysis is classified. This again is an obvious requirement to have encryption for all places that this data might end up. A combination of both full disk and volume encryption on laptops, file servers and mobile devices will provide maximum protection of this type of information.

By using these solutions in combination with good user awareness and training, appropriate policy and process, an extremely well thought out solution to reduce the risk of information and data leakage can be accomplished, resulting in a set of reasonable controls against these risk areas.


In summary there are several things that drive the need for protecting information and data in addition to infrastructure:

  • The change in mentality and motives of hackers and cyber criminals.
  • The realization that it is the information and not just the infrastructure that needs to be protected.
  • The increase in a technologically savvy workforce that uses every conceivable tool and utility to bolster its productivity and connectivity to others at work, at home or on the road.
  • The intentional break down of enterprise perimeters and the increased collaboration between partners, customers and suppliers.
  • The ever-increasing regulatory pressure to manage the information and data that exists within an organization.

To achieve a reasonable level of information and data protection requires that the following are in place within an organization:

  • A work force that understands the importance of the various types of information and data in the enterprise;
  • Consequences for the individual and the organization for the misuse of this information;
  • Understanding all of the information egress vectors that exist in a given enterprise;
  • Developing the proper controls to address the information egress vectors that have been identified; and
  • Implementing the proper technology solutions to monitor and enforce those controls over time.

The basic elements of a data leakage prevention program consist of:

  • A data classification policy
  • A user training and awareness program
  • Inclusion of security in general and data leakage/protection of critical information in employee policy acknowledgements and as individual performance objectives
  • A mature identity infrastructure
  • A Digital Rights Management (DRM) Solution
  • A Data Leakage Prevention (DLP) Solution
  • Encryption on targeted devices based on risk
  • A mature incident response capability

Many organizations have at least some of these elements in place and at some level of functionality already. Based on an organization's risk tolerance, consideration should be given to adding those elements not already in place to any long term security strategy.

Jason Stradley is a senior security consultant for BT, providing executive-level strategic security and business consulting to Fortune 500 clients. He can be reached at or by phone at (630) 525-1834.

Copyright © 2009 IDG Communications, Inc.
