Tag Archives: Data Protection Act

When Does DLP (Data Loss Prevention) Make Sense??

I read Dan Raywood’s SC article this week called “Criticisms made of lax attitudes to data loss prevention tools” and I totally agree with Michael Gabriel’s thoughts on companies, and in some respects the InfoSec communities attitude to DLP technology.

The reason for my interest in this article is because I am in the process of deploying a DLP solution across EMEA and so far I have been very impressed with how things are going, and the benefit it can bring to the organisation. Before doing this project I did think DLP technology would be valuable to organisation, and because I am a geek I love any excuse to mess about with new technology, however I did have concerns about how effective it can be.

I still hold true to some of my original thoughts, and I don’t think DLP is right for everything. I think it is very dependant on the industry you are operating in, and the maturity and security posture of your organisation.

In the article Andrew Waite mentioned that the basics are essential, and unless you have this right you shouldn’t look at DLP. I agree that security basics are essential, and for many reason companies still struggle with this (lets not even talk about patching), however I think DLP could actually help you build an improved case for securing budget for a security back to basics programme.

So when does DLP make sense, and what do you need to be aware of if your going to implement it?

DLP makes sense if you know what you want to protect. This might sound obvious or stupid, however many companies don’t really know what their critical business assets are. Some DLP system can help you identify where this data lives if you don’t know via network and endpoint discovery. Obviously its not a miracle system so you need to give it a clue. You can provide a sample of data and let it use its signatures to find similar, or you can use keywords and phrases etc.

So if you know what your data looks like, and even better if you know where it is, you can point your DLP solution at it, and it will form extracts of the data within the files, and monitor specific network files and folders and then perform verification lookups in real time when data passes through its systems. This is where your policies and rules are important, and as also noted in the SC Article don’t expect it to be effective if you create once and never look at them again, the business changes, so do our processes, policies and rules. We can then leverage (or build cases to invest) in other technologies to prevent the data from leaving the organisation in the first place. So monitor and alert on all network traffic, prevent your critical information being lost externally on removal media, corporate email, webmail, social networking sites, forums, blogs and instant messaging. In my mind the primary reason for DLP is to help your protect and prevent the loss of what matters most to your organisation, its intellectual property, its key business assets. However, DLP can also help you with your Data Protection Act obligations, as well as the wonderful PCI:DSS requirements, as you can define signatures / criteria for your DLP system to match against, some vendors even have these available as default policies.

So if by now your thinking it makes sense to you, and your company has a reasonable grasp on its assets, and hopefully data flows, and you have convinced someone to release the purse strings, your install DLP and your done…. right?

Of course things are not that simple (although it is a little simpler if your in the US as we know there is no privacy 🙂 ). I am in the UK, but need to know about EU regulatory requirement, and as soon as your talking about monitoring and blocking you need to do alot of preparatory work. So hopefully you have some policies in place, and have worked with your legal and HR teams when you implemented email and web filtering technology, well now is a good time to renew those friendships.

So what should you be thinking before you go switching on your new shinny DLP technology. Below I have created a list, some of them may not be applicable to you and the country you are in, but it should at least provide a checkpoint and food for thought, before going away monitoring everyone, until to be shutdown by HR and Legal when you go to give someone the boot from gross miss-conduct when violating company policy.

DLP points for consideration:

  • Resilience in your solution
  • Capacity in your solution (Powerful Tin, Pipes with Capacity, Geographical coverage)
  • Acceptable Usage Policies (Covering the level of monitoring and prevention DLP will provide)
  • Communication (Even though your policies cover it, have you communicated this to staff, and updated policies. The goal is to stop loss by have it not happen)
  • Employee Consent (In some countries such as Germany for example, employee consent is required when you doing this monitoring)
  • Consent not given approach (When an employee does not give consent, how will you handle it? Prevent the use of business systems for personal use?)
  • Data Protection Commissioner Approval (It is always worth having a DLP business process defined so you can share this with the DPC if questioned, however in some countries prior consent from the DPC is required)
  • Workers Council Approval (In some countries workers councils have alot of grunt, it is essential to get their buy in and approval)
  • Labour Inspection (In Italy for example the labour council need to give consent for each office location monitoring occurs, other countries may have something similar)
  • Build and Test policies and rules (This is hopefully obvious. Build and test your DLP policies and rules, tweak as required, and use this as evidence to reassure the business on the uptake of your new solution)
  • Ensure the data your policies are using for matching is accurate and up to date
  • Ensure enough resource is available for daily review, monitoring and management
  • Have a process defined for expediting and reviewing policy violations

DLP is a good tool with the right information, processes and people behind it. Like anything understanding your business, your objectives and proposed outcomes is essential in its success.


Information Commissioners View on using Personal data for system testing

Following on from my recent post on “Doing the right thing when testing with production data“, I was discussing my frustation with a colleage at work and they told me to take a look at a copy of the the “Data Protection: Guidelines for the Use of Personal Data in System Testing” document. We had an old copy, and this is a statement from the ICO, in 2003 I believe. There is an updated 2009 version, but I dont have access to this, so I am unable to comment. Either way its a useful snip it to share with everyone.

The Information Commissioner’s view
The ICO advises that the use of personal data for system testing should be avoided. Where there is no practical alternative to using ‘live’ data for this purpose,
systems administrators should develop alternative methods of carrying out system testing. Should the Information Commissioner receive a complaint about
the use of personal data for system testing, his first question to the data controller would be to ask why no alternative to the use of ‘live’ data had been found.
Key risks in system testing There are a number of general risks that exist whenever system testing is undertaken using live data and/or a live environment.

These are as follows:
• unauthorized access to data;
• unauthorized disclosure of data;
• intentional corruption of data;
• unintentional corruption of data;
• compromise of source system data where appropriate;
• loss of data;
• inadequacy of data;
• objections from customers.

There will of course also be sector-specific risks peculiar to each individual business, each type of business and each particular system.
Before commencing any system testing, it is advisable for the data controller to undertake a risk assessment identifying the nature of the risks that apply, their
possible impact and planned handling strategies.

A cautionary tale
The view is sometimes expressed that system testing poses no real data protection problem, as it takes place all the time with little apparent detriment
to individuals. The following case study, which is based on a true complaint received by the Information Commissioner’s Office, shows that the use of ‘live’
data to test systems can indeed cause very real problems for individuals. A pupil was away from home at boarding school. The pupil’s parents received a
letter from the local hospital informing them that their daughter had been involved in a road accident. In fact, there had been no accident, but the hospital
had been using live patient data to test a system for sending out letters to patients.

Data Protection Act related breach… £500,000 fine!!

I have spoken before about the Information Commissioners Office getting new powers from April 2010. Well now it has been confirmed that they will now have the power to issue fines upto £500,000 to organisations suffering a security breach in relation to the Data Protection Act 1998.

Personally I think its good they are getting some more teeth that they can use to hopefully get organisations to start taking the DPA a little more seriously. I wonder how soon we will here about this happening with current disclosure laws.

I think we will see similar trends coming in relation to regulation and compliance in 2010, this could be an interesting year.