State and local governments look to prevent identity theft and data breaches by deploying data loss prevention software.
Play It Safe with DLP
The line has already formed for data loss prevention (DLP) tools in Travis County, Texas. Shannon Clyde, information security manager for the county's information and telecommunications systems, says the medical examiner's office wants first crack at the software to protect digital evidence.
"Our medical examiner, who works cases for other counties, is extremely security conscious and wants DLP to make sure that autopsies and other critical material don't become high-profile leaks," Clyde says.
DLP is software that can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data, both at rest and in motion. Based on predetermined settings, the data can either be erased or quarantined as the IT staff and users are notified.
"In the past, DLP technology was targeted at very well-funded financial, government and healthcare institutions because it was considered cutting-edge security," says Phil Hochmuth, program manager for security products at research group IDC. "That has changed as the technology has become more affordable and more organizations need this granular level of protection."
Hochmuth considers the growing number of federal, state and industry compliance mandates an equally important driver for increased interest in DLP among state and local governments.
"Almost every organization now has to be careful about inadvertent transmission via e-mail or file transfers of sensitive data [for which] they may face fines, legal repercussions or reputational damage," he says.
The Travis County medical examiner understands the potential damage caused by data leaks and wants Clyde to prevent them with DLP. Clyde already has McAfee Endpoint Protection and has purchased several licenses for McAfee's DLP module to conduct a pilot. Eventually, he will use DLP to protect the county's 5,500 employees and critical data such as documents for court cases or citizen health records.
Before Clyde bought the McAfee DLP software, he worked with staffers who manage important data to identify and classify sensitive data that is covered by federal, state and local mandates. For instance, Clyde outlined health information that falls under HIPAA and criminal background material protected by FBI regulations. He also spent time training users on how to handle sensitive data. "We started with people and processes so the technology will be successful," he says.
He believes DLP will be a great complement to the authorization, auditing and logging tools already in place to control access.
In Albany, N.Y., the Office of the New York State CIO and Office for Technology (CIO/OFT) continues to perform risk assessment in support of a DLP deployment. Bruce Rollins, acting director of security and internal auditing services for CIO/OFT, says the recent disclosure of sensitive documents by the WikiLeaks website raises awareness among state agencies for potential additional threats.
The amount the U.S. Veterans Affairs Department paid to settle a class-action lawsuit that stemmed from the 2006 theft of a notebook containing data about more than 26 million veterans
"WikiLeaks emphasizes how much data can be extracted from an organization on inexpensive, portable devices with a lot of memory," Rollins says.
For now, CIO/OFT continues to improve security to protect sensitive data. "The last four digits of the SSN, coupled with other personal data, are considered risky," Rollins says. "If a hacker gets a piece of the data, they might try to get the rest through social engineering."
Rollins hopes to stifle such activity by putting DLP at both the host and the network endpoints. "We'd immediately know if someone was trying to grab a large amount of files or certain types of data and be able to automatically stop them at the desktop or the network," he says.
Although Rollins believes that DLP will eventually be a common utility, getting funding today is a challenge. "We need to carefully evaluate and identify the potential return on investment for preventative controls," he concludes.
Industry analysts expect increased interest in data loss prevention software in the months ahead.
"There are enough breaches and exposures across industries to warrant consideration of DLP solutions, not to mention compliance requirements," says Rich Mogull, analyst and CEO at Securosis, a security consultancy in Phoenix.
DLP software can be sold in stand-alone or appliance form, depending on where it is being deployed in an organization. McAfee, Symantec and Trend Micro all offer endpoint DLP solutions. Whether bundled into existing endpoint products or rolled out separately, endpoint DLP ensures that sensitive data is either banned from being stored locally, properly encrypted or deleted in accordance with retention requirements.
Network DLP, offered by Cisco, McAfee and RSA among others, protects sensitive data in motion. For instance, such tools would prevent employee financial data from being sent outside of an organization. The parameters for DLP monitoring are set by an organization based on its own definition of sensitive data.
DLP from McAfee also can be used to discover the sensitive data in an organization, according to Phil Hochmuth, program manager for security products at research group IDC. "Rather than taking a hair-on-fire approach and encrypting everything, you can locate sensitive data and strategically protect it," Hochmuth says.