Play It Safe with DLP

The line has already formed for data loss prevention (DLP) tools in Travis County, Texas. Shannon Clyde, information security manager for the county's information and telecommunications systems, says the medical examiner's office wants first crack at the software to protect digital evidence.

"Our medical examiner, who works cases for other counties, is extremely security  conscious and wants DLP to make sure that autopsies and other critical material don't become high-profile leaks," Clyde says.

DLP is software that can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data, both at rest and in motion. Based on predetermined settings, the data can either be erased or quarantined as the IT staff and users are notified. 

Cisco Systems, McAfee, RSA, Symantec and Trend Micro all offer host/endpoint and/or network DLP solutions.

"In the past, DLP technology was targeted at very well-funded financial, government and healthcare institutions because it was considered cutting-edge security," says Phil Hochmuth, program manager for security products at research group IDC. "That has changed as the technology has become more affordable and more organizations need this granular level of protection."

Hochmuth considers the growing number of federal, state and industry compliance mandates an equally important driver for increased interest in DLP among state and local governments.

"Almost every organization now has to be careful about inadvertent transmission via e-mail or file transfers of sensitive data [for which] they may face fines, legal repercussions or reputational damage," he says.

The Travis County medical examiner understands the potential damage caused by data leaks and wants Clyde to prevent them with DLP. Clyde already has McAfee Endpoint Protection and has purchased several licenses for McAfee's DLP module to conduct a pilot. Eventually, he will use DLP to protect the county's 5,500 employees and critical data such as documents for court cases or citizen health records.

Before Clyde bought the McAfee DLP software, he worked with staffers who manage important data to identify and classify sensitive data that is covered by federal, state and local mandates. For instance, Clyde outlined health information that falls under HIPAA and criminal background material protected by FBI regulations. He also spent time training users on how to handle sensitive data. "We started with people and processes so the technology will be successful," he says.

He believes DLP will be a great complement to the authorization, auditing and logging tools already in place to control access.

Managing Risk

In Albany, N.Y., the Office of the New York State CIO and Office for Technology (CIO/OFT) continues to perform risk assessment in support of a DLP deployment. Bruce Rollins, acting director of security and internal auditing services for CIO/OFT, says the recent disclosure of sensitive documents by the WikiLeaks website raises awareness among state agencies for potential additional threats.

"WikiLeaks emphasizes how much data can be extracted from an organization on inexpensive, portable devices with a lot of memory," Rollins says.

For now, CIO/OFT continues to improve security to protect sensitive data. "The last four digits of the SSN, coupled with other personal data, are considered risky," Rollins says. "If a hacker gets a piece of the data, they might try to get the rest through social engineering."

Rollins hopes to stifle such activity by putting DLP at both the host and the network endpoints. "We'd immediately know if someone was trying to grab a large amount of files or certain types of data and be able to automatically stop them at the desktop or the network," he says.

Although Rollins believes that DLP will eventually be a common utility, getting funding today is a challenge. "We need to carefully evaluate and identify the potential return on investment for preventative controls," he concludes.