My presentations on data security even used to include all sorts of “alternative options” using existing or free tools instead of things like data loss prevention (DLP) or database activity monitoring (DAM). And like “alternative medicine,” they offered no more value other than the placebo effect.
Then I realized that just as we need network tools for network security, and endpoint tools for endpoint security, we need data-focused tools for data security. And nearly no organizations I worked with had even the most basic capability to assess and protect their information assets.
Which begged the question: What do we really need? Which tools provide value, which are a waste of time, and what’s the right way to use them? Despite my East Coast Jewish roots, tackling these problems was far more fulfilling than wallowing in guilt.
To really succeed with data security, we need a foundation of monitoring tools. If you don’t know who is using your data and how, then no amount of encryption, DRM, or filtering will ever really help. Here are the two main foundational tools that provide the most insight, and one additional tool that’s promising, but very new.
We start with DLP, and in this case I’ll stick with talking about the full DLP suites vs. the DLP-lite tools that offer a subset of functionality. DLP is the first tool that allows us to define what kind of content we are looking for and then find out where it’s stored, where it’s moving around our network, and which endpoints it ends up on (and how it’s being used).
DLP is a heck of a lot more than simple keyword matching -- modern tools can look for customer accounts out of your database, sensitive documents loaded up in the system to protect (and even paragraphs of the documents), or common categories like PII or healthcare data. It will dig down through multiple layers of files, not simply look for plain text.
There are three primary places you’ll use DLP to find and monitor your data. Using content discovery features, you can scan your storage repositories to see where all this sensitive stuff ends up -- locations like file shares, document management systems, and even some databases. And believe me, everyone finds stuff where it isn’t supposed to be.
You also use DLP to monitor sensitive information moving in and out of your network: email, Web, and even inside SSL connections or other protocols (if your product supports it). DLP is pretty weak at monitoring internal networks, but at least you can get a good handle on the stuff moving in and out. You can also use its endpoint agents to see who has this information stored locally, is moving it onto portable storage, or even printing/faxing.
No other tool provides this level of visibility on how your organization uses information. Is it perfect? Not by a long shot. Will it miss things? Certainly. But even opening one eye is a lot better than flying blind.
The next major tool is DAM. DLP does a great job monitoring data users handle in productivity applications (email, Office, etc.), but it can’t keep up with databases. DAM is a database- and application-specific tool designed to give you incredible insight as to how your databases are being used. It watches all SQL connections, sometimes in both directions, and can track anything and everything.
Want to know which admin is peeking at data instead of simple system maintenance? You’re covered. Want to know which application user is accessing what data inside a connection pooled query? DAM can do that. Want an alert when a credit-card number shows up in a query that it isn’t supposed to be in? Some of the tools handle that as well. In short, you get deep insight into how users and applications directly interact with your database data -- and in ways well beyond what logging normally provides.
And then there are our files. While it’s still a fairly new tool, file activity monitoring (FAM) does for files what DAM does for data. Instead of looking for specific content like DLP, FAM looks at all file access, ties it to user accounts, and can pick up all sorts of interesting patterns. Want to identify a file owner? Combine who is accessing a file the most with user and group knowledge, and you can probably figure it out. Want to know when a stale user account that hasn’t been accessed in 180 days suddenly downloads an entire directory of customer information? There’s an alert for that. Users downloading a higher volume of files than usual? You betcha.
These three tools provide visibility and situational awareness on your information and data you simply can’t achieve with anything else. I’d argue it’s impossible to really protect data if you don’t know where it is or how people are using it.
Again, these tools aren’t perfect, and they won’t solve every problem, but we have to start somewhere.
Rich Mogull is is founder of Securosis LLC and a former security industry analyst for Gartner Inc.