By: Alex Burkardt|
January 15, 2020|
Why Effective Security Extends Beyond DLP
Network perimeter erosion is a challenging reality for modern IT and security teams. Unfortunately, the erosion is a symptom of a more fundamental challenge. If that challenge isn’t properly addressed, an organization runs a high risk of building a new, costly perimeter with the same problems as the old one.
Practically speaking, perimeter security typically does a very good job under the right circumstances―at a specific point-in-time and when content traverses a specific point of control.
The challenge lies in sharing data beyond the perimeter’s boundaries, a requisite in today’s business dynamic of continuous productivity, collaboration across companies and services, and productive mobility.
Data Protection Challenges and Requirements
Data Loss Prevention (DLP) products are often evaluated as an option to securing enterprise data in a “post-perimeter” architecture. They can be either network- or endpoint-based, each model having its own unique benefits and challenges.
However, DLP technologies are traditionally prone to yielding false positives. Consequently, their best use-cases are mostly limited to controlling very predictable and structured content in very specific situations. For example, DLP might be used for ensuring that credit card numbers do not leave the Cardholder Data Environment of the network.
As content and locations get more complex, DLP can develop problems very quickly. It simply doesn’t solve the fundamental problem of keeping data secure in the real world where content moves and is always accessible.
Positive vs. Negative Controls
A core challenge of DLP is that it is based on a negative control model. In many ways, you can think of DLP as an Intrusion Prevention System (IPS), where instead of trying to match malicious exploits coming into the environment, DLP tries to match sensitive content going out. In InfoSec parlance, this is called a “negative control,” where the goal is to detect something bad and block it (and conversely let everything else go through).
While there are some related activities such as warning the user that data is suspect, or requiring approval for certain content, the end result of using DLP is still going to be either allow or block.
This model is why DLP has earned the reputation for being both slow and prone to false positives. It must analyze all content and try to match it to ‘blocked’ lists. That requires lots of analysis; what’s more, the matching can be wrong because enterprise content is constantly changing.
The counterpoint to the negative control model is the positive control model. For example, in the network model, a firewall is an example of a positive control. Security specifies exactly what should be allowed (e.g., port 80) and everything else is denied by default, making policy much simpler.
Beyond false positives, DLP carries a number of additional challenges. As previously noted, it makes a point-in-time decision. Users can also evade DLP either intentionally or accidentally. For instance, data moved on a USB drive would be invisible to the DLP. An employee accessing their webmail on an unmanaged device could easily circumvent a host-based control. A user (or malware) encrypting the content or sending it through encrypted channels could also evade DLP controls.
Once data leaves either the endpoint or the network, the DLP no longer has control over it. If that data is forwarded, copied, stolen, or accidentally exposed, there is nothing that a DLP product can do. Realistically, to effectively protect any kind of data, organizations need a way to secure it at the point of origin, then track, audit and manage the policies securing it in real-time, no matter where it travels.
The Data-Centric Approach
A data-centric security approach solves this problem. Instead of trying to control everything around the data, VERA’s platform extends control to the data itself. VERA also allows DLP administrators to relax stringent rules around unstructured data, which provides a better experience for users. When security tools are actually used by employees, the security posture of the organization increases.
VERA also ensures that policy is checked and enforced whenever data is accessed regardless of where or how the access takes place. Trust can be defined down to an individual and controlled in terms of what a specific user is allowed to do with the data. Access is also adaptive and can be revoked at any time, whether for an internal or an external user.
This logical approach protects data in a modern way that DLP just can’t accomplish. Data and content can move, but IT and Security teams remain in control and can adapt as situations change. Truly protecting an organization’s ‘crown jewels’ in the modern, collaborative environment demands nothing less.