Data Loss Protection - An Oxymoron?

As some of my colleagues have stated, the industry is agog regarding identity and access governance. It stands to reason that once you start cataloging your data and applying access and governance policies to it, you want to further protect that data by ensuring it doesn't accidentally leave your organization, even in the hands of someone who is authorized to look at it. I think it is a bit of a conundrum how to protect that data from walking off your enterprise network.


While data loss prevention (DLP) software might be able to protect against the accidental forwarding of a confidential message or the mistaken attachment of some sales spreadsheets, I really doubt you can stop all data loss. We've all heard the old saying that the locks and security systems at home can prevent the casual thief from breaking in but virtually nothing will stop a professional. I remember the first (and luckily only) break-in I experienced, where despite having a home alarm system the thieves kicked in my front door, spent about 5 minutes hauling out my television and sound system and then departed, despite sirens going off. Then, 30 days later, after I replaced everything, they came back and did it again. The alarm system went off but it didn't prevent the theft. I think DLP is very similar. It can prevent accidental data loss and potentially more, but the employee or contractor who really wants to take your data is going to be able to do it.


I was prompted to write this article while I was flying over to Zurich for customer meetings. I typically take a bunch of magazines to read on the plane and an article in ComputerWorld caught my eye: "Closing Off an Outlook Hole". Here are some of the more significant aspects of the article:


"I've introduced event management and data leak prevention. We now filter URLs to keep employees off of websites that present security or legal risks to the company. I've introduced two-factor authentication, locked down mobile devices and written and promoted a slew of modern security policies and processes."


"A few weeks ago, the manager of a local hotel called to tell us that the hotel staff had discovered over 1GB of our company email on the computer in the hotel lobby. One of our IT staffers headed over there for a look and found that the email belonged to one of our sales representatives. I told the IT staffer to copy the email to a .pst file and remove it from the hotel computer as best as possible."


"We were lucky; this could have turned out much worse. We do a lot of business with that hotel, and the manager, eager to maintain good relations, assured us that the PC would be re-imaged."


"A review of the .pst file showed that the sales rep had left behind sensitive corporate data, including information about pending deals and copies of contracts and internal memos, plus a good deal of his own personal information, including some data related to finances."


"I now plan to restrict access to Outlook Anywhere to devices located behind our firewall. Remote users will need to sign on to the full-client VPN, and they are allowed to do that only from company-issued PCs. This constitutes a cultural change, so I expect some grumbling, but given the risks involved, I think it's justified as part of my efforts to close serious security holes."


Of course, we all know - and the author acknowledges - how important a business enabler e-mail is. And the author's approach to fixing this "hole" is to only allow Outlook Anywhere access to clients within the firewall or on corporate PCs. The question I have for this general case is how many companies go to this extent? How many companies do not know of this exposure and the risks therein? Probably not everyone.


Check out the author's follow-on article on this same topic, where yet another hole is discovered.


"As a demonstration for management, we copied part of the price book, which is an Excel spreadsheet, and pasted it into an email message that was then sent to a webmail account. This triggered an alert notifying us that the email contained data from the price book. Score one for DLP. But a couple of weeks ago, this demonstration started to fail, because we were unable to see any of our Microsoft Exchange email traffic."


"All the other network traffic was still visible; what happened to the Exchange traffic? The Exchange administrators told us that they had recently upgraded to Exchange 2010, which uses what is called opportunistic TLS to automatically encrypt all traffic between the Exchange server and our spam-filtering mail gateway, in the cloud. In addition, we are slowly migrating our on-premises Microsoft Exchange servers to Microsoft O365, a hosted Exchange environment that also encrypts traffic."


"The problem is that our DLP monitors network traffic via a SPAN port and can't see encrypted traffic. I now have to deploy proxies to decrypt the SSL packets, pass the traffic to the DLP for inspection and then re-encrypt the traffic to its destination."
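
The failure in the quoted article, a passive DLP sensor silently losing sight of mail once opportunistic TLS was switched on, can be caught by watching for the STARTTLS upgrade in the SMTP sessions the sensor reassembles. The Python below is an added example, not code from the article or from any DLP product; the session format, host names, function names and the 0.9 threshold are assumptions.

```python
# Added example. Constructed sample data: each session is the SMTP dialogue a
# passive tap reassembled, as ("C", line) from client or ("S", line) from server.
SAMPLE_SESSIONS = {
    "s1": [("S", "220 gw.example.test ESMTP"),
           ("C", "EHLO mail.example.test"),
           ("S", "250-gw.example.test"),
           ("S", "250 STARTTLS"),
           ("C", "STARTTLS"),
           ("S", "220 2.0.0 Ready to start TLS")],  # ciphertext from here on
    "s2": [("S", "220 gw.example.test ESMTP"),
           ("C", "EHLO legacy.example.test"),
           ("S", "250 SIZE 10485760"),
           ("C", "MAIL FROM:<a@example.test>"),
           ("S", "250 2.1.0 Ok"),
           ("C", "DATA"),
           ("S", "354 End data with <CR><LF>.<CR><LF>")],
    "s3": [("S", "220 gw.example.test ESMTP"),
           ("C", "EHLO mail.example.test"),
           ("S", "250 STARTTLS"),
           ("C", "starttls"),
           ("S", "454 4.7.0 TLS not available"),    # upgrade refused
           ("C", "MAIL FROM:<b@example.test>"),
           ("S", "250 2.1.0 Ok"),
           ("C", "DATA"),
           ("S", "354 Go ahead")],
}

def classify(session):
    """Return 'encrypted' if the server accepted STARTTLS, else 'cleartext'."""
    awaiting_reply = False
    for side, line in session:
        if side == "C":
            awaiting_reply = line.strip().upper() == "STARTTLS"
        elif awaiting_reply:
            if line.startswith("220"):   # server agreed; the rest is TLS
                return "encrypted"
            awaiting_reply = False       # refused; session stays readable
    return "cleartext"

def visibility(sessions):
    """Fraction of sessions whose message content a passive monitor can read."""
    if not sessions:
        return 0.0                       # no mail seen at all counts as blind
    readable = sum(classify(s) == "cleartext" for s in sessions.values())
    return readable / len(sessions)

def blind_spot_alert(sessions, min_visible=0.9):
    """True when too little mail traffic is inspectable by the SPAN-port DLP."""
    return visibility(sessions) < min_visible
```

Run against each capture interval, a check like this turns "the demonstration started to fail" into an alert on the day the mail path begins negotiating TLS.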


As he patched one hole, another was discovered, which illustrates my point that DLP may be an oxymoron. It may not be possible to truly prevent data loss. In honor of my trip to Switzerland, I thought I'd insert a graphic that I think illustrates the problem quite well...