Loss Prevention Re-Invented
Based on articles from Reuters and Krebs, massive security breaches such as the theft of 40 million credit cards from Target in the heart of the holiday season last year highlighted concerns that businesses have on data loss and network attacks. 90 lawsuits, over $60 million dollars spent in response, and a 46% drop in holiday profit later, Target is still reeling. In fact, according to Gartner’s fraud analyst, Avivah Litan, “Target could be facing losses of up to $420 million as a result of the breach." Understandably, companies, in the interest of protecting financial and brand value, have actively implemented various technologies to do so, from Data Loss Prevention (DLP), encryption, network security, and Advanced Threat Protection (ATP).
Surprisingly, the difficulty for many businesses has not been a lack of security and control, but rather too much of it. Parsing through the signal and the noise has proven to be the greatest challenge. Despite heavy spending on technology, infrastructure, and resources, many companies are finding that their security solutions are better at inhibiting their businesses than helping them.
LESS IS MORE
Take the example of older generation DLP solutions. Legacy providers like Symantec and RSA when fully deployed, require teams of administrators to monitor and maintain the mountain of onsite server hardware as well as corporate wide endpoint agents deployed to lockdown users’ desktops and laptops.
These systems function by the creation of fairly elaborate rules and policies specific to each business. The expressions, terms, and information that define a customer’s most sensitive data such as Protected Health Information (PHI) or Personal Identification Information (PII) include many types of files and formats. Building this set of rules is complex and typically requires the dedicated efforts of the company’s security team, compliance and governance groups together with outside consultants and vendors.
This process is a major investment in time and money because the accuracy of the rules determines the effectiveness of the solution, particularly in the number of hits received and the accuracy of security alerts. Because of this, it can take many months or more to finalize these policies, dramatically increasing deployment time.
The cloud has shown to be a better enterprise platform, providing businesses with superior scalability, ease of deployment, and predictable costs. Even so, many technology vendors have failed to evolve to the cloud, continuing instead to build solutions with imposing management needs and heavy, on premise infrastructure requirements. The concept of the cloud focuses on the following fundamental advantages:
1. Reducing infrastructure costs within corporate data centers by pushing as much application infrastructure into a secure, highly scalable cloud-based infrastructure.
2. Freeing customers to focus on using applications instead of managing them by driving as much infrastructure management to cloud providers.
3. Paying only for what is used and eliminating massive capital outlays by transforming customer costs into operational expenses.
IDEAL LOSS PREVENTION
Clearly, the subject of corporate privacy is critical in many of the same ways that corporate security breaches are. Both disciplines attempt to ensure that sensitive data does not leave the company in an unauthorized manner, and both expose significant brand and financial risk if not addressed properly.
The fact that a significant number of companies deactivate the lockdown portion of their loss prevention solutions even after spending millions in hardware and software is telling. Instead of restricting access outright, these businesses can leverage next-generation tools to identify where sensitive information exists and utilize insight and reporting capabilities to highlight areas of risk. Many of these same firms could instead elect to build a practice around information classification and discovery with manual remediation instead of automated lockdown. Coupled with a variety of channel based loss prevention technologies, this would be a more realistic way to approach the same problem.
Current surveys follow a pattern- that the chief weaknesses of older generation loss prevention solutions are diametric to the advantages of the cloud, including:
1. Large on premise infrastructures that are costly to buy and operate.
2. Expensive, expert headcount to manage and monitor systems.
3. Solutions that disrupt business and information flow due to automated access restrictions.
4. Solutions filled with components that many customers pay for but never use.
Ideally, next generation loss prevention technologies would address the majority of issues companies face today by:
1. Utilizing as much cloud-based infrastructure needed and eliminating on premise elements as much as possible.
2. Requiring minimal headcount to maintain and monitor.
3. Leveraging existing rules and policies without the need to recreate or redesign new ones.
4. Providing insight and reporting against information at risk without disrupting business.
5. Addressing critical channels for data in motion such as email and for data at rest such as files and documents where ever they reside.
6. Significantly lowering overall cost, while providing equivalent or better coverage on critical areas.
Customers grow tired of addressing privacy and security issues with dated technologies and architectures that are costly across multiple axes. They seek a next generation solution, one that leverages the latest architectures and techniques to provide a solution that is simpler to manage and easier and more cost effective to deploy.
- Stephen Chan
Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry, advising the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of UC Davis and Harvard University.