SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

For YOUR eyes only: Data loss prevention strategies

Mon, 25th Jul 2016
FYI, this story is more than a year old

It's your job as the security professional at your company to prevent the loss of critical or sensitive data.

Your financial data is valuable to cyber-criminals. Your IP is valuable to competitors and spies. Your HR data, including salaries, is best kept secret. It's not just good business… it's the law. New Zealand's Privacy Act (Principle 5, Storage and security of personal information) states that ‘An agency that holds personal information shall ensure that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss'. In other words, if you hold sensitive information, you'd better keep it safe.

But as networks get more complex and the attack surface expands, your job is not getting any easier. “Data loss prevention (DLP) is getting more attention, thanks in part to the Panama Papers data leak,” says Andrew Khan, Fortinet Senior Business Manager at Ingram Micro, New Zealand's largest distributor of Fortinet's cyber security solutions. “This was a wake-up call to every business: protect what you hold or face the consequences…which are not pleasant.

DLP: Applied across the entire network

DLP is a systems-based solution applied across the entire distributed network, including endpoints, local and distributed networks, data centers, cloud services, applications and web and e-mail services in order to prevent end users from sending sensitive or valuable information to unauthorised users and devices. An effective DLP strategy is also a valuable tool for IT administrators, enabling them to create, refine and enforce policy, gain broad visibility into data flow, filter data streams on the network and protect data at rest, in motion or in use.

Customers, employees, contractors, and business partners all want to access critical business data and network resources. “The number and kinds of devices used to access this data are expanding rapidly,” notes Khan, “from smartphones and tablets to personal laptops that are increasingly not controlled by IT. At the same time, critical data is being stored offsite on a variety of third-party platforms, something known in the industry as Shadow IT.

“Traditional network perimeters are changing,” he continues. “Users expect to be able to access any information, from any location, at any time, using any device. But the imperative stays the same: you need to protect and preserve critical, sensitive or confidential data in the midst of a rapidly expanding environment where traditional security solutions are less and less relevant.

Policy comes first

DLP is achieved through the coordination of many different components. The first, and most essential, is a strong policy and governance strategy. If you can describe and map it, you can protect it. Your security policy is the blueprint from which you can build your security fabric.

After a policy is in place, you can then enhance your network to discover, analyse and secure data. Using a combination of specific data management and control tools, content-aware security devices and solutions and the ability to leverage the services that already exist in your network, you can create a workable and manageable DLP profile.

An effective strategy

An effective data loss prevention strategy, therefore, needs to include:

1) Preparation and planning as you adopt new network technologies, strategies and devices

2) Designing and implementing collaborative and adaptive security as an integral part of your network architecture

3) Continuous assessment and automated response to threats as they occur

4) Implementing forensic tools that allow you to immediately trace an event to its source, identify compromised devices inside your network and optimise your environment to prevent future breaches.

“DLP isn't a black hole or amorphous concept,” concludes Khan. “It's a policy, tools and the resources to enforce. Done systematically, you can implement DLP without having to redesign your network. An additional appliance or upgrade here and a reconfiguration there and you should be able to fast track DLP implementation. At Fortinet, it's one of our specialities. Give us a call and we'll put you in touch with a local Partner who can help you keep your data ‘for your eyes only.

For further information, please contact:

Andrew Khan, Senior Business Manager Email: M: 021 819 793

David Hills, Solutions Architect Email: M: 021 245 0437

Hugo Hutchinson, Business Development Manager Email: P: 09-414-0261 | M: 021-245-8276

Marc Brunzel, Business Development Manager Email:  M: 021 241 6946

Follow us on: