
WHITE PAPER Information Protection and Control | October 2010

protecting your information top 10 deployment success factors


Gijo Mathew
CA Security Management


Protecting Your Information: Top 10 Deployment Success Factors

table of contents

executive summary

SECTION 1  Why is data loss prevention important now?
  Information is at the core
  Information is hard to protect

SECTION 2  Top 10 deployment success factors
  Provide complete control of data
    1. Discover and protect data of multiple types and states
    2. Improve control of messaging
    3. Flexible, customized remediation options
  Take an identity-centric approach
    4. Identity-based policy
    5. Identity-based policy administration
    6. Identity-based remediation
  Provide rapid value
    7. Accurate
    8. Scalable
    9. Modular
  Enable content-aware IAM
    10. Integrate information protection and IAM

SECTION 3  Conclusions
  CA DLP delivers on all requirements

SECTION 4  About the author


executive summary
Challenge
Information is at the core of your organization. The creation and sharing of digital information within the typical organization continues to accelerate. Being able to effectively and efficiently protect and control this information to and from numerous locations or persons is a prerequisite for effective security and compliance. However, the very same technologies such as cloud computing, virtualization and social networking that allow this advanced level of openness, connectivity and collaboration between employees, customers, and partners can also generate an enormous security risk for your organization. A single breach of sensitive data, whether inadvertent, intentional or downright malicious, can expose organizations to far reaching financial, public relations, legal, and brand reputation costs.

Opportunity
You can reduce risk by learning where valuable information is located throughout the organization, how and where it is being moved, and the level of risk it represents. In addition to preventing information security breaches of Personally Identifiable Information (PII), Intellectual Property (IP), and other Non-Public Information (NPI), your information protection and control solution should also mitigate the risks created by inadvertent, unsafe or noncompliant use of data. Data loss is a symptom of ineffective information protection and control. There are now opportunities for your organization to not only prevent data loss but take control of your most critical information.

Benefits
A robust solution will help your organization find, classify, and control the use of sensitive data throughout your organization while providing such potential benefits as:
  Identifying and analyzing data at major control points
  Preventing the inadvertent or malicious disclosure of sensitive information
  Addressing government and industry information protection regulations
  Preventing violations of general corporate security and behavioral policies
  Monitoring and controlling use of information based on identity and role
  Educating users on the proper use of critical data
  Confidently leveraging new technologies and platforms


Section 1:

Why is data loss prevention important now?


Information is at the core

The world is going through some major shifts from a technical, business, and threat perspective. From a technical view, new models of communication are taking over, social networking is everywhere, cloud computing and virtualization are seeing huge growth, and mobile devices have the functionality to keep people connected seemingly everywhere. Business is also changing: sharing data and sharing access to systems and applications is now a necessary part of conducting business. The line has also blurred between employer, employee, contractor and partner users; these previously clear identity divides are no longer so black and white.

In addition to the shifts in technology and the shifts in business, we have also had a shift in the threat environment. Cyber criminals have created a very profitable and expansive market by investing in research and finding and exploiting vulnerabilities before organizations find them. They have created a business model around obtaining access to machines and data. The next step in the threat evolution is to take advantage of people inside the organization and the new collaborative nature of business. We have seen many cases of this in the recent past and expect to see more.

Information is one of your most important assets, but your organization wants to be able to access information from anywhere, on any device, and collaborate with almost anyone. The desire for information to be free presents many security and risk management challenges. Organizations are moving from securing just the IT infrastructure to directly securing information, and to do this you have to understand how critical data is used and where it is stored. Protecting data has always been important for organizations, but now there is additional visibility into this challenge because of regulatory compliance requirements, corporate standards, customer data disclosure laws, employee privacy concerns and the rising cost of a data loss incident.
Information is hard to protect

To mitigate the risks from uncontrolled data activity, you need to understand where valuable information is located, how and where it is being used, and the level of risk it represents. Most importantly, you need to prevent it from falling into the wrong hands, both inside and outside the organization, whether inadvertently or maliciously. With so many data loss prevention (DLP) products on the market, all making similar claims about their ability to mitigate data loss, it is difficult to know how to proactively reduce your company's risk and protect confidential and sensitive data. Ironically, most organizations don't need a DLP tool; what they require is an information protection and control solution, of which preventing data loss is only one aspect.

Using straightforward language, a lot of common sense, and some out-of-the-box thinking, this roadmap will help you understand the ten essential requirements for an information protection and control solution that actually helps you control your information rather than just prevent loss. We have compiled the most important deployment success factors based on real-world experiences to bring this guide to you.


Section 2:

Top 10 deployment success factors

Provide complete control of data


1. Find and protect sensitive data at many locations

Unwanted internal and external disclosure of Non-Public Information (financial, business, HR, legal, and regulatory data), Personally Identifiable Information (social security numbers, credit card information, personal health data), and Intellectual Property (patents, trademarks, design plans) can occur at many different points throughout your organization. This is why a robust information protection and control solution ultimately has to protect many potential risk points in your organization. Most organizations start by addressing DLP-related concerns first, and then expand protection to other areas, such as information misuse.

In addition to preventing information security breaches of PII, IP, and NPI, your DLP solution should also mitigate the risks created by unsafe or noncompliant behavior conducted electronically. This broad range of activity can include inappropriate and offensive employee behavior, communication not in compliance with various regulatory and jurisdictional requirements, behavior that could compromise legal activity and strategy, uncontrolled financial transactions, and inappropriate handling of customer data. The solution should also address broader regulatory and country-specific compliance needs such as HIPAA, SOX, GLBA, and PCI DSS, and IT security best practices such as COBIT and ISO.

Key Takeaway: There is a growing list of channels where information can be lost (e.g. social networking, mobile devices, virtualization and cloud computing) and a growing list of sensitive information in your organization. Most DLP products address data loss tactically, but your organization will need a strategic information protection and control solution to address the growing set of requirements.

2. Improve control of messaging

While end-to-end protection of all data types and states is the ultimate goal for your organization, in reality it makes far more tactical and financial sense to begin by protecting the data, as well as the mechanisms used to move this data, that represents the most risk to your organization. As the most frequently accessed and used electronic application in all companies, email is, without question, the most susceptible data misuse point for most organizations. With literally every employee in a typical organization sending and receiving numerous messages every day, it's an obvious vessel for sensitive and confidential information to go where it shouldn't. Adding to this security threat is the fact that email can originate from several different locations, many with gaping security holes, including desktops, mobile devices, public computers, Web-based corporate email, and disconnected laptops. Another reason why email is an ideal starting point is that many regulations require organizations to monitor, supervise and control messaging environments, for reasons ranging from inappropriate internal communication to illegal communication outside of the organization or country.

Key Takeaway: Email continues to be the most uncontrolled system for information misuse. Monitoring and protecting email can dramatically reduce the risk of information misuse and improper disclosure.


3. Flexible, customized remediation options

Instead of a one-size-fits-all approach that only allows passive, post-violation review or indiscriminate blocking of all suspected violations, your information protection and control solution should provide the flexibility to take the right action for every individual data policy violation. Once an event has been determined to be a violation, your information protection and control solution should respond in real time with the appropriate action, such as alerting, blocking, quarantining, warning, encrypting, or applying digital rights. Each response should be gauged specifically to the type and severity of the violation as well as the identity of the violator. For example, an infraction caused by the company CEO may need to be handled differently than one by a sales rep or a member of the research team. Other appropriate responses include redirecting the user to an informative webpage on company security policy, providing procedural support to complete the task at hand, classifying the relevant message or file, updating an incident dashboard, and silently capturing problematic activity. In addition, when you discover data at rest you should be able to move, copy, delete, or tag files based on the type of violation.

Many organizations are also looking to control legitimate use of sensitive information, provide persistent controls over their data and monitor proper protection. To enable this, IT and security professionals are looking for tighter integration between their information protection solution, encryption, and Digital Rights Management (DRM). Through automated understanding of data content and context, information protection and control solutions can help enhance both encryption and DRM technologies. Without this integration, encryption and DRM solutions are less effective because end users need to manually classify data; this in turn limits deployments and places more burden on the data users.

Key Takeaway: Protecting information is not just about either monitoring or blocking misuse but about proper enablement and education. An information protection and control solution will help you take the appropriate action based on the classification of the data, the identity of the violator, and how the data is being used. This will enable end user awareness of data policy and serve as the foundation for encryption and digital rights management technology.

Take an identity-centric approach


4. Identity-based policy

The identity of a user has always played an important part in securing your infrastructure. Your organization has implemented policies around who has access to what systems and applications. This same paradigm now needs to be extended to protecting information. It is often not sufficient to just know the data classification, because in order to protect and control information you need more context, such as who is using the data. An effective information protection and control solution needs to apply policy-based controls on identity or use an identity attribute as part of the policy logic. For example, a human resources (HR) associate can only send HR data to others with HR titles. When organizations deploy solutions that do not consider identity, generic rules have to be implemented. An example might be that no one can send HR data outside the organization. This would not be viable in environments where this is a legitimate use of HR data.

Key Takeaway: When a particular data incident is being analyzed, information about the user is necessary to take the appropriate next step. The ability of an information protection and control solution to leverage user attributes is key to providing effective protection and remediation of data violations.


5. Identity-based policy administration

Identities, and an identity's relationship to information, are as dynamic as the data itself. People continually change roles and responsibilities in your organization, so you need to be able to dynamically adjust data policy based on role and identity changes. Most organizations administer the change of system and application access with an identity management solution. The identity management processes and technology should now extend to and integrate with the information protection and control solution. This integration enables better protection of sensitive data by identity and role. For example, an HR associate who changes role can no longer send HR data to anyone in the sales organization. Without taking identity and role into consideration, traditional DLP solutions would have to implement generic rules that applied to everyone in the organization.

Key Takeaway: What a user can and can't do with data is correlated with their role in the organization. An effective information protection and control solution will leverage this intelligence to apply the right data policies to the right users at the right time.

6. Identity-based remediation

A holistic information protection and control solution analyzes and tracks all data in your organization. The review and reporting of these events need identity-centric and role-based controls. An optimized remediation process should always feature native visibility controls that securely determine which person can review a specific violation. The reviewer must be able to view all relevant information, including the full message, complete files, and attachments in their original formats, as well as be able to search automatically or in an ad hoc manner, and to easily find related incidents to aid investigations. The solution has to control data access and delegate incident review based on access rights and roles. For example, only HR executives can see and remediate HR data violations. Without this type of granular control, security managers could see all violations and be exposed to sensitive information in the process. Your information protection and control solution should not only find all genuine policy violation incidents, but also provide quick and identity-based remediation of them.

Key Takeaway: Data violations will undoubtedly occur in any organization, but the remediation of those violations is not always the responsibility of the security team. Most violations need to be delegated to a manager, HR, compliance or some other function based on the type of violation. The solution needs to know about and route the violations to the right identities and only allow them to see the violations they are responsible for.


Provide rapid value


7. Accurate

Accuracy is the linchpin of any effective information protection and control solution. Simple content detection methods employed by most DLP solutions significantly increase the probability of data loss by missing true violations, and introduce potentially serious operational inefficiencies by flagging too many events. The only way to confidently respond to potential violations is to use an analysis technique that is identity and business aware, one that can identify true violations while allowing legitimate business activity to take place.

Information protection and control solutions define data policies that are parameter-based; if the policy parameters are met, then an event is created. Distinct content or metadata can be used as parameters inside a data policy. There are two powerful techniques that form these parameters for accurate content analysis. First, content description is the ability to use a policy-expression language to describe the content of data the solution is looking for. This method allows your organization to find violations beyond those that you explicitly input into the system. Second, content registration (sometimes referred to as data fingerprinting) scans both structured and unstructured data, regardless of file type or format, and allows you to create a fingerprint that can be used in data policies to find that exact data. This method can be very effective on various types of data but requires you to create fingerprints in advance. While both detection methods have advantages and disadvantages, organizations need to leverage each method appropriately and, more importantly, include context such as identity to make the policies concept- and intent-aware. No matter how easy it may be to configure a policy, a DLP tool with overly simplified or functionally limited policy capabilities will not deliver meaningful data loss protection or data control.

Key Takeaway: If your information protection and control solution cannot perform comprehensive and accurate content analysis, you won't easily be able to find and resolve true violations among a mass of false positives. As a result, this ineffective detection system will prevent you from proactively blocking potential data loss violations with confidence, since so many of those flagged actions will be legitimate business activities.

8. Scalable

Data is continuously created and used; therefore, protecting all of it is a difficult task. An effective information protection and control solution needs to scale in multiple dimensions. It will need to scale to handle the amount of data being transmitted through different channels. It also needs to scale to analyze the petabytes of information that an organization may store. In order to do this and not overwhelm existing systems, components need to offload analysis to dedicated systems that can scale horizontally to accommodate high network speeds and large amounts of data. A flexible architecture like this will help enable speedy deployments, eliminate single points of failure, and scale to protect 500 or 500,000 employees. Additionally, the platform should provide automated policy distribution so that the right policy is quickly and securely deployed to the right place, transparently to the user.

Key Takeaway: Digital data continues to grow at exceptional rates and be used by more people in different ways. An effective information protection and control solution needs to be able to scale to analyze and act on large volumes of data without burdening the existing performance of systems and applications.
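The following is an added illustration, not code from this paper or from CA DLP, of how factors 4, 6 and 7 fit together in a policy engine: content description (pattern rules, here with a Luhn checksum so that random sixteen-digit numbers do not become false positives), content registration (fingerprinting a known document by hashing overlapping word windows so that excerpts still match), identity attributes in the policy logic (the same HR text is allowed between HR staff and blocked to sales), and role-based routing of incidents so that reviewers only see the violations delegated to them. All names, department values, policies, reviewer roles and sample messages are constructed for this example.

```python
"""Constructed example (not CA DLP code): the detection and identity-aware
policy logic described in factors 4, 6 and 7. All names, policies, reviewer
roles and sample data are assumptions made for this illustration."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# --- Content description: patterns describe data the system has never seen ---
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum keeps random 16-digit numbers from becoming PCI alerts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def describe_content(text: str) -> Set[str]:
    labels = set()
    if SSN_RE.search(text):
        labels.add("PII")
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
        labels.add("PCI")
    return labels

# --- Content registration: fingerprint known documents in advance -----------
REGISTRY = {}  # label -> set of shingle hashes

def shingles(text: str, k: int = 5) -> Set[str]:
    """Hash overlapping k-word windows so excerpts of a registered document
    still match, not only verbatim copies."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def register(label: str, document: str) -> int:
    fps = shingles(document)
    REGISTRY.setdefault(label, set()).update(fps)
    return len(fps)

def registered_matches(text: str, min_hits: int = 2) -> Set[str]:
    probe = shingles(text)
    return {lbl for lbl, fps in REGISTRY.items() if len(probe & fps) >= min_hits}

def classify(text: str) -> Set[str]:
    return describe_content(text) | registered_matches(text)

# --- Identity context in the policy (factor 4) and review routing (factor 6) --
@dataclass(frozen=True)
class User:
    name: str
    dept: str  # "EXTERNAL" marks recipients outside the organization

@dataclass
class Policy:
    label: str
    sender_depts: Optional[Set[str]]     # None: any sender
    recipient_depts: Optional[Set[str]]  # None: any recipient
    action: str                          # block / encrypt / warn ...
    reviewer_role: str                   # who may see and remediate the incident

INTERNAL = {"HR", "Finance", "Sales", "Engineering"}
POLICIES = [
    Policy("HR", {"HR"}, {"HR"}, "block", "HR executive"),
    Policy("PCI", None, {"Finance"}, "encrypt", "Compliance"),
    Policy("PII", None, INTERNAL, "warn", "Compliance"),
]

@dataclass
class Incident:
    label: str
    sender: str
    action: str
    reviewer_role: str

def evaluate(sender: User, recipients: List[User], body: str) -> List[Incident]:
    """The same content is or is not a violation depending on who sends it
    and to whom; the response is chosen per policy, not one-size-fits-all."""
    labels = classify(body)
    incidents = []
    for p in POLICIES:
        if p.label not in labels:
            continue
        sender_ok = p.sender_depts is None or sender.dept in p.sender_depts
        rcpt_ok = p.recipient_depts is None or all(
            r.dept in p.recipient_depts for r in recipients)
        if not (sender_ok and rcpt_ok):
            incidents.append(Incident(p.label, sender.name, p.action, p.reviewer_role))
    return incidents

def queue_for(role: str, incidents: List[Incident]) -> List[Incident]:
    """Identity-based remediation: a reviewer sees only incidents delegated
    to their role, not every violation in the organization."""
    return [i for i in incidents if i.reviewer_role == role]

# Constructed sample data: one registered HR document and four users
register("HR", "Salary review: Alice Smith base pay increases to 120000 effective March")
alice, bob = User("alice", "HR"), User("bob", "HR")
carol, vendor = User("carol", "Sales"), User("vendor", "EXTERNAL")

if __name__ == "__main__":
    note = "FYI: Alice Smith base pay increases to 120000 effective March"
    print(evaluate(alice, [bob], note))    # HR to HR: no incident
    print(evaluate(alice, [carol], note))  # HR to Sales: blocked, routed to HR executive
    print(evaluate(carol, [vendor], "card 1234 5678 9012 3456"))  # fails Luhn: nothing
    print(evaluate(carol, [vendor], "card 4111 1111 1111 1111"))  # valid card outbound
```

The two detection paths deliberately fail in different ways, which is the paper's point about using each where it fits: the pattern rule finds card numbers it has never seen but needs the checksum to stay accurate, while the fingerprint only finds the registered salary text but does so even when only a sentence of it is pasted into a message.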


9. Modular

A solution based on a set of modular, distributed components allows companies to immediately and cost-effectively address their most pressing requirements while being able to add new controls as their needs change. This type of platform architecture enables the system administrator to determine which combination of control points provides the necessary coverage for your company. In some cases, only desktop or laptop controls may be desired, while in others, network control points will be necessary. Endpoint or client components should be able to provide protection even when disconnected from a central server or from the corporate network. When the user reconnects to the corporate network, new policies must be automatically downloaded and captured incidents seamlessly uploaded. All capabilities must be supported regardless of the number of policies used or the number of control points. In addition, the information protection and control solution must work in a variety of locations (desktops, network, messaging servers and data repositories) in any sequence, with supplementary modules able to be added later.

Key Takeaway: As new data types, channels, and protocols emerge, the solution should be able to adapt to these evolving requirements. Compared to a rigid or unproven solution, one with a modular, distributed architecture providing superior flexibility, scalability, performance, and fault tolerance is the best way to address both current and future information risk needs.

Enable content-aware IAM


10. Integrate information protection and Identity and Access Management (IAM)

DLP is part of a broader information protection and control solution, helping to manage the lifecycle of data and communications from creation to storage to discovery. IAM solutions continue to manage and authorize access to systems and applications. The integration of information protection and identity and access management results in content-aware identity and access management. Content-aware IAM is critical to completing the cycle of IAM: managing users based on their role, enforcing access policies based on that role, controlling the use of information they access, auditing the entire process and, by understanding how information is used, refining processes and policies to help further streamline IAM. The key to the power of content-aware IAM is the ability of the IAM components to share intelligence about users, their entitlements, and most importantly, the content of the information being accessed. This intelligence sharing can provide improved control over users and their access within the IAM platform.

Key Takeaway: Security has always been about layers of security controls, but integration is needed to ensure that certain risks don't fall through the cracks. Information protection and control cannot be another island of security but rather the next step in your identity and access management process.


"Companies leveraging content-aware technologies improve not only the organization's ability to share its sensitive data, but also to protect it."
Derek Brink, CISSP
Aberdeen, The 2010 Data Loss Prevention Report

Section 3:

Conclusions
CA DLP delivers on all requirements

Data loss is a symptom of ineffective information protection and control. CA DLP is an information protection and control solution. CA DLP helps protect organizations from a wide range of data loss and misuse by detecting and responding appropriately to the true violations that can cause extensive financial, legal, public relations, and brand damage. Industry-leading detection methods and analysis avoid creating massive queues of false positives, enabling organizations to concentrate compliance and data loss review efforts on genuine breaches and pursue immediate corrective action.

CA DLP monitors and detects violations across many control points, including email, IM, Web, mobile mail, FTP, file repositories, and endpoint activity. Once an infraction is detected, it takes appropriate actions such as blocking, warning, quarantining, or alerting a supervisor. Equally important, the intelligent review process provides an array of capabilities that allows administrators to focus exclusively on security violations relevant to their specific area of oversight. Integrated workflow facilitates advanced searching, escalation, and other case management activities, all of which automatically build an extensive audit trail. Finally, ongoing education helps employees understand, self-correct, and prevent future data loss risks.

The CA DLP product helps organizations protect and control sensitive data where it is stored or used, significantly minimizing the risks associated with uncontrolled information. It addresses a broad set of risks while reducing the operational burdens associated with the detection and remediation of these risks. Data loss prevention is part of a holistic Identity and Access Management strategy. A multi-faceted content-aware IAM solution allows organizations to manage identities, control access, and protect how people use the data they have access to. This approach helps organizations streamline IT security environments and enables them to be more secure, agile, and compliant with regulations and privacy mandates. By implementing holistic, automated, and integrated solutions, organizations striving towards lean and efficient IT systems should be well positioned to realize a faster time-to-value and a reduction in costs, manual review, and security risks.

Section 4:

About the author


Gijo Mathew
Vice President, CA Technologies

Gijo Mathew is a Certified Information Systems Security Professional with twelve years of experience in security and IT management solutions. In his role he is responsible for setting strategy and direction and communicating vision. He has extensive experience in data loss prevention, identity and access management, application security, network security, risk management and security policy development.


CA Technologies (NASDAQ: CA) is an IT management software and solutions company with expertise across all IT environments, from mainframe and distributed to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies' innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 relies on CA Technologies to manage evolving IT ecosystems.

Copyright 2010 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. 3023_1010
