Strategies to Mitigate Information Risk: Data Loss ...download.microsoft.com/download/9/5/2/9520E1C6-2308-4B30-B085... · Page IT MANAGEMENT RESEARCH, INDUSTRY ANALYSIS AND CONSULTING

IT MANAGEMENT RESEARCH,INDUSTRY ANALYSIS AND CONSULTING

Strategies to Mitigate Information Risk:Data Loss Prevention and Enterprise Rights ManagementAn ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper

Prepared for RSA, The Security Division of EMC and Microsoft Corporation

June 2009

Strategies to Mitigate Information Risk: Data Loss Prevention and Enterprise Rights Management©2009 Enterprise Management Associates, Inc. All Rights Reserved.


Table of ContentsExecutive Summary .............................................................................................................................................1

Introduction ..........................................................................................................................................................1

Bringing a Strategy Together: A Closer Look at Preferred Tools ...............................................................2

Data Loss Prevention ....................................................................................................................................2

Enterprise Rights Management ...................................................................................................................3

Better Together: A Coordinated Approach to Combined DLP-ERM .....................................................3

Protecting Customer Information ..............................................................................................................4

In Health Care: Medical Records and Patient Information ...................................................................5

Protecting Valuable Intellectual Property ..................................................................................................6

Protecting Sensitive Data with the Integrated Microsoft AD RMS and RSA Data Loss Prevention Solution ..........................................................................................................................7

EMA Perspective ..................................................................................................................................................8

About RSA, The Security Division of EMC ..................................................................................................9

About Microsoft Corporation ...........................................................................................................................9

Page �



Executive SummarySensitive information risk control has become one of the top priorities in nearly every organiza-tion. From customer data to intellectual property, confidential communications, and proprietary knowledge, privileged information is the lifeblood of many enterprises in today’s knowledge-driven world.

The challenge is compounded by the fact that information can be found almost everywhere, from the data center to a wide and increasing range of endpoints and personal systems. It is shared and reproduced among business partners and customers as well as within the enterprise. Addressing this challenge requires more than a piecemeal collection of tools. It demands that every available resource be coordinated in an information risk control strategy.

Today, the technologies of Data Loss Prevention (DLP) and Enterprise Rights Management (ERM) have become increasingly important to businesses seeking to gain the upper hand on information risk. Though each is valuable in its own right, their value can be amplified significantly when used in concert together.

In this paper, Enterprise Management Associates (EMA) highlights the complementary values of Data Loss Prevention and Enterprise Rights Management, when integrated in a strategic approach to information risk control. Specific examples are offered of how DLP can leverage and apply an ERM policy to enable the persistent protection of information discovered by DLP technology. Those responsible for the protection of information will gain a greater appreciation of how an integrated DLP-ERM solution improves the efficiency and value of these technologies through expanded content and identity awareness of both working together, strengthening the foundations of information risk management strategy.

IntroductionIn the modern enterprise, sensitive data can be found just about everywhere. The data center may be at the heart of information processing on which the business depends, but people interact with it on endpoints ranging from fully equipped desktops to kiosk browsers and increasingly functional mobile devices. Data is communicated via secure tunnels and purpose-built applica-tions, but it may just as often be shared among corporate staff or delivered to business partners, customers or others via email or an increasing variety of other communications media, often in a clearly human-readable format accessible to anyone. Web applications manage and deliver a large proportion of the most sensitive information—but so does everything from community portals to desktop spreadsheets.

As newer forms of interaction such as social networks make themselves felt in the enterprise, these additional channels raise the ante on information protection—particularly considering the often viral way in which new tools for information sharing can proliferate. Even within the more disciplined world of the data center, sensitive information may be distributed across storage, appli-cation and networking systems, and may or may not be adequately secured, regardless whether at rest or in transit and use.

Page �



This is the information risk management challenge. It is one of the greatest facing the enterprise today, as evidenced by an astounding number of data breaches that continue to plague organiza-tions worldwide. According to the Privacy Rights Clearinghouse1, more than 261 million data records of U.S. residents have been exposed due to security breaches since January 2005—a figure that represents only part of a global total that some estimate to be significantly higher.

The sheer scope and scale of the challenge means that businesses must consider every weapon available to combat information threats. Too often, however, tools are deployed in isolation from each other, without adequate coordination of their mutual strengths. Such approaches are not only

inefficient, they can also introduce coverage gaps and frustrate efforts to follow the movement of sensitive information wherever it may be found, however it may be used. This calls for a strategy for coordinating protection, rather than a piecemeal approach.

Bringing a Strategy Together: A Closer Look at Preferred ToolsData Loss Prevention (DLP) and Enterprise Rights Management (ERM) are two technologies that can be leveraged along with other technologies, process changes, and end-user education as part of an overall strategy for information risk control. Used together, they can protect sensitive data more effectively.

Data Loss PreventionThe technology of DLP is purpose-built to automate a wide range of information risk manage-ment objectives. Today’s DLP tools incorporate the content-aware ability to recognize, find and classify sensitive information; correlate user identity with policy and identify actions that pose risk; apply appropriate policy enforcement; and increase awareness of information risk events throughout the enterprise. The rise of DLP technologies can be attributed directly not only to the alarming increase in data breaches, but also to a realization that individuals can handle sensitive information inappropriately for a number of reasons, from truly malicious threats to inadvertent disclosure. In a time of economic turmoil such as the present, these risks are amplified while the ability of the enterprise to tolerate and absorb them is sharply diminished.

This means that in the current economic climate, enterprises are looking to DLP to address a num-ber of information risk challenges. The fact that companies are laying off substantial numbers of staff means that corporate executives will be highly concerned about the sensitive information that former employees may be taking with them. For this reason, today’s sponsors of a DLP budget may well be in the highest levels of an organization.

Most DLP products are designed to work across a range of environments, from the data center to the network and individual endpoints, often integrating directly with storage and document management systems where many enterprises manage their most privileged information assets. This positions DLP well for controlling risk at the point of information access or use as well as 1 http://www.privacyrights.org

DLP and ERM are two technologies that can be

leveraged along with other technologies, process changes,

and end-user education as part of an overall strategy for information risk control. Used

together, they can protect sensitive data more effectively.

http://www.privacyrights.org

Page �



at network gateways. But loss prevention must extend to wherever sensitive information moves, particularly when it leaves the direct control of the organization. This requires tools that assure the consistent application of policy that follows information objects such as files and documents, wherever they go or however they are used.

Enterprise Rights ManagementThis is where the technology of Enterprise Rights Management (ERM) can help. ERM offers a way to apply policy directly to information throughout the lifecycle of creation, access, shar-ing, modification, storage, and expiration. ERM offers information creators and owners control over the ability to read, write, modify or distribute digital information objects such as files and documents, or to transform them into other formats such as hardcopy printouts. It does this by integrating usage controls directly into tools such as word processing applications, spreadsheet and email programs, collaboration portals, or other information creation, access and editing environ-ments. As with DLP, this requires a strong linkage with identity management to correlate policy with individual actions and use. Content owners can select an appropriate set of rights depending on the nature of the information and its intended recipients and use. Policy is evaluated when recipients (or others) seek access, and enforcement is applied at the point of access. This enables information risk control to travel with sensitive information, regardless how widely distributed it may be—even when beyond the boundaries of the enterprise.

ERM supports a content-aware information risk strategy by linking technologies such as identity management and encryption with usage restrictions, which helps to close one of the most trouble-some gaps in an information risk control strategy. It can also extend a strategy by protecting information regardless of location, whether inside or outside the enterprise. This is particularly important in light of the increased emphasis enterprises place on information sharing and collabo-ration, both internally as well as with business partners. ERM can help control the circulation and distribution of information shared in a collaborative environment, which can increase the confi-dence placed in collaboration. This helps businesses make the most of collaboration opportunities while providing a greater measure of policy control over shared information.

What would make the application of content-aware ERM policy even more comprehensive and consistent? One potentially very potent answer lies in the ability of DLP to automate the application of information risk control policy throughout the enterprise based on sensitivity of the data itself.

Better Together: A Coordinated Approach to Combined DLP-ERM Many enterprises may not yet fully recognize that the technologies of DLP and ERM are highly complementary. DLP can automate the consistent application of policy based on a number of factors such as the nature of the information; when, where and how it can be shared appropriately;

its legitimate recipients; and the media used to communicate. This simplifies data protection since it helps to relieve reliance on end users to apply the appropriate ERM policy to protect sensitive data. When coupled with the capabilities of ERM for applying persistent protection to information regardless where or how it may

Many enterprises may not yet fully recognize that the

technologies of DLP and ERM are highly complementary.

Page �



be used, these two technologies can together provide more comprehensive coverage for sensitive information throughout its lifecycle, regardless whether at rest, in use, or in transit, wherever it may go.

For example, a DLP policy can be created to discover and protect sensitive information. With an ERM policy imported into the DLP system, ERM can be engaged by DLP to apply persistent ERM protection automatically to discovered content. DLP discovery capabilities can extend ERM even further, by applying ERM protection to content created before the introduction of ERM in the environment, as well as to content created in an enterprise where ERM already exists. DLP aug-ments this control with identity-aware enforcement of policy in the proper handling of informa-tion. Together, integrated DLP and ERM provide content- and identity-aware policy enforcement for information at rest, both in the data center and at the endpoint, as well as when information is communicated via a network. Such an integrated approach enables an application of policy that is both consistent (thanks to the enterprise-wide scope of current DLP approaches) as well as persistent (owing to the capabilities of ERM).

The combination of these technologies can do more than expand the consistency of policy enforce-ment, close risk exposure gaps, and increase confidence in information sharing and collaboration. It can also make policy definition and enforcement more efficient, which may in turn contribute to driving down the total cost of comprehensive policy assurance by optimizing technology integra-tion. A number of examples can be called upon to illustrate these values.

Protecting Customer InformationNearly every industry has a mandate to protect the sensitive information of its customers. Virtually every entity that accepts payment cards must comply with the requirements of the Payment Card Industry (PCI) Data Security Standard, while a given vertical market may have its own require-ments, such as the Gramm-Leach-Bliley Act (GLBA) in banking and financial services. A growing number of US states have adopted their own privacy regulations, but on a multi-national scale, the European Union’s Data Privacy Directive has been on the books for years. Even when require-ments are not as explicit as these examples, regulators such as the US Federal Trade Commission have made it clear that they will pursue the mishandling of sensitive information as part of their enforcement of fair trade practices.

Many compliance mandates specifically reference encryption as part of their requirements—but the inconsistent application of encryption can lead to gaps in compliance strategy. Furthermore, encryption is but one tool available for tackling the challenge of information risk—and its effectiveness may be limited if applied without awareness of the sensitivity of content, and the identities and privileges of information owners and recipients alike. Given the scope of the challenge, an effective strategy must take advan-tage of as many opportunities to protect customer information as possible.

Many compliance mandates specifically reference encryption as part of their requirements—but the inconsistent application of encryption can lead to gaps

in compliance strategy.

Page �



This is where DLP and ERM can complement each other in the comprehensive protection of information, particularly when customer information is shared among a number of groups or business partners. Customer data may be collected in the sales process, but it will not disappear once an order or request is fulfilled. It will be retained to provide customer support, and may be shared with external contractors or other partners as part of long-term customer satisfaction. Once obtained, the Personally Identifiable Information (PII) of customers can be used to capital-ize on future opportunities—a fact not lost on departing personnel who may seek to exploit their access to customer information.

DLP can invoke ERM to apply persistent protection to customer information throughout its lifecycle. This assures that those having authorized access to customer data do not continue to have access once their employment changes or is terminated. When access is legitimate and autho-rized, DLP can assure that it is not handled inappropriately or distributed beyond the enterprise in conflict with policy. When it may be shared, ERM can help assure that persistent protection remains with the information, even in a partnership or collaborative environment so that only authorized recipients can access. In addition, ERM can determine the current status of an access requestor and deny access when appropriate, even when protected customer information is stored outside the enterprise—a particular concern in light of continuing layoffs.

In Health Care: Medical Records and Patient InformationRecent attention has focused on the dire need in the health care industry to move records away from legacy paper documents (still almost unbelievably prevalent in this industry), and toward a more modern approach to digital information management. With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009 (ARRA), the health care industry has been both funded as well as mandated to modernize health care information. It has also been mandated to protect that information, with encryption specifically referenced by initial guidance from the US Department of Health and Human Services for those subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).2 However, without an approach that gives the enter-prise realistic control over its obligations throughout the lifecycle of health care information, adapted to the ways people actually use that information, these initiatives are at risk of stumbling over the same obstacles that have hamstrung data privacy initiatives in the past.

With an approach that integrates DLP with ERM, health care organizations can go far toward meeting their information privacy requirements. Equipped with a designated ERM policy, DLP can automate the application of encryption to sensitive documents such as patient data, as well as a range of other ERM protections such as copy or print prevention at the time when health care information is first collected—at an initial patient visit at a practitioner’s office, for example, or during inpatient evaluation in a hospital equipped with mobile devices for caregivers. These ERM protections remain persistent throughout the lifecycle of health care information. They protect patient data when shared in a collaborative environment—during a specialist consultation or allied practitioner referral, for example—while DLP can enforce limitations on copying data to prohib-ited devices or emailing protected information beyond approved environments such as authorized health care applications or collaboration platforms. Authorized individuals or groups may be per-2 http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf

Page �



mitted to modify information, updating medical history or treatment plans as needed, while other content remains secured. These protections remain persistent in storage as well as in use or in transit. When data retirement is required, documents can be expired through ERM policy.

Protecting Valuable Intellectual PropertyOne of the greatest concerns of those who create and implement ideas is the protection of intellec-tual property. The viability of the business itself may depend directly on the ability to control unique or patentable work, or on the protection of creative content. Indeed, in industries from aerospace to pharmaceutical, lives may depend on the integrity of formulas and designs, as well as the research

data on which they are based. These matters, too, may be subject to regulation, as with pharmaceutical companies who must comply with 21 CFR 11 in the US.

Intellectual property is not always manifested as a formal design, formula, or other work. These final forms of IP are the fruit of a much greater body of information developed over time. A content-aware DLP system can recognize and discover intellec-tual property in its many variants, and can engage an ERM policy to apply controls directly to files, documents, designs, and other items considered a corporate intellectual asset. ERM can assure this protection in the long term, in many cases regardless how or

where information is managed, while DLP can control how information is handled when access is appropriate. Both can leverage awareness of identity controls to link content-specific policy with identity and access privileges.

These factors become even more significant when intellectual property such as an aircraft or weap-ons design, software source code, or formula must go through the scrutiny and modification of a number of groups throughout its lifecycle and when manufacturing involves an extended supply chain. These information assets may themselves be made up of a number of components provided by suppliers, contractors or other partners, who may also have their own concerns about the protection of their rights in intellectual property.

Here too, DLP can discover information that should be given this level of protection, and apply an ERM policy to items that may go through considerable transformation throughout their lifecycle, both inside the enterprise and beyond. DLP can place controls on how and where this information travels, and the conditions under which it can be appropriately accessed by partners and person-nel alike. ERM can augment that control with protection for this information beyond enterprise boundaries and with granular usage policies; when in the hands of potential customers, reviewers, or other third parties; or in collaborative environments where control may be shared.

A content-aware DLP system can recognize and discover

intellectual property in its many variants, and can engage an ERM policy to apply controls directly to files, documents,

designs, and other items

Page �



Protecting Sensitive Data with the Integrated Microsoft AD RMS and RSA Data Loss Prevention SolutionRecognizing these many synergies, RSA and Microsoft have partnered to help companies reduce information risk through just such an integration of their data security solutions. The RSA Data Loss Prevention Suite comprises a comprehensive data loss prevention solution that discovers, monitors and protects sensitive data from loss or misuse whether in a data center, on the network or at the end points. Microsoft Active Directory® Rights Management Services (AD RMS) in Windows® Server 2008 helps safeguard digital information from unauthorized use—both online and offline, inside and outside of the firewall, by protecting information through encryption and persistent usage policies.

Figure �: The integration of Data Loss Prevention (DLP) and Enterprise Rights Management (ERM) enables the consistent and automated application of policy to persistent protection for sensitive information.

Together, the integration of the RSA DLP Suite and Microsoft AD RMS helps customers auto-matically discover sensitive documents at rest and automatically apply RMS protection using a centrally managed set of policies. This reduces risk of leakage and helps meet compliance require-ments by protecting the most important data based on content and identity awareness.

With the integrated solution provided by Microsoft and RSA, customers can:

Find and protect their most important information today with best in class DLP and ERM solutions

Leverage data security processes and workflows already in place

Reduce the cost and complexity of securing information across the enterprise

•

•

•

Page �



EMA PerspectiveThe information risk challenge is broad and daunting. It is one of the primary mandates of Chief Information Security Officers (CISOs), Chief Privacy Officers, and other risk management execu-

tives on whom fall the responsibilities of guiding an information risk control strategy. Those who fail to think in terms of a com-prehensive strategy approach that embraces every available asset simply do not understand the scope and scale of the challenge.

This is the appeal of a combined approach that integrates the complementary strengths of Data Loss Prevention and Enterprise Rights Management. As the focus of strategy, a combined DLP-ERM solution can further extend the values of other weapons in

the risk control arsenal. It expands the reach and impact of identity and access management, for example, with actionable tools that directly control access to information itself through ERM, and correlate identity and access privileges with the appropriate handling of information through DLP.

One of the most important aspects of risk management is the visibility throughout the environ-ment required to understand the reality of information risk. When, for example, encrypted chan-nels constrain visibility, organizations need a more complete set of tools to balance their privacy requirements with the need to maintain awareness of security and risk events throughout the environment. This is where a combination of tools such as integrated DLP and ERM can provide a greater range of options for how and where the usefulness of encryption is applied, providing content-specific protection that limits the need to encrypt network traffic meaningful to security operations teams. Other tools such as Security Information and Event Management (SIEM) can further enhance visibility in a combined DLP-ERM environment, alerting the enterprise when DLP policy issues arise, or when ERM controls are put to work. It can also put a finger on exactly when and where encryption has been applied, which improves risk event awareness while enabling the organization to make the most of privacy enforcement. SIEM further supports more complete visibility into information risk issues with data concerning the integrity of the IT resources that store, manage and process information, as well as detailed documentation of information access and use. These capabilities can also help the organization maintain a more granular record of risk control, which supports more comprehensive compliance.

As the centerpiece of a strategic approach to information risk management, an integrated DLP-ERM solution such as that offered by the integration of RSA Data Loss Prevention and Microsoft Active Directory Rights Management Services offers distinctive benefits for safeguarding informa-tion from unauthorized use. Such an approach provides persistent as well as dynamic protection, enabling greater confidence in the secure sharing of valuable information. When automated by integrated DLP and ERM controls, the approach enables the enterprise to define a centralized policy based on a practical risk model, protecting against sensitive information abuses and leaks, and helping to meet a wide range of compliance requirements.

Together, these tools represent an important fundamental step toward embedding security directly into infrastructure, helping policy management to align more closely with information itself.

A combined DLP-ERM solution can further extend

the values of other weapons in the risk control arsenal.

Page �



About RSA, The Security Division of EMCRSA, the Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world’s leading organizations succeed by solving their most complex and sensitive security challenges. RSA’s information-centric approach to security guards the integ-rity and confidentiality of information throughout its lifecycle—no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

About Microsoft CorporationFounded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

About Enterprise Management Associates, Inc.Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going “beyond the surface” to provide deep insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise IT professionals and IT vendors at www.enterprisemanagement.com or follow EMA on Twitter.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2009 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105 Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com 1902.061209

http://www.enterprisemanagement.com

http://twitter.com/ema_research

http://www.enterprisemanagement.com

Documents

Strategies to Mitigate Information Risk: Data Loss ...download.microsoft.com/download/9/5/2/9520E1C6-2308-4B30-B085... · Page IT MANAGEMENT RESEARCH, INDUSTRY ANALYSIS AND CONSULTING