Electronically stored information is a key asset for any
organisation, but it is often insufficiently cared for, as the
numerous high-profile data breaches reported in recent years
demonstrate. This failure to protect data is costly, not least
because of the level of fines now being imposed by regulators. On
top of this there is the reputational damage and loss of
competitive advantage that usually ensue.
The technology exists today to link the use of data to people
through enforceable policies. This allows a compliance-oriented
architecture to be put in place based on widely accepted
information security standards, such as ISO 27001. Doing so
enables organisations to allow the safe sharing of
information, internally and externally, ensuring both the
continuity of business processes and good data governance.
This report examines the issue of data governance through the
publication of new primary research that examines how well
European businesses understand the risks and what steps they have
taken to address them. The report should be of interest to those
involved in ensuring the safety and integrity of information or
those who manage business processes and operations that rely on
it.
- The safe use of data is high on the list of issues that
  concern IT managers when it comes to IT security. After
  malware (rated at 2.9 on a scale of 1 to 5, where 1="not a
  threat" and 5="a very serious threat"), the issues of greatest
  concern with regard to IT security are internet use (2.8),
  managing sensitive data (2.7) and the activity of internal and
  external users (both 2.7). All three are linked; it is the
  sharing of data between users, usually over the internet, that
  is behind many incidents involving the loss of sensitive data.
- Data compromise is costly and new regulations are
  expected to exacerbate this in coming years. The
  majority of organisations expect "data privacy" (ranked 3.2 on
  a scale of 1 to 5, where 1="will decrease a lot" and 5="will
  increase a lot") to be a major driver for regulatory change in
  the next five years. It is second to "national government"
  bodies (3.3), which are responsible for many such regulations
  anyway.
- Cloud computing and new communication tools underline
  the need for pervasive data security. The growing use
  of on-demand internet-based IT services means data is
  increasingly managed by third parties; consequently data
  security practices need greater reach. The variety of tools
  used to share data is also increasing, meaning that perimeter
  security is no longer enough and policing each communication
  medium separately is impractical. Only with corporate email is
  there a reasonable level of confidence that controls are in
  place.
- IT departments struggle to deal with compliance issues
  and either seem unaware of how technology could help or are
  unable to convince the business of the inherent risks that
  justify required investments. Lack of time and
  resources (both ranked 2.8 on a scale of 1 to 5, where 1="not a
  problem at all" and 5="a very great problem") followed by a
  plethora of manual processes (2.8) mean IT managers find it
  hard to address many of the compliance issues they face. The
  majority do not seem to have an "overall compliance vision"
  (2.7) that could alleviate the problem.
- Implementing a compliance-oriented architecture (COA)
  would help alleviate this. A COA is defined in this
  report as "a set of policies and best practices, enforced where
  practicable with technology, that minimise the likelihood of
  data loss and that provide an audit trail to investigate the
  circumstances when a breach occurs".
- A COA requires three fundamental technologies to be in
  place. First, a full identity and access management
  system (IAM), deployed by just 25% of the respondents; second,
  the ability to locate and classify data; and third, data loss
  prevention (DLP) tools that provide a way to enforce policies
  that link people's roles to the use of that data. Many DLP
  tools include data search and classification capabilities, with
  25% of respondents already having deployed such tools.
- Those that have deployed the elements of a COA
  recognise the benefits. Over 40% of those that have
  deployed full IAM say they have no concern about the safe
  deprovisioning of employees, compared to only 3% of those
  without full IAM. Approaching 90% of organisations that have
  deployed DLP say they are well prepared to protect intellectual
  property and personal data; for those without DLP the figure is
  under 30%.
Conclusions
The technology exists today to link the use of data to people
through enforceable policies. This allows a compliance-oriented
architecture to be put in place based on widely accepted
information security standards, such as ISO 27001. Doing so
enables organisations to allow the safe sharing of
information, internally and externally, ensuring both continuity of
business processes and good data governance.