
Practice What You Preach: EMC Implements Its Own Solution for Data Loss Prevention

When technology giant EMC Corp. deployed a data loss prevention (DLP) solution for the first time, it chose to protect a critical asset: software source code obtained through nearly four dozen acquisitions.  

Like most large companies, EMC is tackling the challenge of data loss prevention (DLP): keeping sensitive, confidential and high-value information from “leaking” outside the organization through unauthorized or unprotected channels. Our efforts are driven by the usual pressures: increased compliance requirements, the need to manage business risk, and the desire to preserve our brand. But we have another compelling reason as well. Our customers expect us to practice what we preach. And one value we preach, especially through our RSA Security division, is the importance of protecting critical information assets from external and internal threats.

So it was a logical step for us to take the plunge into data loss prevention, which aims to reduce losses caused by insider activities, including deliberate misdeeds by wrongdoers and accidental security lapses caused by unwitting employees, contractors and partners.

Where is the greatest risk for data loss?

We started the process by asking a fundamental risk management question: What information is most critical to our success as an organization? What assets, if compromised, would put the business at greatest risk?  The answer quickly became apparent. Intellectual property (IP), especially software source code, is at the heart of our solutions and the foundation of our competitive advantage.

It should be noted that acquisitions are a core element of EMC’s business strategy. Over the last five years, we have acquired 44 companies including well-known brands such as Documentum, Legato and RSA. Our goal is always the same: to integrate best-in-breed technology assets into the EMC platform to continually enhance our solutions.

While such acquisitions create business opportunity, they also create information risk. Source code is scattered across multiple infrastructures and under the control of disparate IT groups. We had little visibility into where these IP assets lived, who was accessing them, or when they were moved outside the network. And there was no centralized control over how intellectual property was protected. In addition, many acquired companies had another sensitive asset – customer credit card data, which is subject to Payment Card Industry (PCI) compliance requirements – stored on their systems, creating another source of risk.

Gaining visibility and reasserting control

This landscape changed dramatically in December 2007 when, after an accelerated two-month deployment process, we launched an enterprise-wide DLP solution, with an initial focus on identifying and protecting IP and PCI data. Based on technology from Tablus (another acquired company), the solution gave us the ability to locate critical assets, detect likely policy violations in real time, advise users when they are attempting a prohibited action, and block actions that appear to be especially risky, or flag them for further scrutiny. Best of all, we can closely track our progress in reducing risk in different parts of the business and use that information to focus on the areas of greatest vulnerability.

From our experience with DLP to date, we see seven basic requirements for a successful implementation, summarized below.

1: Find the Data at Rest

Since you can’t protect what you can’t see, data discovery is a key step in implementing DLP. Tablus’s data discovery tools gave us the means to search out and identify critical assets occurring across our global infrastructure and endpoints.  By mapping data owners back to their specific business units, we have been able to develop a risk profile for each line of business. Ultimately this will allow us to track our remediation efforts and measure progress for individual business units, thus strengthening accountability for security improvements.

2: Monitor Data on the Move

A second challenge of DLP is to recognize when an attempt is being made to move protected information outside the network so appropriate action can be taken. With our solution, a powerful classification engine sits at every network gateway, scanning network traffic on the fly and classifying it, using RSA’s state-of-the-art content analysis blades. Out-of-the-box, software-based content blades accurately identify common information types, such as PCI credit card numbers. We also developed custom content blades to recognize our source code files and identify different types of data the business units see as being critical to their business processes. Importantly, the solution recognizes the protected content whether it is contained within structured or unstructured files, email messages, or any other types of attachments.

3 and 4: Automate Your Controls, Coach Your People

DLP allows us to automate policy enforcement through the use of security controls such as Information Rights Management, S/MIME, and identity-based encryption. DLP also encourages positive behavior change by end users. In many scenarios, the solution can advise employees when they are about to violate a policy and ask them if they want to continue. This serves two purposes: It educates well-meaning users about policy, so they’re less likely to make the same error again, and it deters wrongdoers by letting them know their actions are being monitored. Depending on the likely severity of a data loss, the solution can modify or block a prohibited action, for example quarantining suspect email for inspection by a security analyst.

5: Align Your Processes

One important organizational challenge we faced was persuading business units to expose their data to the DLP solution. EMC addressed this issue by incorporating data loss prevention into our Mergers & Acquisitions playbook. By “Day 90” following an acquisition, it is standard practice for network traffic from an acquired company to be routed through a DLP server and scanned to detect potential data loss incidents. 

6: Measure, Take Action, and Measure Again

Now that we have documented a stable baseline of activity across the enterprise, we are working to develop targeted end-user awareness campaigns, each based on activities identified by the DLP solution within a specific business unit. From this data we can effectively measure the success of the awareness campaigns and demonstrate the solution’s impact on securing the business overall.

7: Leverage Your Investment

Downstream from our DLP solution, information on attempted policy violations and actual loss incidents is aggregated with data from other security infrastructure, such as firewalls and intrusion prevention systems. In the near future, all this data will feed into an enterprise compliance, governance and risk management solution, providing EMC management with a real-time, dashboard view of the company’s overall risk and security posture.

As we expand our DLP solution - protecting new categories of information and automating enforcement of additional security policies - we see DLP evolving to become an integral part of EMC’s corporate security ecosystem.

V.Jay LaRosa is the principal security architect at EMC Corp.

 

 
