Unstructured data in particular is a thorn in the side of data security and can benefit from three-dimensional insight. When someone in the organization runs a report, extracts information from a secure database into a spreadsheet, or transfers a file to an outside business partner, none of the internal and perimeter security controls we may have set up follow the data. The data no longer has the benefit of these protections and can now proliferate without even an audit trail.
Two-dimensional data loss prevention tools can look for specific types of sensitive data and tell us where it is located. We can add a third dimension to DLP by attaching metadata tags to the data when it leaves a structured data source (e.g. a database) and becomes unstructured data (e.g. a report file). This digital data tag could include information on who requested the report, when it was produced, what system it was produced from, and other useful information that helps “tell the story” about the intended purpose of the file.
By using DLP to track these digital data tags, and parsing the information they contain, we can track these files over time and identify where any proliferation of the files (copies made or sent) has occurred. This then gives us the ability to determine how unstructured sensitive data moves and gets used within our systems, illuminating any business processes that may be putting our sensitive data at risk.
Using a 3D DLP system adds new layers of data intelligence and can be used to track sensitive data over time. For example, while traditional 2D DLP might identify six files that contain 1,200 social security numbers distributed over six laptops, 3D DLP can tell us that the file was requested by Joe on Wednesday, and that Joe then sent the file to Larry on Thursday, who then sent the file to four other people the following week. To find out when this file was shared by authorized users, rather than searching for it by the social security numbers it contains, we can search by the metadata tags that are programmed into the files.
Using these tags, a company can automatically report on how the data in each file traveled through time to get to where it is versus having to make phone calls and send e-mails to determine who sent the files, why they were shared and what time the event occurred. In addition, if a business finds that the social security numbers are not where they belong or are not protected, it is in a better position to understand a broken business process and fix it.
Software development’s role in 3D DLP is in the programming of the metadata tags. When a software developer writes an application that generates a report or file transfer, a metadata tag also needs to be created with information about the file, including who created it, what system the file came out of and what it’s to be used for. Software developers can apply these metadata tags when they are coding reports or extract routines that handle sensitive information.
To ease adoption of this technique, an API can be created for use by developers. That way, for example, an API for use by PeopleSoft developers could be used to create digital data tags for reports and extracts in new PeopleSoft applications or to retrofit existing ones.
The ability to parse the information contained in the digital data tags, and use this information dynamically within a DLP policy, creates enforcement opportunities that don’t exist today within traditional 2D DLP systems. Once these tags are put into place, policies can be developed in a DLP system that make use of the intelligence within the tags to enforce the appropriate use of information and to limit the sharing and transfer of unstructured data files to recipients defined within the policy. Policies can flag users when they attempt to send sensitive information to a recipient that is not permitted to receive it.
For example, if data is tagged so that it is only able to be sent to a specific domain name, and someone attempts to send it somewhere else, they can be alerted to a potential policy violation (creating real-time awareness of policy), or be prevented from sending it. A digital data tag might also contain the name of the department or roles that are authorized to receive the information, which can then be enforced via the DLP policy.
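The following is an added example, not code from the article or from any DLP vendor, showing in Python the three pieces the preceding paragraphs describe together: a small developer-facing API that creates a digital data tag when a report is produced (who requested it, when, from which system, for what purpose), a hop history that records each transfer so the Joe-to-Larry-to-four-others proliferation can be read back from the file itself, and a policy check that uses the tag's authorized domains and roles to allow, alert on, or block a transfer. Every name here (`DataTag`, `create_tag`, `record_transfer`, `check_transfer`, `lineage`) and all of the people, domains and dates in `demo()` are assumptions constructed for the illustration; the tag is carried as a JSON document that a real system would embed in or attach alongside the file.

```python
"""Metadata tagging for '3D DLP': create, propagate, parse and enforce a tag.

Added illustration, not the article's or any vendor's code.  All names and
sample data (people, domains, dates) are constructed assumptions.
"""
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


@dataclass
class Hop:
    """One transfer of the file: who sent it to whom, and when (ISO-8601 UTC)."""
    sender: str
    recipient: str
    at: str


@dataclass
class DataTag:
    """The digital data tag that travels with an unstructured file."""
    requested_by: str        # who ran the report or extract
    source_system: str       # structured source the data came out of
    produced_at: str         # when the file was produced (ISO-8601 UTC)
    purpose: str             # intended business use
    allowed_domains: list    # recipient e-mail domains permitted by policy
    allowed_roles: list      # recipient roles/departments permitted by policy
    hops: list = field(default_factory=list)   # proliferation history


def _stamp(when=None):
    """Render a datetime as an ISO-8601 UTC string; default to the current time."""
    when = when or datetime.now(timezone.utc)
    return when.astimezone(timezone.utc).isoformat(timespec="seconds")


def create_tag(requested_by, source_system, purpose, allowed_domains,
               allowed_roles, produced_at=None):
    """Developer-facing API: build the tag where a report or extract is written."""
    return DataTag(requested_by, source_system, _stamp(produced_at), purpose,
                   list(allowed_domains), list(allowed_roles))


def serialize_tag(tag):
    """The tag as it would be embedded in, or stored beside, the file."""
    return json.dumps(asdict(tag), sort_keys=True)


def parse_tag(blob):
    """Inverse of serialize_tag: what the DLP engine does on inspecting a file."""
    data = json.loads(blob)
    hops = [Hop(**h) for h in data.pop("hops")]
    return DataTag(hops=hops, **data)


def record_transfer(tag, sender, recipient, when=None):
    """Append a hop so the file's travel history stays attached to it."""
    tag.hops.append(Hop(sender, recipient, _stamp(when)))
    return tag


def check_transfer(tag, recipient, recipient_role, enforce=True):
    """DLP policy decision for sending a tagged file to `recipient`.

    Returns (verdict, reason); verdict is "allow", "alert" or "block".
    A domain outside the tag's list is blocked when enforce=True and only
    alerted (real-time awareness) otherwise; a permitted domain but an
    unexpected role is always alerted rather than blocked.
    """
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain not in [d.lower() for d in tag.allowed_domains]:
        verdict = "block" if enforce else "alert"
        return verdict, f"{domain} is not an authorized domain for {tag.purpose!r}"
    if recipient_role not in tag.allowed_roles:
        return "alert", f"role {recipient_role!r} is not authorized for {tag.purpose!r}"
    return "allow", "recipient domain and role are permitted by the tag"


def lineage(tag):
    """Human-readable trail of how the file travelled, read straight from the tag."""
    trail = [f"{tag.requested_by} produced it from {tag.source_system} at {tag.produced_at}"]
    trail += [f"{h.sender} -> {h.recipient} at {h.at}" for h in tag.hops]
    return trail


def recipients(tag):
    """Everyone who has ever received a copy (the proliferation set)."""
    return sorted({h.recipient for h in tag.hops})


def demo():
    """The article's Joe -> Larry -> four others scenario, with constructed data."""
    wed = datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc)
    tag = create_tag("joe@example.com", "hr-payroll-db", "quarterly payroll audit",
                     ["example.com"], ["finance", "hr"], produced_at=wed)
    record_transfer(tag, "joe@example.com", "larry@example.com", wed.replace(day=7))
    for i in range(4):   # Larry forwards it to four people the following week
        record_transfer(tag, "larry@example.com", f"user{i}@example.com", wed.replace(day=12))
    # Round-trip through JSON, as the DLP engine would when it inspects the file.
    return parse_tag(serialize_tag(tag))


if __name__ == "__main__":
    t = demo()
    print("\n".join(lineage(t)))
    print(check_transfer(t, "someone@partner.example.org", "finance"))
```

The policy logic is deliberately split into two outcomes: an unauthorized domain is the hard boundary the paragraph above describes (block, or alert when the organization is still in awareness mode), while a mismatched role inside an authorized domain is surfaced as an alert so that the broken business process, not just the individual transfer, becomes visible. Because the hop history is parsed from the tag itself, the lineage report is available without the phone calls and e-mails the article contrasts it with.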
Organizations can get more value out of existing data loss prevention with the use of metadata tags. They provide an added level of automated data intelligence, so files can be viewed as they move from one location to the next without the burden of having to physically recreate an audit trail. In addition, digital data tags offer an added level of data protection, helping organizations to get a better handle on how they’re moving sensitive data and put policies in place that will flag malicious actions.
This process can also help fix problems at the business process level by attaching information about how a file is to be used directly to the file, and by using the DLP system to enforce a policy that ensures the data is used for its intended purpose. By illuminating the process with a digital—rather than a manual—paper trail, you will save resources and minimize risk.
Michael Gabriel is director of the data protection practice at Integralis, which sells managed security services.