Unstructured data in particular is a thorn in the side of data security and can benefit from three-dimensional insight. When someone in the organization runs a report, extracts information from a secure database into a spreadsheet, or transfers a file to an outside business partner, none of the internal and perimeter security controls we may have set up follow the data. The data no longer has the benefit of these protections and can now proliferate without even an audit trail.
Two-dimensional data loss prevention tools can look for specific types of sensitive data and tell us where it is located. We can add a third dimension to DLP by attaching metadata tags to the data when it leaves a structured data source (e.g. a database) and becomes unstructured data (e.g. a report file). This digital data tag could include information on who requested the report, when it was produced, what system it was produced from, and other useful information that helps “tell the story” about the intended purpose of the file.
By using DLP to track these digital data tags, and parsing the information they contain, we can track these files over time and identify where any proliferation of the files (copies made or sent) has occurred. This then gives us the ability to determine how unstructured sensitive data moves and gets used within our systems, illuminating any business processes that may be putting our sensitive data at risk.
Using a 3D DLP system adds new layers of data intelligence and can be used to track sensitive data over time. For example, while traditional 2D DLP might identify six files that contain 1,200 social security numbers distributed over six laptops, 3D DLP can tell us that the file was requested by Joe on Wednesday, and that Joe then sent the file to Larry on Thursday, who then sent the file to four other people the following week. To find out when this file was shared by authorized users, the DLP system can search for the metadata tags programmed into the files rather than for the social security numbers themselves.
Using these tags, a company can automatically report on how the data in each file traveled over time to reach its current location, instead of having to make phone calls and send e-mails to determine who sent the files, why they were shared and when each event occurred. In addition, if a business finds that the social security numbers are not where they belong or are not protected, it is in a better position to understand the broken business process and fix it.
Software development’s role in 3D DLP is in the programming of the metadata tags. When a software developer writes an application that generates a report or file transfer, a metadata tag also needs to be created with information about the file, including who created it, what system the file came out of and what it’s to be used for. Software developers can apply these metadata tags when they are coding reports or extract routines that handle sensitive information.
To ease adoption of this technique, an API can be created for use by developers. That way, for example, an API for use by PeopleSoft developers could be used to create digital data tags for reports and extracts in new PeopleSoft applications or to retrofit existing ones.
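The following is an added illustration of what such a tagging API and the tracking it enables might look like; it is not code from the article or from any DLP or PeopleSoft product. It assumes a tag is a small JSON document carried with the file (here simply returned as a dictionary), that every hand-off appends an event to a provenance chain, and that the tag is protected with an HMAC so a tampered or forged tag can be recognised rather than trusted; the signing key, the names, the system name and the dates are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for the example only; a real deployment would hold this in a key store
# reachable by the tagging API and the DLP engine, never in the files being tagged.
TAG_SIGNING_KEY = b"example-signing-key-not-for-production"


def _canonical(tag):
    """Serialise every field except the signature in a deterministic order."""
    body = {k: v for k, v in tag.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_tag(tag):
    """Attach (or refresh) the HMAC that makes the tag tamper-evident."""
    tag["sig"] = hmac.new(TAG_SIGNING_KEY, _canonical(tag), hashlib.sha256).hexdigest()
    return tag


def verify_tag(tag):
    """True only if the tag's fields still match the signature made with our key."""
    expected = hmac.new(TAG_SIGNING_KEY, _canonical(tag), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag.get("sig", ""))


def create_tag(requester, source_system, purpose, produced_at, sensitivity="PII"):
    """What a report or extract routine calls at the moment the file is produced."""
    tag = {
        "requester": requester,
        "source_system": source_system,
        "purpose": purpose,
        "produced_at": produced_at,
        "sensitivity": sensitivity,
        # Provenance chain: the first event is creation, later events are hand-offs.
        "chain": [{"actor": requester, "action": "created", "at": produced_at}],
    }
    return sign_tag(tag)


def record_transfer(tag, sender, recipient, at):
    """Return the tag carried by the recipient's copy: the chain grows by one hand-off."""
    if not verify_tag(tag):
        raise ValueError("tag signature invalid; refusing to extend chain")
    new_tag = copy.deepcopy(tag)
    new_tag["chain"].append({"actor": sender, "action": "sent", "to": recipient, "at": at})
    return sign_tag(new_tag)


def proliferation_report(observed_tags):
    """Merge the chains of every copy DLP has seen into one ordered story of the file.

    Returns (events sorted by time, sorted list of everyone who holds a copy).
    """
    events = {}
    for tag in observed_tags:
        if not verify_tag(tag):
            continue  # forged or altered tag: leave it out of the story
        for ev in tag["chain"]:
            events[json.dumps(ev, sort_keys=True)] = ev  # de-duplicate shared history
    ordered = sorted(events.values(), key=lambda e: e["at"])
    holders = {ordered[0]["actor"]} | {e["to"] for e in ordered if e["action"] == "sent"}
    return ordered, sorted(holders)


def demo():
    """Constructed scenario: Joe produces a report, sends it to Larry, who forwards it to four people."""
    joe = create_tag("joe", "HR-PeopleSoft", "payroll audit", "2024-01-03T09:00:00Z")
    larry = record_transfer(joe, "joe", "larry", "2024-01-04T10:15:00Z")
    others = [
        record_transfer(larry, "larry", who, "2024-01-10T14:00:00Z")
        for who in ("ann", "bob", "cara", "dan")
    ]
    # DLP agents on the six laptops report the six tags they found; merge them.
    return proliferation_report([joe, larry] + others)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Each copy of the file carries the history it inherited plus its own hand-off, so merging the tags found on six endpoints reconstructs the whole path without anyone having to be phoned; a copy whose tag has been edited by hand fails `verify_tag` and is excluded rather than believed.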
The ability to parse the information contained in the digital data tags, and use this information dynamically within a DLP policy, creates enforcement opportunities that don’t exist today within traditional 2D DLP systems. Once these tags are put into place, policies can be developed in a DLP system that make use of the intelligence within the tags to enforce the appropriate use of information and to limit the sharing and transfer of unstructured data files to recipients defined within the policy. Policies can flag users when they attempt to send sensitive information to a recipient that is not permitted to receive it.
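As an added example of the enforcement side (not code from the article or from any DLP product), here is a small policy check that reads a parsed tag and decides whether an attempted send is allowed. It assumes the tag has already had its signature verified upstream, that the tag carries the sensitivity, purpose and provenance chain fields described above, and that policy is keyed by sensitivity class with permitted recipient patterns, approved purposes and a maximum number of hand-offs; the policy, tags and addresses are constructed for the example.

```python
import fnmatch

# Constructed DLP policy: who may receive files in each sensitivity class, and how far they may travel.
POLICY = {
    "PII": {
        "allowed_recipients": ["*@example.com", "auditor@partner-example.net"],
        "allowed_purposes": ["payroll audit", "benefits reconciliation"],
        "max_hops": 2,  # creator -> first recipient -> second recipient, and no further
    },
}


def evaluate_transfer(tag, sender, recipient):
    """Return (allowed, reasons) for `sender` sending a file carrying `tag` to `recipient`."""
    reasons = []
    rule = POLICY.get(tag.get("sensitivity"))
    if rule is None:
        return False, [f"no policy for sensitivity {tag.get('sensitivity')!r}; default deny"]
    if not any(fnmatch.fnmatch(recipient, pat) for pat in rule["allowed_recipients"]):
        reasons.append(f"recipient {recipient} is not permitted for {tag['sensitivity']} data")
    if tag.get("purpose") not in rule["allowed_purposes"]:
        reasons.append(f"purpose {tag.get('purpose')!r} is not an approved use")
    hops = sum(1 for ev in tag["chain"] if ev["action"] == "sent")
    if hops + 1 > rule["max_hops"]:
        reasons.append(f"file already forwarded {hops} time(s); limit is {rule['max_hops']}")
    # The sender should appear in the custody chain; if not, the tag was lifted from another file.
    holders = {tag["chain"][0]["actor"]} | {ev["to"] for ev in tag["chain"] if ev["action"] == "sent"}
    if sender not in holders:
        reasons.append(f"{sender} does not appear in the file's custody chain")
    return (not reasons), reasons


# Constructed tag: Joe produced a PII report from the HR system and sent it to Larry.
SAMPLE_TAG = {
    "requester": "joe@example.com",
    "source_system": "HR-PeopleSoft",
    "purpose": "payroll audit",
    "produced_at": "2024-01-03T09:00:00Z",
    "sensitivity": "PII",
    "chain": [
        {"actor": "joe@example.com", "action": "created", "at": "2024-01-03T09:00:00Z"},
        {"actor": "joe@example.com", "action": "sent", "to": "larry@example.com", "at": "2024-01-04T10:15:00Z"},
    ],
}

# Same file one hop later: Larry has already forwarded it to Ann.
FORWARDED_TAG = dict(SAMPLE_TAG, chain=SAMPLE_TAG["chain"] + [
    {"actor": "larry@example.com", "action": "sent", "to": "ann@example.com", "at": "2024-01-10T14:00:00Z"},
])


def run_samples():
    """Four attempted sends, as a DLP engine would see them, mapped to their decisions."""
    return {
        "larry_to_internal": evaluate_transfer(SAMPLE_TAG, "larry@example.com", "ann@example.com"),
        "larry_to_outside": evaluate_transfer(SAMPLE_TAG, "larry@example.com", "someone@webmail-example.org"),
        "non_holder_sends": evaluate_transfer(SAMPLE_TAG, "eve@example.com", "bob@example.com"),
        "too_many_hops": evaluate_transfer(FORWARDED_TAG, "ann@example.com", "bob@example.com"),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_samples().items():
        print(name, "ALLOW" if allowed else "BLOCK", reasons)
```

The decision uses only what the tag already says (who produced the file, why, and who has held it), which is exactly the context a pattern-matching 2D rule lacks: the same social security numbers are allowed to reach an auditor under an approved purpose and blocked when a user who was never in the custody chain tries to send them onward.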