The firm makes this prediction in a research paper published on January 13th and titled Content-Aware DLP in Asia/Pacific. Written by Rob McMillan and Eric Ouellet, the paper says “DLP will be within the standard of due care for Australia, Japan, New Zealand and Singapore by 2015. This means that, during an audit or an enforcement action, an organization is more likely to be held accountable for the lack of DLP as a common control, which will decrease its defensibility and increase its liability.”
Australia, the paper adds, “has organizations implementing DLP, but these deployments are typically only manifested in the larger early-adopter organizations (such as financial services) that do not have a strict base of operation limited within the country.”
As more nations add laws mandating greater privacy controls or breach disclosure, DLP implementations will become more common, the paper suggests.
“In Australia we know the Privacy Act is likely to get an overhaul,” McMillan told SearchSecurity ANZ. “And the Australian Prudential Regulatory Authority (APRA) used the term ‘data loss’ in its standards.” Similar moves are afoot elsewhere in the region, McMillan said, which will also spur uptake of DLP.
New ways of working are also making DLP sensible.
“There comes a need for more controls because you are not in physical proximity with the people you are in contact with every day,” McMillan said. Cloud services will also provide a challenge, as organisations commission and decommission servers in the cloud without ever the infrastructure on which data resides.
“When we used to have physical servers, if you really had to you could recover the data,” thanks to data recovery services. “Now we are talking about ephemeral servers and the hardware might well have a load of other memory dumped on it,” making retrieval of data or tracing its movements very difficult indeed. “Forensically, this becomes a different thing,” McMillan said.
Fortunately, he also feels that DLP is improving to meet these challenges. “It is not in its infancy, but I would not say we have solved all problems. There are still a lot of ways to get information out of an organisation. DLP won’t solve all of them. We can’t stop call centre staff memorising customer details. There are also technical problems DLP cannot solve, like steganography. We might be there in five years.”
A job for business
In the interim, McMillan said that while security teams possess the skills to implement DLP, business people should drive its deployment.
“The people you need engaged are the lines of business, because they are the ones who make the money and own the risk. Because DLP is seen as a technology, it is seen as a technical project. But it is more of a business risk project and technology should be seen as the enabler.”
“Instead of it being all about technology there needs to be a discussion about what are the risk parameters and what process will we use when we find an issue.”
This was first published in February 2011