7/29/2019 You Sent What - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiven
Data Loss Prevention, April 2010
An independent report by Quocirca Ltd.
www.quocirca.com
Commissioned by CA
Bob Tarzey, Quocirca Ltd
Tel: +44 7900 275517
Clive Longbottom, Quocirca Ltd
Tel: +44 771 1719 505
Mariateresa Faregna, CA Inc
Tel: +39 2 90464739
You sent what? Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness
May 2010
Electronically stored information is a key asset for any organisation, but it is often insufficiently cared for, as the numerous high profile data breaches reported in recent years demonstrate. This failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensue.
The technology exists today to link the use of data to people through enforceable policies. This allows a compliance-oriented architecture to be put in place based on widely accepted information security standards, such as ISO 27001. Doing so enables organisations to allow the safe sharing of information, internally and externally, ensuring both the continuity of business processes and good data governance.
This report examines the issue of data governance through the publication of new primary research that examines how well European businesses understand the risks and what steps they have taken to address them. The report should be of interest to those involved in ensuring the safety and integrity of information or those who manage business processes and operations that rely on it.
You sent what? Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness
Electronically stored information is a key asset for any organisation, but it is often insufficiently cared for, as the numerous high profile data breaches reported in recent years demonstrate. This failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensue.
The safe use of data is high on the list of issues that concern IT managers when it comes to IT security
After malware (rated at 2.9 on a scale of 1 to 5, where 1 = not a threat and 5 = a very serious threat), the issues of greatest concern with regard to IT security are internet use (2.8), managing sensitive data (2.7) and the activity of internal and external users (both 2.7). All three are linked; it is the sharing of data between users, usually over the internet, that is behind many incidents involving the loss of sensitive data.
Data compromise is costly, and new regulations are expected to exacerbate this in coming years
The majority of organisations expect data privacy (ranked 3.2 on a scale of 1 to 5 where 1 = will decrease a lot and 5 = will increase a lot) to be a major driver for regulatory change in the next five years. It is second to national government bodies (3.3), which are responsible for many such regulations anyway.
Cloud computing and new communication tools underline the need for pervasive data security
The growing use of on-demand internet-based IT services means data is increasingly managed by third parties; consequently data security practices need greater reach. The variety of tools used to share data is also increasing, meaning that perimeter security is no longer enough and policing each communication medium separately is impractical. Only with corporate email is there a reasonable level of confidence that controls are in place.
IT departments struggle to deal with compliance issues and seem either unaware of how technology could help or are unable to convince the business of the inherent risks that justify required investments
Lack of time and resources (both ranked 2.8 on a scale of 1 to 5 where 1 = not a problem at all and 5 = a very great problem) followed by a plethora of manual processes (2.8) mean IT managers find it hard to address many of the compliance issues they face. The majority do not seem to have an overall compliance vision (2.7) that could alleviate the problem.
Implementing a compliance-oriented architecture (COA) would help alleviate this
A COA is defined in this report as a set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs.
A COA requires three fundamental technologies to be in place
First, a full identity and access management system (IAM), deployed by just 25% of the respondents; second, the ability to locate and classify data; and third, data loss prevention (DLP) tools that provide a way to enforce policies that link people's roles to the use of that data. Many DLP tools include data search and classification capabilities, with 25% of respondents already having deployed such tools.
Those that have deployed the elements of a COA recognise the benefits
Over 40% of those that have deployed full IAM say they have no concern about the safe deprovisioning of employees, compared to only 3% of those without full IAM. Approaching 90% of organisations that have deployed DLP say they are well prepared to protect intellectual property and personal data; for those without DLP the figure is under 30%.
Conclusions
The technology exists today to link the use of data to people through enforceable policies. This allows a compliance-oriented architecture to be put in place based on widely accepted information security standards, such as ISO 27001. Doing so enables organisations to allow the safe sharing of information, internally and externally, ensuring both continuity of business processes and good data governance.
CONTENTS
1. INTRODUCTION AND TARGET AUDIENCE ... 4
2. THE NEED FOR DATA SECURITY ... 4
3. THE CONSEQUENCES OF DATA COMPROMISE ... 5
4. A COMPLIANCE-ORIENTED ARCHITECTURE (COA) ... 7
5. USE OF TECHNOLOGY ... 9
6. CONCLUSION: ATTAINING THE HIGHEST STANDARDS ... 12
APPENDIX 1: DEMOGRAPHICS ... 13
APPENDIX 2: IT SPENDING TRENDS BY INDUSTRY ... 14
ABOUT CA ... 15
ABOUT QUOCIRCA ... 16
Quocirca 2010
1. Introduction and target audience
Information is the life blood of any business and, just as good quality blood needs to be kept flowing in a regulated manner in a healthy creature, so too does information in a thriving business.
Businesses also need to regularly share information with each other, driving the cross-organisational business processes that keep suppliers trading and governments providing co-ordinated services to citizens.
However, whilst doing this, businesses also need to ensure they are protected from a threat that lies within the electronic storage and use of information; the possibility that it may, be it by accident or design, end up in the wrong hands. When it does, the consequences can be costly and damaging.
How confident are European businesses that they can keep information flowing, whilst ensuring they do not become the victim of a data breach, and to what extent are they using technology to achieve these goals?
This report aims to answer these questions and should be of interest to those involved in ensuring the safety and integrity of information or those who manage business processes and operations that rely on it.
The report provides peer review, through the publication of new research, that shows where organisations from different industries and countries stand on these issues.
The research involved 270 interviews with senior IT managers working for businesses from 14 countries across Europe, each employing more than two thousand staff. The research covers 4 main industry sectors: financial services, manufacturing, government and telecoms & media (see Appendix 2).
2. The need for data security
For those charged with managing IT security, malware remains the single greatest overall concern as it becomes more sophisticated and geared towards fast profits through stealing of data. Beyond malware, there is not much to choose between the next three issues (Figure 1). All are related to the use of data; the internet, the main way data is shared externally; internal users (what might they be doing with data?) and the compromise of sensitive data itself.
Figure 2 shows the same data broken down by industry. It is clear that issues with regard to data security are more pressing for some sectors than others.
Manufacturers feel the most vulnerable, expressing the highest level of concern in all areas; this is perhaps because they worry more than their counterparts elsewhere about protecting their intellectual property (IP). The financial sector is not far behind; just as with the overall sample, showing the greatest concern about internet use, internal users and the compromise of sensitive data. Telcos are the least concerned, perhaps because they are already highly regulated and see the safe handling of data as a core business activity.
Figure 3 shows how well different industries feel they are prepared to protect themselves against the loss of personal or regulated data and IP.
Manufacturers do indeed show the most concern about protecting IP and, given the concerns the financial sector has about users and the sharing of data, it seems poorly prepared too.
Government scores lowest when it comes to personal and regulated information, which many of the citizens they serve will be aware of, given the number and scale of recent data leaks involving personal data about them. One of the most high profile examples has been the loss in the post in November 2007 of a CD by the UK's HMRC (Her Majesty's Revenue and Customs) to which the private details of 25 million families had been copied.
One might not be surprised by the finding that telecoms and media companies, given the open nature of their networks and their technical expertise, are the best prepared to protect data. However, when it comes to internal use of data, a recent incident at T-Mobile (see Section 3) shows that telcos, at least, are not infallible.
Section 5 of this report will go on to show that despite the widespread availability of security tools to address all of these issues, deployment of them is at a low level by organisations in all four sectors covered in this report.
3. The consequences of data compromise
On top of the overriding concern of cost, there are three main things that worry businesses should sensitive data get in to the wrong hands:
1. Being in breach of regulations and/or a legal contract of some sort.
2. Loss of competitive advantage.
3. Reputational damage.
Many incidents are touched by all three of these; the T-Mobile incident is a good example. In November 2009 it became apparent that the details of thousands of T-Mobile's UK customers had been stolen by an employee and sold to rivals, certainly not good for its reputation. The UK's Information Commissioner's Office (UK ICO) has taken an immediate interest as personal data is involved and privacy regulations have been breached (at the time of writing there has not been a ruling). Of course, for competitors to get hold of such information is clearly damaging and the subsequent bad press may deter new customers.
Perhaps the most important lesson about the T-Mobile incident is that the theft was perpetrated by an insider; this certainly looks like a case of complacency. The only way to defend against such actions is to better control what employees can and cannot do with data. For many organisations this requires a bottom up review of information security.
The long term overall costs for T-Mobile are not yet clear. An element of that cost is likely to be a penalty imposed by the UK ICO, which has been empowered, as of April 2010, to levy fines of up to £500K. However, such fines can be even larger; in another case of disks lost in the post, which came to light in 2009, a fine of £3 million was imposed by the UK's Financial Services Authority (FSA).
Few expect the regulatory climate to ease in coming years (Figure 4). Restrictions imposed by national governments are expected to increase the most. As many of these will dictate how sensitive personal data and breaches involving it
should be handled, anticipated increases in data privacy legislation also figure high on the list.
Some issues are low on the list because tough regulations have already been put in place, such as credit card handling and securities trading. Others, such as environmental legislation, are lower because this survey was conducted during the 2009 recession when many businesses were more worried about their bottom line than their carbon footprint. Governments know they have to take action on climate change and much of this will be driven by regulating the way businesses consume resources.
Data privacy is of greatest concern to financial organisations as the consequences of losing their customer data are so serious (Figure 5). They possess large amounts of sensitive data that requires protection, including personal data, intellectual property and other non-public information. There have been a number of high profile cases of data loss from financial institutions, often leading to heavy fines.
A high profile example was the fines imposed on the US credit transaction handling company Heartland Payment Systems. It is to pay $60M to Visa and $3.6M to Amex for losses they incurred due to the breach of 130 million credit card user records in 2008. The company reported that it lost $129 million on data breach costs in its latest financial report and that it still has a reserve of $100 million for additional expenses on this case, which might bring the total cost of the breach to $229 million. In this case it was down to an external hacker (now in prison), but other, albeit so far smaller, fines have been imposed for breaches caused by internal users, as discussed earlier.
Indeed, the HMRC and T-Mobile incidents were all triggered by the actions of insiders. However, it is often necessary to grant access to internal data to outsiders, although, in this survey, controlling such external users was bottom of the list of problems organisations say they face when making sure they are compliant with the regulations that surround them (Figure 6).
Topping the list are the lack of time and resources, followed by the plethora of manual processes and a lack of an overall compliance vision.
If businesses had a better understanding of how to address the issues relating to information security they might put lack of an overall compliance vision at the top of the list. Such a vision could reduce the number of manual processes and, consequently, time and resources would be less of an issue.
The three issues listed at the start of this section (breach of regulations/contracts, loss of competitive advantage and reputational damage) would be mitigated if organisations could track the use of data better, which is surprisingly low down the list. All three can be addressed through deploying suitable tools as part of a compliance-oriented architecture.
4. A compliance-oriented architecture (COA)
As businesses discover more and more ways to communicate, or at least try to keep up with their employees' propensity to do so, securing communication media on a case-by-case basis is no longer practical. To enable safe sharing of information, both internally and externally, whatever the medium of communication, requires a COA.
A COA can be defined as: a set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs.
The necessity to understand and address these requirements has become paramount in the last decade. Ten years ago, the internet was already in widespread business use, but its principal application, the web, was largely passive. The main way information was shared was by corporate email, a single network channel (simple mail transfer protocol/SMTP) with some use of instant messaging (IM). The SMTP channel is relatively easy to monitor and filter and most businesses have invested in tools in the last decade to do this and are therefore relatively confident they have email under control (Figure 7).
Today the use of the web is dynamic; blogs, webmail, social networking, web conferencing (so called Web 2.0 technologies): countless ways to transmit data. There has been much less investment in technology to control web traffic, which is transmitted via a different protocol (hyper-text transfer protocol/HTTP). This has led to a reduced overall confidence in the safe sharing of information.
Furthermore, the very nature of the way IT is managed and delivered is changing rapidly. Many computing services are now being delivered on-demand over the internet. These range from business applications (software as a service/SaaS), software platforms (platform as a service/PaaS) to basic infrastructure (infrastructure as a service/IaaS). These different models are often collectively referred to as cloud computing and are enabled by virtualisation. IT security is considered a key enabler of both (Figure 8).
Cloud computing means not just that there will be even more data transmitted across networks, but that more and more of it will be stored on infrastructure managed and owned by third parties. Some fret about the security issues with the use of such services, perhaps unnecessarily, as the service providers will often have better practices in place than their customers; however, it does underline the need to apply security policies at the data level.
This is not only necessary to protect data from falling into the wrong hands but also to ensure that some types of data remain within certain geographic boundaries. Some regulations require that certain types of personal data are not physically stored outside of a given legislative area.
To achieve this it helps to define information storage and usage zones with understood risk. For example, highly sensitive data might be restricted to infrastructure that is managed behind the corporate firewall and only data of low sensitivity being suitable for processing and
storage on shared infrastructure from a cloud service provider. The categorisation will depend on the risks inherent in a given cloud service.
Understanding the type of data, and its classification, enables real time decisions to be made about what is and is not allowed to be handled in each zone. Employees cannot be expected to understand such issues; indeed they may be completely unaware that copying a sensitive document from one location to another is moving it from internally managed to third party infrastructure, where it might be in contravention of corporate policy.
In all the areas listed in Figure 7, telco and media companies were the most confident that they could control how their users shared data, again reflecting that the transmission and sharing of data is their core business (Figure 9). Finance, public sector and manufacturing were all less confident, except in one odd area; public sector organisations were more confident than others about their ability to manage the use of printed materials.
Such confidence may be misplaced; network printers, through information stored on their internal disks and memory or the output they produce, are a security risk. Unclaimed output has certainly been a source of data leaks in the past. The higher confidence amongst government organisations may be because of their growing use of secure print services.
Employee productivity is an issue often raised when it comes to the use of internet-based communications tools, but is not the subject of this report. Whatever tools businesses believe are useful, for good reasons or bad, their employees will seek to use others too. So, rather than trying to police the internet and the ways users are communicating, it simply underlines the need to apply security to the data itself. This can only be done in the context of knowing who the appropriate users of information are, as policies regarding its use will vary by job role and individual.
Many businesses have a reasonable understanding of their users through the use of some sort of identity and access management (IAM) system. They tend to have a poorer view of their data, not knowing what is stored where and what is of true value (and therefore risk, if compromised). There is most concern about the security of data stored on mobile devices with their rapidly increasing disk capacity (Figure 10).
Many businesses have no linkage between their identity and access management tools and the way data use is governed, often treating the two as silos. This makes it hard to create and enforce centralised policies as to how people can use data and to track them as they do.
This last point is important; tracking the legitimate activities of those in given roles, and understanding how they are using information, enables fine tuning and improvement of a COA through continual feedback.
Having such systems in place also leads to improved confidence at a key stage in any business's relationship with an individual employee: their departure (Figure 11). Here, manufacturers show the most concern, presumably because of their worry about IP, followed by financial organisations with the large amounts of sensitive information they handle.
Such concerns are well placed. In Nov 2008 a former Intel worker was indicted for stealing IP with an estimated value of $1B when he left to join rival chip manufacturer AMD. Another case of attempted IP theft emerged in July 2009, when a Goldman Sachs employee was charged with stealing computer code that automated the firm's high-volume trading in stock and commodities markets. The employee intended to make use of the software when he joined a rival employer.
Defining a COA is not something that needs to be done from scratch; there are frameworks for information management and IT governance that lay down good practice. One of the most widely adopted is ISO 27001, but there are others such as ITIL and COBIT (Figure 12).
These standards and guiding principles also help on the road to regulatory compliance. For example, many of the requirements laid down in the Payment Card Industry Data Security Standard (PCI DSS) overlap with controls specified in the ISO 27001 information security standard.
5. Use of technology
The examples laid out in the last section underline the three main threats that are inherent with data breaches discussed in Section 3; being in breach of regulations/contract, loss of competitive advantage and reputational damage. Technology can be used to underpin a COA and mitigate these, but few organisations are actually doing so.
A COA requires three technology elements to be in place; identity and access management (IAM), data search/classification and the ability to enforce policies that link the two.
IAM provides the ability to understand people, their roles and responsibilities and to be able to define their privileges and access rights. This is more than simply a directory of individuals and needs to embrace both internal and external users.
IAM also enables the enforcement of access rights at runtime, applied to assets such as IT resources and applications. However, most IAM systems do not provide the ability to secure access to unstructured content. To achieve this, a strong link needs to be created between IAM and DLP technologies to provide identity-centric data protection.
The majority of organisations do not have a full identity management suite in place (Figure 13). For those that do, not only do they have the first key part of a COA, they also overcome a common problem that often results in data loss; the safe deprovisioning of employees (Figure 14).
The second element of a COA is the need to be able to understand and classify data in the many places it may reside. Only 50% of organisations say they have such a capability in place (Figure 15), although the current research did not delve into the type of tools being used for this. If a business cannot identify its critical data, how can it protect it? This is exacerbated by the growing use of cloud computing, whereby some data assets will be stored on infrastructure provided by external providers, perhaps distributed across a number of locations.
Telecoms and media companies are the most likely to have data identification and classification in place for personal data and documents (Figure 16). The low level amongst manufacturers may reflect more exacting standards; given their concerns about IP, they seem to lack confidence in whatever technology they have had to rely on to date to protect this.
Understanding people and data is not enough. They need to be linked through enforced policies that control how data is used depending on a given user's role, privileges and access rights. This requires an ability to monitor data, recognise the sensitivity of various data elements (from whole files down to sentences, phrases and specific data types) and apply policies on a per-user basis. The technology that enables this has become known as data loss prevention (DLP).
As well as providing the capability to search for and classify data, DLP tools also police its use. The tools enable the inspection of content and enforcement of pre-defined policies depending on the rights of the individual concerned. For example, documents containing the term "company confidential" can be blocked from being sent to external email recipients or being printed, except perhaps for managers above a certain level. Encryption can be enforced for the transmission of any data that contains credit card numbers.
DLP tools are also increasingly being used for information control purposes. Some organisations use the technology to identify and prevent price fixing, bid rigging and collusion. There are other, more positive, uses, such as making sure only the most recent version of public reports and brochures are distributed.
DLP tools were deployed by around 25% of the organisations interviewed for this survey, leaving the remaining 75% with no sure way of protecting from the threats posed by data breaches. DLP is most widely deployed by telecoms and media companies and least by manufacturers (Figure 17). Given the responsibility that government organisations have for their citizens' data and the sensitive data held by financial services organisations, such low levels of deployment should be a concern for regulators.
Manufacturers should also take an urgent look at DLP; the leading products in this area not only prevent unwanted copying, printing and transmission of certain data, but they also include the identification and classification capabilities required for a complete COA and the protection of IP.
The fact is that two of the areas where many organisations are weak in data governance (understanding data and enforcing policies regarding its use) can be addressed through a single technology investment: DLP.
DLP also enables the continuous tracking of how data is being used. This provides feedback to those managing the COA, ensuring critical data is available to those with legitimate need for access, understanding new usage patterns and redefining policy.
For example, a new partnership might mean that certain confidential documents can now be shared on a regular basis with employees of another organisation. This may lead to a sudden rise in the blocking of the documents being sent by email, flagging the need for a change in policy.
Making sure policy keeps pace with acceptable practice also makes it easier to spot anomalous behaviour and maintain adaptive access control mechanisms.
As IAM and DLP solutions get more tightly integrated, there will be significant advances in how information is secured. For example, at present, many web access management (WAM) tools use static access control mechanisms (users being explicitly assigned access to certain resources). Linking WAM with DLP technologies can enable dynamic, on-the-fly security decisions.
WAM will then have an adaptive, content-aware access control layer. This will simplify the securing of resources such as portals (e.g. Microsoft SharePoint). When a user tries to access a document, the WAM tools can make a call to a runtime DLP component to dynamically check if the content within the document is suitable for the requested use and appropriate action gets taken.
Adaptive access control approaches will also prove critical to securing cloud computing resources. Current static models will be too complex and expensive to maintain.
The increased confidence that DLP can give an organisation should not be underestimated. Those that have it in place have far more confidence in their abilities to protect IP and personally identifiable information (PID) (Figure 18) and to prevent departing employees taking valuable data with them (Figure 19).
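The per-user policies described in Section 5 (blocking "company confidential" documents from external email and from printing below a manager grade, forcing encryption where credit card numbers are present), the storage and usage zones of Section 4, and the runtime DLP call a WAM layer would make when a user opens a document, as one added Python illustration that is not code from the report, CA or Quocirca. The roles, grade threshold, zone names, regular expressions and sample documents are constructed assumptions; each decision is also recorded, since a COA needs an audit trail.

```python
"""Identity-linked, content-aware DLP policy check with an audit trail (added illustration)."""
import re
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    ENCRYPT = "encrypt"  # transmission permitted only over an encrypted channel


@dataclass(frozen=True)
class User:
    name: str
    role: str
    grade: int  # constructed management grade; higher is more senior


@dataclass(frozen=True)
class Decision:
    action: Action
    labels: frozenset
    reason: str


# Policy parameters (constructed assumptions, not taken from the report).
MANAGER_GRADE = 3          # grade at or above which confidential print is allowed
TRANSMIT_OPS = {"email", "share"}
SHARED_ZONES = {"cloud"}   # zones on shared, third-party managed infrastructure
CONFIDENTIAL_MARKER = re.compile(r"\bcompany confidential\b", re.IGNORECASE)
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
AUDIT_TRAIL = []           # one record per decision, for the COA audit trail


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out phone numbers and other digit runs the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> frozenset:
    """Sensitivity labels found in a document's text: 'confidential' and/or 'card-data'."""
    labels = set()
    if CONFIDENTIAL_MARKER.search(content):
        labels.add("confidential")
    for match in CARD_CANDIDATE.finditer(content):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            labels.add("card-data")
            break
    return frozenset(labels)


def access_check(user: User, content: str, operation: str, destination: str = "internal") -> Decision:
    """Runtime decision a WAM layer would request from a DLP component.

    operation: "read", "print", "email" or "share".
    destination: "internal", "external" or a zone name such as "cloud".
    """
    labels = classify(content)
    if "confidential" in labels and operation == "email" and destination == "external":
        decision = Decision(Action.BLOCK, labels, "confidential content to external recipient")
    elif "confidential" in labels and operation == "print" and user.grade < MANAGER_GRADE:
        decision = Decision(Action.BLOCK, labels, "confidential print below manager grade")
    elif "confidential" in labels and destination in SHARED_ZONES:
        decision = Decision(Action.BLOCK, labels, "confidential content not allowed in shared zone")
    elif "card-data" in labels and operation in TRANSMIT_OPS:
        decision = Decision(Action.ENCRYPT, labels, "card data must be transmitted encrypted")
    else:
        decision = Decision(Action.ALLOW, labels, "no policy matched")
    AUDIT_TRAIL.append({"user": user.name, "role": user.role, "operation": operation,
                        "destination": destination, "labels": sorted(labels),
                        "action": decision.action.value, "reason": decision.reason})
    return decision


def blocks_for_destination(destination: str) -> int:
    """Feedback for policy review: a rising block count for one destination
    (e.g. a new partner) signals that the policy may need redefining."""
    return sum(1 for e in AUDIT_TRAIL
               if e["action"] == "block" and e["destination"] == destination)


# Constructed sample users and documents.
ANALYST = User("alice", "analyst", grade=1)
DIRECTOR = User("bob", "director", grade=4)
PRICING_MEMO = "Project Falcon pricing - COMPANY CONFIDENTIAL - do not forward."
CARD_NOTE = "Customer card on file: 4111 1111 1111 1111, desk phone 0207 123 4567."

if __name__ == "__main__":
    requests = [(ANALYST, PRICING_MEMO, "email", "external"),
                (ANALYST, PRICING_MEMO, "print", "internal"),
                (DIRECTOR, PRICING_MEMO, "print", "internal"),
                (ANALYST, PRICING_MEMO, "share", "cloud"),
                (ANALYST, CARD_NOTE, "email", "internal")]
    for user, doc, op, dest in requests:
        d = access_check(user, doc, op, dest)
        print(f"{user.name:5} {op:5} -> {dest:8}: {d.action.value:7} ({d.reason})")
```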
A COA cannot be implemented successfully without fostering a compliance-aware culture across a business. This underlines another valuable benefit of DLP tools: they can be educational, for instance alerting users that certain actions are in violation of corporate security policies. Ultimately, they will raise awareness and drive behaviour.
6. Conclusion: attaining the highest standards
This report has used the term COA to define a set of practices and tools that can be put in place to protect data. These involve linking people to data through a set of well defined and enforced policies.
The aim is to avoid the costly data breaches that can cause reputational damage, loss of competitive advantage and the ire and fines of the regulators. To achieve this, the deployment of a comprehensive set of IAM and DLP tools is recommended and this report shows that those that have done so reap the benefits of increased confidence in how they use and share data.
A COA need not be invented from scratch but can be based on widely adopted information security standards such as ISO 27001. In fact there is a strong link between the two, as Figure 20 shows. Organisations that have adopted ISO 27001 are more likely to have deployed full IAM and DLP tools; these help them put in place the controls specified by the standard.
It is interesting to note that those that have adopted ISO 27001 but have not completed its implementation are the least likely to have adopted IAM and DLP; clearly they are yet to discover how much these technologies can help. The fact that quite a few that have not adopted ISO 27001 have also put these two technologies in place merely suggests they are using different standards to help achieve a COA.
Either way, it requires an evolutionary approach to constantly improve the way data is managed to give an organisation the confidence to keep data flowing safely. Deploying the technologies that underpin a compliance-oriented architecture can help any organisation take a quantum leap along the road to better regulatory compliance.
Appendix 1: demographics
This Appendix shows how the 270 interviews were distributed across the country, industry, company size and job role categories covered by the survey.
Appendix 2: IT spending trends by industry
This Appendix shows some more detail, by industry, of total IT spending and factors that limit security spending.
About CA
CA Inc. (NASDAQ: CA) is a global information technology (IT) management software company. We enable
organisations to secure and manage IT in all environments (mainframe, distributed, virtualised and cloud) to help
control risk and compliance, drive operational excellence, and facilitate business growth and innovation.
CA Security products and solutions help customers secure and control identities, their access and how they use
information. They give customers the control to help them confidently move their business forward. By implementing
robust, comprehensive and integrated solutions that help optimise all user identities and their access to critical IT
resources, organisations can operate in a more adaptable and efficient manner. With more than 3,000 security
customers and over 25 years experience in security management, CA offers pragmatic solutions that help reduce
security risks, enable greater efficiencies and cost savings, and support delivering quick business value.
CA DLP (Data Loss Prevention) discovers, classifies and sets control policies for information across physical, virtual and
cloud environments. The solution empowers organisations to reduce risk, comply with regulations and support
business agility. It controls sensitive data at rest or in transit and prevents its inadvertent or malicious movement
within or outside organisational boundaries. By rapidly reducing risks, organisations are able to better address compliance and privacy requirements while protecting corporate brand and competitive advantage.
While the proper use of information is essential to the operations of a business, it also needs to be protected from
various forms of misuse and loss. CA DLP helps organisations understand where critical information is located
throughout their environment, who is using it, and in what context. By combining deep content analysis and control
with an identity-centric approach, CA DLP provides more accurate and business-relevant results to help organisations
achieve the appropriate mix of business continuity and risk remediation.
Founded in 1976, CA is a global company with headquarters in Islandia, NY and offices in more than 40 countries. CA
had fiscal year 2009 revenues of $4.3 billion. For more information, visit www.ca.com.
For additional background information on the report please visit www.ca.com/gb/mediaresourcecentre.
About Quocirca
Quocirca is a primary research and analysis company specialising in the
business impact of information technology and communications (ITC).
With world-wide, native language reach, Quocirca provides in-depth
insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners
with firsthand experience of ITC delivery who continuously research and
track the industry and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to
technology adoption: the personal and political aspects of an
organisation's environment and the pressures of the need for
demonstrable business value in any implementation. This capability to
uncover and report back on the end-user perceptions in the market
enables Quocirca to advise on the realities of technology adoption, not
the promises.
Quocirca research is always pragmatic, business orientated and conducted
in the context of the bigger picture. ITC has the ability to transform
businesses and the processes that drive them, but often fails to do so.
Quocirca's mission is to help organisations improve their success rate in
process enablement through better levels of understanding and the
adoption of the correct technologies at the correct time.
Quocirca has a pro-active primary research programme, regularly
surveying users, purchasers and resellers of ITC products and services on
emerging, evolving and maturing technologies. Over time, Quocirca has
built a picture of long term investment trends, providing invaluable
information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and
services to help them deliver on the promise that ITC holds for business.
Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox,
EMC, Symantec and Cisco, along with other large and medium sized
vendors, service providers and more specialist firms.
Details of Quocirca's work and the services it offers can be found at
http://www.quocirca.com
REPORT NOTE:
This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to compliance and data loss prevention.
The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.
Quocirca would like to thank CA for its sponsorship of this report.