10 Comments

Summary:

Companies of all sizes worry about theft of key information, but until recently data loss prevention technology was too rich for their blood. The adoption of cloud technologies to enable managed DLP services, like those from Verdasys, is changing that.

Data loss prevention is something that all CEOs worry about and if they don’t, they should. Just ask AMD, which last week charged four former employees with taking trade secrets over to rival Nvidia.

What company does not have sensitive information — source code, customer lists, blueprints, M&A plans — that it doesn’t want walking out the door on someone’s USB drive? Those fears are exacerbated by the bring-your-own-device (BYOD) tidal wave, in which employees use personal smartphones and consumer cloud services like Dropbox to store work documents — even when forbidden to do so.

In theory, DLP should keep bad guys from stealing stuff in the first place, but in practice it is more likely to help catch them faster, minimizing damage, and to provide a detailed audit trail of who took what and how. That is important. The problem is that most DLP solutions to date are on-premises solutions that are complicated, time-consuming and expensive to deploy.

Now Verdasys, a Waltham, Mass.-based company that helped pioneer a cloud deployment model for DLP, is offering less expensive managed DLP services for smaller companies that can’t afford traditional DLP. This week it opened up that service globally by bringing non-U.S.-based cloud suppliers online. Competitors include BEW Global, a systems integrator that deploys and manages DLP clouds using Symantec, McAfee, RSA or other technologies.

By making DLP technologies available as managed services or via a software-as-a-service model, vendors make sure customers are working with the latest technologies to meet fast-changing threats, according to Edward Ferrara, principal research analyst for security and risk professionals at Forrester Research.

The availability of cloud-based DLP also makes it more affordable, both to the huge enterprises — big aerospace companies and car makers — that are typical DLP customers and to smaller organizations. Many smaller suppliers in the aerospace business, for example, cannot subcontract with the big vendors unless they deploy approved DLP. Last year, Gartner estimated that a typical DLP rollout costs $350,000 to $700,000 but can go much higher.

Getting DLP from an off-premises cloud (Verdasys uses private Rackspace clouds for most geographies) can cut the time and cost of deployment, compared with traditional on-premises DLP approaches, to $100,000 per year or perhaps less, depending on company size, Verdasys said.

While trusting an outside cloud for internal security seems illogical, Bill Munroe, VP of marketing for Verdasys, says it makes sense. Verdasys does not collect the actual data itself. Rather, it aggregates the metadata about the files and documents and watches for patterns of activity. Sensors placed on every piece of the network watch the data move around, collect that metadata, encrypt it and send it up to the cloud.

“It may see a Word document with credit card numbers on it or a CAD file — it looks at it but it doesn’t send the actual file up — just the data about the file,” Munroe said. The patterns collected are not just about the data but the user, the machine used, the file type and the application in use.
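As an added illustration (not Verdasys’s code), here is a sketch of the metadata-only sensor and a cloud-side pattern rule described above: the file is classified on the endpoint, only a record about it (user, host, application, file type, hash, labels, destination) is emitted, and the collector looks for a pattern across those records. The function names, labels and sample records are constructed assumptions.

```python
# Added example, not Verdasys code: an endpoint sensor that classifies a file
# locally and ships only metadata, plus a cloud-side rule over those events.
# Names (sensor_event, sensitive_to_removable) and the sample data are assumed.
import hashlib
import re
from collections import Counter

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(content: bytes, name: str) -> list:
    """Runs on the endpoint; the file body never leaves the host."""
    labels = []
    text = content.decode("utf-8", "ignore")
    if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
        labels.append("pci")
    if name.lower().endswith((".dwg", ".step", ".stp")):
        labels.append("cad")
    return labels

def sensor_event(user, host, app, name, content, dest):
    """Metadata-only record: who, where, which app, what kind of file, and where it went."""
    return {"user": user, "host": host, "app": app, "file": name,
            "sha256": hashlib.sha256(content).hexdigest(), "size": len(content),
            "labels": classify(content, name), "dest": dest}

def sensitive_to_removable(events, threshold=2):
    """Cloud-side rule: users who moved >= threshold labelled files to removable media."""
    hits = Counter(e["user"] for e in events
                   if e["labels"] and e["dest"] == "removable")
    return {u: n for u, n in hits.items() if n >= threshold}

# Constructed sample activity (two labelled files to USB by one user, one benign email).
EVENTS = [
    sensor_event("alice", "ws-01", "winword.exe", "q3.docx",
                 b"card 4111 1111 1111 1111 exp 12/26", "removable"),
    sensor_event("alice", "ws-01", "explorer.exe", "bracket.dwg",
                 b"\x00CAD\x00", "removable"),
    sensor_event("bob", "ws-02", "outlook.exe", "lunch.txt",
                 b"see you at 1234 5678 street", "network"),
]
```

Each event carries a hash and labels but no file content, so the collector can correlate user, machine, application and file type without ever holding the document.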

Verdasys customers include CDI Corp., a Tempe, Ariz. aerospace company that works with GE Aerospace.

DLP is just one of several new application areas starting to move to the cloud — via a managed service or SaaS model. And that means that many more businesses — with security concerns of their own — will be able to take advantage of the technology at an affordable price.

Verdasys Secure Cloud Managed Service

Photo courtesy of Flickr user Todd Ehlers

  1. Interesting article. And apart from internal or intentional data loss, cloud also provides a solution for unintentional or accidental data loss. For example, theft: a C-level executive’s laptop is stolen, and it had some secret or confidential data on it. But with cloud-hosted virtual desktops, this will no longer be a headache.

    I liked this article – “Use the Cloud to Stop Crooks”
    http://www.dincloud.com/blog/stop-crooks-from-stealing-by-using-the-cloud

  2. It’ll be interesting to see how they address the security concerns of running such a sensitive service in the cloud. And in particular, security of the security service. We all know the story of how Mat Honan had his devices wiped remotely[1]. I doubt they will, but it’d be great to see credible adoption numbers from Verdasys because this is perhaps the most difficult sell for enterprise customers to run in the cloud – if they can do it then a lot of less sensitive applications can make it too!

    [1] http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

  3. While Verdasys (potentially) solves the problem of accessibility to DLP for smaller shops that can’t afford traditional on-premise products, it overlooks what I feel to be the biggest shortcoming of DLP in general: lack of context needed to *fix* the problems you find.

    Unfortunately, DLP’s file-based approach to content classification is cumbersome at best. When you “turn on” DLP it is not uncommon to have hundreds of thousands of alerts about sensitive files.

    Select an alert at random – the sensitive files involved may have been auto-encrypted and auto-quarantined, but what comes next? Who has the knowledge and authority to decide the appropriate access controls? Who are we now preventing from doing their jobs? How and why were the files placed here in the first place?

    DLP solutions provide very little context about data usage, permissions, and ownership, making it difficult for IT to proceed with sustainable remediation.

  4. Rob, you’re correct. I rep GTB Technologies which has a completely different way to solve the problem which the others seem to have been unable to do. I’ll paraphrase a recent quote posted:

    “Most DLP solutions focus on what is allowed, what’s not, what are the sources, etc. This approach requires the administrator to create policies for EACH AND EVERY USER. Larger organizations therefore need THOUSANDS of policies and inputs to a system (solution) that is simply unable to process them. The outcome of which are false positives, expensive “tuning” & network degradation. All of which are unproductive and costly – creating many more problems & issues.

    GTB Technologies’ solution, like a firewall, is focused on the exceptions to the rules rather than what is allowed and not allowed for each user. GTB’s proprietary technology for policy creation & advanced detection engines ensure that each DLP event is valid and significant enough for an efficient workflow.

    Users gain effective network visibility to the entire environment via a firewall process – creating objects and administrating rules on those objects. This deductive methodology allows for simple policy making and management.”

  5. Dave, Rob and Less – thank you for your comments. Dave and Rob, I was going to speak to your comments here but I need more room so I wrote two short blog entries to cover them. I hope you will take a look and comment further as I describe how we secure the Cloud DLP service and how we collect “contextual event data” and what we can do with it.

    https://www.verdasys.com/blog/

    Less, I am not sure I understand your comment as an answer to Rob’s comment. You state “GTB’s ….policy creation & advanced detection engines insure that each DLP event is valid and significant enough for an efficient workflow…and…. users gain effective network visibility.” That seems to be the traditional DLP that Rob speaks to…. content scanning and workflows to deal with incidents which the workaround required by network DLP to add “context understanding” to a data event. You may lower “false positives” but I am not sure you answer the questions Rob asks. Rob is correct – Context is the key here!

  6. Email is typically the main source of data leaks and SilverSky finally brings content-aware DLP to email https://silversky.com/news-and-events/press-releases/silversky-announces-industry’s-most-comprehensive-email-protection

    1. Email is a “simple” exit point, but all email systems limit the size of what can be moved to roughly <5MB. Almost all data loss I see is well in excess of that minuscule amount. USB devices, smart phones, and FTP via tunneling/proxies, etc, are the easiest way to move large amounts of data. I mean, who doesn't have a smart phone with 16+GB of space?

  7. Of course, GTB Technologies provides context analysis. That coupled with its advanced content detection gives a true data protection solution without the need for costly, complicated installations and agent management.

  8. Les, not sure I understand. How does your product prevent someone from doing something as simple as copying source code or secure documents from their work PC onto their smart phone or other USB device when that information never goes over the network?

    I see the advantage in Verdasys’s Digital Guardian installing an Agent on the desktop, as this allows them to monitor all access that occurs on the PC, not just network access IN ADDITION to enforcing policy at the point of use (i.e. no you cannot copy that file onto a USB drive).

    1. g
