You Sent What - Linking identity and data loss prevention to avoid damage to brand, reputation and...


  • 7/29/2019 You Sent What - Linking identity and data loss prevention to avoid damage to brand, reputation and competitiven

    1/16

Data Loss Prevention, April 2010

An independent report by Quocirca Ltd.

www.quocirca.com

Commissioned by CA

Bob Tarzey, Quocirca Ltd
Tel: +44 7900 275517
[email protected]

Clive Longbottom, Quocirca Ltd
Tel: +44 771 1719 505
[email protected]

Mariateresa Faregna, CA Inc
Tel: +39 2 90464739
[email protected]

You sent what? Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness

May 2010

Electronically stored information is a key asset for any organisation, but it is often insufficiently cared for, as the numerous high profile data breaches reported in recent years demonstrate. This failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensue.

The technology exists today to link the use of data to people through enforceable policies. This allows a compliance-oriented architecture to be put in place based on widely accepted information security standards, such as ISO 27001. Doing so enables organisations to allow the safe sharing of information, internally and externally, ensuring both the continuity of business processes and good data governance.

This report examines the issue of data governance through the publication of new primary research that examines how well European businesses understand the risks and what steps they have taken to address them. The report should be of interest to those involved in ensuring the safety and integrity of information or those who manage business processes and operations that rely on it.


You sent what? May 2010

You sent what? Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness

Electronically stored information is a key asset for any organisation, but it is often insufficiently cared for, as the numerous high profile data breaches reported in recent years demonstrate. This failure to protect data is costly, not least because of the level of fines now being imposed by regulators. On top of this there is the reputational damage and loss of competitive advantage that usually ensue.

The safe use of data is high on the list of issues that concern IT managers when it comes to IT security

After malware (rated at 2.9 on a scale of 1 to 5, where 1 = not a threat and 5 = a very serious threat), the issues of greatest concern with regard to IT security are internet use (2.8), managing sensitive data (2.7) and the activity of internal and external users (both 2.7). All three are linked; it is the sharing of data between users, usually over the internet, that is behind many incidents involving the loss of sensitive data.

Data compromise is costly, and new regulations are expected to exacerbate this in coming years

The majority of organisations expect data privacy (ranked 3.2 on a scale of 1 to 5 where 1 = will decrease a lot and 5 = will increase a lot) to be a major driver for regulatory change in the next five years. It is second to national government bodies (3.3), which are responsible for many such regulations anyway.

Cloud computing and new communication tools underline the need for pervasive data security

The growing use of on-demand internet-based IT services means data is increasingly managed by third parties; consequently data security practices need greater reach. The variety of tools used to share data is also increasing, meaning that perimeter security is no longer enough and policing each communication medium separately is impractical. Only with corporate email is there a reasonable level of confidence that controls are in place.

IT departments struggle to deal with compliance issues and seem either unaware of how technology could help or are unable to convince the business of the inherent risks that justify required investments

Lack of time and resources (both ranked 2.8 on a scale of 1 to 5 where 1 = not a problem at all and 5 = a very great problem) followed by a plethora of manual processes (2.8) mean IT managers find it hard to address many of the compliance issues they face. The majority do not seem to have an overall compliance vision (2.7) that could alleviate the problem.

Implementing a compliance-oriented architecture (COA) would help alleviate this

A COA is defined in this report as a set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs.

A COA requires three fundamental technologies to be in place

First, a full identity and access management system (IAM), deployed by just 25% of the respondents; second, the ability to locate and classify data; and third, data loss prevention (DLP) tools that provide a way to enforce policies that link people's roles to the use of that data. Many DLP tools include data search and classification capabilities, with 25% of respondents already having deployed such tools.

Those that have deployed the elements of a COA recognise the benefits

Over 40% of those that have deployed full IAM say they have no concern about the safe deprovisioning of employees, compared to only 3% of those without full IAM. Approaching 90% of organisations that have deployed DLP say they are well prepared to protect intellectual property and personal data; for those without DLP the figure is under 30%.

Conclusions

The technology exists today to link the use of data to people through enforceable policies. This allows a compliance-oriented architecture to be put in place based on widely accepted information security standards, such as ISO 27001. Doing so enables organisations to allow the safe sharing of information, internally and externally, ensuring both continuity of business processes and good data governance.


CONTENTS

1. INTRODUCTION AND TARGET AUDIENCE .......... 4
2. THE NEED FOR DATA SECURITY .......... 4
3. THE CONSEQUENCES OF DATA COMPROMISE .......... 5
4. A COMPLIANCE-ORIENTED ARCHITECTURE (COA) .......... 7
5. USE OF TECHNOLOGY .......... 9
6. CONCLUSION: ATTAINING THE HIGHEST STANDARDS .......... 12
APPENDIX 1: DEMOGRAPHICS .......... 13
APPENDIX 2: IT SPENDING TRENDS BY INDUSTRY .......... 14
ABOUT CA .......... 15
ABOUT QUOCIRCA .......... 16


    You sent what?

    Quocirca 2010

1. Introduction and target audience

Information is the life blood of any business and, just as good quality blood needs to be kept flowing in a regulated manner in a healthy creature, so too does information in a thriving business.

Businesses also need to regularly share information with each other, driving the cross-organisational business processes that keep suppliers trading and governments providing co-ordinated services to citizens.

However, whilst doing this, businesses also need to ensure they are protected from a threat that lies within the electronic storage and use of information; the possibility that it may, be it by accident or design, end up in the wrong hands. When it does, the consequences can be costly and damaging.

How confident are European businesses that they can keep information flowing, whilst ensuring they do not become the victim of a data breach, and to what extent are they using technology to achieve these goals?

This report aims to answer these questions and should be of interest to those involved in ensuring the safety and integrity of information or those who manage business processes and operations that rely on it.

The report provides peer review, through the publication of new research, that shows where organisations from different industries and countries stand on these issues.

The research involved 270 interviews with senior IT managers working for businesses from 14 countries across Europe, each employing more than two thousand staff. The research covers 4 main industry sectors: financial services, manufacturing, government and telecoms & media (see Appendix 2).

2. The need for data security

For those charged with managing IT security, malware remains the single greatest overall concern as it becomes more sophisticated and geared towards fast profits through stealing of data. Beyond malware, there is not much to choose between the next three issues (Figure 1). All are related to the use of data; the internet, the main way data is shared externally; internal users (what might they be doing with data?) and the compromise of sensitive data itself.

Figure 2 shows the same data broken down by industry. It is clear that issues with regard to data security are more pressing for some sectors than others.

Manufacturers feel the most vulnerable, expressing the highest level of concern in all areas; this is perhaps because they worry more than their counterparts elsewhere about protecting their intellectual property (IP). The financial sector is not far behind; just as with the overall sample, showing the greatest concern about internet use, internal users and the compromise of sensitive data. Telcos are the least concerned, perhaps because they are already highly regulated and see the safe handling of data as a core business activity.

Figure 3 shows how well different industries feel they are prepared to protect themselves against the loss of personal or regulated data and IP.

May 2010, Page 4


Manufacturers do indeed show the most concern about protecting IP and, given the concerns the financial sector has about users and the sharing of data, it seems poorly prepared too. Government scores lowest when it comes to personal and regulated information, which many of the citizens they serve will be aware of, given the number and scale of recent data leaks involving personal data about them. One of the most high profile examples has been the loss in the post in November 2007 of a CD by the UK's HMRC (Her Majesty's Revenue and Customs) to which the private details of 25 million families had been copied.

One might not be surprised by the finding that telecoms and media companies, given the open nature of their networks and their technical expertise, are the best prepared to protect data. However, when it comes to internal use of data, a recent incident at T-Mobile (see Section 3) shows that telcos, at least, are not infallible. Section 5 of this report will go on to show that despite the widespread availability of security tools to address all of these issues, deployment of them is at a low level by organisations in all four sectors covered in this report.

3. The consequences of data compromise

On top of the overriding concern of cost, there are three main things that worry businesses should sensitive data get in to the wrong hands;

1. Being in breach of regulations and/or a legal contract of some sort.
2. Loss of competitive advantage.
3. Reputational damage.

Many incidents are touched by all three of these; the T-Mobile incident is a good example. In November 2009 it became apparent that the details of thousands of T-Mobile's UK customers had been stolen by an employee and sold to rivals, certainly not good for its reputation. The UK's Information Commissioner's Office (UK ICO) has taken an immediate interest as personal data is involved and privacy regulations have been breached (at the time of writing there has not been a ruling). Of course, for competitors to get hold of such information is clearly damaging and the subsequent bad press may deter new customers.

Perhaps the most important lesson about the T-Mobile incident is that the theft was perpetrated by an insider; this certainly looks like a case of complacency. The only way to defend against such actions is to better control what employees can and cannot do with data. For many organisations this requires a bottom up review of information security.

The long term overall costs for T-Mobile are not yet clear. An element of that cost is likely to be a penalty imposed by the UK ICO, which has been empowered, as of April 2010, to levy fines of up to £500K. However, such fines can be even larger; in another case of disks lost in the post, which came to light in 2009, a fine of £3 million was imposed by the UK's Financial Services Authority (FSA).

Few expect the regulatory climate to ease in coming years (Figure 4). Restrictions imposed by national governments are expected to increase the most. As many of these will dictate how sensitive personal data and breaches involving it


should be handled, anticipated increases in data privacy legislation also figure high on the list. Some issues are low on the list because tough regulations have already been put in place, such as credit card handling and securities trading. Others, such as environmental legislation, are lower because this survey was conducted during the 2009 recession when many businesses were more worried about their bottom line than their carbon footprint. Governments know they have to take action on climate change and much of this will be driven by regulating the way businesses consume resources.

Data privacy is of greatest concern to financial organisations as the consequences of losing their customer data are so serious (Figure 5). They possess large amounts of sensitive data that requires protection, including personal data, intellectual property and other non-public information. There have been a number of high profile cases of data loss from financial institutions, often leading to heavy fines.

A high profile example was the fines imposed on the US credit transaction handling company Heartland Payment Systems. It is to pay $60M to Visa and $3.6M to Amex for losses they incurred due to the breach of 130 million credit card user records in 2008. The company reported that it lost $129 million on data breach costs in its latest financial report and that it still has a reserve of $100 million for additional expenses on this case, which might bring the total cost of the breach to $229 million. In this case it was down to an external hacker (now in prison), but other, albeit so far smaller, fines have been imposed for breaches caused by internal users, as discussed earlier.

Indeed, the HMRC and T-Mobile incidents were all triggered by the actions of insiders. However, it is often necessary to grant access to internal data to outsiders, although, in this survey, controlling such external users was bottom of the list of problems organisations say they face when making sure they are compliant with the regulations that surround them (Figure 6). Topping the list are the lack of time and resources, followed by the plethora of manual processes and a lack of an overall compliance vision.

If businesses had a better understanding of how to address the issues relating to information security they might put lack of an overall compliance vision at the top of the list. Such a vision could reduce the number of manual processes and, consequently, time and resources would be less of an issue.

The three issues listed at the start of this section (breach of regulations/contracts, loss of competitive advantage and reputational damage) would be mitigated if organisations could track the use of data better, which is surprisingly low down the list. All three can be addressed through deploying suitable tools as part of a compliance-oriented architecture.


4. A compliance-oriented architecture (COA)

As businesses discover more and more ways to communicate, or at least try to keep up with their employees' propensity to do so, securing communication media on a case-by-case basis is no longer practical. To enable the safe sharing of information, both internally and externally, whatever the medium of communication, requires a COA.

A COA can be defined as: a set of policies and best practices, enforced where practicable with technology, that minimise the likelihood of data loss and that provide an audit trail to investigate the circumstances when a breach occurs.

The necessity to understand and address these requirements has become paramount in the last decade. Ten years ago, the internet was already in widespread business use, but its principal application, the web, was largely passive. The main way information was shared was by corporate email, a single network channel (simple mail transfer protocol/SMTP) with some use of instant messaging (IM). The SMTP channel is relatively easy to monitor and filter and most businesses have invested in tools in the last decade to do this and are therefore relatively confident they have email under control (Figure 7).

Today the use of the web is dynamic; blogs, webmail, social networking, web conferencing (so-called Web 2.0 technologies), countless ways to transmit data. There has been much less investment in technology to control web traffic, which is transmitted via a different protocol (hyper-text transfer protocol/HTTP). This has led to a reduced overall confidence in the safe sharing of information.

Furthermore, the very nature of the way IT is managed and delivered is changing rapidly. Many computing services are now being delivered on-demand over the internet. These range from business applications (software as a service/SaaS), software platforms (platform as a service/PaaS) to basic infrastructure (infrastructure as a service/IaaS). These different models are often collectively referred to as cloud computing and are enabled by virtualisation. IT security is considered a key enabler of both (Figure 8).

Cloud computing means not just that there will be even more data transmitted across networks, but that more and more of it will be stored on infrastructure managed and owned by third parties. Some fret about the security issues with the use of such services, perhaps unnecessarily, as the service providers will often have better practices in place than their customers; however, it does underline the need to apply security policies at the data level.

This is not only necessary to protect data from falling into the wrong hands but also to ensure that some types of data remain within certain geographic boundaries. Some regulations require that certain types of personal data are not physically stored outside of a given legislative area.

To achieve this it helps to define information storage and usage zones with understood risk. For example, highly sensitive data might be restricted to infrastructure that is managed behind the corporate firewall and only data of low sensitivity being suitable for processing and


storage on shared infrastructure from a cloud service provider. The categorisation will depend on the risks inherent in a given cloud service.

Understanding the type of data, and its classification, enables real time decisions to be made about what is and is not allowed to be handled in each zone. Employees cannot be expected to understand such issues; indeed they may be completely unaware that copying a sensitive document from one location to another is moving it from internally managed to third party infrastructure, where it might be in contravention of corporate policy.

In all the areas listed in Figure 7, telco and media companies were the most confident that they could control how their users shared data, again reflecting that the transmission and sharing of data is their core business (Figure 9). Finance, public sector and manufacturing were all less confident, except in one odd area; public sector organisations were more confident than others about their ability to manage the use of printed materials.

Such confidence may be misplaced; network printers, through information stored on their internal disks and memory or the output they produce, are a security risk. Unclaimed output has certainly been a source of data leaks in the past. The higher confidence amongst government organisations may be because of their growing use of secure print services.

Employee productivity is an issue often raised when it comes to the use of internet-based communications tools, but is not the subject of this report. Whatever tools businesses believe are useful, for good reasons or bad, their employees will seek to use others too. So, rather than trying to police the internet and the ways users are communicating, it simply underlines the need to apply security to the data itself. This can only be done in the context of knowing who the appropriate users of information are, as policies regarding its use will vary by job role and individual.

Many businesses have a reasonable understanding of their users through the use of some sort of identity and access management (IAM) system. They tend to have a poorer view of their data, not knowing what is stored where and what is of true value (and therefore risk, if compromised). There is most concern about the security of data stored on mobile devices with their rapidly increasing disk capacity (Figure 10).

Many businesses have no linkage between their identity and access management tools and the way data use is governed, often treating the two as silos. This makes it hard to create and enforce centralised policies as to how people can use data and to track them as they do. This last point is important; tracking the legitimate activities of those in given roles, and understanding how they are using information, enables fine tuning and improvement of a COA through continual feedback.

Having such systems in place also leads to improved confidence at a key stage in any business's relationship with an individual employee: their departure (Figure 11). Here, manufacturers show the most concern, presumably because of their worry about IP, followed by financial organisations with the large amounts of sensitive information they handle.


Such concerns are well placed. In Nov 2008 a former Intel worker was indicted for stealing IP with an estimated value of $1B when he left to join rival chip manufacturer AMD. Another case of attempted IP theft emerged in July 2009, when a Goldman Sachs employee was charged with stealing computer code that automated the firm's high-volume trading in stock and commodities markets. The employee intended to make use of the software when he joined a rival employer.

Defining a COA is not something that needs to be done from scratch; there are frameworks for information management and IT governance that lay down good practice. One of the most widely adopted is ISO 27001, but there are others such as ITIL and COBIT (Figure 12). These standards and guiding principles also help on the road to regulatory compliance. For example, many of the requirements laid down in the Payment Card Industry Data Security Standard (PCI DSS) overlap with controls specified in the ISO 27001 information security standard.

5. Use of technology

The examples laid out in the last section underline the three main threats that are inherent with data breaches discussed in Section 3; being in breach of regulations/contract, loss of competitive advantage and reputational damage. Technology can be used to underpin a COA and mitigate these, but few organisations are actually doing so.

A COA requires three technology elements to be in place; identity and access management (IAM), data search/classification and the ability to enforce policies that link the two.

IAM provides the ability to understand people, their roles and responsibilities and to be able to define their privileges and access rights. This is more than simply a directory of individuals and needs to embrace both internal and external users.

IAM also enables the enforcement of access rights at runtime, applied to assets such as IT resources and applications. However, most IAM systems do not provide the ability to secure access to unstructured content. To achieve this, a strong link needs to be created between IAM and DLP technologies to provide identity-centric data protection.

The majority of organisations do not have a full identity management suite in place (Figure 13). For those that do, not only do they have the first key part of a COA, they also overcome a common problem that often results in data loss; the safe deprovisioning of employees (Figure 14).


The second element of a COA is the need to be able to understand and classify data in the many places it may reside. Only 50% of organisations say they have such a capability in place (Figure 15), although the current research did not delve into the type of tools being used for this. If a business cannot identify its critical data, how can it protect it? This is exacerbated by the growing use of cloud computing, whereby some data assets will be stored on infrastructure provided by external providers, perhaps distributed across a number of locations.

Telecoms and media companies are the most likely to have data identification and classification in place for personal data and documents (Figure 16). The low level amongst manufacturers may reflect more exacting standards; given their concerns about IP, they seem to lack confidence in whatever technology they have had to rely on to date to protect this.

Understanding people and data is not enough. They need to be linked through enforced policies that control how data is used depending on a given user's role, privileges and access rights. This requires an ability to monitor data, recognise the sensitivity of various data elements, from whole files down to sentences, phrases and specific data types, and apply policies on a per-user basis. The technology that enables this has become known as data loss prevention (DLP).

As well as providing the capability to search for and classify data, DLP tools also police its use. The tools enable the inspection of content and enforcement of pre-defined policies depending on the rights of the individual concerned. For example, documents containing the term "company confidential" can be blocked from being sent to external email recipients or being printed, except perhaps for managers above a certain level. Encryption can be enforced for the transmission of any data that contains credit card numbers.

DLP tools are also increasingly being used for information control purposes. Some organisations use the technology to identify and prevent price fixing, bid rigging and collusion. There are other, more positive, uses, such as making sure only the most recent version of public reports and brochures are distributed.


    DLP tools were deployed by around 25% of the organisations interviewed for this survey, leaving the remaining 75% with no sure way of protecting from the threats posed by data breaches. DLP is most widely deployed by telecoms and media companies and least by manufacturers (Figure 17).

    Given the responsibility that government organisations have for their citizens' data and the sensitive data held by financial services organisations, such low levels of deployment should be a concern for regulators.

    Manufacturers should also take an urgent look at DLP; the leading products in this area not only prevent unwanted copying, printing and transmission of certain data, but they also include the identification and classification capabilities required for a complete COA and the protection of IP.

    The fact is that two of the areas where many organisations are weak in data governance, understanding data and enforcing policies regarding its use, can be addressed through a single technology investment: DLP.

    DLP also enables the continuous tracking of how data is being used. This provides feedback to those managing the COA, ensuring critical data is available to those with legitimate need for access, understanding new usage patterns and redefining policy.

    For example, a new partnership might mean that certain confidential documents can now be shared on a regular basis with employees of another organisation. This may lead to a sudden rise in the blocking of the documents being sent by email, flagging the need for a change in policy.

    Making sure policy keeps pace with acceptable practice also makes it easier to spot anomalous behaviour and maintain adaptive access control mechanisms.

    As IAM and DLP solutions get more tightly integrated, there will be significant advances in how information is secured. For example, at present, many web access management (WAM) tools use static access control mechanisms (users being explicitly assigned access to certain resources). Linking WAM with DLP technologies can enable dynamic, on-the-fly security decisions.

    WAM will then have an adaptive, content-aware access control layer. This will simplify the securing of resources such as portals (e.g. Microsoft SharePoint). When a user tries to access a document, the WAM tools can make a call to a runtime DLP component to dynamically check if the content within the document is suitable for the requested use and appropriate action gets taken.

    Adaptive access control approaches will also prove critical to securing cloud computing resources. Current static models will be too complex and expensive to maintain.

    The increased confidence that DLP can give an organisation should not be underestimated. Those that have it in place have far more confidence in their abilities to protect IP and personally identifiable information (PID) (Figure 18) and to prevent departing employees taking valuable data with them (Figure 19).
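    The per-user DLP rules described earlier (blocking "company confidential" documents from external email or printing, with an exception for senior managers, and enforcing encryption when credit card numbers are transmitted) and the runtime DLP check that a WAM layer would call before serving a document can be illustrated with a small policy decision function. This is an added example, not code from the report or from any vendor's product; the user directory, the grade threshold for the manager exception and the action names are constructed assumptions.

```python
import re

# Constructed user directory standing in for the IAM side (hypothetical users).
USERS = {
    "alice": {"role": "analyst", "grade": 3},
    "bob": {"role": "manager", "grade": 7},
}
MANAGER_GRADE = 6  # assumed threshold for "managers above a certain level"

CONFIDENTIAL_TERM = re.compile(r"\bcompany confidential\b", re.IGNORECASE)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Content inspection: return the sensitivity labels found in the text."""
    labels = set()
    if CONFIDENTIAL_TERM.search(text):
        labels.add("confidential")
    for match in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            labels.add("card_number")
            break
    return labels


def decide(user: str, action: str, text: str) -> str:
    """Runtime DLP decision for a user attempting an action on some content.
    Actions: 'email_external', 'email_internal', 'print'. Returns 'allow',
    'block' or 'encrypt'; a WAM layer would call this before serving a document."""
    labels = classify(text)
    attrs = USERS.get(user, {"role": "unknown", "grade": 0})  # unknown users get no privileges
    senior_manager = attrs["role"] == "manager" and attrs["grade"] >= MANAGER_GRADE
    if "confidential" in labels and action in ("email_external", "print") and not senior_manager:
        return "block"
    if "card_number" in labels and action.startswith("email"):
        return "encrypt"  # card data may only travel encrypted
    return "allow"
```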


    A COA cannot be implemented successfully without fostering a compliance-aware culture across a business. This underlines another valuable benefit of DLP tools: they can be educational, for instance alerting users that certain actions are in violation of corporate security policies. Ultimately, they will raise awareness and drive behaviour.

    6. Conclusion: attaining the highest standards

    This report has used the term COA to define a set of practices and tools that can be put in place to protect data. These involve linking people to data through a set of well defined and enforced policies.

    The aim is to avoid the costly data breaches that can cause reputational damage, loss of competitive advantage and the ire and fines of the regulators. To achieve this, the deployment of a comprehensive set of IAM and DLP tools is recommended and this report shows that those that have done so reap the benefits of increased confidence in how they use and share data.

    A COA need not be invented from scratch but can be based on widely adopted information security standards such as ISO 27001. In fact there is a strong link between the two, as Figure 20 shows. Organisations that have adopted ISO 27001 are more likely to have deployed full IAM and DLP tools; these help them put in place the controls specified by the standard.

    It is interesting to note that those that have adopted ISO 27001 but have not completed its implementation are the least likely to have adopted IAM and DLP; clearly they are yet to discover how much these technologies can help. The fact that quite a few that have not adopted ISO 27001 have also put these two technologies in place merely suggests they are using different standards to help achieve a COA.

    Either way, it requires an evolutionary approach to constantly improve the way data is managed to give an organisation the confidence to keep data flowing safely. Deploying the technologies that underpin a compliance-oriented architecture can help any organisation take a quantum leap along the road to better regulatory compliance.


    Appendix 1: demographics

    This Appendix shows how the 270 interviews were distributed across the country, industry, company size and job role categories covered by the survey.


    Appendix 2: IT spending trends by industry

    This Appendix shows some more detail, by industry, of total IT spending and factors that limit security spending.


    About CA

    CA Inc. (NASDAQ: CA) is a global information technology (IT) management software company. We enable

    organisations to secure and manage IT in all environments (mainframe, distributed, virtualised and cloud) to help

    control risk and compliance, drive operational excellence, and facilitate business growth and innovation.

    CA Security products and solutions help customers secure and control identities, their access and how they use

    information. They give customers the control to help them confidently move their business forward. By implementing

    robust, comprehensive and integrated solutions that help optimise all user identities and their access to critical IT

    resources, organisations can operate in a more adaptable and efficient manner. With more than 3,000 security

    customers and over 25 years' experience in security management, CA offers pragmatic solutions that help reduce

    security risks, enable greater efficiencies and cost savings, and support delivering quick business value.

    CA DLP (Data Loss Prevention) discovers, classifies and sets control policies for information across physical, virtual and

    cloud environments. The solution empowers organisations to reduce risk, comply with regulations and support

    business agility. It controls sensitive data at rest or in transit and prevents its inadvertent or malicious movement

    within or outside organisational boundaries. By rapidly reducing risks, organisations are able to better address compliance and privacy requirements while protecting corporate brand and competitive advantage.

    While the proper use of information is essential to the operations of a business, it also needs to be protected from

    various forms of misuse and loss. CA DLP helps organisations understand where critical information is located

    throughout their environment, who is using it, and in what context. By combining deep content analysis and control

    with an identity-centric approach, CA DLP provides more accurate and business-relevant results to help organisations

    achieve the appropriate mix of business continuity and risk remediation.

    Founded in 1976, CA is a global company with headquarters in Islandia, NY and offices in more than 40 countries. CA

    had fiscal year 2009 revenues of $4.3 billion. For more information, visit www.ca.com.

    For additional background information on the report please visit www.ca.com/gb/mediaresourcecentre.


    About Quocirca

    Quocirca is a primary research and analysis company specialising in the

    business impact of information technology and communications (ITC).

    With world-wide, native language reach, Quocirca provides in-depth

    insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners

    with firsthand experience of ITC delivery who continuously research and

    track the industry and its real usage in the markets.

    Through researching perceptions, Quocirca uncovers the real hurdles to

    technology adoption: the personal and political aspects of an

    organisation's environment and the pressures of the need for

    demonstrable business value in any implementation. This capability to

    uncover and report back on the end-user perceptions in the market

    enables Quocirca to advise on the realities of technology adoption, not

    the promises.

    Quocirca research is always pragmatic, business orientated and conducted

    in the context of the bigger picture. ITC has the ability to transform

    businesses and the processes that drive them, but often fails to do so.

    Quocirca's mission is to help organisations improve their success rate in

    process enablement through better levels of understanding and the

    adoption of the correct technologies at the correct time.

    Quocirca has a pro-active primary research programme, regularly

    surveying users, purchasers and resellers of ITC products and services on

    emerging, evolving and maturing technologies. Over time, Quocirca has

    built a picture of long term investment trends, providing invaluable

    information for the whole of the ITC community.

    Quocirca works with global and local providers of ITC products and

    services to help them deliver on the promise that ITC holds for business.

    Quocirca's clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox,

    EMC, Symantec and Cisco, along with other large and medium sized

    vendors, service providers and more specialist firms.

    Details of Quocirca's work and the services it offers can be found at

    http://www.quocirca.com

    REPORT NOTE:

    This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations with regard to compliance and data loss prevention.

    The report draws on Quocirca's extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

    Quocirca would like to thank CA for its sponsorship of this report.