July 2011 E-newsletter
Play It Safe with DLP
As Barrington Central Unified School District 220 in Illinois and the Public Schools of Northborough and Southborough in Massachusetts lay the groundwork for deploying data loss prevention (DLP) software over the coming months, both are brushing up on the emerging technology and how it can meet their districts' needs.
“DLP would help us protect students, faculty and staff from identity theft and make sure sensitive data isn't leaking out of the school via e-mail,” says Russ Vander Mey, network operations manager at Barrington CUSD 220, where he helps oversee the technology needs of 9,100 students and 1,200 staff across 12 schools.
DLP is software that can be deployed at the endpoint, such as a notebook or desktop, or within the network to detect and manage sensitive data at rest and in motion. Based on predetermined settings, questionable data can be either erased or quarantined, and the IT staff and users are notified.
“In the past, DLP technology was targeted at very well-funded financial, government and healthcare institutions because it was considered cutting-edge security,” says Phil Hochmuth, program manager for security products at research group IDC. “That has changed, as the technology has become more affordable and more organizations need this granular level of protection.”
He considers the growing number of federal, state and industry compliance mandates an equally important driver for increased interest in DLP among K–12 school districts.
“Almost every organization now has to be careful about inadvertent transmission via e-mail or file transfers of sensitive data [for which] they may face fines, legal repercussions or reputational damage,” Hochmuth says.
Protecting Sensitive Data
Although Barrington CUSD 220 already has role-based access, antivirus, firewalls, filtering and other security tools layered in, Vander Mey worries that personally identifiable information (PII) and other sensitive data such as student records might get into the wrong hands.
Thus far, he has worked with managers throughout the district to define what is considered sensitive data according to HIPAA, FERPA, the state's disclosure law and other mandates. Vander Mey says laying the groundwork will give him a running start when the district finally does purchase a DLP solution.
Jean Tower, director of technology at the Public Schools of Northborough and Southborough, is on a similar track. She says identifying PII is increasingly important as faculty and students push to bring their own devices, such as tablets and notebooks, into the district's 10 schools.
The amount the U.S. Veterans Affairs Department paid to settle a class-action lawsuit that stemmed from the 2006 theft of a notebook containing data about more than 26 million veterans
DLP would complement the technology and processes already in place to protect data, such as using third parties for monetary transactions and preventing the storage of certain types of sensitive information. “A lot of what we've done to safeguard data is not to handle it,” she says.
Similar to Vander Mey, Tower is well aware of the myriad mandates that she must follow and says DLP could seal up any holes that might be left in compliance. However, she considers it a hard sell to district leadership in this restrictive economy.
“Anything that's in a closet behind the scenes and seems like it is taking money away from [serving] children poses challenges in terms of obtaining funding,” she says.
Both Vander Mey and Tower hold out hope that the more light shed on the need to protect sensitive data, the greater the potential to get approval for DLP.
DLP on the Rise
Industry analysts expect increased interest in data loss prevention software in the months ahead.
“There are enough breaches and exposures across industries to warrant consideration of DLP solutions, not to mention compliance requirements,” says Rich Mogull, analyst and CEO at Securosis, a security consultancy in Phoenix.
DLP software can be sold in stand-alone or appliance form, depending on where it is being deployed in an organization. McAfee, Symantec and Trend Micro all offer endpoint DLP solutions. Whether bundled into existing endpoint products or rolled out separately, endpoint DLP ensures that sensitive data is either banned from being stored locally, properly encrypted or deleted in accordance with retention requirements.
Network DLP, offered by Cisco, McAfee and RSA among others, protects sensitive data in motion. For instance, such tools would prevent employee financial data from being sent outside of an organization. The parameters for DLP monitoring are set by an organization based on its own definition of sensitive data.
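The outbound-mail case described above, as an added example rather than code from the article or from any vendor's product: a minimal network-DLP policy check that quarantines a message and names who to notify when policy-defined sensitive data is addressed outside the organization. The domain `district.example`, the two patterns and the function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "district.example"  # assumed: the organization's own mail domain
# Assumed policy: this organization's definition of sensitive data.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Checksum used by payment card numbers; cuts false positives on long IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, value) pairs for every policy match in the text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits

def evaluate(raw_message):
    """Quarantine and notify only when sensitive data is leaving the organization."""
    msg = message_from_string(raw_message)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.endswith("@" + INTERNAL_DOMAIN)]
    kinds = sorted({kind for kind, _ in find_sensitive(msg.get_payload())})
    if kinds and external:
        return {"action": "quarantine", "kinds": kinds,
                "notify": ["it-staff", msg["From"]], "external": external}
    return {"action": "deliver", "kinds": kinds, "notify": [], "external": external}

# Constructed sample messages (not real data).
LEAK = ("From: teacher@district.example\nTo: friend@mail.example\n"
        "Subject: roster\n\nStudent SSN 123-45-6789, card 4111 1111 1111 1111 on file.\n")
INTERNAL = LEAK.replace("friend@mail.example", "registrar@district.example")
BENIGN = ("From: teacher@district.example\nTo: vendor@mail.example\n"
          "Subject: order\n\nPurchase order 1234 5678 9012 3456 attached.\n")

if __name__ == "__main__":
    for name, raw in (("LEAK", LEAK), ("INTERNAL", INTERNAL), ("BENIGN", BENIGN)):
        print(name, evaluate(raw))
```

The Luhn check is what keeps the 16-digit purchase order number in the third message from being treated as a card number, which is the kind of tuning that decides whether a content policy is usable in practice.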
DLP from McAfee also can be used to discover the sensitive data in an organization, according to Phil Hochmuth, program manager for security products at research group IDC. “Rather than taking a hair-on-fire approach and encrypting everything, you can locate sensitive data and strategically protect it,” Hochmuth says.