DLP Requires Focus And Time To Build Operational Value
Use and implementation of Cloud in business
To me, the major "noise" around cloud security involves the implementation of controls that have been part of security frameworks for quite some time, but not commonly implemented on a regular basis. Concerns with shared hardware, software, and storage have led to conversations around how cloud vendors handle controls like access auditing/logging, host-based IPS/IDS, and file integrity monitoring. The advantage of cloud becoming such a buzzword is that it has made me, as well as other security professionals, think about the control frameworks in a more comprehensive fashion, allowing us to focus not only on what we want to see from a cloud offering, but also on what we want to see from our internal security infrastructure.
In addition, the security posture of cloud vendors is improving as well.
Utilizing security resources like Cloud Security Alliance has been extremely useful in helping us focus on our assessment approach, what is important, and how a cloud vendor’s security controls can map back to our own internal control framework. One of the first things we look for from a cloud vendor is how much visibility we can get into our hosted environment. And is this visibility provided by vendor-implemented controls or Capella-implemented controls? Next, we look for the ability to audit that environment or obtain audit information provided by the vendor. It is important to understand the vulnerability landscape as much as we can within our own internal environment.
Building An Effective DLP Program
First and foremost, DLP requires focus on requirements. I heard your chuckle… but I have been part of some very unsuccessful DLP implementations because the focus became more about the "cool spinning/blinking things DLP can do" or the "vaporware from a demo that is not available in reality" than the core requirements that made you think about DLP in the first place. DLP is not easy and becomes more complicated depending on the depth of the product you select.
Secondly, DLP requires time. Time for the basic implementation. Time to monitor and learn. Time to tune. Time to understand the business requirements, taking into consideration process and workflow. DLP is on our horizon at Capella. During our last security steering committee, someone asked a very good question to sum up my point: "Why wouldn't we want to go ahead and install DLP agents and get started?" I explained some of the challenges of implementing DLP and why it is important to take a measured approach.
In order to build operational value from DLP, everyone has to understand it is a business problem and not an IT one. The sooner you can break down that misconception and dig into the business side of the conversation, the better you can design an implementation that will be relevant and effective.