Mark Settle, a seven-time CIO and decorated author of IT management books, recently published a great paper, NextGen DLP: Data Misuse Protection, that looks at the transformation underway in how enterprises approach data security. In it and the accompanying intro blog, Mark clearly spells out why the days of traditional DLP tools are past and introduces a new concept to take their place, which he dubs “data misuse protection.” 

Naturally, this is a notion we at Cyberhaven agree with wholeheartedly. Traditional DLP solutions require exorbitant effort to deliver unsatisfactory results, and more often than not they simply aren’t applicable to most types of data and the ways modern organizations use and consume that data. However, those same conclusions carry more weight when coming from someone who happens to be a successful serial CIO, author, and industry leader who has lived through those problems in the real world.

I strongly recommend reading the full paper if you have time (you can download it from the intro blog page), but I want to highlight a few points from the paper that really caught my eye. Let’s take a look:

Data Doesn’t Have to Be Lost to Cause Damage

Corporate data can be internally employed in ways that are illegal, unethical, or inconsistent with the terms under which it was originally acquired without ever being lost or stolen.
— NextGen DLP: Data Misuse Protection

One of the shortcomings of traditional DLP is that controls are typically applied at the egress boundary where data actually leaves the organization. Even if we ignore the many reasons that DLP technologies fail to protect data at egress, we can start to see a bigger problem—data can be misused and cause damage to an organization even if it isn’t “lost” in the traditional sense. 

For example, consider unreleased quarterly financial results of a publicly traded company that are exposed to internal employees or consultants who aren’t authorized to see that information. These internal leaks can cause damage even if the file itself never leaves the organization. The same can be true for product release plans, sensitive HR data, sales strategies, M&A plans, legal briefs, or any number of forms of intellectual property or corporate trade secrets. 

And while direct access to these crown jewels is often tightly controlled, there are virtually endless opportunities for internal data sprawl. Users can always share a file directly with another user, and the rise of enterprise collaboration tools makes it far easier for users to gain unauthorized access to content. Important data can be copy/pasted and shared via countless applications. Users may download or store copies of data to work on without affecting the “gold” version. Any of the many apps and services used by employees and teams may hold or back up sensitive data automatically. All of these behaviors, which are natural in modern enterprise workflows, can create latent risk that doesn’t involve data loss in the way that DLP tools would expect. Data Misuse Protection rightly forces organizations to take a broader look at how their data can cause damage and how that data needs to be managed and controlled.

Safeguarding Data Is a Business Priority

DMP is a business imperative, not simply a technology challenge.                                                                                                                                                                                 — NextGen DLP: Data Misuse Protection

As someone who leads a security firm, I tend to get focused on the technical side of a security problem. What are the unsolved problems, and what technologies can we use to solve them? But Mark calls out a really important point here. The way that an organization secures its data (and the data of its customers and partners) is directly tied to the way it maintains trust within the broader marketplace, including investors, customers, and the extended community. 

This makes DMP and the data security strategy an important topic for all levels of management, not just the CIO or CISO. It also requires top-down leadership from the management team so that the goals, values, and high-level strategy around DMP are well defined. Without the appropriate guidance and backing, it will be almost impossible for security practitioners to build the programs and specific controls required to meet the needs of the business. And this is yet another way that DMP starts to become a much bigger concept than DLP. DMP takes what was previously defined as a point technology or product and elevates it to include strategy and vision as well as an encompassing approach to security controls and procedures.

Why DLP Is Failing and the Path Forward

…empirical evidence suggests that the forces of technical complexity, organizational confusion, and unpredictable end user behavior frequently overwhelm the safeguards provided by conventional DLP solutions.                                                                                                                                                                                       — NextGen DLP: Data Misuse Protection

The paper gives an excellent summary of why traditional DLP tools are failing. And as a seven-time CIO, Mark certainly has the real-world experience and battle scars to know. With the shift to cloud-based assets and SaaS-based services as well as pervasive end user collaboration and sharing apps, data simply moves in ways that DLP was never designed for. Additionally, he highlights how DLP is built on some of the “castle-and-moat” strategies of threat prevention tools and the problems this causes for modern data protection. We recently published a longer piece specifically on this topic that you can read here.

However, far more importantly, the paper lays out a vision for what Data Misuse Protection actually is or should be and how the industry can get there. I’m happy to note that data lineage plays a major role here.

Critical data assets should possess a comprehensive understanding of their genetic family tree. Primary assets should contain metadata describing how, when, why, and where they were originally constructed…All derivative assets should inherit the lineage metadata possessed by their parents.

To be clear, data lineage is not the only technology that plays a role in DMP, which encompasses more of an overarching strategy that includes a variety of technologies and controls. However, it is certainly exciting to see the concept of data lineage and data tracing with this level of visibility in a seminal paper.

Additionally, I think that Cyberhaven’s approach actually goes well beyond the data lineage capabilities described in the paper. For example, instead of applying data lineage and metadata to critical assets, Cyberhaven automatically tracks the lineage of all data. By knowing the lineage of all data, you can find sensitive data even if you didn’t know to classify it as sensitive when it was created. The who, what, when, and where of data simply becomes a standard context that an organization can have for all its data instead of just applying that rigor to a few files. This ensures that organizations have the full visibility of data environments and gives them the flexibility to adapt their security policies as circumstances change over time. 

Again, these are just some of the key points you can find in the document, and the full document is well worth the read. I am hosting a private invitation-only virtual roundtable with Mark Settle and other senior security and IT leaders on April 20th. If you would like an invitation, please email howard@cyberhaven.com.