The Problem of Data Loss Intelligence

Data Loss Intelligence (DLI) concerns the information that is available to you when your data has been compromised. It’s distinct from Data Loss Protection (DLP) technologies, which are more concerned with preventing your data being compromised in the first place. Think of DLI as your last line; it tries to let you know when DLP has failed, and what is happening now that your data is out in the wild.

Tracking data is hard. It’s even harder when you lose control of its distribution. Whether it’s through an insider leak, external attack or innocent mistake, once data leaves the confines of your regular security perimeter, it is often entirely lost. Knowing who has your data, where they are keeping it and what they are doing with it is an increasingly important part of managing your sensitive business assets and intellectual property.

 Data is Inert

The heart of the problem lies with the fact that data is inherently inert. Typically it cannot itself execute or exhibit behaviours. It is entirely dependent on a counterpart piece of software, a reader, to parse its content and interpret any actions that file suggest be performed. Any attempt to contact the outside world or “call home”, for example, may be honoured by the reader. Often this is not the case, however, as this directly conflicts with an end user’s desire for privacy by allowing their actions to be tracked. Where an external call is permitted, usually each data type has a plethora of available readers and the behaviour may not be consistent across them all.

 The Problem of Consistency

While on the topic of consistency, even if you could guarantee a call home with one data type, your data is often not in a single discrete format. With each separate data type and reader, a different track technique will be needed, resulting in confusing and tedious operating procedures. One of the approaches taken to address this is to abstract the concept of protection away from being embedded in the data itself. This is done by wrapping, or “enveloping”, the data in a protective layer of encryption. The problem here is that at some point, in order to allow legitimate access, you must provide the key to the end user. Once decrypted, the content is unsecured again, and is subject to traditional threats. Even if the software which applies the envelope does not explicitly allow access to the decrypted material, a skilled attacker may be able to capture the key and use this to decrypt the original content.

Ultimately, to have a robust DLI solution, we need to be able to guarantee a behaviour on a computer we don’t control. This is a challenge as it’s near identical to the goals of malware and, as such, is rightly proactively hindered by various security mechanisms and product updates. Somehow we need to balance the need for user privacy and data control. It’s a problem that’s been going for years, with strong similarity to DRM (digital rights management). This is a problem we are actively investigating at Nettitude.

To contact Nettitude’s editor, please email