ERROR 1
ERROR 1
ERROR 2
ERROR 2
ERROR 2
ERROR 2
ERROR 2
Password and Confirm password must match.
If you have an ACS member number, please enter it here so we can link this account to your membership. (optional)
ERROR 2
ACS values your privacy. By submitting your information, you are gaining access to C&EN and subscribing to our weekly newsletter. We use the information you provide to make your reading experience better, and we will never sell your data to third party members.
Information technology security has traditionally been a matter of protecting computer systems from malicious hackers. However, given the rising flow of data through corporate IT systems—often via portable devices such as smart phones and laptops and increasingly within virtual cloud computing environments—it’s clear that IT systems are subject to a wide range of vulnerabilities. Nowadays, one of the biggest threats to IT security is the well-meaning employee who inadvertently triggers a data breach by e-mailing work to be done on a home computer over the weekend.
The standard firewall around a corporate network is no longer enough to secure a company’s computers. Instead, IT managers are beginning to look more closely at the data within their systems, devising means of identifying and tracking the most sensitive data and implementing access controls. Although software products have been developed to assist in this endeavor, the job is largely one of IT department police work.
David Kepler, chief information officer (CIO) at Dow Chemical, has seen a distinct shift on the IT security front in his 10 years on the job. “The threat has changed,” he says. “There are a lot more indiscriminate hackers, and there is more intentional access—people who have directly targeted your company in order to get something. In addition, the nature of employment has changed, with an increased number of contractors and outsourcing partners.” The constant exchange of data inside a company and with its partners and customers poses a huge risk, he says.
Managing that risk is a matter of implementing security software, including firewalls and other perimeter-control devices, but it is also a matter of top-down IT department policy enforcement, Kepler points out. “We have security officers, a long-standing record management committee, and a record retention policy,” he says.
Dow’s enterprise resource planning (ERP) system, developed by the software giant SAP, supports IT security efforts, such as data-access control, with a suite of applications for governance, risk, and compliance. But automation needs to be supported by staff training, data classification, and management oversight. Nor is an SAP system alone likely to provide all the IT support necessary. “There is nothing one big company supplies to do it all,” Kepler says.
Nonetheless, software developers are actively pursuing the data-security market. Given the chemical industry’s concerns about plant security and intellectual property in R&D, they see Dow and other chemical companies as a good target market for data-security products.
Major suppliers of antivirus and other computer protection software for personal and commercial computing have introduced several data-loss prevention (DLP) products. Symantec, the manufacturer of Norton AntiVirus software, purchased DLP software pioneer Vontu in 2007. McAfee, another big name in antivirus software, has also entered the field.
DLP software provides IT managers with a means of getting a handle on critical data and implementing security controls, according to Paul Proctor of IT industry analyst firm Gartner. Products detect sensitive information within computer networks and track that information’s movement. “It can detect data being copied to a laptop or other device where it doesn’t belong,” he says. Most important, it controls user access to data and guides users in transmitting data according to IT department policies.
DLP software is fundamentally different from other IT security tools, Proctor notes. “DLP is not like a firewall or antivirus software which runs in the background,” he says. “It is not transparent—it is in the user’s face. It is specifically designed to change user behavior. It will tell the user to do things.” The software leaves much of the control function in the hands of managers who use it to guide them in implementing policy.
Kevin Rowney, director of breach response at Symantec, is one of the founders of Vontu. The company launched in 2001 with software that, according to Rowney, addressed a major shortcoming in IT management: data-access control. “Prior to 2001, companies were protecting containers of data, but not the data itself,” he says. “They had firewalls that protected corporate local area networks, but they had nothing for access control. The innovation in data-loss prevention is an algorithm that hunts confidential data and stops the flow.”
DLP software, he explains, first gained traction in the financial services market, where theft of customer data is a major concern. “The venture capitalists were amazed that something like our software didn’t already exist yet,” Rowney says. “Although 2002 was the Ice Age of venture capital, we got $5 million.” IT organizations were initially cool to the idea of implementing new security software, but “the business managers instantly got it.” The software quickly gained momentum in manufacturing industries, he says.
SAP, the leading supplier of ERP systems to the chemical industry, has been expanding its data-security offerings via partnerships, explains Jean-Bernard Rolland, the firm’s director of solutions management. SAP announced an agreement with Computer Associates in July under which the firms are developing “connectors” between SAP’s NetWeaver ERP system and CA’s data-security products including DLP software.
Data-security software, however, does not need to operate in conjunction with an ERP system. Nor does a security program need to be controlled from a central site. At Cytec Industries’ engineered materials division in Tempe, Ariz., for example, DLP software supplied by NextLabs is used exclusively to convert sensitive paper documents to electronic files that reside in a controlled-access database, according to Michael Cuendet, Cytec’s director of business process improvement. Once entered into the system, the paper document is shredded. The DLP software is not used to manage other electronic data.
Although Cytec’s overall approach to data risk management can be broadly described as perimeter control, Cuendet says IT managers are careful to define areas within the company that require special protection, including manufacturing shop floors, where computer systems that control equipment need to be shielded from hackers.
“Areas where we find vulnerability are loaded up with extra precautions,” Cuendet says, noting that the company has a central IT security team at its headquarters in Woodland Park, N.J. “It goes beyond simple firewall protection,” he says.
NextLabs, according to the firm’s chief executive officer, Keng Lim, has partnerships with IBM, Microsoft, and SAP, and its software can be installed to link IT security to business process security functions. DLP software is also an effective workforce management tool, he argues, pointing to productivity gains achievable by controlling access to data and enhancing IT policy development and enforcement. And the software allows managers to finesse their approach to a company’s greatest area of vulnerability: its workers.
“Companies are not looking to be Big Brother,” Lim says. “They want to trust their employees.” More than 90% of data breaches from commercial IT systems result from unintentional loss or user error, he says. “The solution of treating 100% of the workers as malevolent will not work. You need to enable the workforce and increase its awareness of risk.”
Gartner’s Proctor agrees that DLP software can be viewed as a tool for managing workforce behavior. The trick, he says, is developing the right policy, which hinges on management’s awareness of where sensitive data reside in the IT network.
Despite a proliferation of new products, guarding against data loss remains primarily a nonautomated function, Proctor emphasizes. “These software products do not bring any magic with them,” he says. “You need to know what your sensitive data look like, and you have to spend time figuring out where it is. If the system isn’t tuned properly, it just lights up like a Christmas tree.”
Join the conversation
Contact the reporter
Submit a Letter to the Editor for publication
Engage with us on Twitter