Is There a Difference Between Data LOSS and Data LEAKAGE Prevention?
I was reading Stuart King’s blog entry titled "Is Data Loss Prevention Really Possible?"
Besides a very interesting and reasonable question to ask, I was also intrigued by a difference I spotted between the title of his article and the first sentence in the body.
Specifically, in the title Stuart asked if "Data Loss Prevention [is] Really Possible?" but in the body he asked if it "…is really possible to prevent data leakage?"
In my opinion, data loss and data leakage are two different issues, albeit with some degree of subtlety. I’m interested in your position.
I will explain my opinion via an update here once folks comment so as to not color the outcome.
What’s your opinion? Loss versus leakage? Talk amongst yourselves.
/Hoff
Categories: DLP
I don't know what everyone else thinks, but generally loss is intentional and malicious; leakage is unintentional and not malicious.
Loss = malicious and intentional theft of data for nefarious purposes
Example 1: Attacker A steals Chris Hoff's next blog post and then sells it to the highest bidder, which will undoubtedly capture ~$100,000 in pure profit.
Example 2: Rabid Clintonista infiltrates Barack Obama's campaign manager's home computer and steals Obama's schedule.
Leakage = accidental leakage of data due to inadequate controls, poor process or lack of policy awareness.
Example 1: Bob in accounting downloads company financial records to his unencrypted USB stick so he can work on some analysis over the weekend on his home computer.
Example 2: Kim in HR accidentally sends confidential payroll spreadsheet to all managers instead of the filtered spreadsheet which only lists personnel, reporting structure, and department number.
Obviously the leakage scenarios are easier to prevent.
I agree with Amrit's characterization, but would add that when someone knowingly discloses information they shouldn't I consider that "leakage," too.
I notice Stuart responded to your comment saying they were pretty much the same thing. I disagree. Even if, as he claims, "data loss prevention" is becoming the "new bandwagon term" I think it's a mistake to blend the terms.
It's like shoplifting, "shrinkage" (employee theft), and accidental breakage in retail. They are 3 different problems, each with different remedies.
I agree with Amrit's characterization, but would add that when people knowingly disclose info they know they shouldn't that's data leakage, as well.
I notice Stuart responded to your comment and said that the two terms mean the same thing to him. I disagree. Even if, as he posits, "data loss prevention" is becoming the new "bandwagon term" I think it's inaccurate to lump them together.
It's like in retail: shoplifting, shrinkage (employee theft), and accidental breakage are 3 different things. Each has different remedies, and should not be lumped together into one catch-all term.
I agree with Amrit's categorization as well, except to add that ever since a colleague of mine mispronounced Onigma as Olestra, I haven't wanted to use the word "leakage" at all.
I think that both errant data flow due to careless actions and malicious internal breaches/theft due to motives of revenge or personal gain are data "loss". It doesn't really matter what the motive; the data is gone, so there is loss in both cases.
If it breaks down to motive, the accidental cases are most likely due to the lack of internal controls or lack of ability to enforce policies. Malicious cases are due to breakdowns in trust, as well as the lack of internal controls.
The definition of loss is really broader than this. It should also include deliberate or accidental destruction of data, as well as deliberate unauthorized alteration of data or industrial sabotage in cases such as chemical formulae (e.g. pharmaceuticals or fragrances). This type of thing is certainly not going to be found by an edge DLP appliance. Only multi-level integrity (MIS) offers any kind of defense here.
Ack, I propose that they're both hyperbole because the prevention thing doesn't work for me–the whole product class is like an acronym waiting for somebody to build something to satisfy it. I know you're not supposed to take it literally because it's marketing-speak, but it still chaps my buttocks. How about "protection" instead?
Loss is a financial or reputation damage *or* what happens when you leave your laptop in a DC cab. Leakage is what happens when data flows through your diaper of a WAF onto your great-grandmother's tea dress. Any questions?
To me, 'loss' implies something accidental whilst 'leakage' implies something intentional.
For example, if I 'lose' a USB stick with company confidential information on it then the loss is accidental – I didn't 'intend' to lose it. The action of loss is unintentional.
However, if I take the same USB stick with the same data on it and give it to a journalist or rival company, this implies 'leaking' the information. The action is intentional.
For the subjects of the loss or the leakage (i.e. the parties who the data is about or concerns), the impact from their perspective is likely the same, especially if the information is personal or sensitive information – it doesn't really matter whether the loss was intentional or accidental – the data is still 'out there' where it shouldn't be.
As to whether one is easier to prevent than the other… – as soon as humans are involved, all bets are off!
data loss prevention: a good tested backup and recovery solution
data leakage prevention: a mixture of solutions to provide best effort prevention of data being sent outbound via FTP, SMTP, HTTP, etc., combined with user training, full disk encryption on laptops, encrypted USB tokens, use of cell phones which encrypt transport and prevent storage, and faith, trust and pixie dust.
Something is wrong w/ the Universe. I've agreed w/ Amrit more in the last 3 months than I have in the last 3 years. :) It looks like he is finally coming around.
There are subtle differences between loss and leakage even if both end up w/ the same result of "lost" information or data. Leakage is usually unintentional and through a common avenue and common means. Loss, although often unintentional, is most often through uncommon avenues and uncommon means. It may be a little nit picky to debate the differences, but I'm sure that Hoff has some great points and thoughts on it.
How about this one?
Data loss: someone stealing your data (or being allowed to steal it)
Data leakage: someone doing something stupid with their data.
"Data loss" is a term that *should* be used to refer to the availability of data. In other words, when we talk about data loss, we should be thinking about malicious or accidental deletion or corruption of data.
"Data leakage" is a good blanket term to refer to unauthorized *disclosure* of data, again irrelevant whether it's intentional or not. I feel like the term as it's currently used connotes accidental disclosure, but I don't think that's particularly useful.
Both of those terms have been invented for marketing purposes. It's kinda silly to attempt to find a deeper meaning in something that was just a catchy acronym and nothing else. It reminds me a bit of psychic tea leaves reading… If you stare at it long enough you can start seeing anything you want :)
I think everyone is just jumping on the Amrit bandwagon here because no one had thought of it till now. :)
I agree with rybolov because I think the terms are crap. I think it is about what your risk is, which helps you make a decision on the product you purchase or service you implement to stop the loss / leak / cramps / diarrhea / shitbomb. The terms are just there for us to make fun of the marketing departments.
But, so I can make my point (and for the CIO's who come from the business side), let's assume Amrit is right on with his explanations / scenarios (insert "ass – u – me" joke here). If you are trying to prevent "loss", you are likely focused on some very specific data and will make some big efforts and buy some hardcore strength products to protect that data from being stolen. If you are trying to prevent "leakage", you are worried about a lot more and you tend to put more effort into stopping accidental leakage by people doing dumb things. You might also focus on training the user on how to not do dumb things.
I agree most with Amrit, but I also have to wonder why even bother with sniggling over marketing terms.
If Stuart feels that both terms are the same to him, what/who would be the authority to say they don't mean the same thing? I think there is no real authority on this, so basically if you connote that one term is accidental while the other is intentional or they are both the same, then fine on you!
@LV
Well, before I sum up my thoughts, the reason I asked this can be answered as an analog:
"There's knockin' boots then there's makin' love" — sure, they're basically the same act, but intent, attitude and how you do it count for a lot.
:)
Also, since our lives are controlled by the evils of the analyst marketing mothership, it's no longer smart to dismiss the "what's in a name" query. It means everything depending upon which side of the fence you're on — if it don't exist in a magic quadrant, you don't either…
Now, that "shouldn't" matter, but it does…
Catch my drift?
Both are just marketing terms created by the DLP companies. I know, because I was on the phone call when they came up with it.
That said I think there is a real distinction between leak and loss as Amrit described, but the practical reality is that the terms have entered the marketing lexicon as equivalents.
I've hated the term DLP and the loss vs. leak argument from the beginning, and I'd rather kill them both than try and string them along. As the guy that wrote the MQ we used CMF, but eventually had to cave in and use DLP since otherwise people didn't know what we were talking about. Point, set and match to Vontu who pushed the term DLP most strongly.
There's a difference. It's not clear, and it's almost entirely local perception. It is what you think it is. Try finding a synonym for "synonym" on "synonym.com" !!
Can one believe that there is a difference magnitude between loss and leakage (Fire hose versus dripping tap) – yes.
Can one believe that there is a difference in "intent" such as deliberate or accidental – yes
In reality, does the difference REALLY matter? Can the difference between the two words be ignored and still achieve the goals of the statement? – Almost certainly
Feel free to call them what you will. Add to the existing plethora of:
Data Loss Prevention
Data Leakage Prevention
Anti-Data Leakage
Anti-Data Loss
Enterprise Content Protection
Information Loss Prevention
they are tantamount to the same thing, with potential subtle differences, but that's all in the interpretation and thus there isn't a definitive yes or no – though I admit, I lean towards the "no difference" side in varying degrees.
Now, is there a difference between Prevention, Protection etc. Same argument, for which I'd certainly lean towards the "yes, there is a difference" side.
We all know that, often, the information we see from vendors is 80% "marketecture" (alternate names abound, but removed to maintain PG rating). With so many vendors paying lip service to capability it's not surprising that they want to re-name essentially the same "thing" to pretend they have some differentiator. By lip-service I mean claiming support for X when they really only have "x" (little x) – and in some cases they actually have y and lied about x completely. I've presented my issues on this topic in a number of presentations with concrete examples, but just think when we're told that a vendor has a "PCI Policy" when what they really mean is "we can detect credit card numbers in email – Yeah, that's only a fraction of requirement 4… oops… and sorry about the other 11 requirements for which we do nothing!!!"
I could prattle on for hours about this one, but it would be a) uninteresting and b) the cause of me not getting my work done, but in short (yeah, I could have put this first) – there may be a difference, but I fear it's not really that interesting or relevant – other parts of the DLP acronym on the other hand…
And I really miss "Extrusion Prevention." Let us bring that chunk of clarity back to the lexicon.
Stick with the point please. Never mind playing with words. What's the functional difference in mainstream DLP appliances?
This post was written in 2008.
I'm sure you can find the information you're looking for from any number of analyst companies.
So can I say generally that loss is intentional and malicious, and leakage is unintentional and not malicious?
No. Both loss and leak can be intentional or unintentional and can be malicious or just errors.
Loss = Destruction, theft, data corruption. Data is lost forever.
Leak = Unauthorized people get access to data.
Loss = malicious and intentional theft of data for nefarious purposes
Loss = Damaging data beyond recovery. Intentional or unintentional. For example deleting files that are not backed up and can never be recovered. Or sending a file that is corrupted in transit without the possibility to restore the file and send it again.
Example 1: Attacker A steals Chris Hoff's next blog post and then sells it to the highest bidder, which will undoubtedly capture ~$100,000 in pure profit.
Example one shows intentional data loss due to theft (malicious but not nefarious) – however if Chris Hoff has a backup of the blog then it would be an intentional data leak.
If Attacker A finds the blog and corrupts it using a virus, then it will be an intentional data loss with nefarious purposes. The $100,000 will be a financial loss resulting from data loss.
Example 2: Person A infiltrates Person B's campaign manager's home computer and steals the schedule.
Again, the schedules cannot be recovered = loss, but if the schedule can be recovered = leak.
Leakage = accidental leakage of data due to inadequate controls, poor process or lack of policy awareness.
Example 1: Person A in accounting downloads company financial records to his un-encrypted USB stick so he can work on some analysis over the weekend on his home computer.
If the person has access to the data to do his/her job there is no leak. The leak would happen if somebody who does not have a valid business reason to use the data downloads it to the USB stick. Or if the employee shares the information with somebody who should not have access – this would be an intentional data leak.
Example 2: Person B in HR accidentally sends confidential payroll spreadsheet to all managers instead of the filtered spreadsheet which only lists personnel, reporting structure, and department number.
Yes, this would be an unintentional data leak.
So obviously the leakage scenarios are easier to prevent.
@Amrit