With over 20,000 users spread across 22 Indian telecom circles, the rollout of enterprise-wide data loss prevention (DLP) technology has been a challenge to reckon with for a massive entity like Bharti Airtel. According to Airtel’s CISO Felix Mohan, the telecom major set about acquiring a DLP solution for its IT infrastructure across India in 2010. Prudence dictated that Airtel keep pace with global trends in infosec, which has veered from perimeter defense to a data-centric model, he explains.
Several business motivations prompted Airtel to adopt DLP technology. In addition to its massive user-base, Airtel’s IT infrastructure spans four data centers across India. The most obvious use-case for this technology was the prevention of sensitive information leakage. It was also essential to ensure security of business critical data on endpoints in remote locations.
DLP and IRM success stories in India
Given heavy regulatory penalties in telecom, a lapse could cost Airtel dearly, informs Mohan. The benefits accruing from DLP would ensure Airtel's customer data privacy and bring regulatory compliance, while providing forensic artifacts in legal disputes.
Implementing DLP technology could concurrently achieve discovery of business critical data locations, and identify sensitive business processes that access such information. In addition, Airtel had plans to provide employees with social media access.
Zeroing in on the right option
Competing DLP technology products were evaluated, with proof-of-concept exercises that compared features and compatibility. False positives and recognition ratios were assessed, along with ways in which the applications allowed fingerprinting and recognition, keyword searches and image detection.
The product that best fulfilled the predetermined business requirements and settled in with existing frameworks carried the day. No external consultants were involved, and the project was handled internally from conception to completion.
At that point in time, systematic data classification was already being done at Airtel for seven years [based on confidentiality, integrity and availability (CIA) sensitivity ratings]. When data was created in a data store or application, the business owner marked an initial sensitivity rating. The security team moderated or amended this rating as per requirement. No separate data classification exercise was required for implementing DLP technology, says Mohan.
Belling the cat
Airtel’s DLP technology implementation went live in December 2010 after six months of work. The DLP initially ran in monitoring mode for two months. According to Mohan, the biggest challenges were:
- Fine-tuning the implementation to reduce false positives.
- Creation of an incident management workflow for the DLP technology project. Deployment of the DLP agents wasn’t a problem, since provisions existed for centralized endpoint deployment.
The broad stages of this DLP technology implementation are:
Fine-tuning is an ongoing activity, says Mohan. Initially, the team held interactions with business functions’ heads to pinpoint critical information riding with these functions, which was used for fingerprinting. Hashing ensured retention of the document’s essential construct, even in cases of format changes. This was undertaken for enterprise-wide critical information. It’s an ongoing activity for created data, which keeps the DLP database up-to-date with new entries, and helps Airtel achieve less than 5% instances of false positives.
- Incident management workflow:
A detailed incident management workflow is in place. This live process involves constant review and refinement to raise incidents to the reporting managers, with well defined turn-around times. The DLP technology project is centrally managed by Airtel’s Gurgaon-based security function for each of Airtel’s four broad geographies. Close to ten people make up the support team, handling only incident management and 24x7 operations.
No infrastructure re-engineering was required to bring the DLP technology on board, says Mohan, since Airtel already had sophisticated network segmentation and traffic routing. Before the DLP, Airtel used a gateway system to proxy all requests. A streamlined endpoint control system with robust access control policies was in place for external storage, centralized printing and email. Given the existing setup, the DLP solution was a neatly fitting piece, says Mohan.
The DLP initially monitored Airtel’s email and Internet gateways. The second milestone brought USB ports, external storage and endpoints under its purview in a phased manner, followed by coverage of print media.
In its present configuration, the DLP technology rollout captures data from all gateways. It monitors incidents involving storage media, print media and data egress through Web or email gateways. All data egress points on Airtel's network (across four Indian locations), are monitored without exception.
- Data classification post DLP:
Data classification is now modified, with data being sent to the DLP team. Classification is done post fingerprinting, keeping the business stakeholder in the picture. During incidents, the tool gives a percentage match on pre-defined classification parameters.
Poorly configured polices are the bane of any DLP technology implementation, cautions Mohan. These may cause exponential rise in logged incidents. Even a wrong keyword can cause erroneous capture of enormous amounts of data. Keywords may map on to other words resulting in false positives; these incidents cost considerable time and effort.
More on data classification and DLP
Implementation gains and RoI
The DLP technology rollout has resulted in several business processes undergoing fine-tuning, even re-engineering. It meets all the proposed business’ requirements. DLP technology has also helped Airtel achieve regulatory compliance with its proactive security.
Airtel’s management and users are extremely enthusiastic about the DLP technology product, says Mohan. As a bonus, this tool has made it possible to allow use of social media, generating immense goodwill toward the security initiative. This DLP technology implementation has also helped bring about employee awareness, with training sessions conducted in close involvement with the top management.
Future road map
Airtel has plans for DRM and IRM, which Mohan calls the classification puzzle’s second piece. He plans to integrate DLP technology with DRM/IRM products to handle data classification. This will give Airtel complete granular control over data access within its network and beyond. Mohan expects all applications, perimeter devices and DLP to be integrated by March 31, 2012.
Please send your feedback to vharan at techtarget dot com.
This was first published in February 2012