FRAMEWORK FOR DATA LEAKAGE PREVENTION
SOLUTION: A CASE STUDY
Sharifah Izora Farah bt Syed Marzuki, Saiful Adli,
Rasimah Che Mohd Yusoff
Advanced Informatics School, Universiti Teknologi Malaysia, Jalan Sultan Yahya Petra, 54100 Kuala Lumpur, Malaysia.
Abstract
In today’s corporate and business world, many organizations use data leakage prevention
to manage their sensitive and business critical information. The need to protect
confidential data is a key component of the organization which must be looked into
seriously. Data Loss/Leakage Prevention (DLP) has been found to be one of the effective
ways of preventing Data Leakage. The purpose of this paper is to propose a data leakage
prevention framework. The proposed framework added the factors of organization;
people; awareness and readiness to the current DLP framework.
Keywords: Data Leakage (DLP), Data Loss, Data Leakage Prevention, Sensitive
Information
1. Introduction
Over the years there have been abundance cases of data leakage in many companies which
has tarnished their reputation. Being the recent one, In Jan 2015 for example, the website
of an airline company has been hacked by a group that proclaimed support for the Islamic
State and also vowed to release data stolen from the site They also posted a link to a
screenshot of what appeared to be a passenger flight booking from the airline’s internal
email system. (News Straits Times, 27 Jan 2015).
Information in airline companies are important, sensitive and also confidential which are
being kept electronically. Confidential documents include various reports that are
important for secrecy, which must be protected and secured. Any malicious act for
example stealing or illegally removed of this information by the irresponsible personnel or
outsiders to competitors may jeopardise the company integrity among its peers and also
customers locally and globally. As the result of data leakage, the image of the company
will be damaged.
According to the report by CISCO, (2010) the cost of these data breaches is on the rise.
Incidents such as data theft, privacy abuses and others have emphasized the potential of
unethical behaviour related to the use of information. It is important to identify the factors
influencing to the information leakage due to the increased utilization of computers and
the Internet. It is also essential to study the factors that influence the implementation of
information leakage prevention solution framework in airline companies. Therefore, this
paper focuses on identifying the factors that lead to data leakage. In addition this research
will propose a framework for data leakage prevention in order to reduce the data leakage.
2.
Related Works
2.1 Data Leakage
Data leakage as a silent and severe type of threat which is considered as one of the greatest
challenges that an organization faces (Shabtai et al, (2012). It is a risk that can cause
serious damage to the company’s business. Any company is impeached with preserving a
trusted reputation and preventive environment. Customers rely in a company’s ability to
preserve intellectual property and customer data. According to Symantec (2010), the
intellectual property is hard to find and even harder to protect. Corporate management
must ensure that the company meets its target and goals. The ability to implement
security software is needed in order to minimize risks, protect against data breaches
(Tipwong, 2011).
Data leakage is increased by transmitting data (both internal and external), for example
emails, instant messaging, website forms, and file transfers among others, are not being
monitored to their destinations (Shabtai et al.2012). In addition, there are cases ,whereby
sensitive data are being shared among external and third parties for example vendor
working from outside the company’s premises (example on laptops), business partners and
customers. This will give rise to the risk of confidential information to fall into
unauthorized hands which can seriously damage a company.
2.2 Data Loss Prevention
Data loss prevention (DLP) is an action of exploring and preventing confidential data from
being “leaked” out of a company boundary for an illegitimate use. Nonetheless, while
DLP solutions have the competency to intercept some malicious or criminal activity to
steal information, the technology is not yet adequately created to deter more intelligent
methods of data theft. Data loss prevention (DLP) is a set of technologies targeted at
reducing the loss of sensitive information that happens in companies across the world. By
targeting on the location, classification and monitoring of information at rest, in use, and
in motion, this solution can help a company control and control on what information it
has, and in halting many leaks of information that take place each day (I S A C A Report,
2010).
2.3 Data Leakage Prevention (DLP) Conceptual Model
The below model shows, the relationship between technology and the human role to
ensure information security of an organization is being practiced. Therefore, it is
important to note that a strong governance structure is needed for a good Information
Security in any organization. This DLP controls cannot operate effectively without highquality governance. An effective DLP is required for any program to be successful, the
links to other information security processes must be understood so that multiple layers of
defense are established and monitored.
Figure 1. DLP Conceptual Model (Ernst &Young, 2011)
3.
Methodology
This study used qualitative research using focus group interview. Interviews were
conducted to three IT security expert in ABC, which were IT security vendors and ABC
IT security manager. Qualitative data were collected . The participant’s combination of IT
internal expert and external expert agreed that industrial pressure for example Personal
Data Protection act by the government will make a huge impact on the decision making by
ABC management on the purchase of any Data Leakage Prevention solution.
4.
Results
4.1 Focus group interview
The purpose of the focus group interview was to determine whether the factors,
technology, organization, environment/people and security are sufficient information in
order to develop the proper interview questions later. The interview participants are as per
the table below. The demographics profile of the participants for the interview is shown
in Table 1.
ID
Position
Participant 1
Participant 2
Participant 3
Educational
Background
Head,IT Risk &
Degree
Security
Controller,IT
Master
Risk & Security
Vendor
Degree
Roles in IT
Department
IT
Security
Operations
IT
Security
Operations
Service
Provider
Years
of
experience
15 years
5 years
20 years
Table 1. Demographics profile of the focus group interview
Result of the interview gathered from the focus group discussion reveals that the adoption
of Data Leakage Prevention depends mostly on the cost. The study also highlighted that
technology readiness and company policy are also important factors that need to be
consider before the adoption of the Data Leakage Prevention.
Ideally, the participants group agreed that technology, security, organization and
environment are the most important management factors that will influence ABC in the
adoption of Data Leakage Prevention solution. Most of the participant’s claims that
Management awareness is one of the factor influence the decision to adopt Data Leakage
Prevention.
4.2 Relationship between Technology, Organization, Environment/People and
Security
The interview discover that there is inter-related relationship between Technology,
Organization, and Environment/People in influencing the decision in implementing Data
Leakage Prevention solution. Based from the result of the interview, all the participants
agreed on all the factors. Below are the examples of inter-related relationship among the
factors:
5.

Technology readiness required management support to implement and it is
inter-related with cost in considering the value of Data Leakage Prevention
solution

Security of Data Leakage Prevention solution will affect the technology
readiness in order to provide the proper infrastructure for ABC

Security of Data Leakage Prevention solution will also inter-related with the
awareness of the staff and management

Policy plays a very important factor in preparing ABC staff towards moving in
Data Leakage Prevention technology. Guidelines on how to protect
information in ABC must be in place
Proposed Data Leakage Prevention Slution Framework
As discussed earlier the objective of this study is to identify causes that may lead to data
leakage and to propose data leakage prevention solution framework for ABC Airlines
Company (ABC). Therefore, based from the findings, it is proven that the four factors
need to be embedded in the organization. Figure 2 shows the proposed Data Leakage
Prevention solution Framework for ABC Airlines Company.
New
Existence ABC Framework
New
Data Leakage Prevention solution Framework for ABC
Figure 2 Data Leakage Prevention solution Framework for ABC Airlines Company
Based from the literature review, it has been established that a good foundation is required
for Data Leakage Prevention solution. However to be more effective, data governance is
not good enough, a holistic approach need to be well established and an efficient
monitoring by risk management department and internal audit are also required to ensure
that the program is successful. Management readiness is important in order to ensure that
all staff are ready to embark on the new solution.
Technology solution will need to cover the whole document lifecycle which is document
in use, document in transmission and document in storage. The whole document life cycle
need to be protected. Therefore policy need to be in place in order to give guideline to the
staff. All documents need to be classified, register and label accordingly. Security and
enforcement are important in order for the solution to take place. Proper security must be
in control for access control of the data, document rights, data integrity, data
confidentiality, document expiration and copy protection.
Lastly, in any organization, there must be check and balance of all the activities. Therefore
auditing must be done at least once a year to ensure the integrity and reliability of the
solution. Also, by doing so, the organization is complying with the rules and regulations of
the government. For example Personal Data Protection Act, Payment Card Industry.
Finally, in order for the organization to implement the new solution, a change
management activity must take place. For example, to change the whole infrastructure of
the organization, new system, and new desk top must get the approval of the change
management committee. It is also discovered that the awareness training need to be done
regularly in order to have an “Information Security Culture in “ABC”
6.
Conclusion
The findings shows the important of all the factors that will influence the decision by the
management to implement Data Leakage Prevention solution in ABC Airlines System.
This study confirm that cost of the solution and technology readiness are the main factors
that will influence the decision. Other interrelated factors such as organization and
industrial pressure are also considered to be important. One of the driving factor to
implement Data Leakage Prevention solution is the need to maintain business reputation
and control brand damage.
The study has used the qualitative method in gathering information’s and opinions from IT
professional on their perception in implementing the solution. The findings may help ABC
Airlines Company in preparing guidelines to the management and IT professional in
implementing a more thorough and detailed Data Leakage Prevention solution Framework
References
[1]
[2]
[3]
Blanke,W,J., (2011) Data loss Prevention using an ephemeral key.
Deloitte Report. , (2013). Data loss prevention risk assessment.
Ernts &Young Report.,(2011). Data loss prevention keeping your sensitive data out
of the public domain.
[4] Gordon,P., (2007) Data leakage and mitigation.
[5] Manasdeep. (2012).Data leakage prevention –Implementation and challenges – Network
Intelligence.
[6] Shabtai et al.,(2012). A Survey of Data Leakage Detection and Prevention Solutions, 5
SpringerBriefs in Computer Science.
[7] Tahboub,R., (2014). Data Leakage/Loss Prevention Systems (DLP), College of
Information Technology and Computer Eng.Palestine Polytechnic University
Hebron,
Palestine , 1 (1), 13-19
[8] Tipwong,P.,(2011) IT, Reducing Data Loss and Saving Money by Acquiring Data
Loss
Prevention Software.
[9] Tore Torsteinbø,T.,(2012) Data Loss Prevention Systems and Their Weaknesses.
[10] Verizon.Report (2012) Data breach investigations report.
[11] New Straits Times, 13 October 2008, Paltform to tackle data loss crisis
[12] Data Loss Prevention Software, Retrieved on January 10, 2015, from
http://en.wikipedia.org/wiki/Data_loss_prevention_software Retrieved on
January 10, 2015, from Information Systems Audit and Control Association
(ISACA).
[13] Wee Choo Keong Blog.,(2013).Retrieved on January 10, 2015, from
http://weechookeong.com/2013/11/28/mas-net-loss-of-rm830-mil-for-9-monthsjan-to-dec-2013/