The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2011 issue (Volume 6, Issue 1), which was on the topic of Digital Loss Prevention:
“Gareth Niblett, Chair of the ISSG, says that many people see DLP software as something that magically stops your data from being lost, whereas the reality is quite different.
DLP is often used as a catch-all term for technology that somehow magically stops all unauthorised information flows once it has been installed.
In reality DLP has much wider implications in an organisation and can be quite nuanced. It could be considered as part of information lifecycle management, and should focus on ensuring the organisation can share the information it needs to, both internally and externally, in a correct, accountable and secure manner – data loss is then also prevented as a beneficial by-product.
To achieve robust inter-organisational collaboration capabilities, we would need common policies for identity proofing and verification (IPV) of organisations, people and devices, issuance of credentials, authentication, authorisation so that interoperability can be obtained (for consistency and cost reasons).
Add a bridge, to tie together disparate systems and organisations with cross certification, along with an independent verification process, to ensure assurance is provided to all parties. Mix.
Levels of trust
One leading initiative, which I am involved with, is working towards such federated trust, at higher levels of assurance between regulated companies and industries. The British Business Federation Authority (BBFA) http://federatedbusiness.org/ is a not-for-profit self-regulating organisation born out of a government request for a body to represent the needs of UK industry in relation to identity management, which came at a joint BCS/eema seminar in 2009.
The BBFA Steering Group is made up of companies from regulated industry sectors and, along with its policy management authorities, is working with both private and public sector organisations towards standards- based and interoperable IPV, strong authentication and authorisation, federation and PKI bridge policies, procedures and mechanisms, as it recognises that without these no technology can meet the real needs of customers and end users.”
A PDF version of the magazine is available online at: