Data Loss Prevention Case Study: The Challenges Facing Financial Institutions
In this exclusive interview, Jason Vander Meer of RealTick discusses his organization's DLP strategy, and the solution he deployed from Code Green Networks.
Additionally, Dan Udoutch of Code Green Networks offers advice for organizations faced with similar DLP challenges.
Vander Meer is currently responsible for Information Security and IT Infrastructure Project Management at RealTick®, the electronic trading industry's premier global, multi-broker, broker-neutral, cross-asset Execution Management System (EMS). He joined RealTick in 2005, and has since been the lead for managing Information Security risk assessment and mitigation. Vander Meer has an MS degree in Information Technology and Information Assurance from DePaul University in Chicago.
Udoutch is the President and CEO of Code Green Networks. As a 25+ year Sales, Marketing and CEO veteran of Silicon Valley, Dan has a unique set of skills and successes with bringing innovative and market leading solutions to the Enterprise customer. He held significant executive-level roles at notable firms including Commerce One, NavTeq and Netscape Communications. Earlier in his career he worked for IBM and Tandem delivering mission critical solutions to various industries including financial services and healthcare.
TOM FIELD: When it comes to data loss prevention, what are some of the latest strategies and solutions?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about DLP, and we are talking with Dan Udoutch, President and CEO of Code Green Networks, and Jason Vander Meer, Information Security Officer with RealTick.
Dan, Jason, thanks so much for joining me today.
DAN UDOUTCH: Glad to be here.
JASON VANDER MEER: Thanks for having us.
FIELD: Hey Jason, why don't you start us out here and tell us a bit about yourself and about RealTick please?
VANDER MEER: Right. I have been with RealTick for five years, managing various technology infrastructure architecture products/projects. Currently, I am the Information Security Officer heading up the security program here at RealTick.
RealTick itself is a company, and we provide a product called RealTick, our flagship product, and it is essentially an execution management system, and we have been providing solutions such as this since 1985. RealTick is essentially a highly configurable platform that provides access to global market liquidity, a wide range of electronic execution products, and then we provide access to various broker dealers.
FIELD: Now, Dan, could you do the same please? Tell us a little bit about yourself and about Code Green Networks.
UDOUTCH: Sure, Tom. I have been the President and CEO of Code Green Networks for about two years now. We are a five-year-old company, venture funded, and I came in when the product was really ready to hit the market and build a company around that.
We are an independent company solely focused on DLP, and we have seen pretty substantial success and growth over the last couple of years in two primary industries, one being financial services and another in healthcare. So, I am anxious to talk through why and how that is happening with Jason and yourself today, Tom.
FIELD: Well that's a good tee-up to our conversation here. We are going to talk about DLP, and Jason, I want to ask you first: What were the specific challenges that drove RealTick to look at DLP solutions?
VANDER MEER: Right. We are a financial technology hub, so a lot of client-generated market data and financial data come through our facilities, and in certain cases it is stored in our facilities, so our clients and we have a vested interest in protecting this data.
We work with our clients regularly to ensure that our security controls are satisfactory to them. We do this through regular audits and security reviews. Over the past few months and year, we have noticed a growing concern that our clients have of how are we protecting their data.
We keep up with best controls and do risk analyses to ensure that the controls that we have in place are satisfactory and effective. We use network segregation, firewalls, least access concepts, complex passwords -- the very standard security controls. The growing concern for data leakage has prompted us to look elsewhere to enhance these security controls and to put a solution in place to tie all these together tighter and add another layer of security. So one way that we have been seeing of what people are doing to protect data is essentially to block access to where data can leak.
Our view at RealTick and our professional security teams is: You can't block everything, and it is much more effective to protect data closer to the source. So rather than going through and having a list of things that people can't do, we want to have a better knowledge of where the data is, how it is being used, where it is moving, what it is and why it is being accessed. Then at the same time we want to keep access high and innovation and creativity and ease of use within RealTick. We are a leading financial technology company, and we want to have that access open while we are still providing proper security.
FIELD: Well, that's good, Jason. Now Dan, how did Jason's issues map to what you hear from banks and other financial organizations that are weighing DLP solutions?
UDOUTCH: Good question, Tom. Jason and RealTick have done not only the big fix in terms of best practices, but I think they have extended that quite a ways from what I hear him describe in the more traditional security approaches. I think the innovative financial institutions we are seeing have a very similar view of the world of 'Let's look from the inside out; let's look at the core data,' because the world is changing so quickly, and I think to block, as Jason described, absolutely squelches innovation and access, and it is not really what the new economy is based on. What you want to do is be able to allow all of those productive collaborations and sharing and access of data, but at the very fundamental core have great awareness and control over those data elements. I would say a very similar story to those that have thought through it at the next level in terms of what their issues and challenges are.
FIELD: Jason, let me come back to you for a couple of questions here. One is: I would like you to walk us through, if you could, the steps you took or are taking to ensure that your clients' data is protected.
VANDER MEER: Right. So as I mentioned before, we have policies and security controls in place that are managed quite effectively, and we have had a lot of success with those. But with the growing need for information security and data protection, we need to have a better idea where the data is and how it is being used and how it is moving.
So before we even did anything DLP related or anything with Code Green, we started a full data classification review, which lasted two to three months in the bulk of it, but it is still going on now. The classification that we did essentially took a look at interviewing data owners and saying 'Okay, what is your data, what is your most important data, how is it being used, how is it important to our clients and ranked is this confidential? Is this public data, is it private data?' And once we found all of this, we documented this and passed it around, and we put this into a quarterly process where we take a look at this to ensure that everything is up to date and add any new items as needed.
So once the data classification was done, we knew where all of our data was, and we knew how important it was, so choosing a DLP platform like Code Green, we were able to just essentially drop into our environment and have it point to and analyze the data that we have classified in the data classification. Once we got a better idea of how the data is being used and where it was moving using a centralized appliance, we were able to tune our security policies much better and create a higher degree of data security within our environment.
FIELD: A follow up question for you, Jason. What solutions did you look at, and why ultimately did you choose the Code Green Networks DLP solution?
VANDER MEER: There are a lot of great DLP solutions out there, and we spent quite a bit of time last summer and fall analyzing these and looking at all of the characteristics of each of them. But what we at RealTick wanted was a holistic platform that did everything -- the data security, endpoint security, network DLP -- and we wanted something that was lightweight that didn't interfere with essentially the high speed activity of our business and of what my company is. So it came down to five or six other products that we took a look at. We examined all of their pros and cons, and Code Green was able to satisfy all of these products, and it was the one that we went with.
FIELD: Very good. Dan, a couple of questions for you, and the first one is: If you could boil it down, what steps do you recommend that organizations take to protect their client sensitive data much like what RealTick did?
UDOUTCH: Well, for part of it, let me sort of play off of Jason's response to the last question, which was having a holistic solution that includes the network, the discovery and the endpoint. Let's take a customer best practice view of the problem. RealTick and Jason and his team started correctly with the data classification project to try to determine locations, sensitivity and priority of the different data elements. Sometimes, either by lack of focus in the past or just sheer size of organizations, they are not able to accomplish that task quite as readily. But what you are trying to do is get closest to that data classification problem.
We all know of examples throughout the industry of wonderful cool technology that even if you install it, you forget what the problem was you were trying to solve or if it is delivering value, so I think part of the nice fit of DLP into enterprises is if you have a focus around your data classification, you are really able to determine a risk profile and ultimate value in remediating that risk. So, I would say for a client to focus on the data classification question -- and we can talk a little bit more frankly about some tools and elements -- we have to help that part of the process, I think that is where you are going to get the greatest success with that as a starting point.
FIELD: Dan, let me follow up on that, especially in terms of financial organizations. What are the special tools that can help when it comes to identifying sensitive data?
UDOUTCH: We try to lead customers to a couple of different places. Number one, our product itself is a very nice tool in terms of trying to frame your risk and your data, and that is in terms of it is a very integrated all-in-one appliance, with a number of very useful industry specific pre-built policies and reports. So oftentimes we are able to put it in a pilot or evaluation with the customer to really help them in a really pure monitoring mode. Let's look at what data is leaving the enterprise through what various channels and what frequency to what destinations, etc. So, without a lot of overhead in terms of setting up a large number of servers and databases, etc., the tool itself can be helpful in that way.
And something that we are investing heavily in as a separate piece of the solution now is discovery. So an awful lot of larger organizations, especially those that have been built through acquisition and roll up, they don't even know where to start in terms of 'Where is all of this data located throughout my enterprise?' So, with some key enterprise wide scans or example levels in terms of server level discovery, that in addition to this easy-to-set-up monitor mode, we give you a couple of really nice tools without spending a lot of money or taking big risk on the technology to just, again, help you frame the problem and know where to focus.
FIELD: Well, that is a good overview. I have got one last question for both of you, and Jason I am going to ask you first. Given your experience, what advice would you offer now to other financial organizations faced with similar DLP challenges?
VANDER MEER: Well, as Dan said, data protection has to be holistic from start to end. There is no silver lining solution that you can just drop in place and make all of your problems go away.
Data protection has to protect all data across all dimensions of the business, and the best advice that I can give is going on the line that we were talking about earlier, which is you have got to start out with data classification, and it is a hard, grueling process. It is a semi-manual process, but you have to understand where your data is, what is important to you and your company, and you have to find that, you have to understand how it is being used, and you have to document that and keep up on that.
From there it is learning and understanding how that data is being used from an electronic standpoint, and that is where Code Green DLP has really helped us at RealTick greatly. Because after the data classification was done, we can pop in a Code Green appliance and understand how our data is moving around the environment. And then from there you can enhance and set further security controls and policies to ensure that data is further protected to the degree it needs to be.
FIELD: Very good. And Dan, the same question for you: What advice do you offer to financial institutions faced with these challenges?
UDOUTCH: Well, I would be remiss if I didn't turn that back to what I think is a primary advantage of Code Green. Once a customer determines the need for data leakage prevention, and also goes through the rigorous exercise of classification, what we have really tried to do is--you know, the easier it looks on the surface, of course, oftentimes the harder and more creative engineering has gone on under the covers. So we are able to deliver an enterprise-class product in a very integrated all-in-one appliance. Our goal was to deliver that level of functionality to someone like Jason and RealTick without requiring months of professional services to install a solution or one or more FTE's to run the solution.
So I think what I would ask or implore financial institutions to do is to really talk to references, envision this in a productive, ongoing environment because data loss prevention can't be a one-time effort. There certainly is an ongoing process to benefit from a solution like this, and I think we have worked very hard to make that very usable.
FIELD: Very good. Dan and Jason, I appreciate your time and your insight today. Thank you.
UDOUTCH: Thank you, Tom.
VANDER MEER: Thank you.
FIELD: The topic has been DLP strategies and solutions, and we have been talking with Dan Udoutch with Code Green Networks and Jason Vander Meer with RealTick. For Information Security Media Group, I'm Tom Field. Thank you very much.