Thursday, June 17, 2021

What a DLP-mandated system might look like

Ann Cavoukian freely admits that when she has a captive audience, they’re going to hear a lot about her favourite topic – privacy – before she moves on to theirs. So it was Wednesday at the SC Congress Data Security Conference and Expo in Toronto.

“You can’t have privacy without security, but you can have security without privacy,” Ontario’s privacy commissioner told the audience.

Of course, IT security and privacy are inextricably linked, and often at odds. Cavoukian’s concept of privacy by design posits that the zero-sum privacy-versus-security game has to end, and in a properly designed system, it’s a plus-sum situation – the two enhance each other.

Of the tales of privacy breaches in Ontario’s health care system, most involved unencrypted data on lost or stolen laptops or USB keys. But one that stood out was telling for a different reason.

In the parking lot of a northern Ontario methadone clinic, a woman driving a newer model vehicle saw something on her rear-view assist video monitor she didn’t want to see. A CBC investigation showed that the clinic required urine samples from patients, but rather than accompany them personally to prevent tampering, the clinic had installed a wireless camera in the washroom. When contacted by the CBC, a horrified Cavoukian called the clinic and had it shut down and replaced by a wired system. To their credit, Cavoukian said, clinic staff were equally horrified.

The point: Whatever policies are put in place to ensure privacy, staff can’t think of everything. Without exception, the breaches Cavoukian noted involved capable staff who had simply overlooked something.

I asked Cavoukian if she had considered mandating enterprise-wide data loss protection technology to prevent data from leaving the system at all. Her eyes widened.

“That sounds perfect!” she said. “Give me your card. I want to talk to you about this later.”

“Damn,” I replied. “I wish I worked for a company that sold data loss protection technology right now.”

It gave me pause to think about what that system might look like. It’s something that a health care system could mandate, and that any enterprise that handles sensitive or personally identifiable information (PII) could consider a best practice.

I think it would look like this: End-user machines would access their desktops through a virtual desktop infrastructure. DLP technology would ensure that data is downloaded to end user machines only according to specific policies. For example, data sets could only leave the server de-identified, stripped of PII, and only in an encrypted state. VDI obviates having to install DLP on thousands of end user machines, and also makes it easier to control accounts that are orphaned when a staffer moves on. And if the data can only leave the server in an encrypted form, encrypted USB keys and hard drives would be unnecessary.
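To make the release policy sketched above concrete, here is an added example (my illustration, not code from the article or from any DLP vendor) of the server-side gate such a system would put between the data store and a VDI session: direct identifiers are dropped, linkage identifiers are replaced by a keyed token, date of birth and postal code are generalised, free-text fields are scanned for PII that slipped in, and the request is refused outright unless the destination is an encrypted, managed endpoint. The field names, the health-card pattern (assumed to be Ontario's 10-digit number with an optional two-letter version code) and the sample records are all constructed.

```python
"""Added example, not from the article: an export-policy gateway that releases a
data set from the server only de-identified, stripped of PII, and only to an
encrypted, managed destination. Field names, patterns and sample data are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Fields that must never leave the server (constructed list).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "health_card"}
# Fields replaced by a keyed, non-reversible token so records can still be linked.
PSEUDONYMISED = {"patient_id"}

# Patterns that catch PII leaking into free-text fields such as clinical notes.
# The health-card pattern assumes Ontario's 10-digit OHIP number with an optional
# two-letter version code (assumption, illustrative only).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-. ]?\d{3}[-. ]?\d{4}\b"),
    "health_card": re.compile(r"\b\d{4}[- ]?\d{3}[- ]?\d{3}(?:[- ]?[A-Z]{2})?\b"),
}


class PolicyViolation(Exception):
    """Raised when an export request does not satisfy the release policy."""


@dataclass(frozen=True)
class Destination:
    """Where the data set is going. The gateway checks these attributes; the
    encryption itself is provided by the channel and the managed endpoint."""
    name: str
    encrypted: bool   # data travels and rests in encrypted form (e.g. an encrypted VDI volume)
    managed: bool     # the endpoint is under the organisation's control


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC token: stable within one export key, not reversible without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def find_pii_in_text(text: str) -> list[str]:
    """Return the kinds of PII pattern found in a free-text value."""
    return [kind for kind, pat in PII_PATTERNS.items() if pat.search(text)]


def deidentify(record: dict, key: bytes) -> dict:
    """Apply the release policy to one record; raise if free text still carries PII."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # stripped, never released
        if field in PSEUDONYMISED:
            out[field] = pseudonymise(str(value), key)
        elif field == "date_of_birth":
            out["birth_year"] = str(value)[:4]          # generalise ISO date to year
        elif field == "postal_code":
            out["postal_area"] = str(value).replace(" ", "")[:3]  # forward sortation area only
        elif isinstance(value, str):
            leaked = find_pii_in_text(value)
            if leaked:
                raise PolicyViolation(f"field {field!r} contains {', '.join(leaked)}")
            out[field] = value
        else:
            out[field] = value
    return out


def export(records: list[dict], destination: Destination, key: bytes) -> dict:
    """Gate a whole export: refuse unencrypted or unmanaged destinations, then
    release de-identified records together with an audit entry."""
    if not (destination.encrypted and destination.managed):
        raise PolicyViolation(
            f"destination {destination.name!r} is not an encrypted, managed endpoint")
    released = [deidentify(r, key) for r in records]
    # Audit digest lets a later investigation match a found data set to this release.
    digest = hashlib.sha256(repr(released).encode("utf-8")).hexdigest()[:16]
    return {"destination": destination.name, "count": len(released),
            "digest": digest, "records": released}


# Constructed sample, not real patients.
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Jane Doe", "date_of_birth": "1984-03-09",
     "postal_code": "P3E 2C6", "health_card": "1234-567-890-AB",
     "diagnosis_code": "F11.20", "notes": "Dose adjusted; follow-up in two weeks."},
]
EXPORT_KEY = b"constructed-demo-key-rotate-per-export"

if __name__ == "__main__":
    vdi = Destination("vdi-session-42", encrypted=True, managed=True)
    usb = Destination("usb-removable", encrypted=False, managed=False)
    print(export(SAMPLE_RECORDS, vdi, EXPORT_KEY))
    try:
        export(SAMPLE_RECORDS, usb, EXPORT_KEY)
    except PolicyViolation as err:
        print("refused:", err)
```

The gateway deliberately does not perform the encryption itself: in the VDI design the post describes, the encrypted channel and the managed endpoint are properties the server can verify before release, and keeping that check separate from the de-identification step means an unmanaged USB key is refused before any record is even processed.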

I’ve promised Cavoukian a collection of stories we’ve run on DLP technology, and I’m sure she’ll devour them. Her techie contacts and associates are going to be answering a lot of questions about data loss prevention technology. She is tenacious when it comes to your privacy.

Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.