Project Obama Delivers Data Loss Prevention “Change”

When the news came out last week about the unauthorized access of President-elect Barack Obama’s cell phone records by employees from his cellular carrier, I immediately anticipated repercussions. The Warlord has an insatiable appetite for the news and is constantly drawing parallels to our business, and I suspected he would draw a line directly to me. Of course, these linkages often translate into new—and typically urgent—IT projects.

It didn’t take very long for the Warlord to call his warriors into battle. A calendar invitation for an 8 AM meeting was in my inbox when I checked my email from my handheld the next morning. The subject line read “The Obama Project.”  

Scoping the chain of custody problem

I decided to bring Berkeley with me. He constantly preaches about the evils of privacy invasion in the Internet age, and I surmised he would tackle the project with an equivalent amount of passion and energy. (The only downside would be the onslaught of his daily homilies on the subject.) The C-Man explained during the meeting that the Warlord wanted assurances that a similar incident couldn’t occur at our company. As we have some very high-profile customers, individuals over which the media would have a feeding frenzy in the case their personal data was accessed, the Warlord wanted confirmation that we had the “right plan” in place.

Custody hole with databases

I explained to the C-Man that we could demonstrate an end-to-end custody chain once data was backed up to our disk and tape storage systems. (We had implemented a storage encryption solution the previous year.)  However, before the data was backed up to the storage systems, there was a hole in our processes: the records on our databases could be accessed by various employees, and there was no system in place to monitor, manage, and track access to the data.

The report from the C-Man back to the Warlord was not well received. He indicated the Warlord had give us an edict: we needed to identify and deploy a solution within a month. Berkeley and I subsequently called a meeting of my staff for that afternoon to inform them of our newest challenge to tackle. Berkeley was almost giddy with the opportunity and spent 20 minutes giving the team a historical overview on the violation of personal privacy.

An expensive solution

We reconvened the next day, and I gave the team a mandate to come up with a solution by the end of the day. The ideas floated back and forth throughout the day. The team finally settled on one that restricted database access to a select number of dedicated staff; all inquiries for access would need to go through them. We then scoped the responsibilities and determined it would require four full-time administrators. As we currently had only two database administrators, we would need to either reallocate existing staff from other projects or hire two additional staff.

With the resolution in hand, I went back to the C-Man; he wasn’t pleased the solution would cost us more than $200,000 annually in labor costs, but this was the best idea that had been identified. The Warlord was pleased to hear that we had pinpointed a viable solution; however, like the C-Man, he wasn’t enthralled with the additional labor costs. Perhaps the only one who was smiling at the end of the day was Berkeley; when he pulled out of the parking lot in his electric car, he had the stereo turned up and was playing “Truckin” by the Grateful Dead.

Hey Eugene, Symantec Data Loss Prevention allows you to discover, monitor, protect, and manage confidential data—both in motion and at rest—across your IT environment. This includes information stored on your databases. Indeed, with Symantec Data Loss Prevention, you can avoid hiring those two additional database administrators and put the money back in the bank.