CA Updates Data Leakage Portfolio

CA has announced a broad series of new and updated products and integrations aimed at the enterprise security and risk management markets. CA Access Control 12.5 includes features for privileged user management and host access control as well as improved integration of CA Identity Manager 12.5 and CA Role & Compliance Manager 12.5, including Smart Provisioning capabilities. Also included in the design is CA DLP 12.0 with extended discovery, protection, and control of sensitive data, and new integrations to complementary solutions. CA Records Manager 12.6 has features for governance, content protection, and compliance, and CA Governance, Risk & Compliance Manager 2.5 (CA GRC Manager) offers new risk and compliance features.

According to Gigo Mathew, CA vice president of security product marketing, integration of multiple functions is a central thrust of all the updates and product releases. "Being able to ultimately do more things proactively rather than as a simple reactive process is important. For example, provisioning is a huge part of this," he says, explaining, "Smart Provisioning Integration checks separation of duties and checks permission patterns to make identity lifecycle management a lot smarter. It then brings this together with identity management. No one has linked identity management and compliance before this."

Mathew goes on to say, "We look at three layers of management and governance. The top level is GRC Manager, governance of risk and compliance, and gaining visibility into all the types of compliance issues and risks to the organization, then mapping policies to those requirements. Smart Provisioning is next level. Active Control 12.5 is the third level, giving control around privileged users." Mathew points out that many security functions hinge around this privileged user, typically a security admin or DBA. They tend to have the keys to the kingdom, and the new products are designed to give a level of visibility and control over those users. This can prevent things like the San Francisco incident where a rogue administrator can lock people out of systems.

Joe Ford is VP of professional services and CTO of Patriot Technologies, a system integrator who has been a CA reseller for two years. He says that Patriot recommends CA products but also uses them internally, though many of the CA solutions are intended for organizations considerably larger than Patriot Technologies' 65-employee head count. Ford says that the granularity of the new CA solution is an important part of its appeal to organizations. "CAs DLP product extends the traditional thought of data leak to a more granular level of identifying with identity management to let you create rules based on your data and place it in a matrix based on the user roles hierarchy. Traditional DLP might not let you email social security numbers outside the company, but the CA tool would let you allow someone from HR to email those to the payroll company," he says. Ford points out that the data protection functions in conjunction with user role based controls, amount to capabilities that he hasn't found in other, competing products.

Ford points out that the truly difficult part of deploying any data leakage prevention system is properly classifying data that organization wants to protect. Much as the hardest part of most ERP installations is considering and formalizing business rules, understanding and formally classifying data types is the most involved part of a DLP installation. Companies tend to overlook this rather tedious classification process, unless they have an external reason, such as dealing with classified information, until they are faced with something like a DLP deployment. Then they bundle the cost into the DLP system while complaining about the TCO of security. In fact, understanding the company's data and its importance is a core IT function that should be part of every organization's charter from day one. Waiting until a DLP system is deployed is begging for a significant data breach.