Challenge

In the course of normal business operations, Accenture processes vast amounts of sensitive information, ranging from client-supplied data and corporate intellectual property to personally identifiable information. At a time of rising security risks, this information presents Accenture with a challenge each and every day: how best to protect internal and client-sensitive data across an enterprise that operates in a highly distributed environment.

Strategy and solution

Data Loss Prevention (DLP) enforces data transfer rules to protect against unintended data disclosures, identify when people are processing sensitive and/or proprietary data, and allows Accenture to uphold its contractual obligations held with clients to protect data. It also mitigates the risk of data loss by identifying unapproved, outbound movement of such data types from Accenture workstations and e-mail accounts destined for unsanctioned e-mail domains or storage destinations, such as cloud, GitHub and USB.

More than a decade ago, Accenture initiated a Data Loss Prevention program. In infancy, the program was passive, monitoring outbound movement of limited Personal Identifiable Information (PII) data, and reacting to alerts, determining data exfiltration from legitimate data transfer. With the foundation set, focus shifted to prevent risky movement of PII data, and extend protection to client-sensitive data and internal intellectual property.

Accenture’s Information Security organization in collaboration with Accenture’s internal IT organization continued the transformation by further building out the DLP capability to monitor and protect sensitive data, while respecting data privacy regulations around the world. The combined team implemented a solution to monitor data activity across almost half a million end points in a global network spanning more than 50 countries. The solution was overhauled in recent years and every year since enhancements are added to the way Accenture protects the company’s and its clients’ environments.

Some of the security enhancements included:

  • Partnered with the business to deploy focused DLP policies to establish what is a risky data transfer versus a service requirement Accenture provides to a client.
  • Deployed a DLP agent on user workstations/laptops that monitors the flow of data and reports DLP events centrally to the Accenture Security Operations Center (ASOC).
  • Implemented an e-mail DLP capability to mitigate the risks of data loss via e-mail. The system protects both managed and unmanaged endpoints, including mobile devices. When data is found to be in violation of enforced policies, events are reported to the ASOC.
  • Enabled rules to flag and block identified client-sensitive or intellectual property when transferred outside authorized locations. This includes files sent to personal accounts such as Gmail, Dropbox, or external devices.

The technical challenges confronting the combined team during the project were significant. Working with third-party experts, the team defined the architecture for the solution, including the technical infrastructure and required network and server configurations. Working with legal advisors, the team ensured that the solution would meet governmental, regulatory and data privacy standards in applicable jurisdictions around the globe, with legal clearance being obtained on a country-by-country basis.

During the implementation of the security enhancements and improvements, numerous process changes required consistent review of events and, when necessary, intervention and investigation. The team was challenged with managing competing deployment and privacy requirements and restrictions across Accenture’s diverse enterprise environment.

“Today’s DLP challenge is finding the best balance between protecting enterprise and client data on the one hand and respecting the privacy of our employees on the other,” says Jason Lewkowicz, Managing Director of Accenture’s Cyber Incident Response Team. “We have built effective coverage across Accenture’s entire enterprise—encompassing all endpoints and network e-mail—without impeding the free flow of business communications and operations, all while protecting employee privacy.”

"We have built effective coverage across Accenture’s entire enterprise without impeding the free flow of business communications and operations, all while protecting employee privacy."

— Jason Lewkowicz, Managing Director – Accenture Cyber Incident Response Team

Transformation

Accenture’s Information Security organization proved a successful model for extending data protection to include client data and reduced risk to Accenture and its clients by proactively preventing incidents. Accenture’s DLP capabilities now provide greater security with increasing ease. The flexibility of the DLP solution enables Information Security personnel to ensure policy and contract compliance, allowing easy creation of new policies that address specific contractual obligations. This technology also allows for local data control to manage specific business unit or engagement data flows.

Subscription Center
Stay in the Know with Our Newsletter Stay in the Know with Our Newsletter