If you have been following the security technologies landscape, chances are that you have already heard of Data Loss Prevention. The concept behind DLP is simple: safeguarding your organisation’s sensitive data by scanning your network and other systems. However, DLP means different things to different people with more than half a dozen different and even more technology approaches. What does DLP entail? That depends on who you ask.
“Data Loss Prevention is a protection control that is placed by an organization to help mitigate and control the loss of data through unauthorized channels. Examples of this could be the risks associated with the loss of a laptop on which the hard drive is not encrypted or relating to the copying of confidential data to a USB that is subsequently lost,” says Bahaa Al Hudairi, Senior Security Consultant, McAfee Middle East.
Alexei Lesnykh, Business Development Manager, DeviceLock, offers another definition: “DLP is a software, appliance-based or hybrid solution that primarily seeks to prevent corporate data breaches resulting from insider negligence, accidental mistakes or deliberate misconduct, as well as malware infiltrations. It helps organizations secure their sensitive data that are critical for the enterprise’s longevity, reputation, client privacy, information security and compliance.”
Bulent Teksoz, Regional Technology Manager, Symantec, pares the fat further, saying DLP is a concept in which, by defining rules and policies, we can control the data flow inside and outside the corporation. “Enterprises are concerned about their risk and look for confidence to demonstrate compliance while protecting their customers, brand and intellectual property.”
While definitions abound in the market, the primary reason why enterprises adopt DLP is probably the same. “Many enterprises in their efforts to secure data often end up causing so much disruption that their projects fail. Most enterprises right now are considering DLP for one of three reasons: they’ve had too many close calls with data loss (or actual events) and know that there is significant business risk; their management team is concerned as a result of liabilities introduced through regulation; and it’s the hot thing in the market to work on, once other key areas like AV, Firewall, Encryption are covered off,” says James Lyne, Senior Technologist in the CTO’s office, Sophos.
Gartner advises that businesses should plan a thorough DLP strategy before talking to suppliers. Vendors are likely to sway discussions to specific aspects of DLP, when a full strategy is required for the technology to be effective, according to the analyst house.
What should be an ideal enterprise DLP strategy? “Firstly, enterprises must look at all the countries where they do business and the laws about data loss in each. Then, consider the amount of data inside the organisation, from customer and employee information to unique intellectual property and the possible fines or costs of any consequential loss of any of that content. Then, they should speak to a supplier of DLP products and try a proof of concept for a week or so; the devices can highlight data being transferred out of the organisation and let them calculate the potential threat,” says Nigel Hawthorn, VP of EMEA Marketing, Blue Coat Systems.
The ideal strategy should start from identifying the “crown jewels” of an enterprise – the most sensitive data that, if leaked, would seriously endanger the company's business, according to Riccardo Della Martera, DLP Product Consultant, Websense. As a second step, a company should look for unauthorized copies of such data in places where they should not be located (by running what is known as a Discovery task). In parallel, all the most common means of software-based communications (i.e. emails, web, FTP, IM, external devices) should be put under control appropriately. Once that is done, the scope of the DLP project can be widened to more departments and business units, hence extending the protection to data with a lower level of confidentiality, he says.
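A minimal sketch of such a Discovery task, added here as an illustration and not taken from any vendor's product: it walks a directory tree and reports files that hold payment card numbers outside an approved location. The choice of card numbers as the "crown jewel", the directory names and the function names are all assumptions, and the sample tree is constructed from published test card numbers.

```python
import os, re, tempfile

CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_cards(text):
    found = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text))
    return sum(1 for digits in found if luhn_ok(digits))

def discover(root, approved_dirs):
    """Report (relative path, hits) for card data outside approved top-level dirs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir.split(os.sep)[0] in approved_dirs:
            continue  # sanctioned location: copies are expected here
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = count_cards(fh.read())
            except OSError:
                continue  # unreadable file; a production scan would log this
            if hits:  # report counts only, never the matched values
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)

def sample_scan():
    """Build a constructed tree (published test card numbers) and scan it."""
    files = {
        ("finance", "cards.csv"): "4111 1111 1111 1111\n",           # approved
        ("home", "export.txt"): "card: 4111-1111-1111-1111\n",       # stray copy
        ("home", "notes.txt"): "ref 1234 5678 9012 3456\n",          # fails Luhn
        ("share", "old", "backup.csv"): "4111111111111111,5500 0000 0000 0004\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, body in files.items():
            path = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return discover(root, approved_dirs={"finance"})
```

Calling `sample_scan()` flags the two stray copies and ignores both the approved `finance` directory and the digit run that fails the checksum, which is the false-positive filtering a pattern-only search lacks.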
Ray Kafity, Regional Sales Manager, Cisco Ironport Systems, adds that the ideal enterprise data loss prevention strategy is to look at all aspects of their data security strategy. “They have to give attention to physical security, human/employee factor, enterprise exit and entry points and enterprise policy and control.”
After defining a complete strategy for DLP, organizations need to consider some key points before deploying the solutions. Most security vendors will tell you they have just the thing for your DLP needs. But some industry experts say enterprises often buy products that, once installed, don't perform all the functions necessary to keep sensitive information safe.
“DLP is a key investment area for security and a great indicator of the direction of security towards data protection. However, enterprises need to ensure that they deploy solutions that maintain business flexibility,” says Lyne.
The first step is to implement a Data Loss Assessment exercise with an experienced security expert. This will allow certain types of data to be classified into different levels of security requirements, says Nick Black, Technical Manager, Trend Micro. The next step would be to evaluate the various channels through which this data can be transported out of the company network, such as email, Instant Messaging, FTP, USB devices, CDs or even printed documents. Based on this information, a comprehensive set of rules and policies can be created and enforced across the end user devices and managed centrally, he adds.
Companies should address DLP in a phased approach with the ultimate goal of protecting all data leakage exit points such as web traffic, mails and removable devices/media. Customers should start with full hard disk encryption of laptops/desktops; phase two would ideally be to control removable media, as they are the root cause of many malware infections and data loss incidents.
“The next phase would be to conduct a data classification study before implementing a full DLP solution, to help them understand where and what are the critical data in conjunction with an effective data policy in place,” says Al Hudairi.
This should be followed by the next step of deploying the DLP solution and venturing into monitoring mode. “The aim of this project phase is two-fold: at first, it facilitates the refinement of the baseline data protection policies for all endpoint computers and their users. The second goal is to identify the most malicious users of the corporate network already during this first DLP deployment phase,” says Lesnykh.
When the baseline DLP policies have been fine-tuned, IT managers could switch DLP agents from “only monitoring” to “enforcement” mode while at the same time starting to log user actions related to peripheral device access, as well as their data transfer operations from and to endpoint computers. From this point on, forensic investigations into the most serious data leaks should become a routine part of the IT security department's operations, he adds.
A company can buy every top-of-the-line security product known to man, but it won't make a difference for data loss prevention (DLP) unless end users are educated on their own role. Technology is indeed critical to DLP, but security experts say user awareness is key to keeping sensitive data safe from online predators. DLP is a process first. The technology is simply an enabler for the automation of the process. The process needs to include education and awareness training and cover human resources, records management and compliance.