Few security technologies have received as much attention over the past few years as Data Leakage Prevention (DLP) solutions. The concept behind them is appealing: scan traffic on your network and data in your systems, and apply rule-based protections to the information you want to protect. Someone e-mailing out a copy of customer records with SSNs? The DLP system blocks the message or encrypts it on the fly. Someone trying to copy intellectual property to a USB drive? Alert management and block the action. It can be a great way to protect your most critical information assets, but as many have found, it is not the be-all and end-all of data leakage protection.
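As an added illustration of the rule-based scanning just described (example code written for this page, not taken from any DLP product), the following Python sketch runs one content-inspection rule over a handful of constructed outbound messages: it finds candidate US Social Security Numbers, discards structurally invalid ones, counts a bare nine-digit run only when a nearby keyword suggests it really is an SSN, and then picks allow, encrypt or block from the count. The thresholds, keyword list and sample messages are assumptions chosen for the example; a real deployment would tune them against its own traffic.

```python
"""Added example: a single DLP content-inspection rule for US SSNs.

Not code from any DLP product. Thresholds, keywords and the sample
messages below are assumptions constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Candidate SSN in 3-2-4 form, digits optionally separated by '-' or ' '.
# The look-around assertions stop the pattern from matching inside a longer
# digit run such as a 10-digit phone number or a 16-digit card number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")

# Context words that make an unseparated nine-digit run credible as an SSN
# (assumed list; a deployment would extend it from its own traffic).
CONTEXT_RE = re.compile(r"\b(ssn|social security|taxpayer)\b", re.IGNORECASE)
CONTEXT_WINDOW = 40  # characters of context examined on each side of a match


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for an issuable SSN: area not 000, 666 or 900-999;
    group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return validated SSNs found in text, normalised to 3-2-4 with dashes."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            continue
        separated = "-" in m.group(0) or " " in m.group(0)
        if not separated:
            # A bare nine-digit run is just as likely an order or account
            # number; only count it when an SSN context word is nearby.
            window = text[max(0, m.start() - CONTEXT_WINDOW): m.end() + CONTEXT_WINDOW]
            if not CONTEXT_RE.search(window):
                continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


@dataclass
class Verdict:
    action: str   # "allow", "encrypt" or "block"
    count: int
    reason: str


def classify(message: str, block_threshold: int = 10) -> Verdict:
    """Decide what the DLP gateway does with one outbound message."""
    ssns = find_ssns(message)
    if not ssns:
        return Verdict("allow", 0, "no validated SSN found")
    if len(ssns) >= block_threshold:
        return Verdict("block", len(ssns),
                       f"{len(ssns)} SSNs in one message looks like a bulk export")
    return Verdict("encrypt", len(ssns),
                   f"{len(ssns)} SSN(s) present; deliver only over an encrypted channel")


# Constructed sample messages (not real data).
SAMPLES = {
    "bulk_export": "Hi team, attached is the customer export.\n" + "\n".join(
        f"Customer {i}: SSN 123-45-{6000 + i:04d}" for i in range(12)),
    "single_record": "Please update my record, social security 412-65-4320",
    "w9": "Taxpayer id 412654321 for the W-9 is attached",
    "order_number": "Order 123456789 shipped this morning",
    "phone": "Call me back on 555-123-4567 when you can",
    "placeholder": "Test record uses SSN 000-12-3456 as a placeholder",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = classify(text)
        print(f"{name:14} -> {v.action:7} ({v.count}) {v.reason}")
```

The keyword gate is what keeps order and account numbers from tripping the rule, and the count threshold is what separates a single record in a support reply from a bulk export; those two knobs, not the regular expression, are where a deployment's false-positive rate is decided.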
Data leakage or data loss prevention systems have gradually entered the mainstream as the products have matured. “The key concept behind data loss protection solutions is their ability to monitor and audit the movement and usage of data. This is a fundamental requirement for businesses today, in order to enforce good policy, prevent unauthorised access and reduce the risk of data breaches,” says Greg Day, Principal Security Analyst EMEA, McAfee.
It almost goes without saying that the greatest threat to the security of an enterprise network often comes from within. Security professionals can shore up their borders, lock down their devices, and search bags on the way out, but there might never be a way to be 100% certain that an employee is not abusing access to sensitive data. “Data generally exists in three states: data in use, data at rest and data in motion. Having visibility into data as it moves around allows you to see where sensitive information is going, but also requires you to know when sensitive information is leaving the perimeter of your organisation,” says Samer Shaar, Regional Director for Juniper Networks Enterprise.
Each state often requires a different approach to DLP. For example, encryption can help to address data at rest and data in motion, but not data in use. Deep inspection is very useful for data in motion, but not so much for data at rest. Data loss is a significant technology, policy, and policy management issue, and we continue to see numerous examples in both the public and private sectors, he adds.
Companies are adopting DLP for a variety of reasons, with compliance the strongest driver. “Data Loss Prevention is an essential component in every organization’s security strategy as the number and severity of data breaches continues to rise at an alarming rate,” says Johnny Karam, Regional Director for Symantec.
The spiralling cost of data breaches is another reason why companies are turning to DLP, says Day. “There are numerous reasons for applying data loss prevention controls, most of which correlate directly to mitigating cost to the business. As examples, this can be the cost of brand damage when data leaks become public knowledge, the costs of intellectual property loss, the cost of validation in terms of what data actually has gone missing and, where required, the cost of notification and finally the cost of fines applied by industry groups or as a result of governmental legislation.”
It's no easy task implementing a data loss prevention (DLP) programme when there's so much disagreement in the security community over what DLP entails. But those who've been through it have good news: it can be done. Several IT security practitioners told us they achieved a reasonable DLP programme once they stopped listening to vendors trying to sell so-called “DLP out of the box” products and focused instead on combining a range of security technologies with training programmes that help users defend themselves and, in turn, the companies they work for.
Though the policies governing people are fairly consistent across business sectors, there is no one-size-fits-all approach to the technology side of things. There are common tools, mind you, but they are not assembled the same way in every enterprise.
A DLP solution needs to be part of an overall security solution that should include multiple layers of security. Security must be intelligent, efficient and ubiquitous. Well-integrated, open-standards-based solutions should be able to work in a multi-vendor environment and not lock users into a single approach or technology, says Shaar.
Symantec’s Karam says the first step in creating a prevention and response strategy is to identify the types of confidential data your organization needs to protect and use that information to measure your risk of exposure. “Once you are able to define and prioritize your data risk levels, the next step is to engage stakeholders and form a project team—which should include IT security, compliance, and business data owners—that can evaluate solutions and recommend actions.”
The greatest challenge with DLP is defining success. Because the goal is to prevent something from happening, provable success would be proof of a negative, which is not possible. Everything in the history of security and computing tells us that if the success expectation of DLP is that it blocks all leaks, it cannot succeed. Most organisations instead measure the success of DLP either by what is caught or by the degree to which DLP trains users out of risky behaviours that are rarely malicious. DLP is a great tool for awareness: it trains users to use secure means of transmission where necessary, and it trains IT departments to provide secure means of transmission where they are needed but do not exist.
DLP is not a silver bullet. Identifying and blocking all sensitive information is neither possible as an outcome nor wise as a goal. But with a narrower goal of preventing the most egregious leaks and helping both users and IT discover better ways to send information securely, DLP can be very successful. Ultimately, it will be a standard part of any company's security portfolio.