You know the feeling you get when you see someone who has invested in state-of-the-art gear – say, a high priced vintage Fender Stratocaster, a Marshall stack, and a dozen effects pedals – but hasn’t invested in guitar lessons? It’s the same feeling I get when I see a company invest in the latest, greatest Data Loss Prevention (DLP) system, plug it in, and forget about it. It can be exasperating. And while I’m not the guy who can help you play like Buddy Guy, I can help you get the most out of your DLP investment.
Letting Your Guard Down?
In many ways, DLP can be one of the most dangerous investments an organization can make. Simply implementing DLP – without supporting and operationalizing it – can create a false sense of security. With the data protection “checkbox” checked, an organization may focus less intently on security program development and good information security practices. The good news is the appearance of security can match up with its reality, through effective data loss prevention program management. To that end, I offer my “Four Do’s of DLP”:
- Deploy the system so that no sensitive data remains outside its reach
- Integrate it with governance, risk, and compliance (GRC), and other security tools
- Staff it with the right resources
- Communicate with all stakeholders, proactively
Deploy the system so that no sensitive data remains outside its reach
DLP systems are not plug-and-play, yet many organizations treat them as such. The design and deployment of the system will largely determine its effectiveness, and there are several key factors to consider:
Expect some heavy lifting
Deploying DLP is a non-trivial exercise. It requires a significant amount of planning, design, and coordination across every department in the organization. Underestimating the upfront effort leads to cutting corners and missing major areas of need, resulting in an incomplete and ineffective solution.
Recognize true scope
For DLP to be effective, it must cover the entire infrastructure, from back office communications (network, Web, and email), to collaboration systems, cloud services, and endpoint computers and other mobile devices.
Don’t forget the Z: drive
Every organization creates digital archives. Over time these data repositories become veritable treasure troves of sensitive information – sometimes more than a decade old! Don’t overlook them when deploying DLP.
Cover the cloud
Google Apps, Dropbox, Office 365, Salesforce, social networks – these are just a few favorites, so make sure the long arm of DLP extends into the cloud.
Integrate it with governance, risk, and compliance (GRC), and other security tools
These days, it’s almost impossible to do business without some sort of GRC (Governance, Risk, and Compliance) program and/or tool in the organization. You might think that GRC would be in lockstep with a DLP implementation, but that’s not often the case. Ensure that GRC and DLP inform each other directly: rules related to data security, privacy, and protection are built into DLP, and the DLP system provides reporting and feedback to your GRC program.
At the other end of the spectrum, remember that DLP is largely useless unless it is integrated with your data-in-motion, data-at-rest, and data-in-use environments: MTAs, Web proxies, network TAPs, filers and shares, databases, endpoint computers, and POS devices. Directory services deserve careful investigation and integration, because they give each incident its user and group context and make incident response far more effective. SIEM and managed SOCs are also critical integrations, for operational reporting.
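To make the archive-coverage and SIEM-integration points concrete, here is an added example of a small data-at-rest discovery sweep; it is not code from the original post or from Infolock. It assumes the archive share is mounted at a local path, that the files are text, that the SIEM ingests newline-delimited JSON, and that the event name `dlp.discovery.pan` is whatever your SIEM rule expects. The sweep looks for Luhn-valid card numbers, reports only masked samples, and tags each finding with the file's owner and age so an analyst can see at a glance that a hit came from a decade-old export rather than from live data. The sample archive it builds is constructed for the demonstration.

```python
import json
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Candidate primary account number (PAN): 13-19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return masked, Luhn-valid PAN matches; raw digits are never returned."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_archive(root: str, now: Optional[float] = None) -> List[Dict]:
    """Walk the archive and emit one finding per file that holds Luhn-valid PANs."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it and keep scanning
        hits = find_pans(text)
        if not hits:
            continue
        st = path.stat()
        findings.append({
            "event": "dlp.discovery.pan",  # assumed event name for the SIEM rule
            "path": str(path.relative_to(root)),
            "owner_uid": st.st_uid,
            "age_years": round((now - st.st_mtime) / (365.25 * 86400), 1),
            "match_count": len(hits),
            "samples": hits[:3],
        })
    return findings


def to_ndjson(findings: List[Dict]) -> str:
    """Newline-delimited JSON, one event per line, for SIEM ingestion."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


def build_sample_archive() -> str:
    """Constructed sample archive (not real data): one decade-old customer export
    holding two Luhn-valid test card numbers, plus one file with look-alike digits."""
    root = Path(tempfile.mkdtemp(prefix="zdrive_"))
    old = root / "2009" / "customers_export.txt"
    old.parent.mkdir()
    old.write_text("card 4111 1111 1111 1111, card 5500000000000004, tel 555-123-4567\n")
    ts = time.time() - 11 * 365.25 * 86400  # pretend it has sat untouched for 11 years
    os.utime(old, (ts, ts))
    # Order ids and a mistyped card number match the pattern but fail Luhn.
    (root / "orders.txt").write_text("order 1234 5678 9012 3456 ref 4111-1111-1111-1112\n")
    return str(root)


if __name__ == "__main__":
    print(to_ndjson(scan_archive(build_sample_archive())))
```

Run as-is and it prints a single finding for the 2009 export; point `scan_archive` at a real mount and pipe `to_ndjson` into your SIEM collector. The Luhn filter is what keeps the sweep from drowning the SOC in order numbers and timestamps, and masking the samples means the DLP report itself never becomes another copy of the sensitive data.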
Staff it with the right resources
DLP requires specific expertise, from initial design, to deployment, to tuning, to measuring total impact (i.e., quantifiable risk reduction over time). DLP can’t be managed effectively by over-tasked and under-trained team members. Many companies take an IT resource aside for a year and train them, but this is not necessarily the most cost-effective approach, even for large enterprises.
Developing a relationship with a trusted partner that lives and breathes DLP incident response and administration – and can deliver top-notch managed services – may ensure that your system delivers on its real promise.
Communicate with all stakeholders, proactively
Lack of communication is one of the biggest mistakes in DLP deployment, but also one of the easiest to fix. A DLP system deployed in secret can create a suspicious, “us vs. them” atmosphere in an organization. Employees at all levels of the company may sense that they’re being spied on, or singled out for scrutiny.
Many data losses are the result of innocent mistakes in handling sensitive data. When the entire organization is aware of the realities of data loss and data leakage, and DLP is positioned as protection for everyone involved, it can become a trusted safeguard. In parallel with a campaign to raise security awareness, we’ve seen DLP create positive, measurable change in employee behavior.
Getting Committed to the Program
With DLP, like all areas of information security, there must be a commitment to the process and program itself, and not just to a perceived destination or technology. There is no such thing as 100% secure, and there is no such thing as a 100% perfectly designed and deployed DLP system. Don’t let perfect become the enemy of the good, however.
If you’re committed to building a program, and not just ticking off another checkbox on the company to-do list, DLP is a very powerful mechanism for effective, measurable risk reduction. You will find you get out of it much more than what you put in.
Sean Steele is Co-Founder, Managing Partner, Technology & Professional Services at Infolock.