This article can also be found in the Premium Editorial Download "Information Security magazine: Does security make the grade in Windows Server 2008?."
The last major component of DLP solutions is the endpoint agent, which monitors how data is used on the user's desktop. A "complete" agent would, in theory, monitor network, file and user activity (such as cut and paste), but few real-world tools provide that full coverage. Most products start with file monitoring, both for content discovery on the endpoint and to detect (and block) transfers of sensitive data to portable storage. Rather than blocking USB thumb drives outright, an organization can use these tools to restrict file transfers based on their content.
Endpoint DLP tools are starting to add more advanced protection: limiting cut and paste, detecting sensitive content being handed to unapproved applications such as certain encryption tools (which would otherwise place the content beyond the agent's inspection), and automatically encrypting files based on their content. Over time they will increase the type and number of policies they can enforce and integrate more deeply with common endpoint applications.
MANAGEMENT & WORKFLOW
and provide user interfaces for technical and non-technical incident handlers. Many organizations find that compliance, legal and HR departments play just as large a role in policy enforcement as IT security.
Central policy management lets an administrator define the content to protect, such as a customer identification number, and then apply different enforcement actions depending on where a violation is triggered. You define the content once and build rules on top of it based on context. These policies are distributed throughout the DLP infrastructure: network, storage and endpoints. Policies can apply differently to different users, carry different sensitivity ratings, set violation count thresholds, and be assigned to specific business units or incident handlers.
For example, a policy could be set that says: "The customer relations team is allowed to email a single account number to a recipient, but block account numbers in any other channels or by any user. Only customer team members can store account numbers on their laptops, but only if encrypted. Account numbers cannot be transferred to portable storage, and are only allowed on these servers."
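The policy quoted above, modelled as a small rule engine. This is an added example, not code from the article or from any DLP product: it shows the content-once, context-many structure described in this section, and the same rules cover the endpoint cases (portable storage, laptop encryption) from the endpoint-agent section earlier. The account number format (`ACCT-` plus eight digits), the group name `customer_relations`, the approved server names and the incident-handler queue names are all assumptions made for the example; the sample events at the bottom are constructed.

```python
"""Toy DLP policy engine: one content definition, many context-specific rules."""
import re
from dataclasses import dataclass
from typing import Optional

# Content definition, written once. The pattern is an assumption for this example:
# a customer account number is "ACCT-" followed by eight digits.
CONTENT = {"account_number": re.compile(r"\bACCT-\d{8}\b")}

# Assumed names for the example.
CUSTOMER_TEAM = "customer_relations"
APPROVED_SERVERS = {"crm-db01", "crm-db02"}


@dataclass
class Event:
    """One observed data movement, as a network or endpoint sensor might report it."""
    user: str
    group: str          # business unit of the user
    channel: str        # "email", "web", "usb", "laptop", "server"
    destination: str    # recipient address, URL, device id or hostname
    content: str
    encrypted: bool = False


@dataclass
class Verdict:
    action: str                 # "allow" or "block"
    reason: str                 # the rule that decided
    count: int                  # number of protected items found
    handler: Optional[str]      # incident queue for blocks, None for allows


def find_content(text: str, name: str = "account_number") -> list:
    """Apply the content definition; the context rules never touch the regex."""
    return CONTENT[name].findall(text)


# Context rules for "account_number", evaluated in order; first match wins.
# Each rule: (description, predicate(event, count) -> bool, action, handler).
RULES = [
    ("customer team may email a single account number",
     lambda e, n: e.channel == "email" and e.group == CUSTOMER_TEAM and n == 1,
     "allow", None),
    ("customer team may store account numbers on encrypted laptops",
     lambda e, n: e.channel == "laptop" and e.group == CUSTOMER_TEAM and e.encrypted,
     "allow", None),
    ("account numbers may reside on approved servers",
     lambda e, n: e.channel == "server" and e.destination in APPROVED_SERVERS,
     "allow", None),
    ("account numbers may not be copied to portable storage",
     lambda e, n: e.channel == "usb",
     "block", "endpoint-security"),      # assumed queue name
    ("default: block account numbers in any other channel or by any other user",
     lambda e, n: True,
     "block", "security-ops"),           # assumed queue name
]


def evaluate(event: Event) -> Verdict:
    """Content check first, then the context rules. Events with no protected content pass."""
    count = len(find_content(event.content))
    if count == 0:
        return Verdict("allow", "no protected content", 0, None)
    for description, predicate, action, handler in RULES:
        if predicate(event, count):
            return Verdict(action, description, count, handler)
    raise AssertionError("unreachable: the default rule always matches")


if __name__ == "__main__":
    # Constructed sample events, one per branch of the quoted policy.
    samples = [
        Event("alice", CUSTOMER_TEAM, "email", "client@example.com", "Your account ACCT-12345678 is active."),
        Event("alice", CUSTOMER_TEAM, "email", "client@example.com", "ACCT-12345678 and ACCT-87654321"),
        Event("bob", "engineering", "email", "friend@example.net", "ACCT-12345678"),
        Event("alice", CUSTOMER_TEAM, "usb", "usb-serial-0001", "ACCT-12345678"),
        Event("alice", CUSTOMER_TEAM, "laptop", "laptop-alice", "ACCT-12345678", encrypted=True),
        Event("alice", CUSTOMER_TEAM, "laptop", "laptop-alice", "ACCT-12345678"),
        Event("svc-etl", "it", "server", "crm-db01", "ACCT-12345678"),
        Event("svc-etl", "it", "server", "fileshare-07", "ACCT-12345678"),
    ]
    for ev in samples:
        v = evaluate(ev)
        print(f"{v.action:5} {ev.user}@{ev.channel}->{ev.destination}: {v.reason} [{v.count} match(es)]")
```

The point of the split is that changing what an account number looks like touches `CONTENT` only, while adding a channel, a business unit or a count threshold touches `RULES` only, which is how the products described here let compliance or legal staff own policy without editing detection logic. Ordering matters: the allow rules for specific contexts sit above the blanket blocks, so a rule added at the wrong position silently widens or narrows enforcement.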
This was first published in February 2008