This article can also be found in the Premium Editorial Download "Information Security magazine: Does security make the grade in Windows Server 2008?."
Enforcing this kind of policy requires integration with enterprise directories and Dynamic Host Configuration Protocol (DHCP) servers to identify the user's location (system and IP address)--a critical feature to look for in the evaluation process. Role-based administration and hierarchical management reduce management overhead and are particularly important in large deployments.
DLP policy violations are extremely sensitive and usually require a dedicated workflow. Unlike virus infections or IDS alerts, these incidents lead to employee dismissal or legal actions. The heart of the DLP management system is the incident handling queue, where incident handlers see open violations assigned to them, take actions, and manage workflow for investigations. A good workflow interface eases identification of critical incidents and reduces incident handling time, management overhead and total cost of ownership.
Last year, a DLP customer chose its product ultimately on workflow. After narrowing the field to two vendors it considered equal in terms of technical features, the company selected the product with the workflow and interface its non-technical users (legal, HR and compliance) preferred.
Beyond policy management and incident handling, look for a tool that integrates well with existing infrastructure and includes robust management tools like incident archiving, backup, and performance monitoring. Since senior management and auditors might be interested in DLP activities, robust reports are needed for this non-technical audience and compliance support.
Organizations report that DLP deployments tend to go more smoothly than other security installations at a technical level, but it may take up to six months to tune policies and adjust workflow, depending on the complexity. Many find they need only part-time resources to manage incidents, but this varies based on the intricacy and granularity of policies. A 5,000-person organization, on average, needs only a half-time incident handler and administrator to manage incidents and keep the system running.
This was first published in February 2008