Information Security Magazine

 

Data Loss Prevention Tools Offer Insight into Where Data Lives
by Rich Mogull
Issue: Feb 2008

The DLP market started with passive network monitoring tools focused on detecting information leakage over communications channels such as email, IM, FTP and HTTP. These simple monitoring and alerting tools evolved into more comprehensive solutions, adding email integration and gateway/proxy integration for Web, FTP and IM. This integration allows organizations to block traffic before the data escapes, rather than just being alerted when it's already gone. (See "Network Monitoring Tips," below.)

Network Monitoring Tips
Performance requirements for monitoring outbound communications are lower than expected.

When shopping for network monitoring tools for data loss prevention, don't get hung up on high performance. Since outbound communications traffic is the only concern, even a company running gigabit Ethernet will likely monitor only a fraction of that traffic.

Large enterprises typically need to monitor about 300 MB/s to 500 MB/s at most, while midsized enterprises fall below the 100 MB/s range, and small enterprises as low as 5 MB/s.

Also, make sure to determine whether a product monitors all protocols or just a subset, and whether it requires hard-coded port and protocol combinations or can detect traffic on non-standard ports. The stronger tools also detect tunneled traffic, like IM over HTTP.

--RICH MOGULL


For email, DLP vendors embed an MTA (mail transport agent), which is then added as another hop in the email path to block, quarantine, encrypt or even bounce messages back to the user. Since email is a store-and-forward protocol, integration is fairly straightforward. A few tools support similar actions on internal mail by integrating with Exchange and other mail servers.

Other channels, such as Web, FTP and IM, are more difficult to block since that traffic uses synchronous protocols. By integrating with proxies, a DLP tool can perform session analysis to reconstruct and evaluate content before it's released. Few DLP tools provide their own proxies; most instead partner with major gateway/proxy vendors, or use the Internet Content Adaptation Protocol (ICAP). When integrated with a tool that proxies SSL traffic, you gain the ability to sniff encrypted traffic.

DLP for data at rest is often as valuable as network monitoring, if not more so. This is called content discovery; these tools scan enterprise repositories and file shares for sensitive content. Imagine knowing the identity of every server storing credit card information, and being alerted to unapproved ones.

Content discovery falls into three categories: network scanning, local agents and application integration. With network scanning, the DLP tool connects to file shares for analysis, which provides wide coverage but limited performance. A local agent may be available on major platforms to scan directly on the server rather than across the network, which is more effective for large repositories but requires more management. Some tools integrate directly with document management systems and other repositories to leverage native features.
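
As an added illustration (not part of the original article and not any vendor's code), here is a minimal sketch of the scan a local agent or a network scanner pointed at a mounted share performs: find Luhn-valid card numbers and flag files that sit outside approved locations. The function names, the `approved` set and the sample files are constructed for this example.

```python
import os, pathlib, re, tempfile
# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_pans(text):
    cands = (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
    return sum(1 for digits in cands if luhn_ok(digits))

def discover(root, approved):
    """Report files under root that hold card numbers; flag unapproved top-level dirs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = count_pans(fh.read())
            except OSError:
                continue  # unreadable: a production scanner would log the coverage gap
            if hits:
                rel = os.path.relpath(path, root)
                findings.append({"file": rel, "hits": hits,
                                 "approved": rel.split(os.sep)[0] in approved})
    return sorted(findings, key=lambda f: f["file"])

def demo():
    """Constructed sample tree using well-known test card numbers, not real data."""
    samples = {
        "billing/orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5555-5555-5555-4444\n",
        "marketing/export.txt": "refund to 4111111111111111 per ticket\n",
        "marketing/stats.txt": "order ref 1234567890123456\n",  # fails Luhn, ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            p = pathlib.Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return discover(root, approved={"billing"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The Luhn check is what keeps order references and other 16-digit identifiers from flooding the report; entries with `approved` set to `False` are the unapproved stores the article describes being alerted to.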
