Vendors have blurred the functional boundaries between data leakage prevention, digital rights management and even...
endpoint device control, to the extent that IT should reset expectations for DLP deployments.
The recent Burton Group report on DLP summarizes the market from a vendor offerings point of view, with heavy emphasis in vendor rankings given to companies with large market shares and marketing budgets. DLP can be a powerful weapon for security teams balancing threat protection with data protection and acceptable use policies, but only in well-defined business scenarios.
There are at least two main problems with DLP that challenge IT to scale the solutions to enterprise levels while keeping operation expenses acceptable. The technology effectively relies upon pattern-matching algorithms to detect confidential data. However, unlike AV where the vendor is responsible for maintaining the pattern definition files, the customer IT and security organizations are responsible for the administration of data patterns. The more encompassing the data protection program, the more effort IT needs to spend on defining data detection patterns.
Eric Ogren's recent security columns:
Phishing protection begins with training, antiphishing evangelist: IT organizations can take a lesson from marketers by sending three phishing education emails to users before the holiday season.
Feds push cybersecurity jobs, PCI DSS changes ahead: The federal government plans to fill cybersecurity jobs, the payment industry is studying PCI virtualization best practices and Microsoft offers free endpoint protection software.
Whitelists, SaaS modify traditional security, tackle flaws: It is time for IT professionals to transform security into a capability that is as dynamic as the attack landscape, says security expert Eric Ogren of the Ogren Group.
DLP is also very difficult to keep aligned with a dynamic business. Enterprises must share confidential data to be able to put the data to work as a corporate asset -- the data is only retained because it has value to some important business process. This places IT in the position of having to frequently tune DLP to determine -- based on sender, receiver and data classification -- the legitimacy of a business communication to avoid false positives in alert or blocking decisions when data is in motion, at rest, or in use.
Enterprise security teams should keep DLP focused on a tight set of data and business uses of that data to get the most effective use out of their DLP investments.
Enterprises can start by letting every employee know the company has DLP technology and finding all abuses of data handling policies. The most effective deterrent to intentional theft of large amounts of confidential data is the likelihood of getting caught and the knowledge that archived security logs likely contain evidence of the theft. Let every employee know that sensitive data is a strategic corporate asset and that the business is monitoring communications for abuse of acceptable use policies. Scanning email attachments will detect violations and present an opportunity to educate users on data security.
Classify data first to control the scope of a DLP implementation and to stay aligned with acceptable use policies. Many DLP implementations fail because blocking data transmission is counterproductive to the legitimate business needs of sharing data with partners, customers and investors. DLP is good for high regulated organizations with easily recognizable sensitive data and clearly defined policies for individual access; DLP implementations fail when the multitude of sensitive data types, users and dynamic business roles turns administration into an expensive nightmare. Classify and prioritize sensitive data to limit the scope of DLP to insure success.
Use DLP auditing features to discover sources and destinations of traffic. Network DLP can be useful in research showing the traffic patterns of sensitive data, which can then be used to evolve the infrastructure for efficient access processes. Security teams are usually the last to know how sensitive data is being used to support the business. DLP can give security the intelligence to recommend improvements to IT and network management.
Analyst reports are often good, objective views of a market segment, but IT still must be conscious of its organization's data security needs and operating costs constraints. Be sure to overlay specific organization requirements, tolerances for smaller vendors and cost analyses onto analyst reports to derive a short list that best aligns with the precision of a focused data protection program.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.