Data loss prevention was once a nicety that only larger enterprises or organizations with sizable information security budgets could justify or manage. Now that we're seeing how data breaches are playing out in organizations of all sizes, it's clear that DLP systems -- both on-premises and for the cloud -- are more of a necessity if the end goal is to keep information assets in check and stay out of legal hot water.
DLP installation is not enough
As with any IT or security control, just because DLP is in use doesn't mean it's working well. Many DLP implementations are arguably for show and provide minimal value to the stakeholders. The false sense of security such security controls create can do more harm than good. So, what should you be looking for in terms of DLP weaknesses? Each situation is, of course, unique but it often boils down to a gap (or gaps) in people and process and, to a lesser extent, the actual technology. Whether you're new to the DLP-based approach to security or you simply need to tweak your existing setup, there are three key areas of DLP systems you need to pay attention to.
- Data residency
Where, exactly, is the data that you wish to protect? According to a 2015 Ponemon Institute study, only 7% of IT and security professionals can answer this question. The reality is, it's everywhere: in on-premises networks, on mobile devices and in the cloud. Has a baseline been performed to uncover the locations of this data? If so, make certain it's being protected by the security controls you have in place. Quite often there are side-channel workflows that completely bypass security, leaving sensitive data vulnerable. Is content inspected prior to delivery to the cloud? Where is it ending up once it goes out, and can you get it back? Most of the DLP discussion focuses on unstructured data risks, but structured data found in databases should not be overlooked. This requires encryption that's reasonably balanced with your access and functionality needs.
- DLP engine
Evaluate how the system performs in real-world tests. False positives are bad because they create complexity -- the exact opposite of what anyone working in security needs. False negatives (i.e., missed vulnerabilities) are even worse. Does the system do basic regular expression (regex) checks or more advanced data-identifier checks that combine regex checks with LUHN analysis? Also, how does the system scan for sensitive data? Is it done on data at rest across storage systems, on-demand when data is accessed, or both? Can it check files already stored in your cloud service providers, and can it scan publicly accessible areas of your network or that of your outside vendors? It's not easy to find a best-of-all solution, but you need to consider these issues. It's better to find these answers early on rather than realizing that your investment isn't scalable for what you truly need.
You must consider how policies are enforced for on-premises data versus cloud-based data. Consistency is key. However, you need to ensure you don't create any unnecessary work by having two unique DLP systems for policy enforcement. Perhaps a cloud access security broker (CASB) system that complements an internal DLP implementation is what you need. CASB products from vendors such as Skyhigh Networks and Netskope have the ability to monitor and control data both locally and traveling to and from the cloud, through controls such as reverse proxies, agents and application program interfaces that connect to existing DLP systems and cloud applications. This can show you the rest of the story -- what's really happening on your network. CASBs have the ability to do all of this via one system of record, which can dramatically minimize complexity.
It takes time
Keep in mind that when taking on a new system such as DLP you're going to have to set aside time to tweak and manage it long term. Perhaps you have the time to do so. Maybe you don't. In fact, I believe the latter is what causes many people to shy away from using DLP systems, but that doesn't make it right. In the end, the best approach to data protection is to get management and legal on board, explain what's at stake and how DLP can help, and then let them make the ultimate decision on what they're willing to defend.
With DLP, you no doubt get what you pay for. The good news is that with all the vendors now in the space, combined with the emerging CASB solutions, pricing will be more competitive than ever. Look at your risks, your needs and your overall environment; do DLP right the first time or fix what you know needs fixing with your existing system.
Start soon but go slow, and revisit these issues often. If you do the proper testing, baselining and gradual tightening down of your DLP rules, you'll help ensure that it ends up being a core security control you can rely on over the long haul, one that might save you from that next breach.
Learn about the role of CASBs in implementing DLP cloud controls
Read how company culture can contribute to enterprise information security
Discover five technologies that complement your enterprise's DLP system