As important as data loss prevention (DLP) is to any data protection endeavor, that doesn't mean it's the right tool for your business. Many organizations buy and implement these technologies, yet fail to obtain any value due to poor tool selection, implementation choices or inappropriate expectations.
The most important thing to remember is that data loss prevention is a risk-reduction tool, not an infallible security control. It only looks for the data you tell it to look for, in the locations you designate, and it will completely miss plenty of malicious activity if the perpetrators take the right precautions. DLP won't alert you to that new product plan developed in the bowels of some business unit, which was never registered in the DLP tool or doesn't use "common" language you can key in on. It can't scan that file server you forgot to point it at, and no DLP product on the market today does a very good job of detecting a custom-encrypted file transmitted to the outside world over a non-standard port and protocol combination.
Then again, how often is that likely to happen? And is missing those extreme use cases worth reducing your overall data security risk by 80% or 90%? This is why it's so important to set the right expectations. DLP might not find everything in your organization, but right now the odds are you're completely blind to how your sensitive information is used, as well as where it is stored. It may miss some attacks or inappropriate activity, but the reduction in audit costs alone (due to scope reduction, thanks to content discovery) might pay off the tool, regardless of any security benefits.
One of the biggest factors to understand before jumping into DLP is knowing what data you are trying to protect. The technology is better tuned to help when you can somehow define the data in a technical sense -- and it quickly falls off when you don't know exactly what you are looking for. Although statistical analysis techniques are starting to appear in products, this type of content analysis technique is still relatively new and untested in production with many customers. DLP works well when your data has a defined pattern or is stored in a database or within identified documents (and files, like source code). It is less useful if you want to protect generic intellectual property that lacks a definitive source you can point at.
DLP tends to be more useful in organizations with regulated data (for example, credit card numbers), customers' personally identifiable information, or well-defined intellectual property. Industries such as financial services, healthcare, high-tech manufacturing, retail, pharmaceuticals and engineering are good fits. As I've mentioned, it may be particularly helpful for compliance, even though it isn't necessarily required. DLP allows you to provide technical proof to auditors or assessors; you control where the regulated data is or isn't within your organization, and you can use this to sometimes dramatically reduce audit scope.
While basic DLP policies might work OK out of the box, for anything with any degree of refinement, you will need to dedicate effort to building, tuning and managing policies to fit your environment. This takes time and effort, and you shouldn't walk into a DLP project thinking you can click a few checkboxes and not worry about it. Pre-built categories will get you started, but will likely have the highest levels of false positives and negatives.
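The pattern-based content analysis described above, and the tuning step that separates a pre-built category from a usable policy, as an added example (not from the article or any DLP product): a bare credit-card digit pattern flags any 13-19 digit run, while adding a Luhn checksum validation step drops the look-alike order number; the "Project Nightjar" roadmap line never fires because nothing registered describes it. Sample lines, the project name and the pattern are constructed for illustration.

```python
import re

# Constructed sample lines (not from the article): what a DLP content scanner
# might see in e-mail bodies or files. Two real-looking PANs (well-known test
# card numbers), one order reference that merely resembles a card number, and
# one line of undefined intellectual property that no pattern describes.
SAMPLE_LINES = [
    "Customer paid with card 4111 1111 1111 1111, exp 09/27",
    "Refund to 5500-0000-0000-0004 approved by finance",
    "Internal order ref 1234 5678 9012 3456 shipped Tuesday",
    "Q3 roadmap for Project Nightjar attached (confidential)",
]

# A pre-built "credit card" category typically starts as a bare digit run
# with optional spaces or dashes between digits.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(lines, validate=True):
    """Return (line_index, normalized_digits) for each PAN-like hit.

    validate=False mimics an untuned pattern-only policy; validate=True is the
    tuned policy that adds the checksum to cut false positives.
    """
    hits = []
    for idx, line in enumerate(lines):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and (not validate or luhn_valid(digits)):
                hits.append((idx, digits))
    return hits


if __name__ == "__main__":
    print("pattern only:", scan(SAMPLE_LINES, validate=False))
    print("with Luhn:   ", scan(SAMPLE_LINES))
```

Line 3 (the roadmap) appears in neither result: the policy can only find data it has been told how to describe.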
In a smaller organization, this might meet your goals, but midsize and larger organizations will almost certainly need to plan to dedicate some resources to build and deploy new policies, especially at the start.
Finally, is your organization ready for DLP? Do you know what you want to protect? Can you map those desires to technical rules to implement in a tool? Do you have the willpower to monitor employees and potentially block activity when they violate policies? Do you know your environment well enough to scan sufficient file storage or even gain access to the repositories? Are your directory servers clean enough that you can tie users to activities? Does management know that while DLP will dramatically reduce the risk of different kinds of data loss, it clearly can't stop everything?
Lack of preparation and the wrong expectations will quickly kill any DLP project. Even common data types are used in incredibly diverse ways within different organizations -- this is very different from network or endpoint security, where general best practices don't vary all that much between organizations.
DLP isn't an overly complex boondoggle of a technology and it will provide incredible value, but only if you are ready to not only understand how protected data is used within your business, but also build your policies and process around that.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security, and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.