Data loss prevention systems are not a one-size-fits-all technology; different organizations have different needs...
-- and there are different products and services available to fulfill those needs.
Below are eight questions your enterprise should ask itself to ensure that it purchases the data loss prevention (DLP) product that best fulfills its business needs.
Do you need full-suite DLP or DLP-lite?
Not every organization needs a full-suite DLP tool; in some cases, it makes more sense to use DLP-lite features that integrate into existing products. Worried about email but don't want to perform generic network monitoring? Many email security gateways already include basic DLP. Want to find credit card numbers on employee laptops? It isn't unusual to see basic scanning as an option in your endpoint protection platform. Want to keep an eye on employees sending data over webmail? Either a Web gateway or next-generation firewall might fit the bill. But the moment you want more complex content analysis -- or you want to manage data across more than one location -- it's time to step up to a full-suite tool.
Do you know your users?
One of the biggest problems in data loss prevention deployments is messy directory servers. If you don't have a good way to tie users to their activity on the network, systems or file servers, it is very hard to build refined DLP policies -- or even handle basic incidents.
How will you monitor Web traffic?
Basic passive network monitoring is extremely limited in today's environments, especially where most of the traffic on your network is stuffed into SSL/TLS encrypted HTTP connections. Aside from connecting to SPAN ports for broad analysis, can you proxy and monitor Web traffic? This should be a key factor in your buying decision, and may involve purchasing or integrating with a Web gateway or other SSL proxy. You are wasting your time if you ignore this traffic.
Where will you start?
Typically a DLP project has a starting point -- network monitoring, email, content discovery or endpoint. Even if you plan on buying a full-suite product and growing your deployment over time, you will need to start somewhere, and this will skew your feature prioritization. For example, if your primary goal is finding credit card numbers to reduce your PCI audit scope, then prioritize your selection there. This doesn't mean you ignore everything else in your selection, but if your first project fails, you won't get to move onto the rest anyway.
What kind of content?
While every vendor claims it supports the same content analysis capabilities, in practice there are a lot of differences, especially once you move past basic pattern matching. Are credit cards your focus? Intellectual property? Healthcare data? You should put together a prioritized list before you start looking at the products, then dig into the content analysis techniques they use. Ideally, you should ask for references who are working with the same data (or check with your peers), because it's only in production that these differences really show up. And you can ignore all the wonderful marketing materials touting a vendor's university-developed proprietary techniques; experience shows that no matter how good it looks on paper, it is how it works in the real world that matters -- and the two don't always match.
What is the pricing model?
Some DLP tools charge a flat rate per server/appliance or per user (or a combination of both), but others charge based on features. For example, there might be separate per-user fees for network monitoring, email integration, network filtering, storage monitoring and so on. This pricing structure might work if you only want specific features, but if you plan to grow your deployment over time, you need to understand whether the licensing model meets your budget requirements.
What resources are required?
One of the toughest things to do is predict how much effort managing your DLP tool will take over time. For basic policies, there might be very little human effort involved since all you need to do is manage incidents and occasionally add or tune policies. But most of the time, there is more up-front effort to get things up and running and policies tuned. Also, content discovery in particular can take a lot of time since you need to identify repositories to scan, scan them, identify file owners and work through all the business issues of how to handle files violating policies. Make sure you have the people available to support your project, and keep this in mind as you evaluate the tools and their capabilities.
Do you need full deployment or risk assessment?
If you don't know exactly where to start, you might look more towards tools with a wide range of prebuilt policies and collection capabilities. Then you install it, turn everything on and see where you identify the most problems. Now, don't expect to actually manage all these incidents -- hitting the checkboxes and not tuning policies will return all sorts of inaccurate results -- but it will give you a really good idea of where to focus your efforts to reduce risks. Then, uncheck the boxes and start building out policies to address the most glaring issues first.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.
Check out additional considerations to keep in mind when buying and implementing data loss prevention products.