Once an organization understands which business problem it is tackling -- as well as how the product capabilities within this spectrum vary -- it's usually straightforward to determine which option will actually help fix the problem. This is especially true when it comes to data loss prevention (DLP). But which version of DLP is best for your business? If you work in an industry with a wide range of regulated data, such as financial services, you need a full-suite DLP tool. A small business that's worried about credit card numbers on laptops should be fine with DLP lite.
The business benefits of DLP fall into four broad categories:
- Knowing where your data is
- Understanding where the data goes
- Knowing how the data is used
- Educating your employees and blocking unwanted activities
In this set of tips, I will discuss these four main benefits.
Know where your data is
Knowing where your data is within an organization is one of the more difficult challenges any security professional faces. Despite any formal policies or documentation, data has a habit of appearing in the most unlikely of locations. If something has value, employees are using it. And if they are using it, it will end up pretty much anywhere and everywhere. The simple act of creating a spreadsheet, saving it to a server and emailing it to a few colleagues instantly spreads that content across dozens of servers and locations. This becomes an intractable problem when audit time comes around and you have to assure an external assessor that regulated data is only stored where it's supposed to be, protected by the right set of security controls.
DLP benefits organizations in this situation. It can help find data by scanning known data repositories (such as file shares), monitoring the network to see who is sending and receiving it (generally just to the outside world due to performance limitations, although tracking internal email is also sometimes an option), and scanning employee laptops and desktops to see who has a copy on their hard drive.
However, DLP isn't a panacea: You need to know where to point it, define rules for what you are looking for (a regulated data type such as a card number, a document fingerprint or a keyword set) and have the access rights to actually scan those locations. But these tend to be mechanical problems solved with a little planning and elbow grease, not insurmountable technical obstacles.
We call the process of knowing where your data is "content discovery," and it can be incredibly useful for compliance. Now, you can not only show auditors where regulated data is but you can document and prove where it isn't. This reduces audit scope and has the potential to reduce audit costs, which will more than pay for the tool.
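The paragraphs above describe content discovery in terms of its inputs: a place to point the scanner, a rule for the data you care about and the access to read it. The following is an added example, not code from the article or from any DLP product, that shows what such a rule looks like in practice for one common data class, card numbers. It assumes a local directory stands in for a file share, and all sample files and card numbers in it are constructed (the numbers are the standard test numbers, not real cardholder data). The same detector is what a network or endpoint component would apply to an outbound message or a file copied to a USB drive; only the data source changes.

```python
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Candidate primary account number (PAN): 13 to 19 digits, optionally
# separated by single spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalized (separator-free) PANs in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report is not itself a new copy of the data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    path: str
    count: int
    sample: str  # masked example of what was found


@dataclass
class Report:
    files_scanned: int
    findings: list[Finding]


def scan_repository(root: str, max_bytes: int = 1_000_000) -> Report:
    """Walk a repository (here a local directory) and inventory the files that contain PANs."""
    findings = []
    scanned = 0
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)
            except OSError:
                continue          # unreadable file: in real use, report access failures separately
            scanned += 1
            pans = find_pans(data.decode("utf-8", errors="ignore"))
            if pans:
                findings.append(Finding(path, len(pans), mask(pans[0])))
    return Report(scanned, sorted(findings, key=lambda f: f.path))


def build_sample_repo() -> str:
    """Constructed sample share (assumption for this example); card numbers are test numbers."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    samples = {
        "finance/refunds.csv": "customer,card\nA. Lee,4111 1111 1111 1111\nB. Roy,5500-0000-0000-0004\n",
        "hr/phone-list.txt": "Desk 4111111111111112\nOrder id 1234567890123456\n",   # both fail Luhn
        "eng/notes.md": "Nothing sensitive here. Build 20240101.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    report = scan_repository(build_sample_repo())
    print(f"scanned {report.files_scanned} files")
    for fnd in report.findings:
        print(f"{fnd.path}: {fnd.count} PAN(s), e.g. {fnd.sample}")
```

Two design points matter for the audit use described above. First, the Luhn check is what turns a pattern match into a usable rule: the HR file contains two 16-digit runs that a bare regex would flag, and both are rejected, which is the difference between a finding list an assessor will trust and one full of noise. Second, the report records every file scanned, not just the hits, because proving where regulated data isn't requires showing which locations were actually covered, and it masks what it found so the inventory does not become another place the data lives.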
Know where your data goes
Information moves constantly, both inside and outside your organization, and DLP benefits organizations by helping them keep track of where data is going. It does this in three ways: by monitoring the network, watching employee hard drives and tracking sensitive data moving to portable storage. For many organizations, this is their first foray into DLP, typically starting with email -- even though email is rarely your main source of risk; most harm from data loss is associated with breaches, not email leaks.
Network monitoring with DLP is almost always limited to communications leaving your organization, since monitoring internal networks is prohibitive in both performance and cost. This still helps with a wide range of business problems: you can find out when people send sensitive information to customers or competitors, see when employees move protected data to consumer services (such as webmail or personal cloud storage), or catch things like unintentional data leaks to social media services. DLP is minimally invasive since it only looks for what you define in your content-awareness policies and ignores personal communications or other activities that don't involve abuse or misuse of the data you care about.
Network DLP may also catch bad guys stealing data, although this involves a little extra effort since the tools can't scan inside encrypted files and miss some other exfiltration techniques. DLP will need to be combined with additional network security tools -- such as egress filtering that blocks unapproved outbound connections, or next-generation firewalls that inspect application activity inside SSL/TLS traffic (which requires decrypting that traffic on the way out) -- to find some of these more advanced extraction activities.
Endpoint DLP can track which employee systems have sensitive information on them by scanning the local hard drive. This is especially useful for compliance because you can detect when regulated information moves onto an employee system -- authorized or not -- and take corrective actions. It also tracks when files are moved to portable storage, allowing you to limit data loss through USB drives and other devices without completely shutting them off.
Know how your data is used
The combination of network, storage and endpoint monitoring paints a picture of how sensitive data -- or any designated data -- is used within an organization; however, the DLP benefits of these features can vary greatly. Depending on the tool you pick, you might be able to track when users cut and paste sensitive information between applications, or when they print or fax copies. Some data loss prevention tools today are starting to integrate with file activity monitoring tools to track when users access files from storage repositories. From a business standpoint, this helps you understand where sensitive data is used within your organization and which workflows it is integrated with. For example, you can track how often data is communicated to outside customers or organizations, or which business units rely on the data.
While this function requires more manual analysis than simple security scenarios, it can be extremely valuable because you can use it to adjust business processes to better meet your security objectives instead of blindly blocking certain uses of data and hoping you don't break anything.
Educate employees and block unwanted activity
You'll notice we saved the proactive security benefits for the end.
One of the most powerful benefits of a data loss prevention product is that it helps you educate your own employees on better handling of sensitive information. Instead of silently blocking actions, when someone violates a policy you can notify them directly, automatically and immediately. Most data leaks are the result of accidents or lack of understanding rather than malicious behavior, and DLP catches these problems right when they happen. Among the hundreds of organizations using DLP that I have talked with, all report a drop in unwanted activity once they start notifying employees of their mistakes or bad choices.
All DLP tools can block policy violations. You can prevent employees from sending customer lists to webmail, saving credit card numbers to portable storage or uploading intellectual property to their personal cloud storage. You can even automatically encrypt customer emails containing regulated healthcare data, or quarantine source code found on personal hard drives.
DLP is a broad technology that provides a wide range of potential business benefits, from supporting compliance to better protecting your intellectual property. The key is to understand your specific objectives before you start looking at the technology because there's such a wide range of options available between the various tools.
About the author:
Rich Mogull has nearly 20 years of experience in information security, physical security and risk management. Prior to founding independent information security consulting firm Securosis, he spent seven years at Gartner Inc., most recently as a vice president, where he advised thousands of clients, authored dozens of reports and was consistently rated as one of Gartner's top international speakers. He is one of the world's premier authorities on data security technologies, including DLP, and has covered issues ranging from vulnerabilities and threats to risk management frameworks and major application security.