by Stephen Marchewitz, SecureState - Data Loss (or Leakage) Protection (DLP) has been a hot topic for a while now, and while DLP as a concept has a lot of merit, most organizations are not ready to implement it.
The concept of Data Loss is fairly simple; it is the movement of Intellectual Property or Personally Identifiable Information (PII) from its intended place of storage or path of transmission. As a general rule, a known place of storage will have better security controls than one that is unknown. It makes sense if you think about it; a repository designed to hold sensitive information will (hopefully) have multiple security controls.
There are many reasons that data loss can occur, some being intentional or malicious, and others being due to human error or simply misconfigured systems. Obviously, there are many consequences to data loss, from a damaged reputation for the organization to legal and contractual liability. DLP systems are designed to "detect and prevent the unauthorized use and transmission of confidential information."
Some software vendors will lead you to believe you are ready. While some of the software out there is tremendous, the sales process for DLP typically follows a tried and true script. Before getting funding for a six-figure-plus solution, organizations will need to build a business case, and vendors are more than happy to provide one, generally with a proof of concept. They will install a trial version of their solution on the organization's network, and tag simplistic, known data strings (such as social security numbers, credit card numbers, PHI, etc.), and track where the data goes. The big finish comes when they bring the reports from the software and announce that you have PII leaving the organization. This announcement will be peppered with comments about the sizes of possible fines, as well as a few sensational news stories about the horror stories of organizations that have lost data. The close comes when they explain how their software can prevent the data loss.
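To make concrete what a proof of concept of this kind is actually doing, here is an added illustration that is not from the article or any vendor's product: a pattern-based scan for SSN-shaped and card-number-shaped strings over constructed sample records, with a plausibility check layered on top so that the share of noise in what simplistic tagging raises is visible.

```python
import re

# Constructed sample "outbound" records (not taken from the article).
SAMPLE_RECORDS = [
    "ticket 4821: customer SSN 123-45-6789 attached to refund request",
    "invoice total 4111 1111 1111 1111 charged on file",   # passes Luhn
    "order ref 1234-5678-9012-3456 shipped Monday",        # 16 digits, fails Luhn
    "build passed on runner 987-65-4321 at 09:12",         # SSN-shaped, area 9xx never issued
    "quarterly report attached, no account data",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values the SSA never issues."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def scan(records):
    """Return (kind, matched_text, plausible) for every pattern hit.

    A naive DLP tag is every row; a validated tag is only rows with plausible=True.
    """
    findings = []
    for rec in records:
        for m in SSN_RE.finditer(rec):
            findings.append(("ssn", m.group(0), ssn_plausible(*m.groups())))
        for m in CARD_RE.finditer(rec):
            digits = re.sub(r"\D", "", m.group(0))
            findings.append(("card", m.group(0), luhn_ok(digits)))
    return findings


if __name__ == "__main__":
    for kind, text, plausible in scan(SAMPLE_RECORDS):
        print(f"{kind:4} {text:22} {'plausible' if plausible else 'noise'}")
```

Two of the four hits survive the plausibility checks; the other two are exactly the kind of match a trial report counts as "PII leaving the organization".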
What they won't tell you, however, is that it always comes back to the age-old "people, process and technology." Because different types of data face different threats and therefore need different controls, there is no single software solution that can provide true "DLP." While the software may be helpful or automate some parts of the program, preventing unacceptable data loss requires a true enterprise information security program.
Therefore, before deciding on any DLP solution, consider (and answer) the following questions:
1. Do you know your risks? Have you performed a Risk Assessment? This is the foundation of almost any program, and the benefits of a risk assessment are well chronicled. As it relates to DLP, questions to consider include "What types of data are in our network? What is that data's value? What are the general threats and specific vulnerabilities relating to that data? What type of loss are we not willing to accept (as everything has a cost)?"
2. Do you know the Regulatory & Privacy Gaps for the organization? What are the regulations pushing us to do? Where are we deficient? What controls must we implement regardless of risk?
3. Do you know where the data is? Have you performed Data Discovery? Before you go after the unknowable places data is stored, do you even have a handle on the knowable? Where is all of this data currently?
4. What is the scope of the initiative? Successful projects have a very clearly defined scope that is far more specific than just "sensitive" or "valuable" data. Would it make sense to start small, and build from there?
5. Do you have a Data Loss Response Plan (as part of the Incident Response Plan)? The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. Do you know what constitutes a data loss incident? This is closely aligned with question 2, as regulations and contracts often dictate elements of the response.
6. Are your Policies, Standards, and Procedures useful and appropriate for DLP? These are closely coupled with the Incident Response Plan and should spell out the step-by-step process to follow when an incident occurs.
7. Have you classified your data? Have you even begun to think about it? Even starting simply with structured data will get the ball rolling.
8. Have you budgeted for a DLP software implementation and its ongoing maintenance costs? Have you considered all the expenses? Software alone runs to six figures for a medium-sized organization.
9. Are you prepared to manage a DLP Program? Consider management of the CAPD as well as Training and Awareness.
Once these questions have been considered, it is essential to remember that DLP software is not a silver bullet. No matter what you are told, simply writing a check to a software vendor and installing some code will not prevent all data loss. Depending on the intricacies of the organization, the money that DLP solutions require may well be better spent on other security initiatives.