Softer data-leak prevention
Data-leak prevention is growing at 10% a year, a bit slower than anticipated but still pretty fast compared to other security technologies. In this year's research we see DLP use or active evaluation among 36% of research participants. The primary driver is compliance, as with most security funding. In looking at DLP deployment over time we noticed something very interesting: quite a few companies that deployed DLP last year pulled back on their deployments because of a backlash from users and management.
The common characteristic of companies that did not succeed in their DLP implementations was that they saw DLP as an enforcement tool and not an awareness tool. When DLP is implemented as an enforcement tool, the controls are strict and run the risk of disrupting business. Here's why:
Most leaks are not leaks by determined adversaries. Those are pretty much impossible to stop anyway -- there are too many ways to leak information if one is determined. As I discussed in a previous article, if Iran can't stop leaks with the threat of massive violence, what makes you think you can do it? Accidental leaks can be stopped, but to do so we must understand why they occur and accept that some of the responsibility lies with IT itself.
The vast majority of leaks, at least according to what we see in the media and hear from our research, occur accidentally. Dig a little deeper and you find that they are not simply the result of negligence or irresponsible users. In many cases, leaks occur when duly authorized users of the data, in the process of fulfilling a legitimate business process, choose an insecure means to store or transmit the data. They're trying to do their job the best way they know with the tools they have. An accounting manager needs to send the latest quarterly numbers to an external accounting or audit firm. He doesn't have encrypted e-mail, SFTP or PGP. So he sends it by plain e-mail. Crude DLP only makes this problem worse: you stop the e-mail, they try Gmail; you stop Gmail, they try IM or Facebook or whatever else they know. Whose fault is it if they don't have encrypted e-mail or SFTP or some better way of doing this? Not the user's fault -- IT is to blame.
If you look at DLP as an awareness tool, then you can actually fix these broken processes. Each of these mistakes contains several opportunities for improvement. You can train the user about why certain methods are dangerous. You can tell them about better methods that are available. Most importantly, IT becomes aware of dangerous practices for which they have not provided better alternatives. IT professionals: you think you know how the business runs? Put a DLP in "soft" reporting mode for a few months and you will find out that you don't know.
Soft DLP is DLP focused on training and awareness for all sides (IT and users). It allows exceptions ("if you're sure, click continue to do it anyway") and logs every match and every override so that improvements can be made. It's incremental, non-judgmental and business friendly. Eventually, you can tighten controls. You might discover that with soft DLP, better alternatives and training you don't need as much enforcement. It turns out DLP is not a tool for controlling users, but a tool for teaching IT about the business. That's what makes it so valuable.
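As an added illustration (not code from this column or from any DLP product), here is a toy policy engine in Python that shows the three postures the column contrasts: "monitor" (log everything, block nothing), "soft" (warn, offer a better channel, allow a logged override) and "enforce" (block). The detector patterns, the `example.com` internal domain, the remediation hints and the sample messages are all constructed for the example; a real deployment has far more detectors and tunes them, but the decision logic and the audit trail are the point.

```python
"""Soft-DLP decision engine: an added, illustrative example, not a real product."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed detectors for two common data classes (a real DLP has many more).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical remediation hints: the "better method" the tool should teach.
SAFE_ALTERNATIVES = {
    "email": "use the encrypted-mail gateway or the SFTP drop for external recipients",
    "webmail": "personal webmail is unmanaged; use corporate encrypted mail or SFTP",
    "im": "chat is not for regulated data; use the SFTP drop",
}
INTERNAL_DOMAIN = "@example.com"  # assumed internal domain for the example


def luhn_ok(digits: str) -> bool:
    """Luhn check; cuts false positives on order numbers and other 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return data-class labels found in text, one per hit."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append("payment_card")
    found.extend("us_ssn" for _ in SSN_RE.finditer(text))
    return found


@dataclass
class Decision:
    action: str            # "allow" | "warn" | "block"
    findings: list[str]
    hint: str = ""         # the better channel offered to the user, if any


@dataclass
class SoftDlp:
    mode: str = "soft"     # "monitor" | "soft" | "enforce"
    audit: list[dict] = field(default_factory=list)

    def evaluate(self, sender: str, channel: str, recipient: str, text: str,
                 override_reason: str | None = None) -> Decision:
        """Decide on one outbound message; every sensitive external send is logged."""
        findings = find_sensitive(text)
        external = not recipient.endswith(INTERNAL_DOMAIN)
        if not findings or not external:
            return Decision("allow", findings)
        hint = SAFE_ALTERNATIVES.get(channel, "ask IT for an approved channel")
        if self.mode == "enforce":
            action = "block"
        elif self.mode == "monitor":
            action = "allow"
        elif override_reason:          # soft mode: the user clicked "continue anyway"
            action = "allow"
        else:                          # soft mode: first attempt gets the warning dialog
            action = "warn"
        self.audit.append({
            "mode": self.mode, "sender": sender, "channel": channel,
            "recipient_domain": recipient.split("@")[-1],
            "findings": Counter(findings), "action": action,
            "override_reason": override_reason,
        })
        return Decision(action, findings, hint)

    def what_it_learns(self) -> list[tuple[str, int]]:
        """Channels most used to move sensitive data out: where IT owes a better alternative."""
        return Counter(e["channel"] for e in self.audit).most_common()


if __name__ == "__main__":
    # Constructed scenario: the accounting manager and the external audit firm.
    msg = "Q3 card settlements: 4111 1111 1111 1111 (test number), contact SSN 123-45-6789"
    dlp = SoftDlp(mode="soft")
    print(dlp.evaluate("acct-mgr@example.com", "email", "auditor@audit-firm.example", msg))
    print(dlp.evaluate("acct-mgr@example.com", "email", "auditor@audit-firm.example", msg,
                       override_reason="quarterly audit, no SFTP drop provisioned"))
    print(dlp.evaluate("acct-mgr@example.com", "webmail", "acct-mgr@gmail.example", msg))
    print("order 1234567890123456 ->", find_sensitive("order 1234567890123456"))  # fails Luhn
    print("IT learns:", dlp.what_it_learns())
```

The override reason is stored alongside the match, so the log answers the question the column says IT cannot answer from its desk: which business processes are pushing regulated data through which channels, and why the sanctioned path was not used.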
Read more about wide area network in Network World's Wide Area Network section.