January 24, 2011, 8:18 AM — by Stephen Marchewitz, SecureState - Data Loss (or Leakage) Protection (DLP) has been a hot topic for a while now, and while as a concept DLP has a lot of merit, most organizations are not ready to implement it.
The concept of Data Loss is fairly simple; it is the movement of Intellectual Property or Personally Identifiable Information (PII) from its intended place of storage or path of transmission. As a general rule, a known place of storage will have better security controls than one that is unknown. It makes sense if you think about it; a repository designed to hold sensitive information will (hopefully) have multiple security controls.
There are many reasons that data loss can occur, some being intentional or malicious, and others being due to human error or simply misconfigured systems. Obviously, there are many consequences to data loss, from a damaged reputation for the organization to legal and contractual liability. DLP systems are designed to "detect and prevent the unauthorized use and transmission of confidential information."
Some software vendors will lead you to believe you are ready. While some of the software out there is tremendous, the sales process for DLP typically follows a tried and true script. Before getting funding for a six-figure-plus solution, organizations will need to build a business case, and vendors are more than happy to provide one, generally with a proof of concept. They will install a trial version of their solution on the organization's network, and tag simplistic, known data strings (such as social security numbers, credit card numbers, PHI, etc.), and track where the data goes. The big finish comes when they bring the reports from the software and announce that you have PII leaving the organization. This announcement will be peppered with comments about the sizes of possible fines, as well as a few sensational news stories about the horror stories of organizations that have lost data. The close comes when they explain how their software can prevent the data loss.
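The proof-of-concept described above rests on content inspection for "simplistic, known data strings." The following is an added example, not code from the article or from any vendor's product, showing what that inspection amounts to: a regular expression for US Social Security numbers, a 16-digit pattern with a Luhn checksum for payment card numbers, and nothing at all for unstructured intellectual property. The sample messages are constructed, and the patterns are deliberately simplified (no issuer prefixes, no other PII types) so that the limits of string matching are easy to see.

```python
import re

# Constructed sample messages: what a trial DLP agent might see in outbound mail.
SAMPLE_MESSAGES = [
    "Please update the HR record for SSN 123-45-6789 before Friday.",
    "Card on file: 4111 1111 1111 1111, exp 12/27.",
    "Order #1234 5678 9012 3456 shipped today.",                    # 16 digits, fails Luhn
    "Attached: Q3 product roadmap and pricing model (CONFIDENTIAL).",  # IP, no known string
]

# US SSN: AAA-GG-SSSS, excluding the area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16 digits with optional single spaces or dashes between them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list[str]:
    """Return the PII categories a simple string-matching DLP rule set finds in text."""
    findings = []
    if SSN_RE.search(text):
        findings.append("SSN")
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):     # checksum filters out order numbers and similar noise
            findings.append("PAN")
            break
    return findings


def scan(messages: list[str]) -> dict[str, list[str]]:
    """Map each message to the categories detected in it."""
    return {msg: classify(msg) for msg in messages}


if __name__ == "__main__":
    for msg, hits in scan(SAMPLE_MESSAGES).items():
        print(f"{hits or ['-']!s:12} {msg}")
```

Running this flags the first two messages, ignores the order number because it fails the checksum, and says nothing about the roadmap: structured PII with a known format is exactly what a trial deployment will find, while the intellectual property the organization may care about most produces no report at all. That gap is why the vendor's numbers describe the data the tool can see rather than the data the organization can lose.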
What they won't tell you, however, is that it always comes back to the age-old "people, process and technology." Because different types of data face different threats and therefore need different controls, there is no single software solution that can provide true "DLP." While the software may be helpful or automate some parts of the program, preventing unacceptable data loss requires a true enterprise information security program.
Therefore, before deciding on any DLP solution, consider (and answer) the following questions: