I was at a customer event recently and was party to a discussion on the ‘disappointment’ or disillusionment in deploying Data Loss Prevention (DLP), with comments like ‘well, it just doesn’t do what it’s supposed to do’ or ‘it’s too tricky to deploy’. Well, the truth is that DLP technology is not something that comes off the shelf in a one-size-fits-all package. Here are the things DLP is not going to do for you:
1. Classify your data for you
2. Tell you where your sensitive data is if you haven’t done your due diligence to work out what data is critical to your business
3. Tell you what enforcement mechanism you need to apply to protect your data
4. Tell you what GRC requirements apply to your business
5. Work as a standalone product; it is to be deployed as part of an overall IT security strategy
There, that’s my list. The point to note is that DLP technology can be very successfully implemented if you have some of the answers to the above. Also, recent deployments are primarily focused on protecting custodial data, i.e. PII or credit card numbers, which must be protected to meet regulatory requirements. This is typically the type of information that is easy to find using regular expressions in DLP technology. If you were to have a breach of this type of custodial data, then the good news is that you can recover from it. The cost to do so will be high in terms of clearing up the breach and any additional fines incurred. But just look at the TJX Companies as an example of a major breach in the last decade. It doesn’t appear there’s anything wrong with their bottom line now. Did they lose customers? In the long term I don’t think so.
APTs are the new evil and they aren’t targeting custodial data; they want your intellectual property. Cybercriminals behind APTs are in it for the value of the information. Think about a nation state-sponsored attack on your organization that steals your next big pharmaceutical discovery or your next product design. This is not as easy to recover from as loss of custodial data, and the damage from IP theft could be permanent.
So, some tips for successful deployment of DLP:
1. Make sure you understand the type of data, custodial and intellectual property, to be protected
2. Take note of your GRC requirements
3. Classify this data accordingly
4. Create policies to enforce appropriate controls to protect this sensitive data
5. View DLP as a ‘holistic’ deployment; go back to the basics and think about people, process and technology
6. Deploy DLP across all channels, i.e. ensure your endpoints, email, web, data at rest, data in use and network are all covered; otherwise you are leaving the door ajar
In the current threat environment all organizations must consider DLP as a very viable technology provided it is implemented correctly to fight against the evil of APTs.