One of the most common misconceptions about data loss prevention (DLP) technology is that it is owned and implemented by IT security teams. DLP isn’t strictly a security project — it’s part of a broad data protection program that demands a co-existence of people and process with technology.
In Part 1 of this series, we examined the benefits of establishing organizational policies prior to implementing security controls for internal use of data. Now, with an approved set of administrative data protection controls, let’s look at how organizations can begin to design and implement DLP to help enforce those controls.
DLP solutions may be offered as enterprise class, third-party/reseller packages, or add-on (DLP-lite) solutions, and each of these offers a different level of capabilities. There’s no “right” choice — each one is designed to meet the size and type of organization involved.
That said, it is important to note that while channel or add-on DLP solutions offer targeted risk mitigation, enterprise solutions support a more scalable and unified infrastructure that can enforce data protection policies no matter where the data is — at rest, in motion, or in use. If you need to implement a reseller package in the near term but your long-term strategy is toward an enterprise solution, then think about sequentially deploying different components of an enterprise solution as they are needed.
Just as you would before purchasing a new car, you will want to do some research to see what is available in DLP, which products have the features you want, and which are within your budget. Look for online data from security research firms, such as Gartner and Forrester, which offer insights on the different criteria you can use when selecting a DLP product. No one DLP technology is the right choice for all organizations.
After going through the reference materials, you should be able to identify a number of DLP solutions that meet your organization’s data protection requirements. You can tie this data in with the results of the maturity assessment, which we discussed in Part 1, to generate customized criteria to help you evaluate these DLP solutions.
Some of the most common criteria for evaluating DLP products are ease of administration, business integration, infrastructure complexity, and cost of ownership.
As you develop your evaluation matrix, it will become evident that some criteria are more important than others. Integrating a weighting system into the matrix lets you evaluate each criterion according to how critical it is to your organization. Be sure to factor in your pre-established business relationships — such as the business partners your organization works with — to ensure continued alignment of business objectives with technical security controls.
Once you’ve chosen a DLP package, it may seem attractive to implement the entire DLP solution in a single phase, but that can be a big mistake. Such sweeping implementation initiatives can result in failed deliverables that do not align with business objectives and cannot easily be re-engineered afterward.
The best approach to implementing DLP is to roll it out in separate, but interdependent, phases to reduce the likelihood of misinterpreted deliverables. To illustrate dependencies and provide a means of measuring key milestones, create an implementation plan that you can share with all the stakeholders. This will ensure that all of the players are involved, while demonstrating to executives the progress of the data protection program.
Whether you are implementing an enterprise solution, a reseller package, or an add-on product, you need to be sure that your DLP architecture is sustainable and can be scaled to accommodate future growth. Think about designing a shopping mall. The engineers and architects know they need to design a facility that is spacious enough to support a sufficient number of subsidiaries, can be easily navigated and managed, and allows patrons to maximize their experience. Similarly, the builders of a DLP solution must remember that while it will be used for one underlying purpose, it must provide the organization with a level of versatility.
In addition to the DLP technology itself, organizations should consider implementing physical protection controls to reduce the risk of data exposures. The principles of Crime Prevention Through Environmental Design (CPTED) have been used by physical security professionals to control the human factor as a preventive means of reducing the likelihood of crime occurring.
To support DLP and reduce insider threat, you can use CPTED principles in four ways: to design spaces that effectively monitor personnel activity; control access to least privileged spaces; establish boundaries to controlled areas; and allow for the continued secure use of space.
To successfully implement data protection controls, you must align business objectives with technical and physical security controls. Prior to making a decision on appropriate data protection controls, you need to know what the technology can and can’t do. And you need to recognize that the business will change and grow, potentially changing priorities and controls. Implementing a data protection program is essential for every organization, and it doesn’t have to be a painful process. The key is making DLP something that makes the business work better and more securely, rather than acting as an obstacle.