DLP – Protecting What Matters Most

Data Loss Prevention (DLP) products exist to help organizations monitor and protect sensitive data. This data could be customer information, credit card numbers, employees' personal information, project plans, intellectual property, trade secrets, whatever the crown jewels may be. If this data were to be lost or stolen, it could create significant legal liability, financial loss, and security risks, as well as reputational and regulatory hardships. DLP keeps sensitive data from falling into the wrong hands. NetworkWorld has a collection of excellent DLP articles for those concerned with the topic. Find the related items at the end of this entry.

You can put in place all of the intermediary policies and risk-mitigating controls, from perimeter to storage server, that you can afford. One thing about technical security controls is almost certain: a determined attacker will find a way to violate your strongest safeguards. Filter web traffic and they resort to encryption and obfuscation. Isolate sensitive systems from the Internet and they plug in a USB drive. Disable USB support and they reboot with a CD. Disable CD/DVD booting in CMOS and block the USB ports with super glue and they use a cellphone camera to snap a picture of sensitive material on screen. Create a policy barring cameras and enforce it, and the attacker will reach for a pencil. DLP is just shy of a silver bullet from my perspective in Incident Response. It is a security control that, if implemented and managed correctly, protects the data from inappropriate exfiltration.

Think about the many layers of controls that are in place on your typical bank network. Remote access controls and authentication mechanisms try to identify each person entering network resources as best they can. Local access control mechanisms ensure that everyone going in is properly credentialed and supposed to be there. NIDS and HIDS watch for intrusions like infra-red sensors waiting for someone to break their mesh of beams. What's missing to make theft of your data an impossible mission? Well, when you lift the Hope diamond, you expect an alarm to sound! Try to leave with data that is flagged as confidential, and you should be stopped and questioned.

Some believe that the primary task of DLP technology is to help guide users in the proper handling of sensitive data. Some consider DLP to be just another audit or compliance tickbox. Still others believe it should prevent leaks and alert on an insider who is accidentally or intentionally leaking data. Network World's "The dark side of DLP" discusses some of the ethical questions centered around monitoring employees' digital activities. These different ideas regarding the "primary task of DLP" will require different approaches for realization, but all share the need to identify data that shouldn't be leaked, and to stop the leakage from occurring.
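The "identify data that shouldn't be leaked, and stop the leakage" step is the core of any DLP product. As an added illustration that is not code from this article or from any NetworkWorld piece, the block below shows the simplest form of that content inspection: scanning outbound messages for one of the data types named above, credit card numbers, validating candidates with the Luhn checksum so that random 16-digit strings (ticket numbers, order IDs) are not flagged, and returning a masked finding that a DLP policy engine could act on. The message records, channel names and the "block" action are constructed for the example; real products add fingerprinting of documents, keyword dictionaries and per-channel policies on top of this kind of check.

```python
from __future__ import annotations
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or dashes, not embedded inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum.

    Every second digit from the right is doubled (digits over 9 have 9
    subtracted); the number is valid when the sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits, so the finding itself is not a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_outbound(messages: list[dict]) -> list[dict]:
    """Inspect outbound messages and emit a finding for each one carrying a PAN.

    Each message is a dict with 'id', 'channel' and 'body' keys (constructed
    format for this example). The 'block' action stands in for whatever the
    policy engine would do: quarantine, encrypt, alert, or ask the user.
    """
    findings = []
    for msg in messages:
        pans = find_card_numbers(msg["body"])
        if pans:
            findings.append({
                "id": msg["id"],
                "channel": msg["channel"],
                "masked": [mask(p) for p in pans],
                "action": "block",
            })
    return findings


# Constructed sample traffic. 4111111111111111 and 5500000000000004 are
# widely published payment test numbers; 1234567890123456 fails Luhn.
SAMPLE_MESSAGES = [
    {"id": "m1", "channel": "email",
     "body": "Hi, my card is 4111-1111-1111-1111, please charge it."},
    {"id": "m2", "channel": "webmail",
     "body": "Ticket 1234567890123456 is still open."},
    {"id": "m3", "channel": "usb-copy",
     "body": "PAN list: 5500000000000004"},
    {"id": "m4", "channel": "email",
     "body": "Lunch at 12:30?"},
]

if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_MESSAGES):
        print(finding)
```

Running the block reports findings for m1 and m3 only: the ticket number in m2 is the right length but fails the checksum, which is exactly the false positive a naive digit-count rule would raise. Masking the matched number in the finding matters in practice, because DLP alerts are often forwarded to ticketing systems and mailboxes that are themselves outside the protected zone.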

All technical controls will eventually fail, and it then comes down to the "wetware" basics: ethics, awareness training, and other non-technical controls, to protect the organization. Smart DLP vendors will not only focus on finding ways to plug the leaks, but will also provide convenient ways for users to perform their job functions securely, and guidance to reinforce all of those non-technical controls.

Related Content on NetworkWorld: