DLP – Success & Failure

Data Leak Prevention adoption is growing at an estimated 10% a year.  Slower than anticipated by DLP vendors but still fast compared to many other security technologies.  The primary driver for adoption of this technology remains compliance, as is true with most security project funding.  Make sure that when you deploy it, you deploy it with the correct ruleset, a clear definition of what it is meant to accomplish, and consideration for “soft-mode” as an awareness tool.

Quite a few companies that have recently deployed DLP have pulled back on their deployments because of user and management backlash.  This indicates to me that there may have been a lack of planning, and the deployment did not adequately define success factors.  DLP was commonly deployed by these firms as an enforcement tool and not as an awareness tool at all.  When DLP is implemented as an enforcement tool, the controls are black and white, and generally very strict, running the risk of disrupting normal business processes.

The problem DLP is deployed to resolve is the leakage of data to unauthorized recipients.  Most data leaks are not caused by attackers bent on getting access to your corporate data.  The most common source of data leakage, accidental leaks, can be stopped.  To do so one must understand why these leaks occur, then how, and be prepared to accept that some of the responsibility for addressing them lies with IT itself.

Accidental leaks are not simply the result of negligent, stupid, or irresponsible users.  In many cases, leaks occur when authorized users of data choose an insecure means to store or transmit the data in the process of fulfilling a legitimate business process.  They’re doing their jobs the best way that they know how, with the tools that they have available.  Think about the Manager who needs to send her quarterly numbers to an external accounting firm.  She doesn’t have e-mail encryption capabilities or secure FTP at her disposal, and probably doesn’t understand the need for them during this seemingly innocent and quite common communication event.  She sends the confidential information as an attachment by e-mail, like always.  The communication is sent in the clear, across numerous unknown networks, subject to capture, manipulation and abuse.

DLP deployed with a hard rule enforcement policy may serve to exacerbate the problem.  The e-mail is detected and stopped, as designed, due to its sensitive contents.  The Manager wants to do a good job, and doesn’t understand why the accounting firm is not receiving the time-sensitive email that she so dilligently sent.  Perhaps she percieves that IT, who doesn’t understand or care about her dillema, has just put up another hurdle for her to get the required job done, so she tries Hotmail.   IT filters Hotmail, because it is a security and DLP risk.  She tries Instant Messanger, Facebook, RapidShare or whatever other distribution method she can think of.  Whose fault is it if the business doesn’t provide a better way of doing what needs to get done in the course of a business day?

If DLP is deployed as an awareness tool, it can actually identify and help fix these broken processes.  Instead of blocking the original email, educate the user about why certain communication methods are dangerous when sending sensitive information.  Let the user know the dangers and impacts associated with these insecure communications.  Tell them about secure IT services that are provided for this specific purpose, or engage them to identify a specific need, to set in motion the needs analysis and requirements gathering needed for the provisioning or improvement of secure practices and services.  IT will become aware of dangerous practices within the organization for which they have not yet provided better alternatives. 

DLP deployed in “soft-mode” focuses on training and awareness for both IT and the user community.  It allows the identification and development of exceptions and logs the results of various communications so that improvements can be made in their handling.  It is incremental, non-judgmental and business friendly.  Over time, some DLP controls can and should be tightened and restricted, increasing enforcement, but soft-mode should remain a viable option for many types of standard communications.

DLP is about preventing data loss, not blocking the business from moving forward.  Take the opportunity to build an extended or permanent soft-mode period into your DLP project plans.  It can educate your users, getting them thinking about security, while at the same time educating your IT staff about how your business actually functions, getting them thinking about how to provision better, easier to use, and more secure services to the users that they serve.