Why / When / How To Implement DLP?

This Data Loss Prevention question was posed on the Security Basics mailing list. I thought I would share it here so that others who have not subscribed to this good list can find it and do so, and those with similar questions can see what I and others have said about it.

-----Original Message-----


I would like to have your opinion about when/which organizations need a DLP solution. How does the need depend on an organization's work area, country, region or culture? How should one implement the solution, handle the data classification, and cooperate with data owners and business departments?



-----My Response-----


In my opinion, EVERY business needs a DLP strategy and solution.  It can be homegrown, it can be freeware, it can be commercial.  You are talking about identifying and protecting critical, private and confidential data from being stolen.  That is a no-brainer, and is at the very heart of information security.  If you are not taking steps to protect that information, you are doomed.

The need depends on the connectivity available and the technology used, not location, culture, or even legislation.  Survival is the driver, or soon will be.  If your company connects to the Internet to share and collect email, you need a DLP solution that manages that connectivity.  If your company uses Instant Messaging, you need a DLP solution that handles that.  If you provide FTP services, you need to address that.  Whatever methods and services the company uses to connect and share information with others need to be considered and addressed.  Addressing them may entail stopping their use, monitoring and reporting their use, restricting their use through policy and monitoring, filtering with technology, or other means.

How to implement the solution?  Well, to answer that would take a book.  Or several, because not every solution is the same, and not every implementation is the same.  The best advice that I can offer for implementation is to stage it.  Do it in phases.  Pilot it first with a medium-sized group, and put it into monitoring-only mode.  This will aid in identifying your baseline, what is "normal", and what is in need of investigation.  Like an IDS/IPS solution, this is a disruptive technology that is initially prone to error, both false-positive and false-negative.  It will need to be tuned and maintained regularly.  Once you understand what is being sent, where, and by whom, you can start modifying the rule-set and tightening up your classifications.

Gaining buy-in, identifying data owners, working with other departments: that is what a good consultant does as part of your project.  That sort of intel never comes free, and if it does, it is suspect.  In this economic climate, you need to support your local businesses, and start bringing in the expertise that you don't have.  Make certain that Knowledge Transfer is written into the engagement contract, and DON'T let the PM or Consultant nibble away at the time allotted to this part.  It is how you will learn to tweak, adjust and manage the new infrastructure devices that you will be introducing to the environment.

Just my 2¢, collect the whole dollar!
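The staged rollout described in the response (monitoring-only mode first, build a baseline of who sends what over which channel, then tune the rule-set to cut false positives before switching to blocking) is easier to picture with a small content-inspection pass. The block below is an added illustration written for this page; it is not code from the mailing-list thread or from any DLP product. The detector patterns, the `smtp`/`im`/`ftp` channel labels, the `monitor`/`block` mode switch and the sample messages are all assumptions constructed for the example. The one tuning step it shows is the classic one: a bare "13 to 19 digits" pattern flags order numbers and similar junk, and adding a Luhn checksum removes that class of false positives.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Added illustration for this page, not a product's rule language.  Detector
# patterns, channel names, mode switch and sample traffic are assumptions.

# 13-19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN shape; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum.  Order numbers and phone numbers that merely look like
    card numbers almost always fail it, so it removes a large class of false
    positives from the untuned digit-run rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str, validate: bool = True) -> List[str]:
    """Digit strings that look like card numbers.  validate=False is the
    untuned rule (pattern only); validate=True adds the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> List[str]:
    return SSN_RE.findall(text)


@dataclass
class Message:
    sender: str
    channel: str      # smtp, im, ftp: every path out of the company is inspected
    recipient: str
    body: str


def inspect(msg: Message, validate: bool = True) -> List[Tuple[str, str]]:
    findings = [("card", c) for c in find_cards(msg.body, validate)]
    findings += [("ssn", s) for s in find_ssns(msg.body)]
    return findings


def run(messages, mode: str = "monitor", validate: bool = True):
    """Run the rule-set over outbound traffic.  In monitor mode nothing is
    stopped: every hit is logged so a baseline (who sends what, over which
    channel) can be built.  In block mode a hit stops the message.
    Returns (log entries, per-sender/channel hit counts)."""
    log = []
    baseline = Counter()
    for msg in messages:
        findings = inspect(msg, validate)
        if not findings:
            continue
        action = "BLOCK" if mode == "block" else "LOG"
        log.append((action, msg.sender, msg.channel, msg.recipient,
                    [kind for kind, _ in findings]))
        baseline[(msg.sender, msg.channel)] += len(findings)
    return log, baseline


# Constructed sample traffic (not real data).  4111 1111 1111 1111 is the
# well-known test card number; 1234 5678 9012 3456 has the right shape but
# fails Luhn, which is exactly the false positive the tuning step removes.
SAMPLE = [
    Message("alice@corp.example", "smtp", "bob@partner.example",
            "Per our call, the card on file is 4111 1111 1111 1111, exp 12/27."),
    Message("carol@corp.example", "im", "dave@corp.example",
            "Order 1234 5678 9012 3456 shipped today."),
    Message("alice@corp.example", "ftp", "drop.vendor.example",
            "employee export: 123-45-6789, 234-56-7890"),
    Message("erin@corp.example", "smtp", "friend@mail.example",
            "lunch at 12:30?"),
]

if __name__ == "__main__":
    for label, validate in (("untuned", False), ("tuned", True)):
        log, baseline = run(SAMPLE, mode="monitor", validate=validate)
        print(f"{label}: {len(log)} messages logged, baseline {dict(baseline)}")
        for entry in log:
            print("  ", entry)
```

Running it in monitor mode with the untuned rule logs three messages; with the Luhn check only the two real leaks remain (the card over email and the SSN export over FTP), and the per-sender, per-channel counter is the start of the "what is normal" baseline the response talks about. Only after that baseline looks right would `mode="block"` be turned on for the channels where blocking is acceptable.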