
The Ten Commandments of Data Loss Prevention


As Data Loss Prevention (DLP) emerges as one of today’s hottest technologies, it remains among the least understood.

(Gawkwire.com) Organizations continue to invest in tools and processes that make information available and portable. This availability risks leaking confidential data into the public domain and potentially into the hands of competitors. This year alone I’ve met with more than 95 organizations interested in data loss prevention (DLP) technologies. They get it. Unfortunately, management at many businesses misunderstands the nature and the extent of the problem, and the technology required to address it.

Through my “On DLP” blog I stress that the vast majority of data leaks are the results of good employees making mistakes - an email sent to the wrong person or an upload of the wrong document.  Data loss is as pervasive and complex as the business itself.  Fortunately with the right technology the solution is far less complex.  To effectively address the problem, however, organizations must implement a data loss prevention solution that addresses ten key requirements.

#1) … Thou shall accurately identify data
Whether it’s credit card numbers (CCNs), social security numbers (SSNs), source code, or business plans, the key to an effective DLP solution is its ability to identify all forms of confidential data accurately. Many solutions come with built-in policy templates covering a broad array of data types, but few offer fingerprinting, the most accurate form of data identification. Accurate data identification reduces false positives and false negatives, simplifies workflow, requires fewer management resources (i.e., lowers the cost of ownership), and provides a solid platform for automated enforcement.
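The two identification methods this commandment contrasts, template patterns with validity checks and document fingerprinting, as an added Python example that is not from the article or any DLP product; the regexes, the Luhn and SSA validity rules, the shingle size and every sample string are assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed patterns: a template match is only accepted after a validity
# check, which is what separates a real CCN/SSN from a look-alike digit run.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_ccns(text: str) -> list[str]:
    """Candidate digit runs that also pass Luhn; the rest is dropped as noise."""
    hits = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """SSA assignment rules: area not 000/666/9xx, group not 00, serial not 0000."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def fingerprint(text: str, k: int = 5) -> set[str]:
    """Hash every k-word window of a protected document, so an excerpt pasted
    into a new message still matches even though a whole-file hash would not."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def fingerprint_overlap(protected: set[str], candidate: str, k: int = 5) -> float:
    """Fraction of the candidate's windows that come from the protected document."""
    cand = fingerprint(candidate, k)
    return len(cand & protected) / len(cand) if cand else 0.0
```

The second string in the card test has the right shape but fails Luhn, which is exactly the false positive a bare template would raise.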

#2) … Thou shall address data in three states: data at rest, data in use, and data in motion
Data can be stored, used, and exchanged in many places and ways.  A DLP solution must provide the necessary coverage to identify, monitor, and protect the data regardless of where the data is and how the data is being used.  A DLP solution must be able to discover where users store confidential data (data at rest), and monitor and protect how data is used (data in use) and transmitted over the Web, email, and other business communication channels (data in motion).

#3) … Thou shall provide content and context analysis
Employees will have varying needs and rights to store and use different types of data. An employee in human resources, for example, may have permission to access and use confidential employee information whereas a salesperson would be prohibited. That salesperson, however, may be authorized to send customer information (not employee information) to SalesForce.com. A DLP solution must discern both the content (the data) - including metadata - that is being stored, used, or transmitted, as well as the context (the user and destination): who is using it, how they’re using it, and where it is sent. Having integrated content and context awareness provides the necessary visibility to secure data without inhibiting business.

#4) … Thou shall include an advanced policy framework
The four key variables used to design a business intelligent policy are:

1) What data was sent, used, or stored
2) Who sent, used, or stored the data
3) Where data was sent, used, or stored
4) How data was sent, used, or stored

An effective DLP framework will marry these variables together in a policy so that you can manage who sends what where and how, or in the case of data at rest, who stores what, where, and how. A mature solution, for example, can prohibit financial consultants from posting confidential information over HTTP to blogs and chat Web sites, but allow those employees to post non-confidential data to those same sites. With an advanced policy framework, administrators can identify bad business processes, secure good business processes, and remediate violations.

#5) … Thou shall include robust workflow and reporting

Data loss prevention is a business problem, not an IT problem. The burden, however, falls on IT. The technology in place must offer robust workflow and reporting with full automation. DLP solutions provide visibility into business communications and processes. Administrators and policy makers can use this visibility to design controls and automated workflow, and to pre-assign specific types of incidents to specific personnel. For example, HIPAA-related incidents may automatically route to human resources while patent violations go to legal. Likewise, weekly and monthly reports can be created and distributed automatically, putting the onus of day-to-day incident management and reporting on the folks that own and use the data: the business units.
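An added Python example, not the article’s or any vendor’s code, that joins the four policy variables of commandment #4 (what, who, where, how) into ordered rules and, for each violation, names the business owner the incident is routed to, the workflow commandment #5 describes. Every data class, role, destination and owner in it is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    route_to: str = ""          # business owner who receives the incident
    conditions: dict = field(default_factory=dict)  # what/who/where/how -> set

    def matches(self, event: dict) -> bool:
        # A variable absent from the rule means "any value" for that variable.
        return all(event.get(k) in ok for k, ok in self.conditions.items())


def rule(action: str, route_to: str = "", **conditions) -> Rule:
    return Rule(action, route_to, {k: set(v) for k, v in conditions.items()})


# Constructed policy; first matching rule wins. The at-rest rule precedes the HR
# allow so that PII on an open share is flagged no matter who put it there.
POLICY = [
    rule("allow", what=["public"]),
    rule("block", "it_ops", what=["employee_pii", "confidential"],
         how=["stored"], where=["public_share"]),
    rule("allow", what=["employee_pii"], who=["hr"]),
    rule("block", "hr", what=["employee_pii"]),
    rule("allow", what=["customer_data"], who=["sales"], where=["salesforce.com"]),
    rule("block", "legal", what=["patent_draft"]),
    rule("block", "compliance", what=["confidential"], who=["financial_consultant"],
         how=["http"], where=["blog.example", "chat.example"]),
    rule("allow", what=["confidential"], who=["financial_consultant"],
         how=["http"], where=["intranet.example"]),
]
DEFAULT = Rule("block", "security")   # confidential flows with no allow rule


def decide(event: dict, policy: list = POLICY) -> tuple:
    """Return (action, incident_owner); owner is "" when the event is allowed."""
    for r in policy:
        if r.matches(event):
            return r.action, r.route_to
    return DEFAULT.action, DEFAULT.route_to
```

The same consultant with the same confidential document gets a different decision for a blog than for the intranet, which is the content-plus-context point of commandments #3 and #4.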

#6) … Thou shall be manageable
To be effective, a solution must be easy to deploy and manage. A mature DLP solution comes preloaded with wizards and hundreds of policy templates. It will be relatively easy to deploy and train on, and include clear documentation. It will also offer Web-based administration with role-based access control (RBAC), so multiple users can log on to the system concurrently and yet have different views depending on their role in the organization. Finally, it will offer centralized management of all product modules throughout a distributed environment, without requiring the purchase and deployment of a separate management system.

#7) … Thou shall be scalable
A DLP solution must meet the demands of a growing enterprise.  DLP solutions will include features such as high availability, load balancing, and archiving.  Data loss prevention technologies must be able to perform continued deep content inspection amidst spikes in traffic, and consolidate events on the network and endpoint across a distributed organization.  Finally, the solution must have a flexible architecture so that it can meet the constraints of a non-standard deployment.

#8) … Thou shall integrate with a wide range of technologies
Organizations today use many integrated security and networking tools.  A DLP solution must leverage and extend these tools, including directory services, mail, web filtering, proxy, SIEM, ticketing, and encryption.  Integration creates efficiencies and eases system management.  A DLP technology, for example, should be able to manage policies by users in directory services, automatically route mail to an encryption gateway, and create tickets within support desk systems.

#9) … Thou shall be from a viable vendor
The DLP market has consolidated over the last 24 months.  Security vendors have acquired the most mature and comprehensive solutions leaving behind a few remaining startups faced with a challenging economy.  It’s important that the solution purchased be from a reputable vendor with a strong cash flow and balance sheet.  In addition to financial strength, the vendor should be technologically strong and be able to demonstrate a history of and roadmap for investment in DLP technology, validated by customer acquisition and references.

#10) … Thou shall offer a reasonable cost of ownership
A DLP solution must provide a reasonable return on investment and cost of ownership. This can sometimes be difficult to quantify since DLP technology is a risk management tool. When evaluating DLP, management must fully weigh the cost of the solution, not just acquisition and deployment costs, against a quantified risk. A full cost analysis will include the costs of ongoing management, maintenance, and remediation, as well as the impact on other systems and processes that may require attention to support the solution’s operational readiness. For more information on the return on investment of DLP technology, read the ROI of DLP.

DLP technology offers many benefits to organizations.  A DLP solution reports on and ensures regulatory compliance, protects an organization’s crown jewels, secures a competitive advantage, and safeguards brand and reputation.  The key to unlocking the power of data loss prevention is to make sure that the solution in place can address all of the organization’s requirements, both now and in the future.  Many technologies have “data loss prevention” affixed to their marketing materials.  Few of them, however, address the ten commandments of DLP and are capable of solving the problem of data loss.

Blog Link: http://ondlp.com/2008/11/11/the-ten-commandments-of-data-loss-prevention-dlp/

Featured author
David Dunlap David Dunlap has been both a Web host industry analyst and commentator for the past eight years. Prior to his active writing career, David was a network and communications technician for four years. He currently is the Editor-in-Chief for WebHostMagazine.com