About this series: Companies are clamoring for Data Loss Prevention (DLP) tools to keep their data safe from online predators. But there is much confusion over what the true ingredients are. In this series, CSOonline talks to security practitioners, analysts and other experts for a crash-course on what DLP is, what it isn't and how to get on the right track. We'll begin with the proper technologies to use, followed by the right people policies.
Most security vendors will tell you they have just the thing for your DLP needs. But some industry experts say enterprises often buy products that, once installed, don't perform all the functions necessary to keep sensitive information safe. [See also: Security Analyst to DLP Vendors: Watch Your Language]
We reached out to several IT security professionals in an effort to zero in on the true elements of an effective DLP program -- from the technology to people policies -- and how best to fit the pieces together. This article will focus specifically on five technological approaches that, when used together, offer a solid data defense.
1. Data discovery, classification and fingerprinting
Richard Stiennon, chief research analyst at IT-Harvest, said a complete DLP solution must be able to identify your IP and make it possible to detect when it is "leaking."
William Pfeifer, CISSP and IT security consultant at the Enforcement Support Agency in San Diego, agrees, calling data classification the prerequisite for everything that follows. "You cannot protect everything," he said. "Therefore methodology, technology, policy and training is involved in this stage to isolate the asset (or assets) that one is protecting and then making that asset the focus of the protection."
Nick Selby, former research director for enterprise security at The 451 Group and CEO/co-founder of Cambridge Infosec Associates, said the key is to develop a data classification system that has a fighting chance of working. To that end, lumping data into too few or too many buckets is a recipe for failure.
"The magic number tends to be three or four buckets -- public, internal use only, classified, and so on," he said.
This is a tricky one, as some security pros will tell you encryption does not equal DLP. And that's true to a point.
As former Gartner analyst and Securosis founder Rich Mogull put it, encryption is often sold as a DLP product, but it doesn't do the entire job by itself.
Those polled don't disagree with that statement. But they do believe encryption is a necessary part of DLP. "The only thing [encryption doesn't cover] is taking screen shots and printing them out or smuggling them out on a thumb drive. Not sure I have a solution to that one. It also leaves out stereography, but then is anyone really worried about that?" Pfeifer asked. Specifically, he cites encryption as a DLP staple for protecting data at rest, in use and in motion.
Stiennon said that while all encryption vendors are not DLP vendors, applying encryption is a critical component to DLP. "It could be as simple as enforcing a policy," he said. "When you see spreadsheets as attachments, encrypt them."
3. Gateway detection and blocking.
This one would seem obvious, since an IT shop can't prevent data loss without deploying tools that can detect and block malicious activity.
Sean Steele, senior security consultant at InfoLock Technologies, said the key is to have something in place that provides real-time (or close to real-time) monitoring and blocking capabilities for data that's headed outbound at the network perimeter, data at rest ("sensitive or interesting/frightening data sitting on my network file shares, SAN, tier 1/2 storage, etc.," he said); and data being used by human beings at the network's endpoints and servers.
4. E-mail integration Botnets: 4 Reasons It's Getting Harder to Find and Fight Them] or sending out e-mails from the inside with proprietary company data [see Embarrassing Insider Jobs Highlight Security, Privacy Holes], partnerships between security vendors and e-mail gateway providers are an essential piece of the DLP puzzle. Fortunately, Stiennon said, "Most DLP vendors formed partnerships with e-mail gateways early on."
Since e-mail is an easy target for data thieves, whether they are sending e-mails with links to computer-hijacking malware [see
5. Device management
Given the mobility of workers and their computing devices these days [laptops, smart phones, USB sticks], security tools that help the IT shop control what can and can't be done with mobile devices is a key ingredient of DLP.
Stiennon is particularly concerned about the USB devices that could be used to steal data. "Being able to control the use of USB devices is a key requirement of a DLP solution," he said.
Next week: A look at what SHOULD NOT be accepted as DLP.