Data Loss Prevention can provide some powerful protection for your sensitive information. It can be used to discover Personal Information (PI) within your environment, identify various forms of PI from names and phone numbers to government identifiers and credit card numbers, assemble multiple subsets of PI to accurately identify a whole record, and even do all of this in multiple languages.
It can also discover and identify Intellectual Property (IP), and even be trained to learn the difference between your IP and the IP of your business partners. It can alert you when someone tries to copy or share PI or IP. It can block or encrypt attempts to email, IM, blog, copy, or print this sensitive data. DLP can also "fingerprint" certain documents that you specifically want to protect or ignore.
DLP provides a strong set of capabilities, but it is primarily used to protect against unauthorized movements of sensitive data (e.g., the various ways you may transmit, copy or print sensitive data from one location to another). And, it is intended to provide this protection in one direction (inside-out). It is not intended to protect you from receiving sensitive data, but rather it is intended to protect the data you already have.
Do your research
By implementing DLP you are about to invest a substantial amount of your company's money, time and resources. As a first step, do your research. Consult with research analysts such as Forrester or Gartner and gain a basic to intermediate understanding of the industry, the vendors and solutions available, and their particular strengths and weaknesses. Some DLP solutions offer robust features and support while others offer much less (i.e. "DLP Lite"). Understand your environment and the ways in which sensitive data moves about before undertaking DLP.
Also, leverage your professional network. Ask what your peers are doing with DLP and what success or pains they've had. Talk to several vendors and narrow the field to a few. After narrowing the field, request preliminary pricing estimates — you will need this information for budgetary planning.
Note that, far and away, most companies buy too much DLP. Plan to start small, pilot test in key areas, and grow into it. You will find that it will take you far longer to install, configure, optimize and find a way to effectively manage than you could have imagined. It does neither you nor your company any good to spend money on product or subscription licenses that go unused or are poorly deployed.
Give some thought to where DLP will be needed, and what it must accomplish to be successful.
Don't apply a shotgun approach unless it makes sense for your organization. Installing DLP on everything, everywhere can be very expensive and difficult to maintain. Think about the key applications and teams within your business that really need DLP technology due to the sensitivity of the data they have access to. You may find that you are able to apply an envelope of DLP protection around just your high-risk teams.
One way to think about this is to consider Pareto's "Law of the Vital Few" (or 80/20 rule). This principle states that 80% of your risks come from 20% of your sources. By focusing your DLP protections in your high-risk areas, you will make a significant positive impact on your company's risk profile and be able to share attractive ROI figures with senior management at the same time.
Identify business requirements
Before diving into the technology and available vendor solutions, you should first build a good understanding of what your business requirements for DLP will be. Be sure that your business requirements include the following:
- Transparency: Requirements for transparency should be addressed so that it is clear what users may expect post installation. Think about how their use of data and information systems may change after the introduction of DLP into your environment. Will DLP complicate or simplify their lives?
- Performance: Consider the performance impact that your DLP solution may have on your environment. Performance of laptops and desktops may be impacted due to DLP endpoint client software, or large policies enforced at endpoints. The performance of your network and servers may also be impacted if DLP is used to aggressively discover the locations of sensitive data within your environment.
- Compatibility: Consider what operating systems and applications you will need DLP to support within your environment. For example, some DLP vendors provide support for Mac OS, but most don't.
- Availability: Consider whether your DLP solution will need to be highly available, or if best effort is good enough. If your DLP solution stops working for some reason, what will be the impact?
Define security requirements
After identifying your business requirements, next sketch out a set of security requirements to support them. You may decide you need to encrypt any PI when someone attempts to copy it to USB, or whenever someone attempts to move it off disk in any way. Perhaps you only care about large quantities of PI, so above a certain threshold you choose to block it from being moved. Or maybe you simply want DLP to alert support staff without blocking or encrypting anything. Each business has a different set of requirements. Define a set of security requirements that fit your specific business needs.
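The three options above (encrypt on copy to USB, block above a quantity threshold, or alert only) can be written down as one decision rule. This is an added example, not any DLP product's policy language; the `Event` and `Policy` types, the channel names and the threshold of 500 are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    ALERT = "alert"
    ENCRYPT = "encrypt"
    BLOCK = "block"

@dataclass(frozen=True)
class Event:
    user: str
    channel: str      # "usb", "email", "print", ...
    pi_records: int   # PI records matched by the content scanner

@dataclass(frozen=True)
class Policy:
    encrypt_channels: frozenset = frozenset({"usb"})
    block_threshold: int = 500   # assumed value; set from your own requirements
    alert_only: bool = False     # alert support staff, enforce nothing

def decide(event: Event, policy: Policy) -> tuple[Action, Action]:
    """Return (enforced, intended): what happens now and what full enforcement would do."""
    if event.pi_records == 0:
        intended = Action.ALLOW
    elif event.pi_records >= policy.block_threshold:
        intended = Action.BLOCK          # large quantities are blocked on any channel
    elif event.channel in policy.encrypt_channels:
        intended = Action.ENCRYPT        # e.g. PI copied to USB
    else:
        intended = Action.ALERT
    if policy.alert_only and intended in (Action.ENCRYPT, Action.BLOCK):
        return Action.ALERT, intended    # downgrade, but keep the intent for tuning
    return intended, intended

def enforcement_preview(events, policy: Policy) -> Counter:
    """Count, per action, what full enforcement would have done with these events."""
    return Counter(decide(e, policy)[1].value for e in events)

# Constructed sample events.
EVENTS = [
    Event("alice", "usb", 12),
    Event("bob", "email", 1000),
    Event("carol", "print", 3),
    Event("dave", "email", 0),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e, decide(e, Policy(alert_only=True)))
    print(enforcement_preview(EVENTS, Policy(alert_only=True)))
```

Recording the intended action while in alert-only mode shows how many transfers would be blocked or encrypted before enforcement is switched on.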
If you are pitching DLP to leadership, think "safety net" rather than "big brother." DLP should be considered a collaborative solution. Sell it in a positive light explaining how it can protect your sensitive data, keep your business out of the media (for the wrong reasons), and afford you a competitive advantage. Plan to involve key stakeholders from across the company early on. These key groups typically include IT, HR, Finance, Legal and Internal Audit. Later when you are ready to implement DLP, you will want and need support from these business leaders.
When you are ready to implement DLP, ensure that you apply good communications practices. Keep business leaders, stakeholders and users appropriately informed of your plans and timelines. The rule of thumb I follow for communications is:
- Tell them that you're going to tell them
- Tell them
- Then tell them that you told them
It seems redundant, but you will find this approach is highly effective in getting your message across. You will want to develop different communications for each segment of your business community; one for executive leadership; one for team leadership; and one for the end user population. Don't surprise anyone with DLP. Surprise in this case can quickly appear like "big brother" just moved in, and that is likely not the image you want.
Review architecture options
DLP solutions come in various forms including software, hardware or cloud-based solutions. Several DLP vendors offer a mixture of one or more of these. Depending on what sensitive data you wish to protect, where it resides, and how it is accessed, the DLP solution that is a best fit for your business may include any one or more of these.
Software-based DLP solutions include perpetual or subscription-based licenses for endpoint clients and the management server. You will need to separately provide for the underlying computer hardware, operating system and virtualization software (if appropriate), a database server and management server.
Hardware-based solutions include one or more DLP appliances. Minimally you will need to separately provide one or more Mail Transfer Agents (if you intend to encrypt or block emails), a database server and management server.
Cloud-based DLP solutions typically represent a zero-footprint subscription solution. Endpoint users are directed to your DLP cloud provider via either Web Cache Communication Protocol (WCCP) configurations on your routers, or a Proxy Auto-Configuration (PAC) file that is installed on each endpoint to redirect their outbound traffic to the DLP provider's cloud.
Roles & responsibilities
After you have a good idea which of the DLP architectures may best suit your needs, start to define the roles and responsibilities you will follow. Build a RACI chart which details who is responsible, who is accountable, who needs to be consulted and who is informed for each activity related to the care and feeding of your DLP solution. Doing so will clearly spell out who owns and does what. This will help you avoid conflicts with other support groups that manage DLP, or any of its underlying components, later on.
Each RACI entry is important; however, there are two particular items that you should include. First, ensure that you build in a segregation of duties to help prevent misuse. Do this by assigning rights to the security team allowing them to create DLP policies but not the ability to implement them. Then, assign rights to your support team (IT for example) allowing them to implement the DLP policies developed by the security team but not the ability to create policies. By applying this check and balance, we prevent a single team from subverting the solution or causing harm by implementing something that should not have been implemented.
Secondly, it is very important to note that DLP will collect and report on the most sensitive information traversing your systems or networks. Think of all of the sensitive email discussions and documents shared between business leaders, board members and HR, for example. Allowing your support teams to be able to see this data is clearly inappropriate. You will therefore want to restrict access to the content of the DLP event (i.e., John Smith copied 1,000 names and social security numbers to a USB thumb drive and here are all of the social security numbers and names he copied).
On the other hand, the context of the DLP event should be available to support teams so they can address the event (i.e., John Smith copied 1,000 names and social security numbers to a USB thumb drive). Many DLP solutions provide for these distinctions. In fact, it should be a showstopper if this capability does not exist in the solution you are considering.
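Both controls described above, the create/deploy split and the content/context distinction, can be checked against a role map. This is an added example, not any vendor's access model; the permission strings, the `investigator` role that may read matched content, and the event fields are assumptions.

```python
CREATE, DEPLOY = "policy:create", "policy:deploy"
CONTEXT, CONTENT = "event:context", "event:content"

# Hypothetical role map. The create/deploy split follows the text above; the
# "investigator" role allowed to read matched content is an assumption.
ROLES = {
    "security": {CREATE, CONTEXT},
    "it_support": {DEPLOY, CONTEXT},
    "investigator": {CONTEXT, CONTENT},
}

def can(role, permission, roles=ROLES):
    """True if the role holds the permission; unknown roles hold nothing."""
    return permission in roles.get(role, set())

def separation_violations(roles=ROLES):
    """Roles able to both author and deploy policy, which defeats the check and balance."""
    return sorted(r for r, perms in roles.items() if {CREATE, DEPLOY} <= perms)

def view_event(event, role, roles=ROLES):
    """Return the event as this role may see it: context always, content only if granted."""
    if not can(role, CONTEXT, roles):
        raise PermissionError(f"{role} may not view DLP events")
    view = {k: v for k, v in event.items() if k != "matches"}
    view["matches"] = list(event["matches"]) if can(role, CONTENT, roles) else "[withheld]"
    return view

# Constructed event; names and numbers are placeholders, not real data.
EVENT = {
    "user": "John Smith",
    "channel": "usb",
    "summary": "copied 1,000 names and social security numbers to a USB thumb drive",
    "match_count": 1000,
    "matches": ["Jane Roe 000-00-0001", "Rick Poe 000-00-0002"],
}

if __name__ == "__main__":
    print(separation_violations())
    print(view_event(EVENT, "it_support"))
    print(view_event(EVENT, "investigator"))
```

Running `separation_violations` over the real role export after every permission change catches a role that has quietly gained both rights.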
Deploy cautiously & develop documentation
Deploy cautiously and consciously. Keep in mind that DLP is powerful technology, and if deployed improperly can impact key components of your communications. Keep your DLP deployments small at first. Then, as confidence with the solution grows, expand into additional groups. Think about deploying to some of the highest risk areas of your business early on; you wouldn't want an otherwise preventable breach to have occurred while you were busy deploying to lower risk areas of the business, and you will learn more at the same time.
Begin by enabling monitoring only. Don't start out with blocking or auto-encrypting data until you are truly ready and understand the implications of getting any of this wrong. Expect help desk calls, and prepare your support teams so they are able to respond to them effectively. Determine what you will do when you learn of a given policy violation and gain alignment with stakeholders (Legal, HR, IT) for each scenario that is likely to occur.
Ensure that you document everything related to the architecture and deployment of DLP. If you were to burn it all to the ground, your documentation should be able to guide you through full re-deployment. If it cannot, then your documentation is insufficient. Lastly, share reports and metrics with leadership that illustrate the positive impact DLP is having on your ability to protect sensitive information. They will want to know how effectively their organization's money and resources have been spent.
Curtis Dalton is the CISO of Sapient. He can be reached on Twitter at @curtisedalton