Data Loss Prevention Dos and Don'ts

Data loss prevention tools provide powerful security capabilities - if used correctly

October 10, 2007 — CSO — Data loss prevention (DLP) tools—also known as data leakage prevention or content monitoring and filtering (CMF) tools—are intended to prevent inadvertent or intentional exposure of sensitive enterprise information. According to consultancy Gartner, they do this by identifying content, tracking activity and potentially blocking sensitive data from being moved. When Jack in accounting tries to e-mail customer records to his home PC—or perhaps copy the data to a USB drive—DLP software can warn Jack and/or stop the action.

Gartner, which says this market tripled from $50 million in 2006 to $150 million in 2007, offers the following functions as basic requirements for data loss prevention software:

Perform content-aware, deep packet inspection on network traffic, including e-mail and other protocols.

Track complete sessions—not individual packets—for analysis.

Use statistical and linguistic analysis techniques beyond simple keyword matching for detection (for example, advanced regular expressions, document fingerprinting or machine learning).

Detect, block or control the usage of (for example, saving, printing or forwarding) specific content based on established rules or policies.

Monitor network traffic for, at a minimum, e-mail traffic and other channels/protocols (HTTP, IM, FTP) and analyze across multiple channels, in a single product and using a single management interface.

Block, at a minimum, policy violations over e-mail.

The tools can be classified in three groups: Network-based tools, which sit at the edge of the network, monitor data flowing through the network and in some cases filter or block data movement; host-based tools, which require an agent to be installed on individual PCs and servers, monitor static data on these systems and, in some cases, block or control actions that users can take; and systems that combine both of these capabilities. Ultimately, Gartner says, tools will not only monitor but also block any channel on the network and hosts from which data can be stolen, including the network interface, within the operating system and between applications. This requires much deeper integration with servers and desktops. For instance, agents running on local hosts could stop someone from downloading sensitive data through a USB drive, printing it and walking out the door. While vendors have significant plans in this area, product offerings are unlikely to become available in 2007, Gartner says.

Gartner says its clients find host-based data loss prevention systems more difficult to manage and less sophisticated in detections. "If someone came onto the network with a laptop [that didn't have an agent installed on it], they could gain access to files, and you'd never have insight into that activity," says Rich Mogull, research VP at Gartner. He sees host-based capabilities as critical but believes a combination of both approaches is ideal. "You should have one management console for data discovery, data in motion, data in use and data on the endpoint system," he says.