Data loss prevention, or DLP, is steadily moving from a buzzword to a useful set of information security tools that can be used to ensure regulatory compliance. Adoption of DLP, variously called data leak prevention, extrusion prevention, content filtering or information loss prevention, is being driven by
DLP is designed to solve two key issues, said David Sockol, CEO of Emagined Security Inc. in San Carlos, Calif. "Companies need to know what data is leaving or entering an enterprise and then need to determine what to do about it," he said.
Peter Firstbrook, a research director at Gartner Inc., said, "DLP helps companies improve compliance with government and corporate regulations on the handling of sensitive information. DLP can enable automatic encryption in email without involving the end user," which may be required for personally identifiable information (PII) under some data privacy laws.
Two types of DLP solutions are emerging, Firstbrook said: "Enterprise solutions, or E-DLP, that cover all possible DLP deployment scenarios, and less comprehensive single channel solution (S-DLP) that are features of existing security solutions such as email and Web gateways and endpoint protection platforms." The big enterprise solutions appeal primarily to large Global 2,000 organizations with complex DLP requirements and the resources to staff and manage a large-scale DLP deployment. The protection of intellectual property is often a primary consideration, while compliance is an ancillary benefit to these organizations."
"DLP also gives visibility into corporate data, thanks to deep content analysis, that we have never had before" said Rich Mogull, principal at Securosis LLC in Phoenix. "DLP allows you to protect data within business context, reducing business process impact."
Within the enterprise, a consistent data loss prevention solution generally has the following components:
- Endpoint: Monitoring, controlling activities.
- Network: Filtering data streams.
- Storage: Protecting data at rest.
As new social messaging platforms emerge, including so-called Enterprise 2.0 software behind the firewall or connections to external platforms like Twitter or Facebook, new challenges for the flow of information are growing, both for government and private industry. Given insider threats driven by job losses and a tough macroeconomic climate, any technology that can help to suppress data leaks is getting renewed scrutiny. That's perhaps particularly true in healthcare compliance, given the insider threats observed as enforcement of the Health Insurance Portability and Accountability Act grows stronger.
"An important side benefit of using a DLP product is the ability to raise the awareness of information use policies within the ranks of employees and other users within the enterprise," said Burton Group Inc. analyst Trent Henry in a recently released report, "Market Insight: Data Leakage Prevention 2009." That growth is reflected in the maturation of DLP software and consolidation in the DLP market, via acquisition.
Where does data loss prevention fall short?
"DLP is designed for primarily looking at gateway ingress and egress points," said Sockol. "It was not designed to sit in the middle of a network assessing internal traffic. The reason this limitation exists is DLP solutions are designed to look at raw data in packets. It is not typically designed to decode information prior to processing it."
DLP works best for content discovery and network monitoring. It's the worst on the endpoint.
Rich Mogull, founder, Securosis LLC
DLP software is useful for identifying well-defined content (like Social Security or credit cards numbers) but tends to fall short when an administrator is trying to identify other sensitive data, like intellectual property that might include graphic components, formulas or schematics. "The endpoint still needs a lot of work," said Mogull. "DLP is not overly effective for nebulous data types that are hard to define."
End-to-end encryption can protect data -- and is increasingly part of regulatory mandates from states like Massachusetts or Nevada -- but encrypting data also makes it opaque to DLP engines. "Detecting and protecting PII is a major use for DLP," said Mogull. "The specific laws don't matter all that much."
B.K. DeLong, senior analyst at the Institute for Applied Network Security, said, "Many of the current DLP products catch all of the low-hanging fruit early on and not much else afterwards. They're not robust enough to catch intellectual property leaving the company. Gateway DLP isn't able to catch user endpoint tricks such as burning to CD, transfer to USB key, transferring to iPods, etc., without a desktop agent."
There are also challenges to coordinating DLP engines with business processes. "Many companies are resistant to turn on the protection components because they could stop important business," said Sockol. "The risk of stopping traffic does not always outweigh the ability to just take corrective action. It is a management decision on how to approach the prevention components."
Firstbrook said, "DLP is reasonably good at stopping good people from doing bad things, but it should not be relied on to stop bad people from doing bad things. If they have access to the data, they will find a way to evade DLP controls. Data and information security should be addressed at the source first."
Where does data loss prevention work best?
DLP is most effective "when you have well-defined data to protect that's structured or unstructured," said Mogull. "DLP works best for content discovery and network monitoring. It's the worst on the endpoint."
DLP also "helps companies improve processes for the handling of sensitive information, i.e., uncovering dangerous practices that an organization might not have been aware of," said Firstbrook. "It only works when you have a tight definition of sensitive data and you limit policy to solve a few specific problems. Although the possibilities of DLP are vast, you have to start with very specific compliance or data issues and solve them before you move on."
Sockol also looks to the flexibility of DLP for addressing different compliance challenges. For example, a company that is considering a merger or acquisition may want to have DLP installed and operational. If data about the merger or acquisition is leaked, it may have a financial impact on stock prices or the transaction amounts.
"The majority of organizations will adopt data loss prevention as a feature of their secure Web and email gateway or their endpoint protection platforms," said Firstbrook, "rather than invest in a purpose-built enterprise-wide data loss prevention solution."
Best practices for deployment, with room to mature
Mogull has seen dozens of DLP implementations over the years. He recommends that enterprises use phased deployments and make sure they have "a good user directory, to know the people behind the data use." He said it's critical to "define your data well, and tune your policies."
Firstbrook made the following suggestions for DLP deployments:
- Staff a data management group first. "Make sure they figure out the short-term, midterm and long-term data management problems that they need to address."
- Get corporate buy-in. "Data owners and process owners will need to make changes to how business is done."
- Choose automated solutions.
"DLP software often includes policies that specifically address certain government regulations," said Firstbrook. "These are good starting points but also consider that they do not solve all compliance needs. They only address clear text transmissions and who sent them. Use these pre-developed policies as a starting point for compliance only."
DeLong explained, "Using metadata is fine and good, but educating Joe and Jane User at a company to do data classification is extremely challenging. There needs to be better artificial intelligence and recognition system to automate that process."
"The ultimate goal [would be] better role-based access control," said DeLong. "Combined with enterprise rights management -- but no one is truly there yet."
Experts also recommend companies considering DLP software should consult with legal teams. "It is very important to communicate to your employees that you are monitoring their transactions," said Sockol. "Understand that if you look inside encrypted traffic, a company may obtain access to employee private data, such as credit card numbers, bank account numbers, usernames and passwords. An organization's legal resources should determine what traffic is being monitored and how to treat any data that is acquired."
Sockol said it's important to any successful deployment for an organization to dedicate sufficient resources to the project. "DLP programs do not run themselves," he said. "They need constant attention. Either a company spends the time up front to tune a DLP or they will spend a lot of time on the back end chasing thousands of incidents."
Let us know what you think about the story; email firstname.lastname@example.org.
This was first published in October 2009