September 2010 E-newsletter
Data Loss Prevention
Data loss prevention products offer a valuable tool for detecting leakage of sensitive data, such as Social Security or credit card numbers. However, they're only one part of a bigger picture of policies, risk assessment and controls that work together to reduce organizational data loss. To ensure a successful DLP deployment, consider these strategies.
Don't Go It Alone
Involve groups from outside IT in policy development and DLP product selection. As a tech-savvy IT manager, you bring valuable knowledge to the table. But without input from groups such as human resources and legal, your security solution won't meet institutions' needs.
Start by Understanding Your Data
Enterprise networks and servers are filled with enormous amounts of data. However, only a small percentage of that is sensitive, mission-critical information. The first step is determining what data is most important to your institution and where that data resides.
Yes, it's in a database or file system somewhere, but where else? Nothing important is stored only once, and some information may be found on backup tapes, achives, mobile devices, e-mail and desktop PCs. Only when you know what you want to protect, and where the information resides, can you start to protect it.
Build Policy Based on Risk
Most DLP deployments start with the products: USB control and protection, file or drive encryption for notebooks or desktops, e-mail content scanning, or network-based DLP. But that's the wrong starting point. Instead, begin by identifying the main types of organizational risk caused by data loss and leakage.
You've already determined what information is important. Now, identify policies to help contain that risk. Just as the punishment should fit the crime, the DLP policy should fit the value of the data and the risk to your organization if it is lost.
The most effective DLP programs are based on user education and training, but all require policies. You can't enforce the rules, or train users about the rules, if you don't know what the rules are.
Keep in mind that DLP products are better at identifying leakage than stopping it. The tools can identify users who are exposing information carelessly or against policy, and this can be valuable for educating users and solving user behavior problems.
Use a Full-Strength DLP Solution
Only after the sources and policies are identified should you start to evaluate technology to assist with the enforcement of your policies.
Many security products have DLP features, but without an organizationwide view of data at rest (acquired through a process called content-at-rest scanning or content discovery), data in motion leaving your network, and a corresponding data protection policy, your DLP efforts will be fragmented at best.
Full-fledged DLP combines endpoint security and management with network scanning and monitoring to provide a single, integrated solution to the problem of enforcing policy and preventing data loss.
On the network side, full DLP solutions integrate content discovery (such as identification of organization-controlled credit card numbers or personal identification numbers, or files with sensitive data in the wrong parts of the network) with scanning of outbound traffic, typically combined with an outbound web proxy.
To be effective, the DLP solution must examine all types of traffic leaving the network, including e-mail, web traffic, file transfer and instant messaging.
On the client side, full DLP solutions secure data on endpoints, whether corporate desktops, notebooks or smartphones. These products identify data and lock it down, typically with encryption and other identity-based access controls.
Manufacturers such as McAfee, RSA, Symantec and Trend Micro all offer integrated DLP software suites that combine data identification, user identity and central management in one comprehensive console.