IT Focus Area: Security
August 25, 2016
Deploying Data Loss Prevention: Best Practices for Success
Traditional defenses are no match for targeted attacks that bypass security controls and steal sensitive data. As IT environments continue to change, organizations need to keep pace and make security move with their data by focusing on the data itself through the development of a data-centric security program.
Data loss prevention (DLP) is a critical part of data-centric security. The technology is designed to perform both content inspection and contextual analysis in order to prevent the loss of data. It is often thought of as a way to keep users from uploading sensitive information into email, cloud storage services and unauthorized file transfer platforms.
The Resurgence of DLP
A decade ago, demand for DLP technology was generally driven by data protection requirements for regulatory compliance such as the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Many organizations later expanded their use of DLP to better protect intellectual property.
Interest started to taper off and there was a decrease in deployments as organizations struggled with the cost and the complexity of implementing first-generation DLP. Many found it to be resource-intensive — with a steep learning curve. The dramatic increase in data breaches has refocused attention on data protection technologies such as DLP, and it has made great strides as a technology over the past few years, moving beyond the network into the endpoint, cloud and discovery. It has advanced in both time to deployment and time to value, and has even matured enough to be offered as a managed service. However, effective DLP implementation continues to require active participation from the organization; it is not a “set it and forget it” platform.
Successful DLP deployment requires a process-based approach that includes proper preparation and integration with complementary security controls.
DLP requires careful planning, including the development of clear and achievable goals and the establishment of proper expectations among executives and business unit leaders. While there are numerous considerations when preparing for a DLP deployment, it is important not to overlook the following five factors:
1. Deployment Strategy
Organizations are often eager to implement DLP in an effort to better protect intellectual property, enhance compliance efforts, and address the risks associated with cloud, mobility and the Internet of Things (IoT). Without a well-planned deployment strategy, they tend to go all-in and attempt to deploy all facets of a DLP solution — network, discovery, endpoint and cloud — simultaneously. This hurried approach introduces an overwhelming number of alerts and false positives. Excessive alerts are usually the biggest complaint associated with DLP; they translate into lost hours spent on investigation and money wasted on inaccurate intelligence.
Alleviating this issue, and the success of DLP overall, depends on a carefully planned deployment. Two strategies can help to ensure success. The first is a phased approach that considers which DLP technologies should be deployed first and which organizational business units they should be rolled out to over a period of time. The second is using a DLP managed service provider to accelerate the deployment and manage policies more easily. The right provider can help you reduce complexity and up-front costs, meet service level agreements (SLAs), and offer the proper controls to secure the sensitive data it will have access to.
2. Encrypted Traffic
The amount of network traffic that is encrypted — according to various studies — ranges between 30 and 80 percent. Even if we assume the low end of that range is accurate, it indicates that nearly one third of an average network is currently encrypted. It is hard for an organization to determine whether a data breach is occurring if it cannot see all of its traffic. Factoring in methods for forwarding encrypted traffic via proxies, application delivery controllers, or dedicated SSL decryption solutions to your DLP appliances for analysis is therefore critical.
3. Alignment with Business Units
Identifying which content to focus on is key. Standard policies looking for personally identifiable information (PII), protected health information (PHI), credit card numbers and social security numbers are easy to establish. The difficulty lies in defining custom policies that look for internal documents containing sensitive information. Many completed DLP deployments are operated by IT staff. Collaborating with the organization’s business units enables IT to understand which data is considered sensitive. While integration with data classification and data tagging tools can help with this effort, DLP vendors are evolving their solutions to allow business units and users to be directly involved in tagging the documents that need to be protected. This allows the responsibility for protecting sensitive data to be more easily placed where it belongs — with the data owners, not with IT.
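As an added illustration of the "standard policies" described above and of the content inspection plus contextual analysis mentioned earlier, here is a small, constructed DLP-style check (example code, not from the article or any DLP vendor). It pairs a credit card pattern with a Luhn checksum so that random 16-digit strings do not raise alerts, and then applies a constructed channel policy: the same finding is blocked on egress channels but only alerted on internal chat. The sample messages, channel names and the "confidential" tag are all assumptions.

```python
import re

# Constructed sample egress events (channel, text), not taken from the article.
SAMPLES = [
    ("email", "Invoice attached, card 4111 1111 1111 1111 exp 12/27"),
    ("email", "Order ref 1234 5678 9012 3456 shipped today"),  # fails Luhn: not a card
    ("upload", "SSN on file: 123-45-6789 for onboarding"),
    ("chat", "lunch at 12:30?"),
]

# Channels on which a confirmed finding is blocked rather than just alerted (assumed policy).
EGRESS = {"email", "upload"}

# 14-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# US SSN with the commonly excluded area/group/serial values rejected.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits):
    """Luhn mod-10 check; cuts false positives from order numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return normalized card numbers that match the pattern AND pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect(channel, text, tags=()):
    """Content inspection first, then a context decision based on the channel.

    Returns (verdict, findings) where verdict is 'allow', 'alert' or 'block'.
    A document the business unit tagged 'confidential' counts as a finding too.
    """
    findings = {"card": find_cards(text), "ssn": SSN_RE.findall(text)}
    if not any(findings.values()) and "confidential" not in tags:
        return "allow", findings
    return ("block" if channel in EGRESS else "alert"), findings

def run_samples():
    return [inspect(ch, txt)[0] for ch, txt in SAMPLES]
```

Running `run_samples()` on the constructed events yields block, allow, block, allow: the Luhn-failing order reference in the second email is the false positive a bare regex would have raised.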
4. Endpoint Standardization
Endpoint DLP is generally considered to be the most effective method for preventing data loss, since it can monitor activity that extends beyond Web and email. However, it is also the most frustrating to work with; it can be difficult to fully deploy and tune, and it generates the greatest number of alerts. One key reason for this is that many organizations have not standardized their endpoint deployments. They often use various laptop models and do not have standard images defined and utilized. This makes it difficult to test DLP for effectiveness and potential conflicts, and to ensure the effective monitoring of hardware, such as removable media. It also makes it difficult to devise the specific strategies and policies that individual business units need in order to minimize the impact DLP may have on their day-to-day operations. The growing adoption of Windows 10 provides a great opportunity for enterprises to standardize their endpoint deployments.
5. Cloud and Mobile Issues
A DLP agent for mobile devices is currently infeasible for several reasons, including a lack of required CPU and memory resources. Typically, providing DLP on mobile devices requires a backhaul VPN connection to the corporate network where DLP can monitor activity. However, the growing use of cloud services makes mobile device activity more difficult to monitor, as connections are often bypassing VPN and going direct. This is also a concern for laptop users working remotely.
Monitoring cloud usage for potential data loss requires proper planning and expectations. DLP vendors are slowly introducing tighter API integrations with cloud services such as AWS, Box, Office 365, Google Drive, Salesforce and others. They are also integrating with Cloud Access Security Brokers (CASBs) to provide visibility to additional SaaS vendors. But cloud service vendor support and integration levels vary by DLP vendor. Establishing an understanding of which cloud services are being used — both authorized and unauthorized — is key. With this information, organizations can work with DLP vendors to determine what they can realistically support now and in the near future. Compensating controls should be leveraged to help monitor and secure sensitive data stored with cloud service providers that are not currently supported by DLP vendors.
Integrations with Security Controls
DLP is most effective as part of an overall data-centric security program, and integrates well with other security solutions to enhance its capabilities. Complementary controls include the following:
DLP Is a Process, Not a Product
As traditional approaches to security continue to prove ineffective against today’s threats, enterprises need to shift towards a security model that focuses on data protection at its core. Properly deployed, DLP is an integral part of a mature security program and a powerful tool for protecting sensitive data. But perhaps the most critical element of successful DLP implementation is understanding that it is not a product that provides a quick fix — it is a process, and installing it is just the beginning. In order for it to be part of successful data-centric security, organizations need to plan carefully and integrate it with complementary controls in order to understand their information assets and protect critical data throughout its lifecycle — no matter where it is stored, used or transmitted.