Not DLP…Data Risk Management – Part 1
The term “Data Loss Prevention”, or “DLP” for short, is being used to universally describe any technology able to detect, and then react to, information matching one or more pre-defined patterns as it traverses network devices, servers or workstations. As is the case with the most promising and well-funded concepts (think “SaaS” or “Cloud Computing”), the term is altogether overused, fairly misleading and, as a result, not completely understood by the overwhelming majority of businesses that would benefit greatly by leveraging the technology within their respective environments.
Over the coming weeks, I’ll do my best to demystify DLP from the perspective of one that has worked to design and implement DLP strategies within complex environments. To be clear, my objective is not to re-invent the Gartner Magic Quadrant for DLP, but rather to leave you, the reader, with an understanding of what considerations should underpin your strategy for utilizing DLP to improve risk management capabilities within your environment. If, after reading the series, any small percentage of those that had previously interpreted DLP to be a passing fad actually reach out to an experienced security integrator to initiate an assessment of their unique requirements, I’ll be forced to consider the project nothing less than a complete success.
The Term “Data Loss Prevention” is Nothing More/Less than Brilliant Marketing Lingo
The term “Data Loss Prevention” implies an ability to stop a fairly bad thing (data loss) from happening. While it is true that the associated technology is ultimately capable of this end, the phrase is too broad to be believable. For years, security professionals have deployed firewalls, intrusion detection systems, access control systems, etcetera in unison with the same aim of preventing/limiting loss. The idea that a single technology might embody the benefits now assigned to multiple facets of a well-designed security architecture is enough to turn most risk management professionals off.
Seriously, I can’t tell you how many times I’ve read, heard and used the phrase “Defense in Depth” as part of a passionate plea involving some otherwise well-intentioned information technology executive about to put all of his/her security eggs (dollars) in one basket. So, the first point I want to make is that, in the real world, the consistent prevention of data loss can be achieved only through the effective use of multiple technologies used in conjunction with an effective risk management program. And thus, I agree that the term “Data Loss Prevention” is a poor label for any single security technology.
In the same breath, I will admit that the term does generally garner the immediate and lasting attention of any top IT officer interested in self-preservation. For this reason alone, it is effectively marketing genius – to be sure, if part of your job involves “selling” security concepts upward, try getting stronger interest in the aforementioned methods (firewalls, intrusion detection, access controls) before reading on. For the most part, I’m sure you’ll agree that the three words become much more powerful when used to describe a single defense mechanism. So, for this reason alone, I’ve stopped complaining about the lingo. However, for the pundits, including those well-seasoned IT veterans able to simultaneously recognize and discredit any attempt to promote a “magic bullet”, I am quick to point out that DLP would have been called “Data Risk Management” if the same term weren’t completely boring and totally devoid of any marketable sizzle.
How does DLP technology enable Data Risk Management?
Risk Management 101 teaches us that, before being able to effectively manage risk associated with any specific asset, we must first establish an idea of what the asset is worth to us. Using this information as a guide, we’re in a much better position to make educated decisions about how much time/money we should spend defending it against loss or damage.
When implemented correctly, Data Loss Prevention technologies return a wealth of information about data being stored, transferred and used on and across a network. While assessing the effect such insights might have upon your ability to manage risk within your environment, first evaluate the number and size of documents currently being stored on shared folders attached to your network. Unless you’re sure of the precise content contained in each document, you’ve likely made some assumptions about what is exposed to large segments of your employee population.
Using DLP as a Data Discovery tool and studying the results in order to better understand the data being stored on your network, you’ll be able to determine where to apply extra layers of protection. You may choose to take advantage of the built-in active prevention features within the DLP toolset or choose to utilize other controls to enable this protection. Right now, the manner is inconsequential. It is only important to recognize the fact that DLP can help us identify specific types of information within much larger repositories of unstructured data.
As you begin to think about what specific information classes might need to be identified within your environment, consider the following examples:
- Engineering firms will likely want to find design details related to their most profitable products.
- Financial institutions may want to identify details related to high-worth clients.
- Software development houses will likely want to identify anything resembling source code.
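As an added illustration (not code from the original post or any DLP product), here is a minimal discovery scan over a constructed sample share: it counts files and bytes as suggested above, then flags documents matching two hypothetical information classes from the list, anything resembling source code and card-like numbers validated with a Luhn check. The detection rules and the sample files are assumptions standing in for a real DLP policy and a real file share.

```python
import os, re, tempfile

# Hypothetical detection rules standing in for a DLP policy (constructed for this example).
SOURCE_CODE = re.compile(r"^\s*(import |#include |def |class |public static)", re.M)
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum: cuts false positives on arbitrary 13-16 digit runs."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def classify(text):
    """Return the set of information classes found in one document's text."""
    hits = set()
    if SOURCE_CODE.search(text):
        hits.add("source_code")
    for m in CARD_LIKE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.add("card_number")
    return hits

def discover(root):
    """Walk a share: count files and bytes, and record which classes appear in which file."""
    inv = {"files": 0, "bytes": 0, "flagged": {}}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            inv["files"] += 1
            inv["bytes"] += os.path.getsize(path)
            with open(path, errors="replace") as fh:
                hits = classify(fh.read())
            if hits:
                inv["flagged"][os.path.relpath(path, root)] = sorted(hits)
    return inv

def build_sample_share():
    """Constructed sample share: a source file, a client record, and a harmless memo."""
    root = tempfile.mkdtemp()
    samples = {
        "dev/build.py": "import os\n\ndef main():\n    return os.getcwd()\n",
        "finance/client.txt": "Client: J. Doe\nCard: 4111 1111 1111 1111\n",
        "memo.txt": "Lunch is at noon. Order number 1234567890123.\n",
    }
    for rel, text in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root
```

Running `discover(build_sample_share())` flags the source file and the client record but not the memo, whose 13-digit order number fails the Luhn check; the same inventory, taken over a real share, is the input to deciding where extra layers of protection belong.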
I’ll get into the specifics of how we can begin to use DLP to identify important data in my next post, Not DLP…Data Risk Management – Part 2.