Defining a DLP strategy
Defining a DLP strategy
Data leakage prevention (DLP) solutions remain fairly immature, but the need to protect and monitor sensitive information is greater than ever. Creating a coherent DLP strategy can seem challenging, but it all starts with understanding the business requirements. Start by answering the fundamental questions. Is your organization looking to achieve basic regulatory compliance, or understand how sensitive data is being used and where it is being accessed? Do you want to actively block sensitive data, filter it or just monitor it? You need to consider all these scenarios in the context of data at rest, in transit and in use.

These requirements will ultimately be translated into DLP event triggers, so engage your business early on in this process. If you are deploying a global solution, you may also need to factor in employee privacy issues. While you should always start with meeting basic compliance requirements, the most value will come from bringing your business leaders to the table. Many DLP tools come with basic predefined policies addressing things like sensitive personally identifiable information, but what does intellectual property look like in your organization, and what should be done when these assets fall outside the parameters of acceptable use?

A key decision point will be deploying a gateway or endpoint monitoring solution. DLP endpoint monitoring tends to be more sophisticated, but can introduce support headaches. Endpoint monitoring solutions also tend to focus on Windows PCs, often neglecting mobile platforms, Linux and Mac. The “bring-your-own-device” trend will introduce a whole new breed of monitoring challenges at the endpoint. Gateway solutions tend to be broader in their reach, but may be less sophisticated in their ability to respond to events. If you need fine-grained control over how users print and access USB ports, then you need to focus on the endpoint. If broader response controls are acceptable, a gateway solution may make more sense. Ultimately, a hybrid approach may be your best choice.

Event response should be automated wherever possible. The output of these tools can be significant, and you won't be able to hire enough analysts to pore through all the data manually. Distinguishing between priority events that need a more formal response and low-level events that can be automated will be critical.

Start small and keep aggressive control over your project scope. Most DLP deployments are multiyear efforts that will evolve over time. And don't neglect the basics. Simple steps, like ensuring your laptops are encrypted and user awareness programs are up to date, can also serve as components of a solid strategy.

[sidebar]

»User education is key
A strong DLP program addresses user education, says Brown. It's not enough to simply block or monitor sensitive data. Make sure that users understand the security policy.

»Tools to simplify tasks
Also, provide them with compliance tools, like email encryption. Many DLP tools are even capable of automatically enforcing requirements, like data encryption.

»Spread the word
You will need to work with leaders across the company, as well as employees. DLP should be an education and awareness exercise as much as it is a means of protecting data.

»Nothing is foolproof, but...
Of course, no DLP solution will prevent a determined and intelligent insider, but don't underestimate how many exfiltration incidents occur by mistake every year.