Locking your front door and leaving your windows and back door open is not a wise home security strategy.  Protecting your endpoints and leaving your network and file servers vulnerable to data loss is not a sound enterprise Data Loss Prevention (DLP) strategy.

Endpoint DLP software is a good solution to prevent users from storing sensitive information on removable devices such as USB sticks and CD-ROM discs and to protect against unauthorized transmission of sensitive information when a user is not connected to the corporate network (e.g., at Starbucks, an airport, or a hotel).

A complete endpoint solution also will include disk encryption, which prevents unauthorized individuals from accessing the information on a lost or stolen laptop.  However, endpoint DLP software is not a complete DLP solution.

A complete DLP solution offers protection in three domains: at the endpoint (data in use), at the network (data in motion), and at the file server (data at rest).

Why are all three domains of protection necessary? 

First, it is difficult, if not impossible, to ensure that 100 percent of the endpoints connecting to the corporate network are managed by the corporation and are equipped with DLP agents.  Contractors, customers, business partners, and visitors may have a legitimate need to access the network. Forcing installation of DLP software on all these user devices is not practical.  Furthermore, most organizations have many servers (including email, FTP, and collaboration servers) that communicate externally and on which it is not possible to deploy agents.

Second, not all data-loss risk originates from the endpoint. Sensitive information may be inadvertently stored on “open” SharePoint, FTP, or other servers, for example.  Business partners, customers, or other authorized users of these “privately accessible” file shares may be able to download this sensitive information if there is not some protection in place at the network level.

Third, whether it ever leaves the corporate network or not, some sensitive information (e.g., credit-card data or highly confidential R&D information) should never be stored in unprotected locations within the corporate network.  The only way to proactively identify these information security risks is to periodically scan file and document data repositories using a DLP discovery function.  If violations are detected, then the offending material can be moved or removed.

A critically important element of a complete DLP solution is the centralized policy and incident management system. This system should use a single policy manager and a single incident manager for the data-in-motion, data-at-rest, and data-in-use DLP elements.

The actions taken on a violation may vary according to the domain in which the data loss is detected (e.g., you may take encryption action if you detect sensitive information leaving a network, while you may take a “move” action to relocate sensitive information from one file server to another).
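The following is an added example (not code from the article or from any DLP vendor) that shows the two ideas above in working form: a discovery scan that walks a file share looking for unprotected credit-card data, and a single policy definition whose response differs by domain (the article's "encrypt" for data in motion and "move" for data at rest). The detector (a digit pattern plus a Luhn check), the `POLICY` table, the "block" action for data in use, and all function names are assumptions made for this illustration; the sample note and the card number in it are constructed test values.

```python
"""Added example: data-at-rest discovery scan driven by one cross-domain DLP policy.
Not the article's or any product's code; names and the policy table are assumptions."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# One rule shared by every domain; only the response differs per domain (single policy manager).
# "encrypt" (in motion) and "move" (at rest) follow the article; "block" for in use is assumed.
POLICY: Dict[str, Dict[str, str]] = {
    "pci-card-number": {"in-motion": "encrypt", "at-rest": "move", "in-use": "block"},
}

# Candidate card number: 13-19 digits, optional space/dash separators, ending on a digit.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return Luhn-valid card numbers (separators removed) found in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Incident:
    location: str  # file path, mail queue id, endpoint + device, ...
    domain: str    # in-motion / at-rest / in-use
    rule: str
    matches: int
    action: str    # response chosen by the central policy for this domain


def scan_text(text: str, domain: str, location: str) -> List[Incident]:
    """Apply every policy rule to one piece of content; results go to the single incident manager."""
    incidents = []
    for rule, actions in POLICY.items():
        found = find_card_numbers(text) if rule == "pci-card-number" else []
        if found:
            incidents.append(Incident(location, domain, rule, len(found), actions[domain]))
    return incidents


def discover(root: Path, suffixes=(".txt", ".csv", ".log")) -> List[Incident]:
    """Data-at-rest discovery: walk a share and scan every readable text file."""
    incidents = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            incidents.extend(scan_text(text, "at-rest", str(path)))
    return incidents


# Constructed sample: the first number is the well-known Visa test value, the ticket
# number looks like a card number but fails the Luhn check, so it is not reported.
SAMPLE_NOTE = "Customer callback: card 4111 1111 1111 1111 exp 12/29, ticket 1234 5678 9012 3456\n"

if __name__ == "__main__":
    # Same content, same rule, different domain: the action changes (move vs. encrypt).
    for inc in scan_text(SAMPLE_NOTE, "at-rest", "//fileserver/open/callbacks.txt"):
        print(inc)
    for inc in scan_text(SAMPLE_NOTE, "in-motion", "smtp-outbound:msg-0001"):
        print(inc)
    # discover(Path("/mnt/share")) would run the same rule over a mounted file share.
```

Running the block reports one incident for the sample note in each domain; the at-rest incident carries the "move" action and the in-motion one "encrypt", while the Luhn-invalid ticket number produces nothing. A real discovery function would add file-type parsers (office documents, archives) and rate limiting, but the structure is the same: one detector, one policy, a per-domain response.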

Endpoint DLP software has an important role to play in a complete DLP implementation.  However, due to the challenges of deploying yet another endpoint agent and the gap in security coverage caused by using only endpoint solutions, most organizations have found that it is easiest to begin with a network (data-in-motion) or server (data-at-rest) DLP solution and to add the endpoint (data-in-use) solution as a third step in their deployment strategy.

Any solution requires a centralized management system with common policy management across all DLP elements.