Thomas Fischer (pictured), Global Security Advocate at Digital Guardian explains why Data Loss Prevention (DLP) should be the foundation for a data-centric security strategy in 2018. He lays out the steps organizations should consider when deploying a DLP solution.
AS BUSINESSES continue to go ‘digital’, we find ourselves in a perimeter-less world; constant information flow is the lifeblood of the business ecosystem. Data is distributed and disbursed throughout the ecosystem, expanding the domain requiring protection. Adversaries are actively targeting critical data assets throughout the ecosystem— significantly increasing exposure and impact to businesses.
Faced with this new reality, protecting your organizations’ most critical assets, requires a shift in mindset and a data-centric approach to security. Enter Data Loss Prevention (DLP). Today’s DLP solutions must protect against insider threats, external attacks, and outsiders posing as insiders. DLP must protect enterprise data no matter where it resides and how it is used. It must protect financial information, customer data, and intellectual property. DLP technologies provide valuable context that can help enterprises recognize the sensitivity of potentially compromised data, and then focus remediation and incident response efforts accordingly.
Success with DLP depends on setting reasonable data protection priorities, selecting a deployment method and correctly evaluating vendor solutions.
Step 1: Determine Your Primary Data Protection Objective
The most important consideration before undertaking a DLP project is to determine your organization’s primary data protection objective. Traditionally, organizations adopt DLP to achieve one of three objectives:
- Comply With Regulations – Compliance has long been and remains a primary driver of DLP demand. Starting more than 15 years ago, regulatory requirements mandated controls for handling sensitive data and helped drive a surge of “checkbox DLP” purchases by large, compliance-bound enterprises. Heavily regulated industries, such as financial services, retail, government and healthcare, tend to invest most in DLP when compliance is the primary objective.
- Protect Intellectual Property – Forrester Research makes the case for IP protection as the top DLP objective as compared to securing personal cardholder information (PCI), personal health information (PHI) or personally identifiable information (PII). The loss of IP can result in a permanent loss of competitive advantage. IP tends to skew towards unstructured data. DLP tools must be trained to understand which unstructured information constitutes your organization’s critical IP, meaning the solution must be able to discern unstructured data’s content and context.
- Business Partner Compliance – The globalization of the supply chain means that manufacturers of goods and services rely on global relationships to deliver value to their customers. To facilitate this an unimpeded data flow is needed, often this stream contains sensitive data. Global relationships require an unimpeded data flow, necessitating robust data protection.
Step 2: Determine the Architecture
With your data protection objective defined, there are four primary DLP deployment architectures, and a growing number of organizations are leveraging a mix to cover their evolving business.
- Endpoint DLP – Endpoint DLP relies primarily on purpose-built software agents, that live on endpoints – laptops, desktops, servers, any device that runs on Microsoft Windows, Linux, or Apple OS X. The agent delivers visibility and, if desired, control over data. Deployment involves installing the agent on machines where protections is desired. No agent means no coverage.
- Network DLP – Often referred to as agentless DLP, Network DLP delivers visibility and control of traffic that passes across the network. A physical or virtual machine inspects all traffic, such as mail, web, IM and can then enforce data policies. Deployment is either via a physical appliance or a virtual machine then configuring network traffic to pass through for the inspection.
- Discovery DLP – Discovery DLP proactively scans your network, including laptops, servers, file shares, and databases to deliver a comprehensive analysis of where sensitive data resides on all these devices. To perform the data discovery some solutions require an agent to also be installed on the machine being scanned.
- Cloud DLP – Cloud DLP, much like Discovery DLP, scans storage repositories and delivers an accurate picture of where sensitive data lives, though as its name suggests Cloud DLP focuses on your data that lives in the cloud. Cloud DLP relies on an API (Application Program Interface) to connect with the cloud storage service (Box, OneDrive, etc.) and then scans the content. Cloud DLP sees data as it is being put into the cloud and can perform a cloud storage audit or remediation.
Step 3: Selecting a Vendor
Before reaching out to vendors, engage business leaders informally on what data exists and how it’s used. What pockets of information exist in your business? Who uses the data, who shouldn’t use it? How does sensitive information move? How could your data be lost, compromised, or abused? Compare these insights with how perception differs from reality. The benefits of this are twofold. For one, these discussions provide you with the details needed to create a strategic data protection plan and secondly, it will make business leaders aware of the program and begin the process of gaining buy-in from critical constituencies.
When it comes down to actually selecting a vendor, make sure you:
- Research initial vendor set – Hundreds of vendors offer some form of data protection. I recommend identifying and applying a set of filters to narrow down your organization’s choices. One common filter is identifying whether the vendor supports all of your operating environments. Another guide used by many organizations is the Gartner Magic Quadrant report for Enterprise DLP. Peer research is a valuable source of information as well.
- Reach out to vendors with a plan – After you create the short list, it is time to contact the vendors. Have a list of use cases or critical business needs. This process can be as structured as you need it to be to satisfy your internal organization.
- Consolidate responses – Gather the key stakeholders and seek to build consensus around which vendors have the best ability to solve your problems.
- Narrow choices down to two vendors – Based on RFP scores or rankings, you should be able to eliminate all but two vendors that can be engaged for onsite presentation and risk assessment.
- Conduct pilot tests – Request pilots from both vendors, or from a single finalist as selected from onsite meetings.
- Select, negotiate, purchase – After pilot testing has concluded, take the results to the full selection team and begin negotiating with your top choice.
If you are business manager who values the data you own, demand a DLP solution. If you lead IT security, make DLP a priority initiative for 2018.