Data leakage prevention solution deployment faces huge pitfalls mainly due to lack of planning and insufficient knowledge.
While enterprises invest in the best of security tools, be it Firewalls, Intrusion Prevention Systems (IPS) or Intrusion Detection Systems (IDS), etc., to protect their data from external hackers, statistics indicate that the highest number of data leaks originates from within the organisation rather than from external sources. The biggest concern of every CISO is data compromised within the organisation.
Why is DLP Crucial?
Investments have already been made to protect organisations’ data from external hackers: an absolute must. But now the time has come for organisations to also accept the fact that there is a dire need for them to make investments in technology to protect their data from being leaked by their own employees, be it through an inadvertent mistake or malicious intent. Such sensitive data can come in the form of private or company information, financial statements, business strategies, patient details, credit-card details, intellectual property (IP), source code sent with CV to competitors and other information, depending on the industry vertical that the company is operating in.
Organisations are still not willing to invest in this technology, which has been around for quite some time now. This is so even as technology players in this arena are few, and even as some are still grappling with perfecting this technology and their offerings. Despite efforts by CISOs to discover leakages, some leakages of information still go undiscovered and unnoticed, which, in turn, adversely affects the business.
Besides, it is vital to understand the other reasons why organisations should invest in this technology. What if an organisation handles US patient details, is governed by the Health Insurance Portability and Accountability Act (HIPAA), and a patient’s confidential data is leaked by an employee? What if an organisation is compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) and credit card information of customers is leaked by an employee? What if this information is made public in the press? How would the organisation handle the impact on its brand and reputation, and the adverse publicity?
What would the remediation cost be?
How can DLP Help?
Data Leakage Prevention (DLP) solutions are designed to detect potential data breaches and prevent them by monitoring, detecting and blocking sensitive data through deep content analysis. The organisation needs to identify the holes or exit points through which leakage might occur. This might be through data in use, for example, Mobile, DVD/CD, USB, Print, Network Shares, etc. (i.e. Endpoint); through data in motion, for example, Email, Webmail, FTP, Instant Messaging (IM), etc. (i.e. Network Traffic); or through data storage media, for example, File Servers, Databases, Email Servers, etc.
Why do DLP Deployments Fail?
Buying and installing a DLP solution is not as simple as some vendors would like one to believe. In the days gone by, vendors used to pull a fast one on customers by promising them total security from external hackers by selling them firewalls. This is where the deal ended. Configuring the firewall correctly, fine-tuning, etc. was not given any importance and the management’s impression was that the organisation’s data was totally secure from external hackers, since they now had a firewall. The pitfalls were mainly due to lack of planning, prior to deploying the firewalls.
The biggest mistake organisations make when opting for a DLP is that they procure the solution before they even think about classifying their data. Without data classification, how would technology know what data to protect and how could technology prevent the loss of important, sensitive information? So, data classification, prior to procuring the product, is of paramount importance. If you are thinking of doing both the activities at the same time, it could lead to total failure, since data classification is not an overnight activity, even if an overzealous vendor, keen to sell his DLP product, may lead you to believe otherwise.
Another drawback when deploying a DLP solution is the lack of involvement of the business owners who work directly with the creation and usage of the data targeted for protection. Designating a primary business owner of the DLP solution, in conjunction with technical management, is the best recipe for success in the planning phase of the project. Without direct involvement from the business, the DLP will never produce more than mediocre results.
Another recipe for failure is the dependence of an organisation on “out-of-the-box” policies as the main criteria for detection. This is akin to the analogy above, where vendors would deploy out-of-the-box policies when installing a firewall. In such instances, these out-of-the-box policies would never be able to encapsulate the unique attributes of an organisation’s information targets. This could generate a combination of false positives and false negatives, which in turn could lead to an unmanageable amount of data. The biggest trap that companies fall into (especially smaller ones) is that they do not realise that for successful DLP deployment, they need to have processes in place first. The DLP technology is merely an enabler of the process. Continuous education and training are still an absolute must and cannot be discounted.
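The following example is added here and is not part of the original article. It illustrates the content analysis described earlier and the false positives and false negatives a generic policy produces, by comparing a pattern-only rule with one tuned using the Luhn checksum and the organisation's own classification markers. The marker names and sample messages are constructed assumptions.

```python
import re

# Generic rule of the kind shipped by default: any 13-19 digit run,
# with optional spaces or dashes between digits.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical classification markers this organisation stamps on sensitive
# documents; a default policy cannot know them.
ORG_MARKERS = ("PROJECT-ORION", "INTERNAL-CONFIDENTIAL")

def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def candidates(text: str) -> list[str]:
    """Digit runs that look like card numbers, separators stripped."""
    return [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text)]

def generic_policy(text: str) -> bool:
    """Flags on pattern shape alone."""
    return bool(candidates(text))

def tuned_policy(text: str) -> list[str]:
    """Flags checksum-valid card numbers and organisation-specific markers."""
    findings = []
    if any(luhn_valid(c) for c in candidates(text)):
        findings.append("card-number")
    if any(marker in text.upper() for marker in ORG_MARKERS):
        findings.append("classified-marker")
    return findings

# Constructed sample messages (not real data).
SAMPLES = [
    "Please charge card 4111 1111 1111 1111 for the renewal.",  # test card number
    "Shipment tracking 1234567890123456 left the warehouse.",   # not a card
    "Attached: Project-Orion pricing model, do not forward.",   # classified
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(generic_policy(msg), tuned_policy(msg), "|", msg)
```

The generic rule flags the tracking number (a false positive) and misses the classified attachment (a false negative); the tuned rule handles both only because the classification markers were defined beforehand.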
About the author:
Berjes Eric Shroff is a security professional and former Senior IT Manager of Tata Services Ltd.