"Business technology news for Europe's senior executives...."
25 May 2011

Data Loss Prevention – A Step-by-Step Guide to Blocking Leaks


Industry analysts report that of all the active DLP installations, over 90% are running in 'monitoring only' mode. This means they notify an organisation when data has been leaked but they do not stop it. Why are these DLP solutions not being deployed to proactively prevent the leakage of data, the very function they were designed for?

It comes down to the impact DLP technology can have on an organisation's day-to-day business. The solutions can have high false positive rates, which means a lot of false triggers that have to be investigated. If the solution is in active mode, a false positive means you have just prevented an employee from doing their work. Tuning the current solutions for fewer false positives typically raises false negatives, which means you could be missing instances of data leakage. To make these solutions more effective and accurate you need to spend time training them on each type of confidential content, which can be very time consuming.

So the approach to deploying DLP solutions needs to be carefully thought through and planned.  To assist you in this task here are the key steps that you should consider to ensure you implement a successful DLP strategy:

Step 1 - Do you really need a DLP solution at the moment?

The technology and capability of DLP solutions are improving all the time, so the longer you can delay the implementation, the better the product will be - so the theory goes.

Step 2 - What type of solution do you require?

There are many different types of DLP products on the market, such as hard drive encryption products or endpoint port control solutions, but these address only one of the ways that data loss can occur. Content-aware DLP solutions focus on controlling the content or data itself.

There are two different types of content-aware solutions:

1. Single Channel solutions - Focus on just the data loss channel you want to address, such as email or Web.

2. Enterprise DLP solutions - Focus on complete network coverage but involve costly and lengthy implementations that can impact your business.

However, just because you are an enterprise doesn't mean you need an Enterprise DLP solution.

Before buying a new product, review your incumbent vendors for email or Web security. They might be able to meet your immediate needs and have a solid roadmap for the future.

Step 3 - Identify what you want to protect

If you know exactly where all the content is that needs to be protected, then you are well on your way. If you don't, then you will need to consider using a data discovery solution, both to answer this question and to ensure you keep control of it in the future.

Step 4 - Establish why the content needs to be protected

Is it for compliance reasons or for protection of intellectual property? This could change not only how the content is identified but also how it is reported on. For compliance, you will need to ensure that you meet not only the data coverage required, like credit card numbers and other personally identifying information (PII) as required for PCI DSS compliance, but also the reporting requirements for the auditing process. For IP control, perhaps the solution has to recognise source code, or perhaps CAD files? Ensure the solution you are evaluating is able to deliver this.

Step 5 - Identify how data is currently lost

This will help you determine the type of product to use. Is it through email? Is it being uploaded to websites such as Web email or blog sites? Is it the usage of USB sticks on your endpoints?  The most important advice here is not to try to solve all data loss possibilities that you can think of. Look at the accidental loss of data. Stopping the deliberate loss of data is significantly more difficult and will have a bigger impact. 

Step 6 - Policy Creation

This is where we get down to the implementation. Once the solution is installed, we look at how to create a policy that recognises the actual content we want to control and defines how it will be controlled. Completing the above steps will help you define the policy and its application.

Step 7 - Testing

Like any other IT implementation, testing is a critical factor to ensure success. You need to do a significant amount of testing, and it is always better to run initially in monitoring-only mode to gauge the impact while you are tuning the controls. The testing will help you to fine-tune the policy and how it is enforced in the future.
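
As an added illustration of Steps 6 and 7 (not part of the original article and not any vendor's product code), the Python example below defines one content rule for payment card numbers, runs it in monitoring-only mode over a constructed set of labelled messages, and counts false positives and false negatives before anything is blocked. The function names, the mode labels and the sample messages are assumptions made for the example; the two valid card numbers are published test numbers.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_cards(text, validate=True):
    """Return digit strings matched by the rule; validate=False is the naive rule."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits

def apply_policy(text, mode="monitor", validate=True):
    """monitor: deliver and raise an alert; enforce: block the message."""
    hits = find_cards(text, validate)
    if not hits:
        return "deliver", hits
    return ("block" if mode == "enforce" else "deliver+alert"), hits

# Constructed, labelled test messages: (text, really_contains_card_data).
SAMPLES = [
    ("Customer card 4111 1111 1111 1111 exp 09/27", True),   # published test number
    ("Order ref 1234567890123456 shipped today", False),     # fails Luhn
    ("Invoice 1234567890123452 attached", False),            # passes Luhn by chance
    ("Card: 5555-5555-5555-4444, please charge", True),      # published test number
    ("PAN 4111.1111.1111.1111 sent as requested", True),     # dots: rule misses it
]

def evaluate(validate):
    """Run in monitoring-only mode and count (false_positives, false_negatives)."""
    fp = fn = 0
    for text, sensitive in SAMPLES:
        flagged = apply_policy(text, "monitor", validate)[0] != "deliver"
        fp += int(flagged and not sensitive)
        fn += int(sensitive and not flagged)
    return fp, fn

if __name__ == "__main__":
    print("naive rule     (FP, FN):", evaluate(validate=False))
    print("Luhn-validated (FP, FN):", evaluate(validate=True))
```

Checksum validation removes one of the two false alarms but not the invoice number that happens to pass Luhn, and the dotted card number is missed either way, which is the kind of finding a monitoring-only test run is meant to surface before enforcement.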

Step 8 - Policy Communication

A step many miss. Employees need to be brought into the project to guarantee success. It will impact their day-to-day functions, so you need to be certain they understand why these controls are in place and that they support their use. Obtain their feedback on the controls and how you might minimise the impact on their work.

Step 9 - Policy Enforcement

Now that we have created, tested and communicated the policy, we can shift into active mode. Don't turn on all the policies at once. Prioritise and release the most important and critical ones first. Ensure you have plenty of coverage to rectify any issues not found in testing, as these will impact the employees who are trying to do their job.

Step 10 - Future proof your organisation

You have taken the first steps here, but don't assume your job is now done.  Look for better ways of classifying content or where different types of content are saved.  When new applications or systems are installed, consider how you can implement them to simplify the DLP controls required.  Also continue to pay attention to the evolution of your DLP product. Keep it up to date as there will be newer and better ways of implementing the controls you have in place.