Mature Data Loss Prevention: 8 questions to ask about DLP
An effective DLP solution must not only be accurate, it must be easy to deploy and simple to manage.
By Lior Arbel
Many of today’s DLP solutions reflect first-generation approaches and fall short on three key requirements: they suffer from high false-positive rates, complicated and time-consuming deployments, and resource-intensive incident management.
The most important thing with DLP projects is to understand what “Day 2” of the project will look like. To help determine whether a DLP solution will truly meet your organisation’s needs and will not lead to an unexpected investment, try asking the following questions:
Question 1: How many servers and/or appliances are needed in production?
Why you need to know: A well-designed and mature solution does not require racks full of servers to deliver enterprise-class results and should not take weeks or months to deploy. The amount of hardware and the number of steps needed are a key indicator of the maturity of the product. One appliance and one server can provide a complete solution, and additional boxes can be added for scalability. Ideally a DLP solution should be deployed as a unified solution, not as a collection of multiple point solutions.
Question 2: Can ALL data be protected when not connected to the corporate network?
Why you need to know: Sensitive information held on mobile systems that are not connected to the corporate network should have the same level of protection as information held by local users. Transmission delays between a remote user and the inspection server are impractical for real-world use, leaving critical data vulnerable. The ideal solution should protect and monitor ALL types of sensitive information regardless of where the user is located.
Question 3: How resource-efficient is your architecture?
Why you need to know: A well-designed solution requires an efficient architecture that scales and adapts to your organization’s changing requirements. DLP policy can be user-aware and the endpoint policy server can serve all users regardless of which policy they have. This approach uses resources efficiently and adapts to changing requirements within the enterprise. Conversely, if each endpoint policy profile requires the customer to deploy, configure, and manage a dedicated server, it places a practical limit on the number of different endpoint policies that can be used.
Question 4: How easy is it to manage your solution?
Why you need to know: Immature products require multiple consoles and numerous complex configuration steps, driving costs up while increasing the likelihood of human error. With a mature product, all management and configuration is done in one unified GUI, which streamlines administration, decreasing the amount of time required to operate the solution and reducing the likelihood of human error.
Question 5: How broad is the supplied policy coverage?
Why you need to know: A mature solution should provide extensive out-of-box policy coverage, with all policies available as needed, to make the job of the operator easier and more effective. Since every company’s data is different, you are likely to require custom policies too. The vendor should be able to assist in writing, testing, and delivering custom policies, which means you can hit the ground running with the solution.
Question 6: Is your solution aware of the destination of sensitive communications?
Why you need to know: Destination awareness is the key to preventing the loss of sensitive data with a minimum of false positives. For example, confidential data sent to a Webmail site represents a different kind of risk than sending that same data to a social networking site. Having awareness of the destination when detecting DLP incidents that occur over the Web also lowers the overall administrative burden of evaluating incidents for further action, which in itself equates to significant cost savings.
Question 7: How do you provide a manageable incident load with low false positives?
Why you need to know: False positive alerts have a major impact, and while many vendors seemingly claim low false positive rates, it’s worthwhile to explore this area and fully test the solutions to see which of them live up to the claims. Modern detection technologies go beyond simple regex matching and utilize full-featured script-based identification to complement basic pattern matching. Things to look out for include unnecessary incident duplications and natural language name identification, which is critical for complying with privacy regulations.
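The following added example (not from the article or any vendor's product) shows the effect described above: a regex-only detector next to one that adds a scripted validator and collapses duplicate incidents. The Luhn checksum is an assumed stand-in for "script-based identification", and the sample events, names and destinations are constructed.

```python
import hashlib
import re

# Basic pattern matching: 13-19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Scripted validator: Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def regex_only(text: str) -> list[str]:
    """Every digit run that merely looks like a card number."""
    return [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]

def validated(text: str) -> list[str]:
    """Regex candidates that also pass the checksum."""
    return [n for n in regex_only(text) if luhn_valid(n)]

def incidents(events):
    """One incident per (sender, destination, value); repeats only bump a counter."""
    seen = {}
    for sender, dest, body in events:
        for number in validated(body):
            # Store a truncated hash, not the sensitive value itself.
            fp = hashlib.sha256(number.encode()).hexdigest()[:12]
            key = (sender, dest, fp)
            seen[key] = seen.get(key, 0) + 1
    return seen

# Constructed sample events: (sender, destination, body)
EVENTS = [
    ("alice", "webmail.example", "Card 4111 1111 1111 1111 exp 12/30"),
    ("alice", "webmail.example", "Resending: 4111-1111-1111-1111"),
    ("bob", "crm.example", "Order ref 1234567890123456, tracking 9999888877776666"),
]

if __name__ == "__main__":
    print("regex-only hits:", sum(len(regex_only(b)) for _, _, b in EVENTS))
    print("validated hits: ", sum(len(validated(b)) for _, _, b in EVENTS))
    print("incidents:      ", incidents(EVENTS))
```

On the sample input, the order reference and tracking number match the pattern but fail the checksum, and the resent card number is folded into the first incident instead of raising a second one.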
Question 8: Can your solution protect my SaaS cloud based data?
Why you need to know: The solution should be able to protect data wherever it is stored, whether in an on-premise database or in a cloud-based data store, such as SalesForce.com. The increasing use of cloud-based SaaS redefines the border between “internal” and “external” destinations. An effective solution must be able to offer the protection of confidential data regardless of where that data resides and without requiring any export of the data to a new format.
The need for effective and efficient DLP solutions continues to grow with the new regulatory requirements businesses and organizations face. First generation solutions with all of their complexity and inefficiency are no longer acceptable. It’s worthwhile to take the time and effort to carefully evaluate the key requirements and choose a solution that is right for your organisation.
Lior Arbel is Director Strategic Data Security Solutions at Websense