How to Avoid DLP Implementation Errors
Data Loss Prevention (DLP) is a strategy to ensure that end users do not send sensitive or critical information outside of the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
The adoption of DLP, also called data leak prevention, information loss prevention or extrusion prevention, is being driven by insider threats and more stringent state privacy laws, many of which have strict data protection or access-control components.
Data Loss Prevention software products use business rules to examine the contents of files and label sensitive and critical information so that users cannot divulge it. The software can be useful for identifying and tagging well-defined content (such as Social Security or credit card numbers), but it tends to fall short when an administrator is trying to identify other sensitive data, such as intellectual property. To successfully implement corporate DLP software, you need to actively involve staff at all levels of management in creating the business rules for the labels.
Once DLP software tools have been implemented, an end user who accidentally or maliciously tries to reveal confidential information that has been tagged will be blocked. In addition to monitoring and controlling endpoint activities, DLP tools can also filter data streams on the corporate network and protect data at rest.
Here are some key points to keep in mind when implementing and using data loss prevention (DLP) tools.
Data Loss Prevention (DLP) tools are very effective in reducing the risk of sensitive data ending up where it shouldn't, but like any tool, if not used properly, the results will not be positive. By avoiding some common pitfalls, an organization can save time and money while better protecting itself.
· Set the right expectations: One of the most common mistakes in DLP implementations is not understanding what the technology is capable of, and how to properly integrate it into business processes. DLP is not magic, and different tools have different capabilities, especially with respect to content analysis. None of them can fully protect all data from every conceivable threat. DLP is about risk reduction, not threat elimination. It is important to know what kinds of policies can be defined, and what enforcement options are available, before starting an implementation. Then you need a proper workflow to handle policy violations. While human resources and legal teams are rarely involved in a virus infection, they can be intimately involved when an employee tries to send a customer list to a competitor.
Establish a good baseline from the beginning: know what data needs protection, the capabilities of the tools installed to protect it, and the workflow for handling incidents.
· Start with small, well-defined policies: DLP tools aren't necessarily prone to a lot of false positives, but build a bad policy and an organization will be inundated with bad results, or miss major losses. Start with a simple, narrow-scope, single-policy installation in monitoring mode. Take the time to adjust the policy until the expected results materialize, and then expand the implementation by adding policies and enforcement actions.
· Use the right analysis technique for the right content: I once spoke to an organization that complained about all of their DLP false positives, but it turned out that they had used a less effective content analysis technique than their DLP tool offered. By switching to a new technique (database fingerprinting, a methodology that matches content against "fingerprints" of the protected data's unique characteristics), the organization reduced false positives to an acceptable level.
Most of the time, false positives are real positives, but they denote content that does not pose any risk in that business context (for example, an employee entering their own credit card number on a website, as opposed to misusing a customer's card number). Using the correct content analysis technique or adding context to a policy can reduce false positives.
· Clean stored data before loading it into a policy: Some policies protect stored data, such as a database or document repository. However, scanning for bad content will not provide effective results. For databases, be sure to do some data cleaning to remove bad content (often test data) that can create false positives. For example, one of my clients had '0' listed as a social security number in their database, causing every 0 in an email to trigger an alert. For unstructured documents, exclude common corporate letterheads or footers. It doesn't take long, and it will improve the results substantially.
· Start with good directory integration (and clean directories): DLP policies are closely tied to users, groups, and lists. It is important to ensure that the DLP tool integrates properly with the organization's directory structure, and uses the functionality that exists in most Data Loss Prevention software to bind users to their Dynamic Host Configuration Protocol (DHCP) addresses. Some organizations are sloppy with their directories, which can make it difficult to locate an offending user (or apply policies to the right people). Check the directories for bad data before integration, and then test to make sure the integration works properly (I would hate to fire an employee because the IP addresses were transposed).
· Work closely with business units, don't just initiate enforcement: Lastly, there is no guarantee that the effects of a DLP policy on a business unit will be fully understood. Work with the management of that unit, and then implement the policies, first in monitoring mode, and then in notification mode (that is, an employee is told when he or she has violated a policy, even if the action is not blocked). Collect feedback to fine-tune the policy and balance business needs against risk management.
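As an added example (not code from the original post or from any DLP product), the following Python sketch contrasts the two points above about analysis technique and data cleaning: a naive substring match against raw database values, where a test row with '0' as a social security number fires on every zero in an e-mail, against database fingerprinting of a cleaned table, where only well-formed candidates (SSN format, Luhn-valid card numbers) are hashed and compared. The customer table, the e-mail and the card numbers are constructed sample data; the function names and the plausibility rules are the example's own assumptions.

```python
import hashlib
import re

# Constructed sample customer table, as a DLP tool would load it for database
# fingerprinting. The third row is the kind of test data the post warns about:
# '0' stored as a social security number (and as a card number).
CUSTOMER_DB = [
    {"ssn": "123-45-6789", "card": "4111111111111111"},
    {"ssn": "987-65-4321", "card": "5500000000000004"},
    {"ssn": "0", "card": "0"},  # test row left behind by developers
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def normalize(value: str) -> str:
    """Keep digits only so '123-45-6789' and '123456789' fingerprint identically."""
    return re.sub(r"\D", "", value)


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in normalize(number)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_plausible(kind: str, value: str) -> bool:
    """Data-cleaning rule (assumed here): keep only values that could be real."""
    if kind == "ssn":
        return len(normalize(value)) == 9
    if kind == "card":
        return luhn_ok(value)
    return False


def fingerprint(value: str) -> str:
    """Index a hash, not the raw identifier, so the DLP index is not itself a leak."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def build_fingerprints(rows, clean: bool = True) -> dict:
    """Index the table as {kind: set of fingerprints}; drop test data when clean."""
    index = {"ssn": set(), "card": set()}
    for row in rows:
        for kind in index:
            value = row[kind]
            if clean and not is_plausible(kind, value):
                continue
            index[kind].add(fingerprint(value))
    return index


def scan_dictionary(text: str, rows) -> list:
    """Naive substring match on raw database values: the '0' row fires on every zero."""
    values = {row[kind] for row in rows for kind in ("ssn", "card")}
    return sorted(v for v in values if v in text)


def scan_fingerprint(text: str, index: dict) -> list:
    """Extract well-formed candidates, fingerprint them, and look them up.
    Returns (kind, masked value) so the alert itself does not carry the data."""
    hits = []
    for kind, pattern in (("ssn", SSN_RE), ("card", CARD_RE)):
        for m in pattern.finditer(text):
            candidate = m.group(0)
            if not is_plausible(kind, candidate):
                continue  # e.g. a 16-digit order number that fails Luhn
            if fingerprint(candidate) in index[kind]:
                digits = normalize(candidate)
                hits.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


# Constructed outbound e-mail: one customer SSN (a real leak), a time with zeros,
# and the sender's own card number, which is not in the customer table.
SAMPLE_EMAIL = (
    "Meeting moved to 10:00. The customer's SSN is 123-45-6789. "
    "My own card 4012-8888-8888-1881 expires next month."
)

if __name__ == "__main__":
    print("dictionary:", scan_dictionary(SAMPLE_EMAIL, CUSTOMER_DB))
    print("fingerprint:", scan_fingerprint(SAMPLE_EMAIL, build_fingerprints(CUSTOMER_DB)))
```

The dictionary scan reports both the customer SSN and the stray '0', while the fingerprint scan reports only the SSN: the employee's own card passes the Luhn check but is not in the customer index, which is the "context" the post describes, and the test row is dropped at index-build time.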
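As a second added example (again not from the post or any product), this Python sketch models the last two points: a policy scoped to a directory group that is rolled out through monitoring, notification and blocking modes, with user attribution done through a DHCP lease table and the directory, so that a stale lease or an unknown account is flagged for analyst review instead of being pinned on whoever last held the address. The lease table, the directory, the clock and all class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Mode(Enum):
    """Rollout stages for one policy; move to the next only after tuning the previous."""
    MONITOR = "monitor"  # record the violation, nothing else
    NOTIFY = "notify"    # record it and tell the user; the transfer still goes through
    BLOCK = "block"      # record it, tell the user, and stop the transfer


@dataclass(frozen=True)
class Policy:
    name: str
    mode: Mode
    groups: frozenset  # narrow scope: the directory groups the policy covers


@dataclass(frozen=True)
class Lease:
    user: str
    expires: datetime


@dataclass(frozen=True)
class Incident:
    policy: str
    source_ip: str
    user: Optional[str]   # None when the address cannot be trusted to identify a person
    attribution: str      # why attribution succeeded or failed
    allowed: bool
    notified: bool
    needs_review: bool    # an analyst must confirm who was behind the address


NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed DHCP lease table and directory, standing in for the integration the
# post recommends. 10.0.0.5 is a lease that expired days ago; 10.0.0.9 belongs to
# an account the directory no longer contains.
LEASES = {
    "10.0.0.4": Lease("alice", NOW + timedelta(hours=8)),
    "10.0.0.5": Lease("bob", NOW - timedelta(days=3)),
    "10.0.0.6": Lease("bob", NOW + timedelta(hours=8)),
    "10.0.0.9": Lease("ghost", NOW + timedelta(hours=8)),
}
DIRECTORY = {"alice": "finance", "bob": "sales"}


def resolve_user(ip, leases=LEASES, directory=DIRECTORY, now=NOW):
    """Map an address to a user only if the lease is current and the account exists."""
    lease = leases.get(ip)
    if lease is None:
        return None, "no DHCP lease for this address"
    if lease.expires <= now:
        return None, f"lease for {lease.user} expired; address may have been reassigned"
    if lease.user not in directory:
        return None, f"{lease.user} is not in the directory"
    return lease.user, "current lease, account present in directory"


def handle_violation(policy, ip, leases=LEASES, directory=DIRECTORY, now=NOW):
    """Turn a content match seen from `ip` into an Incident, or None if out of scope."""
    user, why = resolve_user(ip, leases, directory, now)
    if user is not None and directory[user] not in policy.groups:
        return None  # the policy was deliberately scoped to other groups
    # Unattributed traffic stays in scope: a missing lease must not hide a leak.
    allowed = policy.mode is not Mode.BLOCK
    # Only notify a person the traffic can actually be attributed to; a stale lease
    # must not produce a warning (or a disciplinary record) against the wrong employee.
    notified = policy.mode is not Mode.MONITOR and user is not None
    return Incident(policy.name, ip, user, why, allowed, notified, user is None)


if __name__ == "__main__":
    policy = Policy("customer-ssn-outbound", Mode.NOTIFY, frozenset({"finance"}))
    for ip in LEASES:
        print(ip, handle_violation(policy, ip))
```

Switching the same policy from `Mode.MONITOR` to `Mode.NOTIFY` and finally `Mode.BLOCK` changes only the `allowed` and `notified` fields, which is what lets the policy be tuned in monitoring mode before anyone is interrupted; the `needs_review` flag is what the transposed-IP caveat in the post turns into in practice.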
DLP tools are a powerful way to protect sensitive content. Although effective and efficient, failing to avoid the pitfalls listed above can alienate the business and lead to poor DLP results.