The Struggle with DLP
Few security technologies have received as much attention over the past few years as Data Leakage Prevention (DLP) solutions have. The concept behind them is exciting, offering the ability to scan traffic on your network and in your systems, and assign rules-based protections to the data that you want to protect. Someone e-mailing out a copy of customer records with SSNs? The DLP system will block it or encrypt it on the fly. Someone trying to copy IP to a USB drive? Alert management and block the action. It can be a great way to protect your most critical information assets, but as many have found, it is not an end-all, be-all solution to your data leakage problems.
Fri, October 30, 2009
CSO — Few security technologies have received as much attention over the past few years as Data Leakage Prevention (DLP) solutions have. The concept behind them is exciting, offering the ability to scan traffic on your network and in your systems, and assign rules-based protections to the data that you want to protect. Someone e-mailing out a copy of customer records with SSNs? The DLP system will block it or encrypt it on the fly. Someone trying to copy IP to a USB drive? Alert management and block the action. It can be a great way to protect your most critical information assets, but as many have found, it is not an end-all, be-all solution to your data leakage problems.
Also see Data Loss Prevention Dos and Don'ts
Unmasking DLP: the Data Security Survival Guide
This summer, CSO partnered with GTB Technologies to examine the experiences and expectations of DLP solutions. What we discovered is very consistent with what I have been hearing from CSOs around North America: DLP can be very good, but be prepared for hidden costs and lots of management effort, including internal staffing demands.
As I mentioned above, DLP does work, but the hidden challenges can be pretty big if you don't know what you're getting into. Consistent with what we have seen in other surveys we have conducted, 53 percent of respondents already have a DLP solution in place.
What was very interesting to see was that nearly half of those with a solution in place are planning to replace that solution within the next 12 months. This speaks to the frustration I hear with many businesses feeling that they were sold a "bill of goods" that just wasn't real. But my observations have been that many of these businesses fall down on the implementation, not because they were sold vaporware.
The primary reasons businesses adopt DLP is to protect company reputation (96 percent), avoid litigation (83 percent), meet regulatory obligations (77 percent), protect IP (66 percent) and the vast majority or respondents are very confident that their solution actually helps them to meet these objectives. But there appears to be some confusion regarding the capabilities of DLP. I believe much of that confusion has been driven by the "me too" mentality that has been adopted by some vendors who claim they offer DLP solutions when, in fact, their solutions only address individual silos of a true DLP solution.
Cost and management are also a large issue. When you add implementation and monthly management costs, businesses are spending, on average, $240 per user over a two-year period for their DLP solution. One-third of respondents found that the solution cost was higher than expected and one-quarter pay more than they planned for internal management, as they have to refine the solution to eliminate false positives and increase effectiveness.
At the end of the day, does it work? Yes. But the message here is that you need to plan accordingly going into the project so that it doesn't become a budget buster in terms of both hard dollars and internal resources.
