by Rik Ferguson

What’s the problem with DLP?

Jan 27, 2010
Security Software

2008 was the year that major security vendors were in an acquisitive mood for Data Leakage Prevention (DLP) technologies. All expectations were that 2009 would be the year of the first major enterprise deployments of this technology, but it has been slow in coming, to say the least. So what is the problem with DLP? To my mind there are two distinct issues.

The first is the lack of clarity around what actually constitutes "data leakage prevention". Is it solely those products that vendors label "DLP", or is it the assortment of technologies that real enterprises employ and deploy to protect their intellectual property and other sensitive information? If it is the former, then uptake hasn't really taken off yet; but if we consider the real world for a second, enterprises have been engaging in DLP for some time already. Major rollouts of email filtering technologies at the gateway and of device-level encryption have already taken place; look, for example, at the adoption of hard drive encryption in the National Health Service. So the will is there to tackle data leakage, and this will is of course being reinforced by legislation and regulation: PCI-DSS and the Data Protection Act are key drivers for the application of technology to this issue. The recently announced fining powers of the ICO (the Information Commissioner's Office) will add yet more urgency to the matter.

This leads me to what I perceive as the second barrier to adoption of "vendor-labelled" DLP technology today, and it's the age-old problem of resources. Whenever I talk to people about data leakage prevention technology there is always initial excitement about the power and scale of the functionality. Imagine being able to monitor and enforce content-aware security on every endpoint, whether it's a USB file write, an email or a web upload (and however many other channels the technology can cover); imagine being able to tie all those security events into your employee education initiatives. Imagine finally building that culture of security. Not long after this epiphany, though, comes the cold hard realisation that your investment in DLP technology goes way beyond the (relatively) simple technology acquisition required for, say, hard drive encryption. If you really want to make DLP work for you, you need audit and you need monitoring. You need first of all to know what data you are protecting, what it means to your business and what the permissible actions are. You also need (once it's rolled out across the business) someone, or teams of someones, to make sense of the logs and notifications you're going to get, so that your organisation can learn from employees' everyday behaviour.

So how should the responsible CIO or CSO look at addressing the issues raised by this ubiquity of both information and associated risks? The first step is to carry out a thorough assessment of the data held by the company: intellectual property, source code, merger and acquisition plans, financial records, customer records, personally identifiable information (PII), human resources records; all of these and more must be located, audited and catalogued. Then comes a detailed risk and business impact analysis covering each item of information, measuring such variables as the value of the information to the business (including financial and operational considerations), the regulatory requirements, both national and international, to which the organisation is subject, and the cost to reputation and brand in the event of a breach. The business impact assessment sets the stage for making a business- and process-oriented judgement about the corporate security policy for sensitive information, both in terms of defining policies and access rights and in the acquisition and deployment of technological solutions to the issues raised.
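To make the "content-aware security on every channel" idea concrete, here is a small added illustration of my own (not code from the article, nor from any vendor's DLP product) of the inspection and policy step that sits behind a USB-write, email or web-upload event. It assumes an event is just a dict with a channel, a user and the text content, that "PAN" (card number, the PCI-DSS case) and "CONFIDENTIAL" (an explicit document marking from the classification exercise) are the only data classes, and that a policy table, which is exactly the artefact the data inventory and business impact analysis produce, maps each class and channel to an action. The sample events and the "Project Falcon" name are constructed for the example.

```python
"""Tiny content-aware DLP policy engine: added illustration, not from the article.

Assumptions of my own, not the article's: an event is a dict with a channel
('usb', 'email' or 'web'), a user and the text being written or sent; data
classes are detected by inspection and a policy table maps (class, channel)
to an action. All sample data below is constructed.
"""
import re
from collections import Counter

# Candidate card numbers: 13-19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Markings an organisation stamps on documents during classification (assumed).
MARKING = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")

SEVERITY = {"allow": 0, "alert": 1, "block": 2}

# Policy table: what each data class may do on each channel. This is the
# output of the inventory and impact analysis the article calls for; the
# tooling cannot invent it for you.
POLICY = {
    "PAN":          {"usb": "block", "email": "block", "web": "block"},
    "CONFIDENTIAL": {"usb": "block", "email": "alert", "web": "block"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: rejects about 90% of digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, masked to the last four digits."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            # Never write the full PAN into the DLP log: the log itself would
            # otherwise become in-scope cardholder data.
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def classify(text: str) -> dict:
    """Map each detected data class to the (masked) evidence behind the finding."""
    classes = {}
    pans = find_pans(text)
    if pans:
        classes["PAN"] = pans
    markings = sorted(set(m.group(1) for m in MARKING.finditer(text)))
    if markings:
        classes["CONFIDENTIAL"] = markings
    return classes


def decide(event: dict) -> dict:
    """Apply the policy table to one event; the strictest matching action wins."""
    classes = classify(event["content"])
    action = "allow"
    for cls in classes:
        candidate = POLICY.get(cls, {}).get(event["channel"], "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return {"user": event["user"], "channel": event["channel"],
            "classes": classes, "action": action}


def summarise(decisions: list) -> dict:
    """The 'make sense of the logs' step: counts per (action, data class)."""
    counts = Counter()
    for d in decisions:
        for cls in d["classes"] or ["none"]:
            counts[(d["action"], cls)] += 1
    return dict(counts)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "channel": "email",
     "content": "Please refund card 4111 1111 1111 1111, customer is waiting"},
    {"user": "bob", "channel": "web",
     "content": "Order ref 1234-5678-9012-3456 shipped today"},   # fails Luhn: not a PAN
    {"user": "carol", "channel": "usb",
     "content": "CONFIDENTIAL - Project Falcon acquisition term sheet v3"},
    {"user": "dave", "channel": "email",
     "content": "INTERNAL ONLY: Q4 headcount plan attached"},
    {"user": "erin", "channel": "email", "content": "Lunch at 12?"},
]

if __name__ == "__main__":
    decisions = [decide(e) for e in SAMPLE_EVENTS]
    for d in decisions:
        print(f"{d['action']:5} {d['channel']:5} {d['user']:6} {d['classes']}")
    print(summarise(decisions))
```

Two things this shows that the prose alone does not. First, even the cheapest content check needs a validation step (here the Luhn test) or every order reference and phone number becomes an alert for someone to triage, which is the resourcing problem the article describes; Luhn removes roughly nine in ten false candidates, not all of them. Second, the policy table is tiny and every interesting decision lives in it, which is why the data inventory and impact analysis have to come before the product purchase.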