You may wonder if DLP is the updated version of RUN-DMC, but what it really stands for is Data Loss Prevention. Some call it “Data Leak Prevention” to emphasize that important company data often “leaks” away through no malicious action. But as compliance regulations like HIPAA, PCI-DSS, and FRCP multiply like acronym rabbits, more and more companies must take steps to stop data from leaving their business, whether it's lost, leaked or stolen.
Huge companies struggle to deal with the size of this problem, and they have full IT staffs and money for security issues like this. Yet the DLP market remains small because of the complexity of the issue and the sizable cost and time required to keep files from leaving any exit point. Is there hope for smaller businesses that don't have full IT staffs and full security budgets? Of course. There's always hope, even when it's hidden under hard work.
The DLP group at Symantec hosted a training session for me and a few others not long ago in San Francisco. They understand this is a hard issue to get a grip on, and they've helpfully reduced the core issues to three bullet points. First, where is your confidential data? Second, how is it being used? Finally, how best to prevent its loss? Succinctly, the process is Discover, Monitor, and Protect.
Three little words, Discover, Monitor, and Protect, don't sound too bad, do they? Yet few companies, even the huge ones, really know where all their confidential data files are hidden in the various storage lockers on individual computers and file servers.
Once you inventory your sensitive data, such as customer Social Security Numbers or credit card information, you have to watch who uses that data and how they use it. Finally, you have to prevent intentional and accidental loss of those files. That means monitoring every USB port on every computer with access to sensitive files, and finding a way to block e-mails with critical files attached, or even information copied inside the body of the message.
Like all security functions, every file and every user must be monitored. That's a big job, and requires hardware support on the network, and software active on every personal computer. You shouldn't be surprised that systems like this come with six figure price tags, although a new company claims to cut that by more than half.
Before we discuss the serious investment in money and time DLP requires of large companies, let’s look at how you can protect your smaller company on the cheap. Here are four points to address.
First, explain to your workers why DLP matters and the penalties for mistakes. If workers don't know which files need protection, they can't protect them. Explain the penalties when customer information escapes. News stories help you with this by recounting yet another data loss just about weekly. Clip and save a couple of articles that outline the data breach laws, penalties and costs of customer notification. Even small companies fall under these guidelines, so emphasize how each employee may have to call customers and apologize for sending their credit card information to the Hackers 'R Us headquarters by accident.
Following the 80/20 rule, 80% of your coworkers will get the message and do a better job of monitoring how they use and abuse data, while the other 20% will nod and say they understand the issue, then do something crazy like e-mail a plain text listing of your customer files that afternoon. Behavior modification requires constant repetition, just as animal trainers work every day with their charges. Unfortunately, you can't use a whip with coworkers.
Second, move all critical files off individual computers. Enterprise DLP system software runs on every desktop and laptop, and monitors local and networked file activity. Until you can afford that, remove temptation by vigorously tracking all critical files on local computers and moving those files to networked storage of some kind.
This requires you to formulate a list of critical files, file types and information to be guarded. Compliance regulations focus on customer data like credit card numbers, but you have much more information you want to keep quiet. Whether plans for the 200 mile per gallon car or your customer list, you have plenty of information to safeguard. Leaving those types of files under the control of individual users means your DLP attempts failed.
Third, upgrade your local shared storage access controls. Management knows how to do this, because they don't put payroll information in the public file area. Treat all your critical files as if they were payroll files, and you'll be better off.
Shared file storage, whether a Network Attached Storage device you pick up at Best Buy or a redundant cluster of Linux servers in front of a Storage Area Network, provides controls over which users have access to which folders. The better the system, the more granular and secure the access rights controls. Even the cheapest shared storage box allows you to password protect volumes at a minimum, making it easy to put, say, all accounting and payroll files on a separate volume that requires a username and password different from the public file storage areas. Take the time to set this up properly, and your data problems drop in a big way.
Finally, talk to your e-mail host about filtering outbound attachments. If you run your own e-mail server, dig into the manuals to figure out how to block all e-mail attachments. Third party spam and virus protection services usually have these services, so ask them.
However, never underestimate the creativity of idiots, and especially idiot users. I've seen users who can't reset their own desktop background figure out a way to send critical files via proxy servers and anonymous file transfer services. As Murphy says, the worst things happen in the weirdest ways. Wouldn't it be great if Vista's annoying User Access Control popups could be harnessed to ask users if they really meant to attach a file to an e-mail every time they tried? Next best thing is to talk to your security consultant and see what you can put in place.
A new player in the DLP world wants to bring this level of security down to mid-sized businesses. Tarique Mustafa, CEO and founder of nexTier Networks, called and told me about his company’s Compliance Enforcer line of appliances. By building its software into an appliance that can be pre-configured in many ways, nexTier's pricing starts at $30,000 for 100 users. Mustafa said it has customers with as few as 50 users, such as law firms. If you're a mid-size company, nexTier might be worth a look.
Will DLP ever be simple? No. Security is never simple. You must watch and monitor and track a thousand security issues every single day, which is hard work. But remember, the data breach you prevent may be your own.