Data-leak prevention is more of a people and policy problem than a technical one, according to some information-technology professionals who have gotten their feet wet deploying DLP.
Data-leak prevention that lets organizations monitor for unauthorized transmission of sensitive content is a powerful technology sometimes put to surprising uses. And those with DLP experience say the biggest challenges lie with people and their online habits rather than technology.
DLP technology, at the gateway or host level, is not difficult or time-consuming to deploy, according to IT managers gaining experience with it in business, government and school systems. Rather, DLP is a game-changer that creates an atmosphere where network users may be caught committing various types of data violations, inadvertent or not. The IT department, though first to know, can’t end up as the enforcement arm, experts say. Enforcement belongs to human resources and the legal department, and they have to be deeply involved to play the DLP police role. It all starts with creating the DLP policy.
“One of the lessons learned is get your policy in place first,” says Charles Thompson, chief information officer for the city of Phoenix, which is installing the Fidelis Security Systems' DLP called XPS to prevent unauthorized transmissions related to city business.
Thompson can be counted as a DLP veteran after previously installing DLP in the Washington, D.C. and Orange County, Florida school systems. He says years ago he quickly learned that turning on a DLP system for content monitoring without a clear policy in place, which management understands and supports, is a misstep others would do well to avoid.
“You need the personnel department, human resources, legal and management involved,” says Thompson, adding that it must be clear that they are to play a unified enforcement role when DLP catches policy violations.
It turns out that while DLP technology is fairly simple to deploy, establishing the policies and procedures to follow in the event of violations is not.
“There will have to be a lot of discussions about procedures, about what I call the ‘scope of sequence,’” says Thompson. That means a clear definition of what a violation is, how different sorts of violations should be handled since all may not be equal in scope, and keeping track of repeat offenses.
In the Washington, D.C., and Florida school systems, schools not only watched out for prohibited sensitive content, such as student records as a privacy violation, or banned content like pornography or music; DLP also looked for evidence of cyberbullying using school-issued computers. “Cyberbullying is one child threatening another, whether it’s physical or mental abuse,” says Thompson.
It turns out defining sensitive content is one of the hardest parts of DLP.
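The two hard parts Thompson and Montano describe, defining what counts as sensitive content and then spelling out a “scope of sequence” (what a violation is, which violations are more serious than others, and what happens on repeat offenses), can be written down as a small policy engine. The code below is an added illustration, not code from Fidelis, Symantec or any organization quoted in this article. The content classifiers, severity tiers, response ladder and sample messages are all constructed assumptions; a real deployment would take these from the policy that HR, legal and management agreed on, which is the article’s point.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed content classifiers: what "sensitive" means for this organization.
# The patterns are constructed for illustration, not a vendor rule set.
CLASSIFIERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US Social Security number
    "student_record": re.compile(r"\bSTUDENT-ID:\s*\d{6}\b"),  # constructed student-record marker
}

# Assumed severity per category: not all violations are equal in scope.
SEVERITY = {"ssn": "high", "student_record": "medium"}

# Assumed response ladder per severity, indexed by the user's prior offense
# count. The last rung repeats for every further offense.
RESPONSE_LADDER = {
    "high": ["warn_user", "block_and_notify_hr", "block_and_notify_legal"],
    "medium": ["warn_user", "warn_user", "block_and_notify_hr"],
}


@dataclass
class PolicyEngine:
    """Classifies outbound content and escalates responses on repeat offenses."""

    # (user, severity) -> number of prior violations at that severity
    offenses: dict = field(default_factory=lambda: defaultdict(int))

    def classify(self, text):
        """Return the sorted list of sensitive-content categories found in text."""
        return sorted(name for name, rx in CLASSIFIERS.items() if rx.search(text))

    def evaluate(self, user, text, encrypted=False):
        """Decide what to do with one outbound message.

        encrypted=True models transmission over an approved encrypted channel;
        the article notes most real leaks were mistakes such as failing to encrypt.
        """
        hits = self.classify(text)
        if not hits or encrypted:
            return {"user": user, "violation": False, "categories": hits, "action": "allow"}

        # The most serious category present decides the severity of the event.
        severity = "high" if any(SEVERITY[h] == "high" for h in hits) else "medium"
        key = (user, severity)
        prior = self.offenses[key]
        ladder = RESPONSE_LADDER[severity]
        action = ladder[min(prior, len(ladder) - 1)]
        self.offenses[key] = prior + 1
        return {
            "user": user,
            "violation": True,
            "severity": severity,
            "categories": hits,
            "action": action,
            "prior_offenses": prior,
        }


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    engine = PolicyEngine()
    samples = [
        ("alice", "Claim note for policyholder, SSN 123-45-6789", False),
        ("alice", "Resending: SSN 123-45-6789 for underwriting", False),
        ("alice", "Third time: SSN 123-45-6789", False),
        ("bob", "STUDENT-ID: 482913 absent again today", False),
        ("carol", "STUDENT-ID: 482913 transcript attached", True),
        ("dave", "Lunch at noon?", False),
    ]
    for user, text, encrypted in samples:
        print(engine.evaluate(user, text, encrypted))
```

The engine separates the three decisions the article says must be made up front: which content is sensitive (the classifiers), how serious each kind of violation is (the severity map) and how the response escalates for repeat offenders (the ladder). Changing any of those is a policy edit, not a code change, which is where the people-and-process work in the article lands.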
According to Laz Montano, assistant vice president for information security at MetLife, the insurance company plans to deploy DLP as one means to ensure customer information doesn’t leak out across the Internet. But another driving factor is that business managers and executives are clamoring to be given much wider access to the Web than in the past.
“We’re finding our traditional approach to blocking and limiting access needs to be reexamined,” says Montano, noting the IT security department traditionally blocked much Internet access because of worries about malware.
But that era appears to be slipping away as MetLife’s business people make use of LinkedIn and Facebook for leads and opportunities. And MetLife is finding that the Web is a place where information about insurance claims is readily divulged, with people even admitting to fraud.
While MetLife wants to give its employees far greater access to the Web for business purposes, the security staff is concerned about what MetLife employees might end up posting online.
“Data-leak protection becomes more critical to us now,” says Montano. “But defining ‘sensitive’ is problematic in and of itself.” He adds: “How do you provide an environment that limits, warns or educates individuals?”
That’s exactly the challenge that concerns Starla Rivers, technical security architect at San Diego, Calif.-based Sharp Healthcare, which operates hospitals and clinics and deployed the Symantec DLP to watch for unauthorized transmissions of patient-care or business data.
“DLP has helped us determine where the data is and who’s using it,” says Rivers. DLP set-up was simple, she says, and while it has clearly helped in stopping data leaks, which are mainly mistakes like failing to encrypt information, the biggest challenge has been in getting employees to wake up to the changes wrought by DLP.
Policy used to be very broad, with the HIPAA privacy rules expounded in employee training, but DLP brings it to life in a very specific way: employees are surprised when their computer screens fill with a DLP warning that an action they just took violated Sharp Healthcare’s policy.
One problem, for instance, is that doctors want to access documents they’ve stored elsewhere that are out of Sharp Healthcare’s immediate control.
Sometimes employees at the hospitals simply fail to apply the DLP training they get to the reality of everyday computer use. “There’s a large disconnect between the training we provided and each employee understanding this really means you,” says Rivers. But she adds she and other staff are re-doubling their efforts to find new ways to get the policy-enforcement message of DLP out to employees in a friendly manner.
“We’re trying to phrase the message: we’re trying to do something for you, not to you. Most employees mean to do well,” she says.