Data Loss Prevention: Solution in Search of a Problem?

Data loss prevention technology sounds like a no-brainer from the get-go. DLP technology tells us when confidential data is in danger of compromise or when users’ behaviour may lead to the threat of compromise.

Pro-active DLP products stops potentially threatening situations from developing and if they do occur it blocks, encrypts, and suggests reconfigurations on the fly. The more comprehensive enterprise versions of DLP are highly integrated with many of the above features and more all packed into one product.

So why am I questioning the validity of DLP? I question the return on investment of the total cost of ownership and management of the technology. There are several issues that in my opinion need to be examined:

1. What are the specific business problems that need to be addressed?

2. Are they being addressed by other overlapping technologies currently deployed?

3. Are compliance and IT security managers directed to manage specific control points other than DLP by auditors or by regulatory mandates? If “yes” then DLP challenges become secondary priorities, if indeed priorities at all.

4. Can a more cost effective solution such as consistent, uniformly enforcement of security policy be a candidate solution?

DLP Technologies are indeed Impressive but Not New

I remember in the mid 90’s an Israeli software package that did web browsing monitoring, outbound email filtering, alerting on pre-defined email content, and identifying and reporting on user traffic by service type.

So that tells us that DLP is really a new branding strategy for technology that has existed for quite a while. This mid 90’s technology did not need agents; it could monitor an enterprise; its reports were easily understood and pointed to clear calls to action. The user interface was… OK.

There have been products on the market that compile inventory lists of devices connected to a network, including peripherals on workstations. Some will even evaluate workstations that request connectivity to the corporate network and will block connectivity unless they pass a predetermined compliance list with regard to patch compliance, peripherals attached, and communications capabilities.

The difference with the new DLP technology is the degree integration of multiple capabilities within one product offering. For instance one product may be comprised of any number of:

• Anti –virus

• anti-spam

• web browsing monitoring

• Identification of threatening URLs

• Identify sensitive data and data files at rest.

• Blocking access to sensitive data and data files according to access privileges.

• Identification and/or blocking of restricted communication technology: Wi-Fi, infrared, blue- tooth

• Identification and/or blocking of restricted input / output technology; USB memory, DVD, firewire, external disks and tapes, printers,

• Identifying sensitive data in motion within email, IM, file transfers I wholeheartedly agree that these are all laudable, excellent features.

Where’s the ROI?

The return on investment of deploying DLP depends upon a risk analysis as the basis for determining what needs to be protected and at what cost. DLP may not come out on the winning side of a risk analysis if a corporation’s auditors or compliance group determine that other priorities take precedence.

For instance, as part of SOX compliance, an organization may be forced to implement critical asset identification and strict access control over those critical assets. We know that specific files and types of data will be considered critical assets.

So the organization should implement as part of their access control strategy at least a rudimentary version of:

• A strictly managed user identification / authentication / privilege management / credential management policy with enforcing technology.

• File access restricted by a user privilege table or by a more elegant set of document classifications and user privilege levels.

• Creation and strict enforcement of an IT security policy, with uniform and regular enforcement which means meting out disciplinary sanctions that are clearly identified in the policy.

It is assumed they will also deploy the absolute basics in countermeasures and monitoring such as anti-spam, anti-virus, URL filtering including identification of potentially malicious URLs, event log monitoring for critical assets, and monitoring of the IT security infrastructure.

To determine if a DLP solution should be considered as an alternative in the SOX compliance situation above, the costs of all the above then need to be compared with the total lifecycle cost of ownership and management of a separate DLP solution.

I’ve run out of time and space, so next week I’ll discuss in more detail deliverables of DLP solutions and some DLP vendors.

Have a secure week. Ron Lepofsky CISSP, CISM, BA.SC (Mechanical eng) www.ere-security.ca