Dark Reading

6/1/2012 12:59 PM
Tech Insight: Making Data Leak Prevention Work In The Enterprise

Second of a two-part series on implementing DLP

[Second of a two-part series of articles contributed by the (ISC)2 Executive Writers Bureau. Part 1, "Getting Ready For DLP," deals with the preimplementation phase.]

One of the most common misconceptions about data loss prevention (DLP) technology is that it is owned and implemented by IT security teams. DLP isn't strictly a security project -- it's part of a broad data protection program that demands a co-existence of people and process with technology.

In Part 1 of this series, we examined the benefits of establishing organizational policies prior to implementing security controls for internal use of data. Now, with an approved set of administrative data protection controls, let’s look at how organizations can begin to design and implement DLP to help enforce those controls.

DLP solutions may be offered as enterprise class, third-party/reseller packages, or add-on (DLP-lite) solutions, and each of these offers a different level of capabilities. There's no "right" choice -- each one is designed to meet the size and type of organization involved.

That said, it is important to note that while channel or add-on DLP solutions offer targeted risk mitigation, enterprise solutions support a more scalable and unified infrastructure that can enforce data protection policies no matter where the data is -- at rest, in motion, or in use. If you need to implement a reseller package in the near term but your long-term strategy is toward an enterprise solution, then think about sequentially deploying the different components of an enterprise solution as they are needed.

Just as you would do before you purchase a new car, you will want to do some degree of research to see what is available in DLP, which products have the features you want, and which are within your budget. Look for online data from security research firms, such as Gartner and Forrester, which offer insights on the different criteria you can use when selecting a DLP product. No one DLP technology is the right choice for all organizations.

After going through the reference materials, you should be able to identify a number of DLP solutions that meet your organization’s data protection requirements. You can tie this data in with the results of the maturity assessment, which we discussed in Part 1, to generate customized criteria to help you evaluate these DLP solutions.

Some of the most common criteria for evaluating DLP products are ease of administration, business integration, infrastructure complexity, and cost of ownership.

As you develop your evaluation matrix, it will be evident that some criteria are more important than others. Integrating a weighting system into the matrix allows the organization to evaluate each criterion with an eye on how critical it is to your organization. Be sure to factor in your pre-established business relationships -- such as the business partners your organization works with -- to ensure continued alignment of business objectives with technical security controls.

Once you've chosen a DLP package, it may seem attractive to implement the entire DLP solution in a single phase, but such an approach can be a big mistake. Such sweeping implementation initiatives can result in failed deliverables that do not align with business objectives and cannot easily be re-engineered afterward.

The best approach to implementing DLP is to roll it out in separate, but interdependent, phases to reduce the likelihood of misinterpreted deliverables. To illustrate dependencies and provide a means of measuring key milestones, create an implementation plan that you can share with all the stakeholders. This will ensure that all of the players are involved, while demonstrating to executives the progress of the data protection program.

Whether you are implementing an enterprise solution, a reseller package, or an add-on product, you need to be sure that your DLP architecture is sustainable and can be scaled to accommodate future growth. Think about designing a shopping mall. The engineers and architects know they need to design a facility that is spacious enough to support a sufficient number of subsidiaries, can be easily navigated and managed, and allows patrons to maximize their experience. Similarly, the builders of a DLP solution must remember that while it will be used for one underlying purpose, it must provide the organization with a level of versatility.

In addition to the DLP technology itself, organizations should consider implementing physical protection controls to reduce the risk of data exposures. The principles of Crime Prevention Through Environmental Design (CPTED) have long been used by physical security professionals to control the human factor as a preventive means of reducing the likelihood of crime.

To support DLP and reduce insider threat, you can use CPTED principles in four ways: to design spaces that effectively monitor personnel activity; to control access to least-privileged spaces; to establish boundaries around controlled areas; and to allow for the continued secure use of space.

To successfully implement data protection controls, you must align business objectives with technical and physical security controls. Prior to making a decision on appropriate data protection controls, you need to know what the technology can and can't do. And you need to recognize that the business will change and grow, potentially changing priorities and controls. Implementing a data protection program is essential for every organization, and it doesn't have to be a painful process. The key is making DLP something that makes the business work better and more securely, rather than acting as an obstacle.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...