Thursday, May 12, 2016

Top 3 Mistakes - Data Loss Prevention

Data Loss Prevention (DLP) has been around for quite a while; however, it has changed dramatically over the past 2 or 3 years. DLP is now both more complex and higher profile than it used to be, primarily due to a series of well-publicized cyber attacks in which hundreds of millions of personal records were stolen from various organizations, including the US Government.
So what is DLP, anyway? - Here is the definition that pops up on Google when you do a search on the term:
"a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer."
There are variations on this definition, of course, but it highlights the first problem associated with DLP - it's not very well understood. For example, you can have a DLP strategy, but the practice of DLP obviously extends beyond that initial approach. The practice of DLP consists of a set of related practices or processes and tools derived from (or described by) the DLP strategy, which in turn must be aligned with or otherwise be part of other strategies (e.g. Enterprise Cyber Security or Enterprise Governance).
The nature of DLP is evolving as well. DLP may originally have been focused more on internal 'loss prevention', but that is no longer the case. There is as much or more concern now in regard to external loss. In other words, the major threat is now more related to outsiders breaking in than insiders taking data out. The tools associated with DLP are not in any way limited to network access control, although that certainly constitutes part of the problem space. DLP software now encompasses complex discovery, governance and data management features across a variety of platforms (e.g. databases, file storage, content management, email and many other types of applications).
A more modern, or perhaps more comprehensive, way to describe DLP might be - "The ability to understand all risks associated with enterprise data assets and provide mitigation for those risks in the form of DLP-related security controls and governance processes." Notice that I've made a key distinction in regard to understanding the risk as the first part of an improved definition. That reflects one of the major changes associated with DLP in contrast to when it first appeared. We'll use that to segue into our list of the top 3 DLP-related mistakes that organizations typically make when approaching the topic.
Top 3 DLP Mistakes:
1 - Mistake 1: Not Knowing Where the Risk Lies. Back in the day, there may have been cases where the limited amount of information or data involved allowed many organizations to be confident that they knew exactly what they had and where it was located. Today things have changed. Many organizations have dozens or hundreds of databases, large numbers of systems and services, as well as many online document or content repositories (many of which are spread across various internal and Cloud locations). Granted, there are some organizations with fairly robust EIM (Enterprise Information Management) practices. However, even in those cases there may be assets managed outside of the EIM context, and of course many, many organizations have no EIM capability at all. Understanding what data might be at risk is the only way to be confident that such risks can be mitigated.
2 - Mistake 2: Assuming that any DLP Tool Manages the Full Spectrum of DLP-Related Threats. The DLP software market has changed quite a bit in recent years and various DLP functions have diverged in different directions - everything from web filtering, email discovery and data discovery to endpoint encryption. The important thing is to be able to assign processes and tools to each part of the equation. For example, how would you go about securing enterprise data movement? That might involve applying controls to an ESB or API Management framework, but could also extend in many other directions as well. Each aspect of the problem must be considered and accounted for.
3 - Mistake 3: Assuming that DLP is a One-Time Affair. Every DLP engagement or project typically has 2 or 3 components: 1) an initial Assessment, 2) a one-time Enterprise Level Remediation (or set of remediations) and 3) Continuous Management & Remediation. Typically all three of these elements or components are necessary in order to assure real risk elimination or reduction.
I will be writing some follow-up posts on DLP in coming weeks to take a deeper dive into key aspects of DLP projects including:
1 - Sensitive Data Definition
2 - Data Discovery
3 - Typical Enterprise Level Remediations
4 - Alignment of DLP to Security Controls and Enterprise Governance

Copyright 2016 - Stephen Lahanas