Effective deployments of data loss prevention (DLP) technology must be rolled out slowly and in stages to prevent disruption to end users and reduce the number of alerts that could overburden IT departments.
Experts sharing data loss prevention best practices at RSA Conference 2011 said DLP technologies hold promise for preventing employee mistakes that could lead to costly data breaches or compliance violations. But firms that have started rolling out DLP warn that projects should begin small to avoid potential chaos.
Many organizations are implementing DLP over a limited subset of the network to show immediate value to management, said Rich Mogull, a former Gartner analyst and CEO of Phoenix-based Securosis, a security research consultancy. Organizations choose between focusing DLP on scanning the network, scanning storage or scanning the endpoint. Few organizations are using DLP's automated enforcement capabilities; instead they focus on monitoring for data security policy violations, Mogull said.
"Simpler use cases are what I've seen most people doing," he said. "Most people are not doing DLP in multiple channels."
Before organizations roll out a full-blown DLP deployment, Mogull advises them to start by selecting a single policy and monitoring only email.
"You take it one step at a time," Mogull said. "When you get good results, then you add another policy and roll it out further."
After deploying DLP technology from Websense Inc., Larry Whiteside Jr., CISO of the Visiting Nurses Service of New York, said his team began monitoring the company's email gateway to avoid disrupting employees. In an interview with SearchSecurity.com, Whiteside said the intent was to monitor the violations in documents that employees can edit, save and move to certain locations.
Whiteside said the company hit its first roadblock immediately after turning on the technology. At first it was tuned to monitor too many policies, generating a volume of alerts that burdened system administrators, Whiteside said.
"We became overwhelmed with information," he said. "We scaled it back so we could get to a point of manageable information and then we started identifying things to tune it even more."
Whiteside said his message to companies is that DLP technology is not inexpensive, but it also does not have to be "that big scary monster" that disrupts the entire company. The popularity of the technology soared in the last several years as early adopters tried to gain control over the leakage of sensitive data -- often the result of employee mistakes or of employees blatantly ignoring security policies.
Endpoint DLP best practices are finally emerging and today most endpoint security vendors sell DLP technology. In addition to Websense Inc., CA Inc., McAfee Inc. and Symantec Corp. have competitive offerings. RSA, the security division of EMC Corp., sells DLP technology in partnership with Microsoft. The niche players are Verdasys Inc. and NextLabs Inc., which have been ranked highly by analyst firms for their capabilities and company strategy.
"It's not possible to do anything seamlessly when putting it on an end user's workstation or laptop, but when you're talking about gateway monitoring and discovery of data at rest inside your environment, users can be completely oblivious to that as you implement it and roll it out," Whiteside said.
One of the myths of DLP is that organizations have to undergo a major data classification project before deploying the technology, Whiteside said. Starting at the gateway, companies can begin by tuning the software to detect a limited amount of data sets. Monitoring for Social Security numbers and sensitive health information helped Whiteside's team focus on potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
Whiteside said his company will eventually use the DLP product's Open Database Connectivity (ODBC) connection to enable exact fingerprint matching across the company's entire clinical database. Once the connectivity is in place and alerts are set, the company will know with 100% certainty that clinical data is associated with the correct patients, he said.
For now, Whiteside said the intent of finding violations is part of an end-user education campaign to reduce incidents. The company spent a year using the product in monitoring mode -- rather than setting the DLP software to automatically block emails containing sensitive data -- to ensure there was little disruption to the business units.
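The staged, monitor-first rollout and the exact-match fingerprinting Whiteside describes can be sketched in code. This is an added example, not Websense's product or anything from the article: one pattern policy is enabled first in monitor mode, and a second policy matches message tokens against a keyed-hash index built from constructed clinical rows that stand in for the ODBC-connected database. The records, index key and policy names are all constructed.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample "clinical database" rows, not real patient data. A DLP
# product's ODBC connector would read the real table instead of this list.
CLINICAL_RECORDS = [
    {"patient_id": "P-1001", "ssn": "123-45-6789", "mrn": "MRN-77312"},
    {"patient_id": "P-1002", "ssn": "987-65-4321", "mrn": "MRN-40518"},
]
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9-]+")
INDEX_KEY = "constructed-index-key"  # hypothetical key; keeps a leaked index useless


def fingerprint(value: str) -> str:
    """Keyed hash so the DLP index stores no raw SSNs or record numbers."""
    return hashlib.sha256(f"{INDEX_KEY}:{value}".encode()).hexdigest()


def build_index(records):
    """Exact data matching: map each fingerprinted column value to its patient."""
    return {fingerprint(r[c]): r["patient_id"] for r in records for c in ("ssn", "mrn")}


@dataclass
class Policy:
    name: str      # "ssn-pattern" or "clinical-fingerprint"
    enabled: bool  # staged rollout: policies are switched on one at a time
    mode: str      # "monitor" only logs; "block" would stop the message


def scan_email(body: str, policies, index):
    """Return (alerts, blocked). Monitor-mode policies alert but never block."""
    alerts, blocked = [], False
    for p in policies:
        if not p.enabled:
            continue
        if p.name == "ssn-pattern":          # any SSN-shaped number, many false hits
            hits = SSN_PATTERN.findall(body)
        else:                                # only values present in the database
            hits = [t for t in TOKEN_PATTERN.findall(body) if fingerprint(t) in index]
        for hit in hits:
            alerts.append((p.name, index.get(fingerprint(hit), "no record match")))
            blocked = blocked or p.mode == "block"
    return alerts, blocked


if __name__ == "__main__":
    idx = build_index(CLINICAL_RECORDS)
    # Stage 1: a single policy, monitor only, as in the gateway-first rollout.
    stage1 = [Policy("ssn-pattern", True, "monitor"),
              Policy("clinical-fingerprint", False, "monitor")]
    print(scan_email("Claim for SSN 123-45-6789 and test id 000-00-0000", stage1, idx))
```

The pattern policy flags the test value 000-00-0000 as well as the real record, while the fingerprint policy flags only values that exist in the indexed table, which is the tuning gain the ODBC connection is expected to bring.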
"You can monitor and still smack people around," Whiteside said. "When I got buy-in from our legal department and privacy officer, we wanted to tread very carefully to not disrupt the business in any way."
Whiteside estimates that just by telling employees that a monitoring technology was being deployed reduced incidents by more than 10%. Once department heads were confronted with violations, employee errors were reduced by more than 80%, he said.
"If a particular region or business unit wasn't aware about security policy, we were able to go back and help them fix that," Whiteside said. "In our environment our primary database holds all our clinical data that we were concerned about; now when I get an alert, it's patient information that we're most concerned about."
This was first published in March 2011