Data leakage is now a very ‘real-world’ problem for individuals (exploitation of personal information), organizations (leakage of business sensitive information) and governments (leakage of critical strategic and national secrets). As concepts like ‘IT consumerization’
Globally, organizations have spent millions deploying data loss prevention tools to tackle this problem. Few have actually managed to implement data loss prevention tools in blocking mode. Most use such solutions in monitoring or port mirroring mode; others invest heavily, but are unable to utilize more than a fraction of the solution’s capability.
In my experience, the primary reason data loss prevention tools fail to meet expectations is the absence, from an infosec perspective, of the following five mantras for successful DLP implementation.
1. Information classification
Irrespective of the security control being deployed, this will remain the most important criterion for the successful implementation of data loss prevention tools. Until you are dead sure of ‘WHAT’ to protect, you’ll never be able to resolve ‘HOW’ to do it and ‘WHO’ will do it. Information could be dispersed across mediums. Without proper classification (like confidential, top secret, public and internal), sensitivity cannot be ascribed to different data types. Cross-functional teams need to locate, identify, rate and classify the sensitivity and criticality of information.
Without classification, excessive controls will have to be resorted to, and granular application of controls within data loss prevention tools will never be possible. Controls need only be applied to sensitive information, beyond which they are an impediment to business. For example, organizations lacking proper information classification follow a blanket-ban policy on USB and optical drives. These companies recognize that specific personnel (like those in marketing and sales) need to use such devices. However, they end up helpless to ensure the protection of sensitive company information, which leads to employee frustration and becomes an obstacle to business.
2. Role-based access control
It is essential that employee roles be mapped properly. Otherwise, a data loss prevention tool will generate hundreds of ‘false positives’. Group design in Active Directory and DLP solutions has to be in sync for policies to work as expected. A flaw in either can result in the data loss prevention tool generating false positives vis-à-vis a user’s rightful access. For example, the DLP may report a critical productivity-based alert if an employee sends CVs to multiple recipients. He or she may be from HR, and this might be a business requirement.
The challenge in most organizations is that employee information is spread across multiple databases (like the HR master database, Active Directory and Accounting). These databases lack periodic cleansing, and when personnel move within the organization, role changes are often not updated. Periodic reviews of access permissions are not given due priority. In each database (OS or application), user mapping to IT role is a MUST for a successful data loss prevention tool implementation.
3. Identity management
If users exist in multiple databases, and IDs in some of the applications are not modified after a user leaves or is transferred, the validity of authorized access may never be determined using a DLP tool. With IDs created in multiple databases using different access permissions, operations like updating, addition or deletion become manual operations. Dependency on people increases, and process adherence becomes difficult to measure. The ID lifecycle for an employee should be traceable and available for forensics and statutory audits.
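The reconciliation that sections 2 and 3 call for, as an added example that is not part of the original article: it checks constructed Active Directory and accounting-application account exports against a constructed HR master extract and reports accounts with no active owner and group memberships that disagree with the HR role. The field layout, group names and the role-to-group mapping are assumptions.

```python
"""Reconcile identity stores before tuning DLP policy (constructed sample data)."""
import csv
import io

# Constructed HR master extract: the authoritative record of who is employed and in what role.
HR_MASTER = """emp_id,name,department,status
1001,A. Rao,HR,active
1002,B. Shah,Sales,active
1003,C. Iyer,Finance,terminated
1004,D. Mehta,Sales,active
"""

# Constructed account exports from two stores, keyed back to HR by emp_id.
ACCOUNTS = """store,account,emp_id,group
AD,arao,1001,GRP-HR
AD,bshah,1002,GRP-HR
AD,ciyer,1003,GRP-FINANCE
Accounting,ciyer_fin,1003,GRP-FINANCE
Accounting,tmp_audit,,GRP-FINANCE
AD,dmehta,1004,GRP-SALES
"""

# Assumed mapping from HR department to the group that DLP policies key on.
ROLE_TO_GROUP = {"HR": "GRP-HR", "Sales": "GRP-SALES", "Finance": "GRP-FINANCE"}


def reconcile(hr_csv, accounts_csv, role_to_group):
    """Return (store, account, finding) tuples for every account that disagrees with HR."""
    hr = {row["emp_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = hr.get(acct["emp_id"])
        if owner is None:
            # No HR record: the account cannot be tied to a person at all.
            findings.append((acct["store"], acct["account"], "no HR owner"))
        elif owner["status"] != "active":
            # Leaver whose ID was never disabled in this store.
            findings.append((acct["store"], acct["account"], "owner not active"))
        elif role_to_group.get(owner["department"]) != acct["group"]:
            # Group membership no longer matches the HR role, so DLP policy
            # scoped by group will misjudge this user's rightful access.
            findings.append((acct["store"], acct["account"], "group/role mismatch"))
    return findings


if __name__ == "__main__":
    for store, account, finding in reconcile(HR_MASTER, ACCOUNTS, ROLE_TO_GROUP):
        print(f"{store:<11}{account:<11}{finding}")
```

Each finding is a candidate DLP false positive or false negative: the Sales employee still in the HR group, for instance, would be exempted by a rule that allows HR to send CVs.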
4. Strong policy framework
Policies defined in data loss prevention tools need to be aligned to the organizational policy. Take the example of an organizational policy categorizing purchase orders or invoices as non-sensitive documents. A DLP policy which treats these as sensitive will cause conflicts when, say, a business user sends an invoice copy to a customer and the DLP tool blocks the document’s transmission. It may even lead to monetary loss.
Policy frameworks of organizations are usually developed around security standards like ISO 27001. Review of non-IT-focused organizational policies (like information retention, classification, and disciplinary actions) is missing, since they are not part of the review process. Policies need to be defined to suit business, market, geographic and cultural conditions for a successful DLP tool implementation. Finally, employees need to be aware of the disciplinary framework in case of process and policy violations.
5. Clear roles and responsibilities with escalation matrix
Prior to deploying a data loss prevention tool, organizations need to clearly identify its objectives, deliverables and the metrics for measuring its effectiveness. Resource identification for DLP monitoring and maintenance is usually overlooked. Identify competent personnel and define their roles and responsibilities. For large organizations, a dedicated team should review all incidents, given the high volume of false positives.
An escalation matrix for the data loss prevention tool and a defined process must be published to all stakeholders to avoid ambiguity. An incident handling process should be circulated within a closed group of decision makers in case of reported incidents. Response and closure of incidents must be published to all stakeholders.
Manish Dave is the group CISO at Essar.
This was first published in April 2012