An effective data loss prevention (DLP) solution must be not only accurate, but also easy to deploy and simple to manage. Many DLP solutions reflect first-generation approaches and suffer from high false-positive rates, complicated and time-consuming deployments, and resource-intensive incident management.
The most important thing in a data loss prevention project is to understand what ‘Day 2’ will look like. To help determine if a DLP solution truly meets your organization’s needs and does not lead to an unexpected investment, try asking the following questions:
Question 1: How many servers and/or appliances are needed in production?
A well-designed and mature DLP solution does not require racks full of servers to deliver enterprise-class results, and should not take weeks or months to deploy. The amount of hardware and the number of steps needed to deploy the solution are key indicators of its maturity. An appliance and a server can provide a complete solution; additional boxes can be added for scalability. Ideally, DLP should be deployed as a unified solution, and not as a collection of multiple point solutions.
Question 2: Can all data be protected when not connected to the corporate network?
Sensitive information held on mobile systems not connected to the corporate network should have the same level of protection as that of local users. Transmission delays between a remote user and the inspection server
Question 3: How resource-efficient is the architecture?
A well-designed DLP solution requires an efficient architecture that scales and adapts to your organization’s changing requirements. The data loss prevention policy can be user-aware, and your endpoint policy server can serve all users, regardless of the policy. This approach uses resources efficiently, and adapts to changing requirements within the enterprise. Conversely, if each endpoint policy profile requires the customer to deploy, configure, and manage a dedicated server, it practically limits the number of usable endpoint policies.
Question 4: Is it easy to manage the DLP solution?
Immature products require multiple consoles and numerous complex configuration steps, driving costs up and increasing the likelihood of human error. With a mature product, all management and configuration is performed using a unified graphical user interface, which streamlines administration, reduces the time required to operate the DLP solution, and decreases the likelihood of human error.
Question 5: How broad is the supplied policy coverage?
A mature DLP solution should provide extensive out-of-the-box policy coverage, with all policies available as needed, to make the operator’s job easier and more effective. Since every organization’s data is different, you may require custom policies. The vendor should be able to assist in writing, testing, and delivering custom policies, which means that you can hit the ground running with the DLP solution.
Question 6: Is the DLP solution aware of the destination of sensitive communications?
Destination awareness is key to preventing the loss of sensitive data with minimal false positives. For example, confidential data sent to a Webmail site represents a different kind of risk than the same data sent to a social networking site. Being aware of the destination when detecting data loss incidents over the Web also lowers the overall administrative burden of evaluating incidents for further action (resulting in significant cost savings).
Question 7: How do you provide a manageable incident load with low false-positives?
While many vendors claim low false-positive rates, it’s worthwhile to fully test the solutions to see which of them live up to the claims. Modern detection technologies go beyond simple regex matching and use full-featured, script-based identification to complement basic pattern matching. Things to look out for include unnecessary incident duplication and natural-language name identification, which are critical for complying with privacy regulations.
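As an added illustration (not from the original article or any vendor's product), the Python example below shows a scripted check complementing a regex, and duplicate detections collapsing into one incident. It assumes payment card numbers as the sensitive data type and the Luhn checksum as the scripted check; the function names, destinations and sample messages are constructed for the example.

```python
import hashlib
import re

# Pattern-only stage: 13-19 digits, optionally separated by spaces or hyphens.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Scripted stage: Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan(body: str):
    """Return (regex_hits, validated_hits) for one message body."""
    hits = [re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(body)]
    return hits, [h for h in hits if luhn_ok(h)]

def incidents(events):
    """Collapse repeat detections: one incident per (destination, value).

    The value is stored as a SHA-256 digest so the incident record does
    not itself hold the raw card number.
    """
    seen = {}
    for destination, body in events:
        for value in scan(body)[1]:
            key = (destination, hashlib.sha256(value.encode()).hexdigest())
            seen[key] = seen.get(key, 0) + 1
    return seen

# Constructed sample traffic: (destination, message body).
SAMPLE = [
    ("webmail.example", "Card on file: 4111 1111 1111 1111, exp 09/27"),
    ("webmail.example", "Resending: 4111-1111-1111-1111"),
    ("crm.example", "Order ref 1234567890123456 shipped, tracking 9999000011112222"),
]

if __name__ == "__main__":
    regex_total = sum(len(scan(body)[0]) for _, body in SAMPLE)
    valid_total = sum(len(scan(body)[1]) for _, body in SAMPLE)
    print(f"regex hits: {regex_total}, validated: {valid_total}, "
          f"incidents: {len(incidents(SAMPLE))}")
```

On the sample, the regex alone flags the order reference and tracking number as well as the card number; the checksum discards those two, and the resent card number is counted on the existing incident rather than raising a second one.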
Question 8: Can the DLP solution protect software as a service (SaaS) cloud-based data?
The DLP solution should be able to protect data, whether in an on-premises database or in a cloud-based data store (such as Salesforce.com). The increasing use of cloud-based SaaS redefines the border between ‘internal’ and ‘external’ destinations. An effective solution must be able to protect confidential data, regardless of where it resides, and without requiring any export of the data to a new format.
About the author: Lior Arbel is a DLP consultant at Websense.
This was first published in March 2011