Many organizations believe that implementing a Data Loss Prevention (DLP) solution will make it easier to enforce their data security and privacy policies. However, if we are not aware of the challenges we will face during the implementation of a DLP solution, or of the limitations of the DLP tool we intend to choose, we may not get the maximum value out of it in line with the company's security policy guidelines.
We might also end up running multiple DLP solutions if the chosen one does not fit our requirements.
As a first step of a DLP implementation, organizations need to identify the data to be secured and perform data classification and labeling. In the meantime, vendor demos can be used to start understanding the DLP tools and their limitations.
As a next step, we need to understand the channels through which data leaves the organization and which data formats are allowed for that data movement.
It is not advisable to rely solely on a DLP solution. DLP should be an additional layer of security added after the security posture has been tightened. The following points should be kept in mind before implementing a DLP.
Wherever confidential or sensitive data is being processed, we need to have adequate security measures and scrutiny in place. This includes restricting USB ports to charging mobile devices only, with copying from the device to external drives disabled. USB data transfer may be allowed only for the people who need it for their work, based on the necessary approvals. Every case should be reviewed and approved at the discretion of management.
Sending e-mails with attachments in unusual business formats (such as video and audio files) should be disabled. This is important because most DLP tools cannot interpret audio and video files. In today's remote world, much of the work happens over phone calls, and organizations may record those calls for internal or legal purposes; those recordings must be kept confidential as required by federal laws. Even if a DLP tool attempts to interpret the conversations, the chances of error are high, as decoding spoken language is prone to multiple issues.
Using only the internal cloud for file sharing should be mandated. According to reported statistics, 45% of security breaches are cloud based. Many organizations experience data breaches or exposure due to security configurations across multiple clouds. We need to understand the privacy policies of third-party cloud providers before using their services, since our confidential data is stored on their cloud.
Whenever confidential data must be transferred externally for business reasons, it should be done only through approved secure means (SSL/TLS, HTTPS, etc.).
There should be stringent policies requiring prior management approval whenever non-approved data formats are to be sent outside the organization. This ensures that a proper investigation can follow when something is reported by the DLP.
This may not be applicable to all departments, but it should be imposed on those that process confidential data on a daily basis. Security cannot be guaranteed by any means, but the posture will be better if we tighten what is needed before depending on third-party tools.
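The attachment controls above (block audio/video that DLP cannot inspect, hold other non-approved formats for management approval, allow only approved business formats) can be expressed as a small outbound gate. The code below is an added illustration, not part of the original article; the format lists, the internal domain "corp.example" and the approval list are constructed assumptions. It sniffs magic bytes so that a recording renamed to a .txt extension is still caught.

```python
"""Outbound attachment gate: blocks audio/video and holds non-approved
formats for management approval before they leave the organization."""

# Constructed policy values (assumptions, not from the original article).
APPROVED_FORMATS = {"pdf", "docx", "xlsx", "pptx", "txt", "csv"}
MEDIA_FORMATS = {"mp3", "mp4", "wav", "avi", "mov", "m4a"}
INTERNAL_DOMAIN = "corp.example"


def sniff_format(name: str, data: bytes) -> str:
    """Identify the real format from magic bytes; fall back to the extension.
    A call recording renamed to report.txt is still recognised as audio."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[4:8] == b"ftyp":              # ISO base media: mp4/mov/m4a
        return "mp4"
    if data[:3] == b"ID3" or data[:2] == b"\xff\xfb":
        return "mp3"
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate_outbound(recipient: str, attachments: dict, approved_files=()) -> dict:
    """Return {'action': 'allow'|'hold'|'block', 'reasons': [...]}.
    attachments maps filename -> leading bytes of content; approved_files
    lists filenames management has already cleared for this send."""
    if recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return {"action": "allow", "reasons": ["internal recipient"]}
    action, reasons = "allow", []
    for name, data in attachments.items():
        fmt = sniff_format(name, data)
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if fmt in MEDIA_FORMATS:
            # DLP cannot inspect recordings, so policy is to block outright.
            action = "block"
            reasons.append(f"{name}: audio/video ({fmt}) not allowed externally")
        elif fmt not in APPROVED_FORMATS:
            if name in approved_files:
                reasons.append(f"{name}: non-standard format {fmt}, approval on file")
            else:
                if action != "block":
                    action = "hold"          # wait for management approval
                reasons.append(f"{name}: non-standard format {fmt} needs approval")
        if ext and ext != fmt:
            reasons.append(f"{name}: extension .{ext} does not match content ({fmt})")
    return {"action": action, "reasons": reasons}
```

Every "hold" and "block" decision, with its reasons, is what the DLP report and the subsequent investigation should be able to trace back to an approval record.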
Coming back to the DLP tools, we need to choose a tool through a proof of concept (POC) based on our requirements and restrictions. Not all DLP tools work the same way or offer the same features, so a POC is a must to understand whether they fit our goals. It is recommended to have more than one DLP tool, with at least one for the web and one for the network. Some DLP solutions, especially in-house solutions, might slow down the systems they are installed on, so we need to discuss their use cases and known issues with the vendors. If possible, get the outcome of that discussion documented.
Implementing a DLP solution involves cost, so it is always recommended to check with peers in our professional circles, where possible, to understand the use cases they implemented in their companies and the known issues with that tool. This helps in making a better decision and acts as an added filter alongside online reviews of the tool. Do enough research if you want DLP policies for niche categories such as passwords, dates of birth, etc.
There can be many low-level things to consider before finalizing a tool, but the points above are the high-level and critical challenges faced by multiple organizations.
About the Author
Srinath Paladugula is a Lead Consultant in a respected multinational IT consulting firm with around 18 years of experience in the cyber security profession.
He can be reached online at [email protected].