DLP and Business Needs

Tuesday, April 16, 2013

Scott Thomas

8e6e3972318ff74b194801340248199e

Well it's been a while and I wanted to write an entry about something that I've been dealing with lately. Data Leak Prevention or DLP.  

Most non-IT people know about DLP only when the IT organization contacts them to let them know they did something they shouldn't have. For those of us that have to deal with the policies, the alerts, and sending those notices, it can be more complicated. You start with crafting the policies based on corporate standards, other organization requests, and maybe some good ideas. The alerts start coming through, and you take action where appropriate.  

The issues start to happen when something triggers an alert-only policy and you notify the appropriate group, and they ask "well why was this not blocked?". You begin to describe what policies monitor items versus the ones that block. You try to explain that you can't block everything, the business still needs to get work done! An example of this is where you block a Word document from being sent from the company. Someone takes that document, scans it to create a .tif file and sends that out. The other organizations that don't understand the technology will expect that file to be blocked as well..."Well it's the same document!" Other issues can arise if someone is authorized to use USB devices, but you're expected to block them from taking specfic data that you're notified about after the fact.  

Like other security solutions, the promise of "Data Leak Prevention" is not perfect. The business expects DLP to work flawlessly and as those of us in the infosec community know, there is always a way around any restriction. Implementing DLP requires someone who understands the business needs to set up the policies and tweak them as appropriate. It also requires someone to monitor the alerts and either send a notification, escalate as appropriate, or update policies to catch something that was not getting the visibility it should. What can be the most difficult is trying to translate this process to business customers who tell us what they want to see or know about.  

Has anyone had any success explaining the nuances of DLP software to the business? If so please note and share some suggestions.  

Cross-posted from Secureholio

Possibly Related Articles:
9796
Enterprise Security Policy
Information Security
Data Loss Prevention Security DLP policies
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.