Well it's been a while and I wanted to write an entry about something that I've been dealing with lately. Data Leak Prevention or DLP.
Most non-IT people know about DLP only when the IT organization contacts them to let them know they did something they shouldn't have. For those of us that have to deal with the policies, the alerts, and sending those notices, it can be more complicated. You start with crafting the policies based on corporate standards, other organization requests, and maybe some good ideas. The alerts start coming through, and you take action where appropriate.
The issues start to happen when something triggers an alert-only policy and you notify the appropriate group, and they ask "well why was this not blocked?". You begin to describe what policies monitor items versus the ones that block. You try to explain that you can't block everything, the business still needs to get work done! An example of this is where you block a Word document from being sent from the company. Someone takes that document, scans it to create a .tif file and sends that out. The other organizations that don't understand the technology will expect that file to be blocked as well..."Well it's the same document!" Other issues can arise if someone is authorized to use USB devices, but you're expected to block them from taking specfic data that you're notified about after the fact.
Like other security solutions, the promise of "Data Leak Prevention" is not perfect. The business expects DLP to work flawlessly and as those of us in the infosec community know, there is always a way around any restriction. Implementing DLP requires someone who understands the business needs to set up the policies and tweak them as appropriate. It also requires someone to monitor the alerts and either send a notification, escalate as appropriate, or update policies to catch something that was not getting the visibility it should. What can be the most difficult is trying to translate this process to business customers who tell us what they want to see or know about.
Has anyone had any success explaining the nuances of DLP software to the business? If so please note and share some suggestions.
Cross-posted from Secureholio