Tuesday, April 5

Data Loss Prevention: Getting Started
By Brad C. Johnson


The term DLP, or Data Loss Prevention, tends to conjure up somewhat polarizing reactions such as “That’s the most important thing in our IT environment!” or “What is that?” The reality is, both reactions are perfectly reasonable.

The minute you start talking about Data Loss Prevention, or Data Leak Prevention/Protection, or Information Loss/Leakage Prevention/Protection, or Content Monitoring, or whatever, and finally get past the acronym du jour and realize it is a conversation about monitoring confidential data, everybody is interested in and concerned about the topic.

Some organizations use the DLP title and create specific initiatives or employee roles based around the topic. Other organizations consider it a by-product of the other security or IT infrastructure they already have in place. I’m going to put a stake in the ground and say it needs to be both.

The reason you need to explicitly consider the DLP topic is that normal and even formal security frameworks don’t usually provide good coverage of all of the DLP issues. Why is that?

At the heart of DLP is the fact that most IT environments don’t include an explicit requirement to actually monitor data payloads in many normal day-to-day tasks and operations. We monitor users, we monitor intrusion attempts, we monitor changes to our Web site, we monitor unexpected protocol attempts on our firewalls, but we often have no idea of all the places our confidential data resides or how it got there.

According to studies on data loss, most companies have lost data on laptops and USB drives, Personal Identifying Information (PII) is often found on expected drives or systems, and an unexpected number of simple unencrypted emails have sensitive information in them. [The Open Security Foundation has catalogued a Data Loss Data Base and is focused on giving news about the details of data loss incidents: http://datalossdb.org/statistics]

The reason this happens is that most data loss is not from malicious attacks (although those tend to be the cases that are more publicized and scrutinized), but instead can be attributed to employee actions such as:

  • not following documented policies
  • storing files with sensitive information on public or lightly secured storage devices
  • using inherently insecure but popular technologies like social networking applications or instant messaging
  • putting sensitive information on mobile devices like laptops or smartphones

In other words, data loss often happens in the course of doing normal work and trying to do your job.

Now that I have planted the seed on why you need to care about DLP, stay tuned for more detailed and focused entries on this important topic.
