I was recently asked to comment on mistakes companies make in purchasing and implementing data leak prevention tools (DLP). Although we have been talking about DLP for quite some time, it continues to be a challenging issue for many companies. In my experience, the mistakes companies make fall into the following categories:

  • inadequate risk analysis prior to product selection
  • inadequate investment of time in configuration and tuning
  • failure to set expectations with business units
  • failure to work closely with business units when tuning the configuration

Selecting the right tool for an environment can be difficult. There are typically many potential egress routes for data. These may include removable media, email, instant messaging, FTP, web applications, and even paper copies.

The risks of each mechanism should be assessed first; only then can an organization determine which tool best addresses the egress routes it deems most risky. Few, if any, tools will excel at DLP for all potential egress routes.

DLP tools can be disruptive to a business if not carefully configured and tuned. False positives can disrupt normal or essential business operations. To avoid this, many DLP tools default to a passive mode, simply recording potential leaks. This is done so that customers can tune the product to reduce or eliminate an excessive number of false positives before enabling prevention.

Unfortunately, in some organizations, the tool is bought, deployed, and its configuration is never adjusted. The tool quietly records detections, but it is never configured to prevent data leaks. In more than one case, an organization thinks it has prevented leaks, but is in fact only recording leaks.
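One way to catch the "recording, not preventing" failure mode described above is a periodic audit of rule modes against the analyst-reviewed detection log. The script below is an added example, not code from the original post or from any DLP product: it assumes a hypothetical export format in which each rule carries a `mode` (`monitor` or `block`) and a `monitor_since` date, and in which analysts have labelled each detection as a true positive (`tp`) or false positive (`fp`). All field names, thresholds and sample data are constructed for illustration.

```python
"""Audit DLP rules for the 'monitor-only forever' failure mode.

Added example (not from the original post). Assumes a hypothetical DLP
product that exports rules with a mode ('monitor' or 'block') and the date
monitoring started, plus an event log where analysts have marked each
detection 'tp' (true positive) or 'fp' (false positive). All names below
are invented for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: rules as a DLP product might export them.
RULES = [
    {"id": "ssn-email", "mode": "monitor", "monitor_since": date(2023, 1, 10)},
    {"id": "pan-usb",   "mode": "monitor", "monitor_since": date(2023, 1, 10)},
    {"id": "pii-im",    "mode": "monitor", "monitor_since": date(2023, 1, 10)},
    {"id": "src-ftp",   "mode": "block",   "monitor_since": date(2022, 6, 1)},
]

# Constructed sample: detections with an analyst verdict.
EVENTS = [
    ("ssn-email", "tp"), ("ssn-email", "tp"), ("ssn-email", "fp"),
    ("ssn-email", "tp"), ("ssn-email", "tp"),
    ("pan-usb", "fp"), ("pan-usb", "fp"), ("pan-usb", "tp"),
    ("pan-usb", "fp"), ("pan-usb", "tp"),
    ("pii-im", "tp"),
    ("src-ftp", "tp"),
]


def false_positive_rates(events):
    """Return {rule_id: (fp_rate, total)} from analyst-labelled detections."""
    counts = defaultdict(lambda: [0, 0])  # rule_id -> [fp_count, total]
    for rule_id, verdict in events:
        counts[rule_id][1] += 1
        if verdict == "fp":
            counts[rule_id][0] += 1
    return {r: (fp / total, total) for r, (fp, total) in counts.items()}


def audit_rules(rules, events, today, max_fp_rate=0.25,
                max_monitor_days=90, min_events=5):
    """Classify each rule so the DLP team can see which ones only record.

    Returns {rule_id: status} where status is one of:
      'enforcing'      - already in block mode
      'ready_to_block' - monitor mode, enough reviewed events, FP rate at or
                         under max_fp_rate: safe to switch to prevention
      'needs_tuning'   - monitor mode, enough reviewed events, but the FP
                         rate is too high to enforce without disrupting users
      'stale_monitor'  - monitor mode past max_monitor_days with too few
                         reviewed events: nobody is tuning this rule
      'collecting'     - monitor mode, still within the tuning window
    """
    rates = false_positive_rates(events)
    result = {}
    for rule in rules:
        if rule["mode"] == "block":
            result[rule["id"]] = "enforcing"
            continue
        fp_rate, total = rates.get(rule["id"], (0.0, 0))
        days_in_monitor = (today - rule["monitor_since"]).days
        if total >= min_events:
            status = "ready_to_block" if fp_rate <= max_fp_rate else "needs_tuning"
        elif days_in_monitor > max_monitor_days:
            status = "stale_monitor"
        else:
            status = "collecting"
        result[rule["id"]] = status
    return result


if __name__ == "__main__":
    report = audit_rules(RULES, EVENTS, date(2023, 10, 1))
    for rule_id, status in sorted(report.items()):
        print(f"{rule_id:<12} {status}")
```

Run against the constructed data, the report shows one rule already enforcing, one whose false-positive rate is low enough to move to block mode, one that still needs tuning with the business unit, and one that has sat in monitor mode for months with almost no review. The last category is the one the post warns about: a rule that is quietly recording while everyone assumes it is preventing.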

DLP can be difficult to deploy successfully. It is not a matter of simply purchasing the product and turning it on. The team responsible for the operation of the DLP product will need to work closely with business units. It requires setting expectations and working with the business units to tune the system so that normal processes are not disrupted.