How’s that for an esoteric title? In any case, data leak prevention technology is still somewhat misunderstood; my research this quarter aims to create structured guidance on using it effectively for various scenarios. After all, would you say that encrypting data, enforcing better passwords, ahem… disabling telnet, using role-based access controls all reduce data leaks? They certainly do, together with many other security controls (as a side note, I do not think it is “all about the data”). However, narrowly defined DLP – content-aware DLP, in particular – aims to solve specific facets of the whole data loss and theft mega-challenge rather than replace all the other controls.
Now, the above would be a deep insight in, say, 2006 or so. However, today in 2012, content-aware DLP technology (“DLP narrow”) still has a rocky relationship with broader data security (“DLP wide”) and an even rockier one with enterprise data governance. For example, a recent GTP research project on information sprawl revealed that even those organizations with mature data management programs sometimes don’t use the resulting metadata for DLP.
So, what IS the relationship of DLP to data security? By the way, this applies to all three components of modern DLP technology – “data in-motion” (network DLP), “data at-rest” (storage DLP) and “data in-use” (endpoint DLP).
- In some cases, the answer is “none”: a DLP tool is often used for a narrow, compliance-induced need, such as to ensure “no PANs in email.”
- Sometimes the answer is “some”: a DLP tool may serve as a “replacement control” in an environment where other controls that seek to reduce malicious data leaks are failing (as in “lots of people have access to servers with sensitive data, let’s just use DLP instead of reviewing access policies”).
- Occasionally, DLP is seen as equal to data security: organizations subscribe to a “data-centric” security vision and then, sadly, think that they can buy that vision in a box…
- And, yes, rarely “the right answer” is there: DLP works as one of many controls that comprise an enterprise-wide data protection effort.
So, yes, tactical DLP deployments without any data classification and without any connections to broader data security (and data management) exist and may occasionally be successful (that is, successful in achieving their modest goals). However, this is NOT why content-aware DLP technology ultimately exists. And this is NOT what large organizations pay $300-$800k for.
In future posts, I plan to explore other DLP mysteries and peculiarities while I am working on my technology assessment and operational guidance documents.