Should I DISCOVER where sensitive/regulated data resides in my environment OR DETECT when it is being leaked? Storage DLP first or network DLP first? Data-at-rest (DAR) first or Data-in-motion (DIM) first? What is more important, knowing WHAT can be stolen and from where OR WHAT is being sent out today?
Sorry, but “IT DEPENDS.” As many tough questions in life, this one has no single right answer. Successful data protection projects, whether for regulated data or corporate secrets, often start from a discovery sweep of an internal network. Looking for PANs, SSNs, known secret documents, customer records or whatever else allows the DLP conversation to start and the “lay of the data land” to become more clear. At the same time, they also often start from observing sensitive and regulated data flows out of your environment via email, FTP, web uploads, etc. This helps jumpstart the DLP discourse and creates a sobering realization of “Whaaaat!? This is going on RIGHT NOW!!?” Both are common and reasonable.
So, why discover first?
- Learn the extent of sprawl of a particular type of data
- Assess the complexity of the upcoming data protection effort
- Gather ammunition for identifying and then engaging the data owners
- Learn what to include in monitoring policies next
Why monitor first?
- Observe (and, then, hopefully, stop) the most blatant and obvious leaks
- Assess the priority of needed data protection efforts based on ongoing data movement
- Easily get a taste of content-aware DLP technology without too much hard work (!)
- Learn what to include in discover scans next
As a side note, few organizations would venture into “enforce first” as you need to know BEFORE you can act. Control comes after visibility (and, by the way, in some domain it never really comes…). One can discover first and then reduce, secure, monitor and protect what is discovered. One can also monitor first and then evolve to reduce the exposure. A sole exception I’ve seen is about enforcing something trivial like ‘block all USB access on endpoints’ which is hardly at the core of content-aware DLP.
Finally, if you’d absolutely push me to the wall and make me give a simple answer to a complex question, then go do network monitoring first… mostly because it is easier (= the most similar to netsec technologies) and often produces nasty (and thus deeply motivating) surprises.
P.S. this discussion does not remove the requirement to understand what you are trying to do with DLP and with data security in general. The real FIRST action is always ‘think’, not ‘buy’ or ‘deploy’. Don’t get those ideas 🙂